Thoughts on Tool Features

I posted the poll because when I asked a vendor for their thoughts, the response was, “…none of our users have asked for it.” Another vendor responded with:

From a user perspective, some of the feedback from the poll, as well as from other conversations and exchanges, indicates that some users feel that vendors should take charge of providing “needed” functionality without being asked. 

This really seems like two diametrically opposed views on the subject, with the vendor side saying, “we rely on our users to tell us their needs”, and the users saying, “we rely on our vendors to guide our investigations.”

In 2020, I presented at OSDFCon on effectively using RegRipper. On pg 3 of the linked PDF, in the second slide, there are several thoughts I had regarding possible useful updates to RegRipper, including adding MITRE ATT&CK mapping, Analysis Tips, and reference URLs to the plugin output. I did not receive any feedback to this presentation, either during or following the presentation itself. No, “hey, this is a great idea!”, and no, “OMG, this is the dumbest thing I’ve ever heard.” However, I felt that these were things that I would find useful in the tool, and since other analysts didn’t seem to be interested, I set about creating my own internal repo of RegRipper v4.0, or “Pro”. This has become the tool I use, update, and continue to develop. In fact, earlier this year, I started in the first steps of creating plugins with JSON output, starting with the appcompatcache.pl plugin.

Back around 2007, I started developing what became RegRipper because none of the tools I had access to at the time, either commercial or free, provided the capability I needed for the work I was doing and the process I was developing. I opted to create a tool in the model of Nessus (i.e., plugins) so that I could easily update the tool without completely rewriting it. I developed the tool so that I could run individual plugins, or “profiles”, which are designated groups of plugins that can be run in support of a playbook. I later added the ability to run all available plugins as it seemed to be how most folks were wanting to use the tool anyway.

The idea of “profiles”, while I thought it would be an incredible capability, never caught on. You could run “profiles”, or analysis playbooks based on file access, USB device usage, etc. I know that there are commercial tools out there that have these capabilities, but what RegRipper provided me was the ability not only to pick and choose, but to also update the tool with new plugins, new capabilities and functionality, with minimal turn-around time. I’ve had a few instances over the years where folks have reached out and asked for assistance, provided test data, and I’ve been able to turn around a working plugin in under an hour.

This is what I wanted for the community…for folks using the tool to find something they hadn’t seen before, something new, and add to the tool. Unfortunately, that really never caught on, and to some extent, now I know why.

The question becomes, where do you stand? Do you think that vendors providing commercial forensic suites should drive investigations based on the features they provide, or should analysts and investigators be the ones who drive their investigations, and look for the right tool, or correct too usage?