There are two distinct ways I use RegRipper. One is maybe a push-button approach.
At the start of a case I will probably run RegRipper with all plugins I have over all live hives. I won't be too concerned with the output at this stage but will have a quick look at specific areas (ua, mru, run, mounted devices etc.) just to get a feel for what is going on. If there are file or folder names that I find of interest throughout my exam I will probably grep for those against my output. The parsed plain-text nature of the output makes it really easy to do this; it also makes it easy to scan through and see areas that maybe I wouldn't have considered looking at straight away (I know, I know, RegRipper is not meant for people to have a look around). Quick, dirty and push-button, but this always helps me have an idea of where to go next; in 10 minutes or so I might have determined my next day's worth of analysis based on seeing something in the output of RegRipper.
The second way I use RegRipper is completely targeted: a) I want to know about one set of values across a number of machines, or b) I want to know about one machine historically. This has made cases for me in the past. Although it would be completely possible without RegRipper, the fact that automation becomes so easy means there is no reason not to look at all RPs for this value of interest.
Sorry to go a bit off piste, I just wanted to point out that tools that are easy to use aren't necessarily evil. Maybe I am doing it wrong, but I use RegRipper all the time and it always helps me find a direction or evidence.
To try and answer back on topic.
As a free tool I have never expected anything at all from RegRipper. So to find documentation, coherent readme instructions and ongoing development is great news.
The next level? I would like to see some kind of database/wiki where in a standard format there is discussion of
An area of the registry
Breakdown/decoding of the values
Discussion of Forensic value
Sample hive
Parsing code
I don't envisage this as an output from one person; this should be collaboratively community led, and the standard format means that someone can post about an area but nothing else, someone else could come along and provide a sample hive, while others provide case study experience info and others the code.
p
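The two workflows described above (a whole-profile run over every hive followed by grepping the text output for names of interest, and one value tracked across several machines or restore-point copies of a hive) can be scripted against RegRipper's plain-text output. The following Python is an added example, not code from this thread or from RegRipper itself. It assumes rip.pl output in the "Launching <plugin> v.<date>" form with dashed separators between plugins, and that rip.pl is on the PATH for the command builder; the embedded sample output, host, restore-point and value names are constructed for the demonstration.

```python
"""Triage RegRipper text output across several hive copies (added example)."""
import re
from collections import defaultdict

# One plugin block in rip.pl output starts with a "Launching <plugin> v.<date>" line.
HEADER = re.compile(r"^Launching (\S+) v\.(\d+)\s*$")

# Constructed sample: the SOFTWARE hive of one machine, as two restore-point
# copies and the live hive. Paths and value names are invented for the demo.
SAMPLE_OUTPUT = {
    "RP1/SOFTWARE": r"""Launching run v.20080328
run v.20080328
(Software) [Autostart] Get autostart key contents from Software hive

Microsoft\Windows\CurrentVersion\Run
LastWrite Time Mon Jan 07 08:01:10 2013 (UTC)
  ctfmon = C:\Windows\system32\ctfmon.exe
----------------------------------------
Launching uninstall v.20080616
uninstall v.20080616
  7-Zip 9.20
""",
    "RP2/SOFTWARE": r"""Launching run v.20080328
run v.20080328
(Software) [Autostart] Get autostart key contents from Software hive

Microsoft\Windows\CurrentVersion\Run
LastWrite Time Wed Jan 09 22:40:03 2013 (UTC)
  ctfmon = C:\Windows\system32\ctfmon.exe
  updater = C:\Users\bob\AppData\Roaming\svchosts.exe
----------------------------------------
Launching uninstall v.20080616
uninstall v.20080616
  7-Zip 9.20
""",
    "live/SOFTWARE": r"""Launching run v.20080328
run v.20080328
(Software) [Autostart] Get autostart key contents from Software hive

Microsoft\Windows\CurrentVersion\Run
LastWrite Time Thu Jan 10 09:12:44 2013 (UTC)
  ctfmon = C:\Windows\system32\ctfmon.exe
  updater = C:\Users\bob\AppData\Roaming\svchosts.exe
----------------------------------------
""",
}
# Chronological order of the copies, oldest first (constructed).
SOURCES_OLDEST_FIRST = ["RP1/SOFTWARE", "RP2/SOFTWARE", "live/SOFTWARE"]


def rip_command(hive_path, profile="all"):
    """argv for RegRipper's CLI: rip.pl -r <hive> -f <profile> (assumes rip.pl on PATH)."""
    return ["rip.pl", "-r", hive_path, "-f", profile]


def split_plugins(text):
    """Split one rip.pl run into {plugin_name: [non-empty output lines]}."""
    sections = defaultdict(list)
    current = None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = m.group(1)
            continue
        if current is not None and line.strip() and not line.startswith("----"):
            sections[current].append(line.rstrip())
    return dict(sections)


def find_terms(outputs, terms):
    """Case-insensitive grep of each term over every source and plugin.

    Returns {term: [(source, plugin, matching line), ...]} for terms that hit.
    """
    hits = defaultdict(list)
    for source, text in outputs.items():
        for plugin, lines in split_plugins(text).items():
            for line in lines:
                for term in terms:
                    if term.lower() in line.lower():
                        hits[term].append((source, plugin, line.strip()))
    return dict(hits)


def first_seen(hits, term, sources_oldest_first):
    """Oldest copy of the hive in which `term` appears (the 'historical' question)."""
    seen = {src for src, _, _ in hits.get(term, [])}
    for src in sources_oldest_first:
        if src in seen:
            return src
    return None


if __name__ == "__main__":
    # Triage: which copies carry a suspicious autostart, and when did it first appear?
    found = find_terms(SAMPLE_OUTPUT, ["svchosts.exe", "ctfmon"])
    for term, rows in found.items():
        print(term, "first seen in", first_seen(found, term, SOURCES_OLDEST_FIRST))
        for source, plugin, line in rows:
            print(f"  {source:14} {plugin:10} {line}")
    print("would run:", " ".join(rip_command("/case/host1/config/SOFTWARE")))
```

Each hive copy becomes one key in the outputs dictionary (in practice, the captured stdout of `rip.pl -r <hive> -f all`), so the same search runs unchanged over one machine's restore points or over the same hive from many machines; the first_seen check answers the "when did this value arrive" question the second workflow describes.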
Thanks, your thoughts are greatly appreciated.
The next level? I would like to see some kind of database/wiki where in a standard format there is discussion of
An area of the registry
Breakdown/decoding of the values
Discussion of Forensic value
Sample hive
Parsing code
This already exists with ForensicArtifacts.com, and quite truthfully, could exist in the ForensicsWiki.
I don't envisage this as an output from one person; this should be collaboratively community led, and the standard format means that someone can post about an area but nothing else, someone else could come along and provide a sample hive, while others provide case study experience info and others the code.
Not to sound cynical, but "collaboratively community led" generally results in a small handful of people doing all the work, and everyone else either simply consuming the information, or stating what's wrong with it or what it's missing in a public forum without doing anything to improve it.
Further, folks are very unlikely to provide sample hives. Since I released RegRipper, I've stated again and again that if someone would like a plugin written, provide a concise description of what you want and a sample hive. In some cases, people have refused to provide sample hives. When someone has provided a sample hive, I've been able to turn around a working plugin within the hour, with complete discretion regarding the source and the sample hive.
I'm not saying that these aren't good ideas… what I am saying is that based on my experience thus far, some have worked to a limited degree, and others haven't. I'd like to see this change.
Yeah, I totally agree with you. This is why there is quite often the contradiction of people who believe in openness and sharing looking for closed communities in which to operate with other like-minded people.
To continue to strive to openly share and grow the community in public, you and a number of others are to be applauded.
Can we turn the question around?
Besides money, how could the community help you continue developing and enhancing RR?