On Using Tools

I’ve written about using tools before in this blog, but there are times when something comes up that provokes a desire to revisit a topic, to repeat it, or to evolve and develop the thoughts around it. This is one of those posts. 

When I first released RegRipper in 2008, my intention was that once others saw the value in the tool, it would organically just grow on its own as practitioners found value in the tool, and sought to expand it. My thought was that once analysts started using it, they’d see the value proposition in the tool, and all see that the real power that comes from it is that it can easily be updated; “easily” by either developing new plugins, or seeking assistance in doing so.

That was the vision, but it’s not something that was ever really realized. Yes, over time, some have created their own plugins, and of those, some have shared them. However, for the most part, the “use case” behind RegRipper has been “download and RUNALLTHETHINGS”, and that’s pretty much it.

On my side, there are a few assumptions I’ve made with respect to those using RegRipper, specifically around how they were using it. One assumption has been that whoever downloaded and is using the tool has a purposeful, intentional reason for doing so, that they understand their investigative goals and understand that there’s value in using tools like RegRipper to extract information for analysis, to validate other findings and add context, and to use as pivot points into further analysis.

Another assumption on my part is that if they don’t find what they’re looking for, don’t find something that “helps”, or don’t understand what they do find, that they’ll ask. Ask me, ask someone else.

And finally, I assume that when they find something that either needs to be updated in a plugin, or a new plugin needs to be written to address something, that they’ll do so (copy-paste is a great way to start), or reach out to seek assistance in doing so.

Now, I’m assuming here, because it’s proved impossible to engage others in the “community” in a meaningful conversation regarding tool usage, but i

[…]

This article has been indexed from Windows Incident Response