Does anyone using RegRipper have any thoughts or insight into what they'd like to see or discuss?
First, thank you.
Second, a community feedback driven, progressive development of future path. That is, allow an open period of development direction feedback, thereafter vote period on direction, and finally plan out the path to the selected direction(s).
(And the captcha fix for the forum. I can rarely make it in, as it is always "try again!")
As for support or specialized development, I would leave that for you to make it into a revenue model. After all, you still have bills.
Second, a community feedback driven, progressive development of future path. That is, allow an open period of development direction feedback, thereafter vote period on direction, and finally plan out the path to the selected direction(s).
This has been available from the beginning. I have seen that most folk simply run the tool without really questioning what the output means, if it's correct, or even thinking about what other data they'd like to see.
As for support or specialized development, I would leave that for you to make it into a revenue model. After all, you still have bills.
My concern is that once I move to a revenue model, that's when folks are going to get to be demanding! 😉
Right now, there are a number (small, but it's still a number) of folks who use RR and write plugins. As far as development, very few (one or two) have asked for features, and they are the same ones. One person has been engaging with me regarding features beyond that.
On the flip side of the coin, it seems that most people just run RR by downloading plugins and pushing the button…sadly, that's not how it works. For example, to use the GUI, you need to (a) download any new plugins, and (b) explicitly add them to a profile used by the GUI. It's not hard, but it seems that it does set the bar a bit too high.
From the time that I released RR, I have been more than willing to write requested plugins, provided that the requester furnishes (a) a concise description of what they want, and (b) a sample hive file. I don't get many requests. I do see some folks creating their own plugins, which is great/fantastic/wonderful, but I also see people stating publicly that some plugin or another doesn't exist, rather than simply asking for help.
I would get rid of the GUI, to be honest.
The "push-button forensics" is just driving me nuts. There are ample evidence that this happens from posts here, other forums, listservs, and even court evidence…
"Push button forensics" is not just relegated to people who use GUIs. GUIs are not inherently evil. Or are you browsing FF using Lynx?
I have to agree with Chris…GUIs are not inherently evil, the same way guns are not inherently evil.
If a GUI can be used to bootstrap analysts into actually performing some modicum of Registry analysis, and get at least 1% of those analysts to get interested enough into going further, then I'd suggest that it's worth keeping the GUI, and maybe even improving upon it.
I guess what I'm much more interested in is, does the way RegRipper works make sense? Is there anything in the methodology that could be improved? What about the plugins? I don't get many requests for plugins…instead, what I see is someone posting in a forum or stating at a conference, "RegRipper doesn't do this…". That actually happened at the recent SANS Forensic Summit…I have to say, I was kind of shocked. Admittedly, there are a handful of folks who write their own plugins, but I mean, really…do you complain at the bank when you got a green lollipop instead of a red one, or do you simply go back and ask for a red one?
Ok, here is what I really don't understand and my 2 cents…
I have seen it in my short 5 yr period in computer forensics, there are many forensic techs out there that are recipe analysts. What I mean is that they really have no idea what they are looking at, but they like to push buttons and get some kind of results. They really don't understand what the result means, but they are results. This is where I really believe that GUIs are evil sometimes. If you only had command lines, I think that you have to understand what command to use, rather than clicking on an option (like a multiple choice exam…you may just be right and not understand what's going on).
Keydet89, from what I have seen and understand, RegRipper is outstanding. I have the book Windows Forensics and am still working my way through that book and finding the material very informative. I am sure that many people out there are like me in that, in order to use RegRipper, you have to feel comfortable with what it does and how it does it. The topic of plugins is well talked about, but maybe it's just me or I haven't found it, but is there material on step-by-step how to use plugins? I have just started to examine plugins and what the possibilities are, but I would like to start at point A and understand first how to properly run them, then move on to how it actually works and what the results mean.
Thanks
Ok, here is what I really don't understand and my 2 cents…
I have seen it in my short 5 yr period in computer forensics, there are many forensic techs out there that are recipe analysts. What I mean is that they really have no idea what they are looking at, but they like to push buttons and get some kind of results. They really don't understand what the result means, but they are results. This is where I really believe that GUIs are evil sometimes. If you only had command lines, I think that you have to understand what command to use, rather than clicking on an option (like a multiple choice exam…you may just be right and not understand what's going on).
I'm sorry, but I really don't agree with this…the reason being that one can use RegRipper (GUI), or the CLI part of RegRipper, rip, using the following command line:
rip -r X\Windows\system32\config\system -f system > report.txt
Both options use very similar arguments/options, and neither provides more transparency to what's actually going on than the other.
In part, I do understand what you're referring to…I've said for a long time that the purpose of a GUI is to protect the user from themselves. But this depends upon how the GUI is written. The tool author can either limit what the user has access to (can select some options, but not others), or simply use the GUI as a means of reminding what options are available to the user…a good example of which is some of the GUIs available for nmap.
Keydet89, from what I have seen and understand, RegRipper is outstanding. I have the book Windows Forensics and am still working my way through that book and finding the material very informative. I am sure that many people out there are like me in that, in order to use RegRipper, you have to feel comfortable with what it does and how it does it. The topic of plugins is well talked about, but maybe it's just me or I haven't found it, but is there material on step-by-step how to use plugins?
I'm not sure what you mean by "use" the plugins.
One way to use a plugin is to drop it into the plugins folder, and 'use' it via rip:
rip -r NTUSER.DAT -p userassist
Another way to use it, via RegRipper (GUI) is to drop the plugin into the plugins folder, and then edit the appropriate profile. For example, I wrote a plugin called "appcompatcache.pl", which mimics what Mandiant's shimcache.py does. I would drop that file into the plugins folder, and then open the 'system' profile (file named 'system' with no extension) in Notepad, and add that plugin to the list of plugins to be run via the profile.
I have just started to examine plugins and what the possibilities are, but I would like to start at point A and understand first how to properly run them, then move on to how it actually works and what the results mean.
I hope that the above was helpful. You'll find that information in the book, "Windows Registry Forensics".
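As an added illustration of what actually goes into the plugins folder (this is example code written for this page, not a plugin shipped with RegRipper and not code from the thread), here is a minimal rip plugin in the style of the 2.x plugin set. The file name userrun_example.pl, the package name userrun_example and the osmask value are assumptions; the package name must match the file name, because rip loads the file by name and calls its pluginmain. The plugin opens an NTUSER.DAT hive with Parse::Win32Registry (already loaded by rip, so plugins do not import it themselves), walks to the user's Run key, and reports the key's LastWrite time along with every value name, type and data, so the analyst sees not just "what runs" but when the key was last changed.

```perl
package userrun_example;   # assumed name; must match plugins/userrun_example.pl
use strict;

# Configuration hash that rip queries when listing (-l) or running plugins.
my %config = (hive          => "NTUSER.DAT",
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 22,         # assumed OS bitmask, per 2.x plugin convention
              version       => 20240101);  # assumed version stamp (YYYYMMDD)

sub getConfig     { return %config }
sub getShortDescr { return "Lists values in the user's Run key (example plugin)" }
sub getDescr      { }
sub getRefs       { }
sub getHive       { return $config{hive} }
sub getVersion    { return $config{version} }

my $VERSION = getVersion();

# rip calls this as userrun_example->pluginmain($path_to_hive).
sub pluginmain {
    my $class  = shift;
    my $ntuser = shift;

    ::logMsg("Launching userrun_example v.".$VERSION);
    ::rptMsg("userrun_example v.".$VERSION);

    # Parse::Win32Registry is loaded by rip itself; plugins just use it.
    my $reg      = Parse::Win32Registry->new($ntuser);
    my $root_key = $reg->get_root_key;

    # In a user hive the path is relative to the hive root, no HKCU prefix.
    my $key_path = 'Software\Microsoft\Windows\CurrentVersion\Run';

    my $key = $root_key->get_subkey($key_path);
    if ($key) {
        ::rptMsg($key_path);
        # LastWrite is the key's own timestamp; report it in UTC.
        ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");

        my @vals = $key->get_list_of_values();
        if (scalar(@vals) > 0) {
            foreach my $v (@vals) {
                # get_data_as_string() renders REG_SZ/REG_EXPAND_SZ/REG_BINARY
                # safely for a text report; get_type_as_string() labels the type.
                ::rptMsg(sprintf("  %-30s [%s] %s",
                                 $v->get_name(),
                                 $v->get_type_as_string(),
                                 $v->get_data_as_string()));
            }
        }
        else {
            ::rptMsg($key_path." has no values.");
        }
    }
    else {
        ::rptMsg($key_path." not found.");
    }
}

1;
```

To run it once the file is in the plugins folder: rip -r NTUSER.DAT -p userrun_example. To have the GUI run it as part of a profile, add the line userrun_example to the profile file for user hives (the profile name itself is not an assumption about this thread; it is whatever profile you already point the GUI at for NTUSER.DAT). The "not found" and "no values" branches matter: a silent plugin is indistinguishable from a key that is genuinely empty, and the report should say which it was.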
Maybe getting rid of the GUI is not the best option.
I will not hijack the thread to bemoan tribulations with posers.
Back to RR
I have seen it in my short 5 yr period in computer forensics, there are many forensic techs out there that are recipe analysts. What I mean is that they really have no idea what they are looking at, but they like to push buttons and get some kind of results. They really don't understand what the result means, but they are results. This is where I really believe that GUIs are evil sometimes. If you only had command lines, I think that you have to understand what command to use, rather than clicking on an option (like a multiple choice exam…you may just be right and not understand what's going on).
If I get the sense correctly, you are saying (and here you are somewhat "right") that there are quite a number of incompetent forensic techs.
IMHO you are mistakenly attributing the blame for this to the availability of "easy" (GUI) software.
Being myself NOT a Forensic tech BUT an old command line dinosaur, I am touched by your consideration, but feel authorized to take it away (temporarily) from the specific "digital forensic field".
Take medicine.
There are quite a number of MD's that cannot see a bone fracture in a mega-hyper-turbo-magnetic-resonance-computerized-tomographic image.
As well, it is probable that the now retired doctor that helped with your birth can find it in an overexposed X-ray image taken with a 1955 machine he has in his basement.
But there are also many more than a few good, young, MD's that can use efficiently the results of the newer machinery, only, the NIMRI is not as good with bones as a more traditional technology.
You need to use the "right tool" for the job and have the competence to use this tool.
It is a common opinion that CLI is MORE "powerful" than corresponding GUI (and often it is).
When this happens, it is only because the GUI is badly made, or because programmers that write CLI programs are "better" (in the sense of more "old school" or with "wider experience") programmers than those that write GUI apps.
If GUI programs are easier (or more convenient) to use while delivering the SAME power, they are GOOD GUI programs.
If GUI programs are easier (or more convenient) to use BUT deliver LESS power, then there may be an issue, and they are NOT good GUI programs.
But if a given forensic tech (in this like in any other profession) is an incompetent lazy b*****d, it is not because someone was so kind as to provide good, easier to use GUI apps, it is only because he is an incompetent lazy b*****d.
A program, like any algorithm, procedure, etc, is nothing but a tool, if the tool is efficient and contributes to provide a good result, who cares if it is CLI or GUI?
If you have to loosen a nut and you use a pair of pliers instead of a spanner, as long as
- you actually loosen the nut
- you don't unnecessarily ruin the nut or bolt
no one will care about the tool you used.
The point is that if you don't know exactly how to loosen a nut and you insist on using an unsuitable tool (because you don't know how to use a spanner), sooner or later you will either fail to loosen the nut (because it is too d@mn tight to be loosened by some pliers) or you will ruin the nut, because the pliers will slip.
On the other hand if the nut is already ruined, it is possible that you will fail with the spanner and that you will succeed with the pliers.
But it won't be the merit (or fault) of the pliers, or of the spanner, or of the nut; they are tools, and it's the way they are used that may make a difference.
jaclaz