WEBVTT

00:00:03.040 --> 00:00:06.140
I didn't want to conclude our conversation on Windows Registry Analysis

00:00:06.140 --> 00:00:08.660
without mentioning this tool.

00:00:08.660 --> 00:00:11.820
Harlan Carvey, one of the first researchers working in digital forensics

00:00:11.820 --> 00:00:15.680
related to Windows, developed RegRipper using a Perl script.

00:00:15.680 --> 00:00:20.300
This tool is easy to use and, as you can see here, the interface is quite

00:00:20.300 --> 00:00:24.160
simple. Let's go ahead and get started.

00:00:24.160 --> 00:00:26.160
Here we have a field for Hive File.

00:00:26.160 --> 00:00:30.680
To analyze a file, let's click the Browse button and search.

00:00:30.680 --> 00:00:35.820
Let's say we want to analyze this SAM file.

00:00:35.820 --> 00:00:38.560
Let's go ahead and select it and click the Open button.

00:00:38.560 --> 00:00:43.440
Next, we will click the Browse button for the report file, which allows

00:00:43.440 --> 00:00:46.500
us to select where we want to store the report.

00:00:46.500 --> 00:00:53.480
Let's enter a name, select a location, and then click Save.

00:00:53.480 --> 00:00:56.980
Here we have a drop-down option for Profile, which allows us to select

00:00:56.980 --> 00:00:59.240
a plugin that we may want to apply.

00:00:59.240 --> 00:01:02.780
Since it's a SAM file, we want to apply the SAM plugin.

00:01:02.780 --> 00:01:05.580
Now, we can click the Rip It button.

00:01:05.580 --> 00:01:07.940
That's why it's called Ripper, right?

00:01:07.940 --> 00:01:09.960
The process is now done.

00:01:09.960 --> 00:01:18.400
We can go ahead and close this and take a look at the results in Report.

00:01:18.400 --> 00:01:22.080
The report tells us what's been done, if there were any errors, and what

00:01:22.080 --> 00:01:23.980
plugins were applied.

00:01:23.980 --> 00:01:30.960
Here we have the username, which is Administrator, just as we saw in the

00:01:30.960 --> 00:01:34.380
previous video when we used Registry Explorer.

00:01:34.380 --> 00:01:37.960
A bit further down, we can see when the last login was, as well as the

00:01:37.960 --> 00:01:40.100
password reset date.

00:01:40.100 --> 00:01:43.640
We can also see if this is for a normal user account.

00:01:43.640 --> 00:01:46.220
And here we have a guest user.

00:01:46.220 --> 00:01:52.640
As we look further down, we can see other usernames, like User1 and Hacker.

00:01:52.640 --> 00:01:56.280
And as we continue to scroll through, we are presented with more details,

00:01:56.280 --> 00:02:00.240
which are for the default user accounts that are found on the machine.

00:02:00.240 --> 00:02:04.040
So, as you can see, this is very simple to use.

00:02:04.040 --> 00:02:10.460
Let's open RegRipper again, and this time, let's select the system.

00:02:10.460 --> 00:02:13.460
Let's also name the report and select a destination.

00:02:13.460 --> 00:02:18.400
We'll call it the system report, and save it here.

00:02:18.400 --> 00:02:22.980
In the Profile drop-down, let's select System.

00:02:22.980 --> 00:02:26.760
Now, let's click the Rip It button.

00:02:26.760 --> 00:02:29.940
The tool will now start ripping the system hive with all the plugins that

00:02:29.940 --> 00:02:34.040
it has for the system hive, and then it will store them in our report.

00:02:34.040 --> 00:02:37.220
This shouldn't take long to complete.

00:02:37.220 --> 00:02:39.700
RegRipper is frequently updated by Harlan.

00:02:39.700 --> 00:02:44.220
The community is also very supportive by providing new plugins and artifacts.

00:02:44.220 --> 00:02:48.340
This is a very useful tool. Also, when working, I highly recommend that

00:02:48.340 --> 00:02:50.320
you use two different tools.

00:02:50.320 --> 00:02:54.540
Looking at the tool, we can see that data is being ripped off this hive.

00:02:54.540 --> 00:02:59.440
Let's wait until this finishes, as it shouldn't take too much longer.

00:02:59.440 --> 00:03:01.180
Everything is now done.

00:03:01.180 --> 00:03:04.120
Let's go ahead and close this.

00:03:04.120 --> 00:03:08.640
Now, let's open the log report, which shows everything that was done.

00:03:08.640 --> 00:03:10.340
We can see that there were some errors.

00:03:10.340 --> 00:03:12.820
We won't go through those right now.

00:03:12.820 --> 00:03:16.480
And here, we have the report.

00:03:16.480 --> 00:03:22.120
As we scroll through, we see what has been done on the AppCache.

00:03:22.120 --> 00:03:34.660
We also have the crash audit fail and its details.

00:03:34.660 --> 00:03:38.180
As an example, let's perform a search.

00:03:38.180 --> 00:03:40.000
We could search for shutdown.

00:03:40.000 --> 00:03:44.220
If we look to the left, we can see clear page file at shutdown here, and

00:03:44.220 --> 00:03:45.820
it is set to zero.

00:03:45.820 --> 00:03:49.000
We also saw this in Registry Explorer.

00:03:49.000 --> 00:03:54.060
Actually, let's look for computer name.

00:03:54.060 --> 00:04:00.800
And, as you can see here, we found the computer name details.

00:04:00.800 --> 00:04:05.100
So, as you can see, RegRipper is an easy-to-use tool that provides a very

00:04:05.100 --> 00:04:08.260
detailed report with lots of useful information.

00:04:08.260 --> 00:04:20.240
Like here, we see information on USB stores.

00:04:20.240 --> 00:04:23.840
We'll come back to this when we start analyzing USBs.

00:04:23.840 --> 00:04:27.400
I highly recommend that you use this tool as it's one of the best in the

00:04:27.400 --> 00:04:31.660
digital forensics community.

00:04:31.660 --> 00:04:36.860
And, this concludes our video lesson on registry analysis using RegRipper.

00:04:36.860 --> 00:04:37.700
Thanks for joining us.