Volatility and a Python Implementation of RegRipper
As many of you have probably noticed, one of the things that was missing from the 1.4 development branch was the RegRipper integration. Almost two years ago, Moyix created a prototype which allowed Volatility users to leverage the capabilities of RegRipper for analyzing the Registry hives cached in physical memory. While we have spent countless hours entertaining ourselves by digging through Jesse K’s memory samples to extract interesting artifacts (passwords, access points he was connecting to, documents that were being written, etc.), it was always a “bit of hackery” since it relied on “Inline::Python” to manage the “unholy union of Perl and Python”. Unfortunately, “Inline::Python” could only be used on Linux and thus proved to be the wrong solution for 1.4. While I have heard numerous people yearn for a Python version of RegRipper, no one had stepped up to take on that challenge, until now.
The intrepid lg recently announced that he had created a prototype Python port of RegRipper as a Volatility plugin, RegList. For all of those seeking Python registry analysis, this is your opportunity to contribute to the community and provide feedback. I’m sure lg would appreciate the help!
Volatility continues to be the first and only tool to support cached registry analysis, and I’m not talking about simply enumerating registry handles (circa 2007). It has also proven to be the only tool that real memory analysts use, not to mention commercial imitators (grep -i -r “Volatility” email).
Shoutz to lg! Thanks for the Vol-loV:
<quote>
“The Volatility developers did a great job with their re-architecture of the already extremely useful Volatility memory forensics tool. And there’s a new plugin to go with it …
Major changes include:
* Volatility now supports multiple flavours of Windows.
* The code was rewritten to greatly speed up processing of memory dumps.
* The developers included comprehensive documentation covering all aspects of the tool: installation / use / development / architecture.
* Installation is much simpler.
What is not covered in the Volatility documentation is explained clearly in the last 4 chapters of Malware Analyst’s Cookbook, Michael Hale Ligh et al., Wiley 2011. A must-read if you are serious about forensics in general and Volatility in particular.
</quote>