The four corners of the Apple v FBI encryption debacle

The four corners of the Apple v FBI encryption debacle

If only the FBI had picked a case where the issue was clear cut…that would make this encryption issue so much easier.

  1. The FBI doesn’t want Apple to simply “unlock” the phone.

Apple (and just about every other high tech company) has been unlocking devices and allowing access to data for law enforcement for decades.  That’s not the issue here.  The FBI wants the encryption to be broken. They want software to be rewritten or written that compromises security features. That’s a lot different than just unlocking a device.  That request breaks security.  Worse yet, it sets a precedent.  Law enforcement knows about precedent setting laws. Sometimes it is good, but sometimes it is not.

  1. It’s not the end of the world if encryption is broken.

Our lights will still turn on. Cars will still run.  Kids will still be able to go to school.  However, online payment systems will be as protected as a wet paper bag, secure communications will be as secure as Windows 3.1, and anything you send electronically is fair game to hackers (and government).  But don’t worry. If encryption is banned or broken, there will still be those able to use encryption (hint: one is government and the other is not law-abiding citizens).

  1. “Terrorist will Go Dark” is the best marketing ever created by government. 

The only time terrorists are not operating in the dark is when they use social media in the open, print terrorism training manuals (which are then posted online), and killing people in the open.  Plus, they still have to drive, fly, walk, eat, sleep, talk, go to the doctor, read a book, watch TV, and surf the Internet.  Terrorist and criminals have all the faults of ‘regular’ folks like complacency, laziness, incompetence, and bad luck when they plan and commit terrorist acts.  I've published two books on catching criminals (and terrorists) with online and forensic investigations.  You can put both books in the hands of a terrorist and the methods to find and catch them will still work.  "Going dark"? If a criminal or terrorist can do all the things needed to carry out their devious plans in encrypted emails ONLY, their plans are going to stink.  Planning an attack or conspiring to commit a crime requires way more than sending encrypted emails.  Working undercover in criminal organizations did teach me a thing or two in how it really works and how they really think and plan.

  1. You have nothing to hide, so what’s the big deal?

The government claims that since you cannot build a house that is impenetrable, you should not have use of encryption that can’t be broken.  Well..if I could make my home impenetrable, you bet I would. If I could buy a safe that was unbreakable, I would.  They just don’t exist.  It’s not that I have anything illegal to hide in a safe, but I don’t want anyone to steal what I have.  It’s not that I have anything top secret in an email, but I just don’t want strangers reading what I am sending to a friend, or to a business colleague.  The point is NOT having something to hide, but rather, NOT hanging my underwear in the front yard on a clothesline for anyone to see or steal (that is, if they wanted to steal my undies…).

And of course, if Apple loses, or bows down to government pressure, I can think of at least one less customer who will buy a "secure" device from Apple since the definition of "secure" will change to "that which you can't break, but hackers and government can". 

1721 Hits

Dude, just write the book.

Dude, just write the book.

I had a discussion with a peer of mine about writing a book, in that my peer has been thinking of writing a book but never gets around to doing it.  After about two years of listening to how he should write his book, my response was “Dude, stop talking about it and write the darn book.”

His book idea is a nonfiction technical book and is about **secret topic** (of course I’m not leaking the topic or title!).  He is an expert, or at least knows a heckuv a lot more about the topic than I do.  I would buy the book tomorrow.  I even said that if he had written this book when he first told me about it, we’d be talking about the next edition and I would have already bought the first edition.  "Dude, you’re two years and two editions behind now!”

Which brings me to my point. Years ago, I said the same thing.  “Hey, I think I could write a book.” I said it a few people and one of the guys told me, “Dude, just write the darn book.” And so I did.  Three times already. Started a fourth. Plans for a fifth.  All from one person telling me to stop talking about it and write the book.  I took the suggestion to heart because he had already published several books himself. Thanks HC.

Fair warning: It’s not easy.

If you can get a contract, you’ll have deadlines to meet, standards to keep up, and demands placed on you by the publisher. Worse yet, if you don’t have a contract and want to self-publish, you have to place those same demands on yourself.

So now you know the secret. Just write the darn thing.


1115 Hits

Let's not go all Patriot Act on this Apple - FBI encryption thing.

Let's not go all  Patriot Act on this Apple - FBI encryption thing.

I’ve been involved in about a half dozen conversations, three different email threads, and twice as many emails with friends and clients about this Apple – FBI encryption issue.   It seems to be a divided opinion with no compromise, at least as far as I can see.


FBI's Fight With Apple Over Encryption May Erode European Trust in US - Newsweek Sat, 20 Feb 2016 19:24:00 GMT

NewsweekFBI's Fight With Apple Over Encryption May Erode European Trust in USNewsweekMax Schrems, the Austrian who brought the Safe Harbor case to the European Court of Justice and won, tells Newsweek that the FBI's possible victory over Apple isn't too concerning to Europeans because it is a targeted access to data—not the pre ...and moreᅠ»

Read more ...

Here is my opinion: “Let Apple develop their software as they see fit for business and consumer demand, as long as their actions do not violate law.” 

That means that I am in agreement with Apple choosing to not decrypt a dead terrorist's phone. I am not a pro-terrorist or pro-criminal person. In fact, in my previous law enforcement career, I arrested more criminals personally than the rest of my 100+ officer department did…combined.  Not once did I have to break the law, bend the law, or misinterpret the law to make any of my cases in patrol or as a detective. Not once did I ask for any leniency or looking the other way ‘just this one time’ to make a case or to gather evidence. Not once. Ever.

So for any law enforcement agency asking ‘just this once’ to do something does not mean ‘just this one time’. It means, “just this one time until we ask again.”  Technical issues aside, whether or not Apple can unlock the phone or just doesn’t want to unlock the phone, the bigger question is why should they?  If a landlord refuses to give a key to a residence that SWAT has a search warrant for, SWAT will just boot the door. They can't force the landlord to give up the key.  I know this analogy is weak in the key area since you can't break unbreakable encryption, but the concept holds true. You can't force the landlord to give up the key unless the key is some how evidence.

Yes, yes, yes, I know this is a terrorist case. I’ve been involved in terrorism cases before  and exactly know how important these cases are (as I have also investigated murders..they are also important). I have seen quite enough to know how important it is to catch pedophiles, murderers, and terrorists. None should be on the street.  But that doesn’t mean taking shortcuts, bypassing Constitutional Rights, or asking a corporation to bend the rules a little to make a case.  Investigators can do this in Hollywood films, but not in real life.  

And yes, I have had cases where evidence was so little that probable cause to arrest didn’t exist. But such is life in the USA. Get PC (probable cause) and make the case or go back to square one.

After 9/11 and we panicked as a country to capture every terrorist responsible, the PATRIOT Act was typed, printed, signed, sealed, delivered, and implemented in 60 seconds flat. I was a federal task force officer at the time the PATRIOT when into effect. I have never seen such authority given to federal law enforcement in such short order without hardly a concern by the citizens the PATRIOT Act targeted (as in, it targets everyone's communications).  We do not need to continue along the lines of granting more authority to do what can already be done under the authority that already exists which is restricted to protect individual rights.  I’ve seen it misused before and it ain’t pretty. It's wrong.

As far as encryption goes, when any encryption is broken or perceived to broken, no one should use it. When TrueCrypt was reported to be flawed, it practically died, as it should.  Broken encryption is like a wet paper bag. It looks like it will hold your groceries until you actually put groceries in it.

Former NSA Chief Michael Hayden Sides With Apple, Though Admits 'No Encryption Is Unbreakable' - Billboard Thu, 18 Feb 2016 15:38:22 GMT

The Week MagazineFormer NSA Chief Michael Hayden Sides With Apple, Though Admits 'No Encryption Is Unbreakable'BillboardTim Cook's opinion that Apple should not develop a way to hack into the encrypted phone belonging to one of the San Bernardino shooters has earned an endorsement from an unlikely source, though it comes with a big "but." Michael Hayden, the former NSAᅠ...Ex-NSA, CIA chief Michael Hayden sides with Apple in FBI iPhone encryption fightThe Week MagazineFormer Director of CIA and N ...

Read more ...

As for me, any software provider (or secure device provider) that tries to sell me encryption that is so good that no one, including the NSA, can get into it, they better mean it. A disclaimer of, “well, sometimes we might let the FBI access our encryption” means that I am going somewhere else. I have nothing to hide, but I also am not going to cut a hole in my bedroom wall for anyone to peer in and look whenever they want.

For those who fall back on the ‘if you have nothing to hide, you have nothing to worry about’, I fully support your beliefs in waiving your protections. After all, I have given Miranda warnings more times that I can remember and I always asked the suspects if they wanted to waive their rights. Most said yes. It’s their right to waive their rights.  But for me, I’m not waiving anything and I’m not in agreement that the choice to waive or exercise my rights can be taken away because a case agent can’t get enough evidence without resorting to bending the rules ‘just this one time’.

I mean, really. Would you buy a safe to hold your most prized and valuable possessions  knowing that a master key exists? That's like trusting the safe in your hotel closet....

1721 Hits

Apple. Oranges. And Encryption.

Apple. Oranges. And Encryption.

One of the hottest topics currently is the FBI vs Apple battle over encryption, in that the FBI wants Apple to rewrite their operating system in order for law enforcement to bypass Apple’s encryption.  The arguments on both sides are strong. Law enforcement must have the ability to bypass encryption in the name of national security.  Conversely, consumers (in the USA at least) are afforded protections in the Constitution against unreasonable search and seizure.  The third part of this argument is security and safety of ALL electronic data.  If the legal argument stands that encryption is outlawed, that puts all data at risk of being compromised by criminals, disgruntled employees, and lackadaisical custodians of data.

Apple Fights Order to Unlock San Bernardino Gunman's iPhone - New York Times Thu, 18 Feb 2016 02:59:37 GMT

New York TimesApple Fights Order to Unlock San Bernardino Gunman's iPhoneNew York TimesApple executives had hoped to resolve the impasse without having to rewrite their own encryption software. They were frustrated that the Justice Department had aired its demand in public, according to an industry executive with knowledge of the case ...Google's CEO just sided with Apple in the encryption debateThe VergeOn Apple, the FBI, encryption, and why you should be worriedVentureBeatApple, The FBI And iP ...

Read more ...

Encryption does not explicitly have to be banned to outlaw encryption. Once a legal requirement of encryption having backdoors is created, encryption is effectively outlawed.

But I’m not writing about the legalities of encryption, nor the Constitutional protections of being secure in your home and possessions. There are many others debating those issues.  I’m writing about the practical law enforcement investigative efforts with encryption being a small sliver of the topic.  By the way, much of the 'encryption protections' marketed by providers such as Apple is pure marketing...access already exists in many instances.


Apple can read your iMessages despite them being encrypted - SC Magazine Wed, 27 Jan 2016 16:30:40 GMT

SC MagazineApple can read your iMessages despite them being encryptedSC MagazineDespite Apple taking a pro-encryption stance, with its CEO Tim Cook insisting that iMessages are safely encrypted, it turns out that if users backup data using iCloud Backup, they need to be aware that although Apple stores the backup in encrypted form ...

Read more ...

For example, law enforcement receives an abundance of training on an annual and ongoing basis for an entire career. This training covers everything from blood borne pathogens to the application of deadly force.  Investigators receive so much training in how to conduct investigations that range from a broad overview of criminal investigations to specific courses on blood spatter patterns, that any investigator can probably be considered an expert in their respective fields. I stopped counting my formal training hours after it went well over 2,000 hours.  That’s 2,000 hours of formalized, in the classroom training. I’d guess I have close to 3,000 hours now.  Investigators know how to do an investigation and do not need to bend Constitional Rights to do an investigation. The ends do not justify the means.

So consider the amount of training law enforcement receives. Encryption is one small sliver.  It is so small that investigators don’t even take training in it unless they are dedicated digital forensic analysts.  Encryption is such a small concern in most cases that encrypted files are many times ignored in the investigations simply because there is so much more overwhelming evidence to make the case that fighting with an encrypted file or system isn’t worth the effort without knowing how long it will take to crack it (if ever).

And that is my point, or at least one of my points.

To be fair, I am not discounting the importance that encrypted files and systems can give to an investigation.  But at the same time, I personally know of cases were suspects have purposely created thousands of encrypted files on storage media that contained meaningless data for the sole purpose of making an investigator’s job difficult.

My point is that investigators have such an array of investigative tools that they do not need to dip into areas where a person’s possessions and papers are no longer secure.  Although television’s CSI typically exaggerates the tools and capabilities available, there are some neat things that do some neat stuff that you can’t buy off the shelf at Radio Shack.  To the extent the government wants backdoors in encryption, they may as well as for a masterkey for every safe made...just in case they can't force open a safe. Would you ever purchase a safe knowing that someone (or many people) have a master key to your safe?

In the area of providing backdoors in encrypted devices, I am on the edge of saying that if anything, this leans in the area of laziness.  I have seen only ONE case where the only evidence was on one laptop which was encrypted.  All other evidence was circumstantial and would have made a difficult trial. That laptop, to this day and my knowledge, sits encrypted in evidence after years collecting dust. The suspect walked away, no charges. Highly frustrating.  

But that was the only case that I am personally aware.  I don’t know how many more are similar, but my guess is that the ratio is about the same.  But even if there were dozens of cases, I do not believe that waiving personal protections is worth those cases. In those cases, investigators need to do more work to find evidence NOT stored in the device.  Yes, that means getting out of the office. 

Not that I disagree with the ‘easy way’, but I do believe that some things must be done the ‘hard way’. That is just the way it is.  I started in law enforcement before the Internet took off for the average consumer and I left law enforcement when the Internet became what it is today.  I have seen investigators sit at their computers on a daily basis and leaving the office usually meant grabbing a cup of coffee at Starbucks.  Long term surveillance became a thing of the past for many.  Surveillance sometimes was not even on some investigators’ mind at all!  The entire tradition of being a gumshoe detective has been lost on so many.  About the only thing to get some detectives out of the office was the promise of overtime.

Back to the encryption issue. First, be prepared for analogy after analogy about how we should (and should not) have back doors in encryption.  Remember, any backdoor requirement negates the encryption, as in, it will no longer be encryption when anyone can have the key to access it. Analogies don’t always work well, but they are already being used to argue for (or against) backdoors.  Probably the best analogy in this encryption issue is that the government is simply asking you to give them a key to the backdoor of your home, and they are asking you to trust they will only use it when and if they need it. That completely negates the security of your home. 

Second, be prepared to hear that terrorists will not be found and criminals will go free.  Well, that is true, always has been, and always will be.  The government is restrained by the Constitution.  But even with the restraints, you have no idea of the absolute power a search warrant gives law enforcement until you have held one in your hands, forced your way into a person’s abode, and looked into every nook and cranny with unfettered access. To say law enforcement needs more power than that is to say we don’t need protections against unreasonable searches and seizures.

I have also read comments where people have said, “I have nothing to hide, go ahead and look at what you want.” I totally support that argument. Anyone can waive their individual rights whenever they want. I’ve read Miranda Warnings more times than I can count and asked every person if they wanted to waive their rights. Most did.  I wouldn't.  Speaking of Miranda warnings, when the warnings were required to be given (if the suspect was in custody and being questioned), I can imagine the investigators crying over how cases will never be solved because we are telling criminals to not talk. Well...that didn't pan out.  They still talk and will always talk and always confess.  Some never will, regardless if they are given Miranda warnings, but the point remains that investigators must, and do, work within legal limits.

Where I diverge on a person waiving their rights is where everyone must be forced to waive their rights by having all their electronic devices and data accessible by law enforcement.  Again, once there is cause (probably cause), law enforcement can get pretty much anything they want, from kicking down a door to seizing all the funds in a bank account.  If technology eventually allows access into highly encrypted files, then they can have that too.  You don't have to open your door for the police, but if they have a warrant (or other authority, such as exigent circumstances), they will open the door.

As much as I would hate to see Apple close its doors, I would hope that if they lose the encryption battle, Apple simply shuts down in protest.  Consumers are already suspicious of companies that have covertly cooperated, without warrants, to capture and analyze data, and snoop everyone’s phone calls regardless if any individual was suspected of a crime. It’s not that you don’t have something to hide, you just don’t want someone from the government watching you in your home through a compromised webcam to make sure you aren’t doing something wrong.

The last point to make is that banning encryption is like banning anything. It doesn’t work. Banning something only makes new criminals out of non-criminals, allows criminals the only people to possess the banned things, and creates a black market.  If guns are banned, criminals will still have guns. Citizens who refuse to turn in their guns…they become criminals.  And guns will still be available on the black market. This is the same for encryption.  It will still be available and still used by criminals and terrorists. The only people who won’t use encryption (or who agree to allow backdoors) are those who wouldn’t be using it illegally anyway.

I feel for any investigator fighting an encrypted device for file (been there, done it, still doing it).  But a backdoor will not fix the problem. If Apple folds like a cheap card table and builds a backdoor, guess who won’t be using Apple products…criminals and terrorists… They will find something else, which leaves everyone else using an Apple product to know the security has been compromised.  The problem is not solved, it is multiplied.

I’m not bashing law enforcement, but I am saying to them that rather than trying to make laws and force private companies to do their bidding, get out of the office and work. Follow suspects around. Dig through garbage in trash runs.  Interview witnesses.  Develop informants.  Work undercover. Build cases. You don’t need 100% into everything from your desktop to build a case.

As far as the criminals and terrorists go…it does not matter how much they know about the limitations and extent of authority law enforcement has, because a good investigator can make a good case on any criminal or terrorist. I mean it.  There is not a criminal alive that can remain at large if a good investigator puts a case on him (or her). Encryption? So what.  Find evidence elsewhere, because if the only evidence you have is an encrypted device or file, you really don’t have much of a case. Dig and you will find.


1203 Hits

Books written by practitioners are many times better than those written by those who 'never done it'

Books written by practitioners are many times better than those written by those who 'never done it'

Many of Syngress published books I’ve read are those written by people simply writing about how they do their job…while they are doing their job.   They are probably not writing while they are physically doing their work, but you know what I mean.

With my first book, Placing the Suspect Behind the Keyboard, I was consulting on a criminal cyber harassment case, two arson cases, and several civil litigation projects. In three of the cases during writing the book, the main goal was identifying users behind the keyboard (in one case, behind a mobile device).  In addition to doing what I knew from my law enforcement detective days, I conferred with experts for tips and tricks on tracking Internet users.  I was writing the book while doing the work.

My current book, Hiding the Behind the Keyboard, was virtually the same, however, this time with a co-author (John Bair). While writing the book, there were multiple interruptions of having to do work in the real-world outside of typing and testing theories. While John was working homicides and examining mobile devices in those cases, I was consulting on employee matters where unidentified employees were creating havoc with their company by being anonymous online. It is one thing to create a perfect scenario to test a theory and quite another to have actual evidence on an active case.  Again, this was another book of authors writing what they do on a daily basis.

I write about this only because I remind myself regularly of college courses I have taken in digital forensics where the required books not only cost an arm and a leg, but were written by academia, not active practitioners.  I’ve even taken a computer forensics course from a community college where the professor had not done one forensic exam…not a single one.  The professor did not even know how to connect a hardware write-blocker to a hard drive. I kid you not.  

I’m not a Syngress employee, but I do like their books. The cost may seem high for some of the books, but it is still about half the price of a college text in the same subject matter.  But the biggest difference is how the books read. I so much prefer reading a book that simply says, “This is how you do it in the real world”. I do not prefer books that speak in terms of an idealized theory.  Reminds me of my Field Training Officers in patrol telling me to forget what I learned at the academy because they were going to teach me what works on the street, in real life.  The best thing I like about the Syngress books is that I can read what the experts are using day-to-day in their own words.

And year after year, I check to see the new titles that come out and hope that Syngress changes their book covers from the previous year.  This year, there are more than a few titles that I have already pre-ordered and will have on hand for the next conference to have signed by the authors.  The cover design change was probably a bit overdue, but glad it has changed.

The discounts are nice too when you have more than a few books you want to buy...



1045 Hits

Bio-hacked humans and digital forensic issues...

Bio-hacked humans and digital forensic issues...

If you thought The Grudge was the scariest thing you’ve seen on screen, you must have not yet watched Showtime’s ‘The Dark Net’.  In short, the series show how humans are procreating less and merging digitally into technology with bio-hacks. That makes for a bad combination on a few different levels.

Without getting into non-techical issues (such as moral, ethical, or legal), I have a technical question: How the heck are we going to going to do a forensic analysis of a bio-hacked…human?

Before the human race ends up looking like robots, we are already in the era of implanting electronic data devices in our bodies.  Check out to find how you too can jab an injection device into your hand and shoot a RFID under your skin…all by doing it yourself. As for me, I don't think I'll be joining in that movement anytime soon.

RFID ( tags store data. Data such as medical, financial, personal, or any type of information can be stored on a RFID tag, although the amount is quite limited currently (2-10 kilobytes?).  That's not much data, but depending on the content, it may be more than enough to cause a war or bankrupt a company.

But even at that low amount of storage, it can raise suspicions in theft of intellectual property, trade secrets, or national security information.  Imagine the use of implanted RFID chips by criminals, terrorists, and corporate spies to exfiltrate and transport sensitive data.  Just when you thought the MicroSD cards presented a threat because of their small sizes, the RFID is even an even bigger problem.  We can find a USB since we can see it. RFID chips implanted under the skin…not so easy.


Now back to my first question of how we will be doing forensic analysis on a bio-hacked human. When the time arrives where humans are embedded with multiple types of technology and devices, where and how do we start the data acquisition process?   Depending on how much technology is embedded, where it is embedded, and what it is connected to, forensic imaging takes on a whole new world.  

And what if the person (or man-machine cyborg…) doesn’t want to be forensically analyzed? 


Maybe for imaging software, we can try Robocopy (looks like the software is already here….).










1705 Hits

Tech Talk Can Get You Lost in Lingo

Tech Talk Can Get You Lost in Lingo

    Every career and academic field has its own “lingo” to the extent that a conversation buried deep in lingo sounds like a foreign language. I have experienced military lingo, law enforcement lingo, and technical lingo in my life to the point that I practically dream in acronyms, speak with words not recognized by Webster’s Dictionary, and instantly recognize the glazed-over look when speaking to an non-native lingo listener.

                The reasons for individualized lingo range from the coolness factor such “oh dark thirty”  in order to express time as ‘really damn early’ to efficiency such as using “HMMWV” instead of saying “High Mobility Multi-purpose Wheeled Vehicle”.  Many acronyms are spoken as works when gives an added effect of the listener not having a clue of what you are talking about.  For example, “I’m going to pick up a hum-v” means “I’m going to pick up a high mobility multipurpose wheeled vehicle”. Even in law enforcement, the acronyms can irritate the most patient listener if they are not in the club.


                There are two situations where lingo can get you killed, or at least make you feel like you are getting killed. One is in court. The other in your writing.

                Getting killed in court by lingo as a witness is painful. In fact, I’ve seen witnesses get physically ill as if the roach coach burrito eaten at lunch has suddenly reached its final destination in all its glory. Getting beat up on the stand by an attorney or judge is so unpleasant, that time actually slows to a stop and you wonder why you even got up that morning. Using lingo on the stand can give you a bad case of ‘why did I say that?” when being cross examined.

                I talk about lingo today, because I recently experienced one of the best cases of using lingo in all the wrong ways in a federal district court.  I gave my testimony first as the defense expert in a class action lawsuit, and spoke as simply as I could to make sure the judge understood what I intended to say. Then the opposing expert was called. One of the attorneys asked her a question, she answered, but her answer was not only complicated, it was complex, full of lingo, and I even felt a sway of arrogance. I barely understood what she said and took notes to make sure I got correct what she said.


                Then the beating started. The judge asked her to repeat her answer. She did. Then the judge asked her the same question by rephrasing it and asked for a better explaination. The expert answered again but it sounded even more complex. After three more tries with increasing tension and the judge telling the witness that she does not understand the answer, the judge turned to me at the back of the courtroom and said, “Can you tell me what she is trying to say?”

                That is when I knew this cross country trip for court was worth the trip. I translated the opposing expert’s answer, the judge understood it, and the opposing expert said I was correct.  Boom. Lingo killed that day, but luckily it didn’t kill me.

                The other place where lingo can kill is in writing. I’ve written more police reports and affidavits for search warrants than I could ever count and the one thing I learned is to keep lingo out unless it is pertinent, relevant, and understandable. Jurors don’t get lingo and much of what they hear in the movies is incorrect or misused. Judges don’t like it either.  Don’t be the only person in the room that understands what you are saying…

In fiction books where computer technology is a key element or theme, using lingo without explanation is like using a foreign language to frustrate a reader. I say this because I just read an unnamed book that when I read it, I had to really slow down my reading in order to understand what was being described. I don’t like reading slow...which means I won’t finish reading it if I don’t have to.

It is one thing to use a technical term in a sentence, but there comes a point that when the majority of words in a sentence are acronyms and “words” not found in a dictionary, the reader becomes lost and frustrated. That’s not good. It’s not good for reports, testimony, or fiction writing. Nonfiction technical writing is a little different since generally, the reader of a technical writing is a technical person.  For those types of writing, give the definition once and move on since the audience is a technical reader audience. In the other types, even though you give the definition once, the reader/listener is going to forget by the time the uncommon word or acronym is used again. So be sparse in the lingo unless it really matters or that it is used so often, your reader won’t be frustrated trying to figure out what it means.

I’ve given a few talks of putting ‘cybercrime’ into writing for fiction authors who are not computer experts.  Some of the talk is showing what forensics look like (hint: it’s not like what you see in James Bond…) as well as how to use technical terms without turning off the reader or sounding like you don’t know what you are talking about. For me, when I read, I just want to read without having to say to myself, “Excuse me, that’s not how Tor works…”.

Remember, lingo kills.

2223 Hits

What is this thing "privacy" you speak of?

What is this thing "privacy" you speak of?


I luckily missed being born into the Internet generation.  Facebook creeped me out with the amount of information demanded to create an account.  It took me all of 1 minute to create an account, 5 minutes to decide to delete it, and then two hours to figure out how. That was years ago and I still receive email reminders from Facebook to re-join with all my information still in the deleted  account, as if I never deleted it. If you ever wondered what Mark Zuckerberg thought of Facebook users, you may want to take a look... 

Perhaps a decade of working undercover has made me ultra-paranoid on personal information. At the time of doing UC work, I had little concern of sitting in an illegal business, having dinner with an organized crime figure and having one of his goons run me through Google, because there was no Google when I first started. That changed before I left the narc world and an undercover friend of mine was identified with Internet searches (while he was in the midst of a group of bad guys). If I was still doing undercover work, I'd no longer be doing undercover work. Thanks Google...

I can imagine that being born into the Internet age means never knowing what privacy is, nor have any concern about it all. Kids are literally texting in grade school, Facebooking in middle school, and blogging by high school.  Every generation now willfully gives up every aspect of their lives on social media and to buy some gadget online.

So when I see that the majority of people could care less about their most intimate and private details of their lives, it gives me pause. If you don’t think your Internet searches and web browsing is intimate, take a look at your web history and tell me that you don’t have some secrets in what you look at that you wouldn’t want anyone else to know about you. Health, wealth, and interests. How much more intimate can you get?

Despair at the Number of Americans Who Choose Security over Liberty, Privacy - Reason (blog) Thu, 31 Dec 2015 17:41:15 GMT

Reason (blog)Despair at the Number of Americans Who Choose Security over Liberty, PrivacyReason (blog)According to a new, frustrating poll, a majority of Americans in both the major parties appears to support warrantless government surveillance of Am ...

Read more ...


I’m not sure if people just don’t care the government watches and logs their Internet activity or if they just don’t know that they have a right to be secure in their homes, papers, and possessions. Either way, the result is the same. Privacy no more, and like the arrow flown, you can’t get the data back.

I can say that there are government organizations that actually take issue with privacy, one for example: Public Libraries. I’ve had criminal investigations where I needed information about a library patron for serious felonies. Not only were librarians willing to throw down with me to fight giving it to me, but I was promptly kicked out and told to get a warrant (which I did every time).  The library in the county where I live takes privacy seriously (KCLS). No security cameras anywhere. Not inside the library. Not in the parking lots. Nothing recorded. Patrons can use Tor if they bring it on a CD or flashdrive to plug into public use computers. The WiFi is free, no login required, no tracking of the users. 

For this, I say libraries may be the last bastion of personal privacy protection, but then again, I have no idea how many national security letters have been handed out to librarians

Certainly the day is close where privacy no longer exists in any manner. Already, if you ever applied for a security clearance, foreign governments have your application and probably your fingerprints too.

China says OPM breach was the work of criminal hackers - Engadget Thu, 03 Dec 2015 04:59:00 GMT

EngadgetChina says OPM breach was the work of criminal hackersEngadgetChina says the massive security breaches at the US Office of Personnel Management (OPM) that exposed the personal information of more than 21.5 million US government employees, con ...

Read more ...

I can say with experience, the Internet is great for investigators. Finding suspects has never been easier. In fact, finding an entire life history of a suspect takes on a whole new meaning with Facebook and every other type of social networking account.  Heck, they list their associates too. How much easier can it get? Criminals are people too, and they put as much personal information online as everyone else. Take the Dark Web as one example.  The Silk Road creator took massive steps to hide his identity, but an IRS agent identifed him with Google searches...

The Tax Sleuth Who Took Down a Drug Lord - New York Times Fri, 25 Dec 2015 17:48:14 GMT

New York TimesThe Tax Sleuth Who Took Down a Drug Lord New York Times It was Mr. Alford's supervisors at the I.R.S. who assigned him in February 2013 to a D.E.A. task force working the Silk Road case. The Strike Force, as it was known, had so far had l ...

Read more ...

My only concern with personal privacy evaporating like dry ice in the summer is that criminals also have an easier time of finding enough personal information to do damage to anyone, whether as ID theft, stalking, or worse.  It's bad enough that there are several levels of government agencies tracking everyone (including you), and that the criminals are using the same methods, but we also have the foreign governments doing it too.

Probably the best thing that can happen to the Internet is that it breaks...but then again, how will students find answers to their homework if they can't access Wikipedia? Can you imagine telling your kids to go to the library? The horror!

1587 Hits

The best part of writing a book is finishing the book.

The best part of writing a book is finishing the book.

I choose the title of my latest book (Hiding Behind the Keyboard) to be provocative, although the book may not completely be what you would expect if you think that it is a manual to hide yourself on the Internet. Being from Syngress, this is technically a technical book in that it discusses how to uncover covert communications using forensic analysis and traditional investigative methods.

The targeted audience is those charged with finding the secret (and sometimes encrypted) communications of criminals and terrorists.  Whether the communications are conducted through e-mail, chat, forums, or electronic dead drops, there are methods to find the communications to identify and prevent crimes.

For the investigators, before you get uptight that the book gives away secrets, keep in mind that no matter how many “secrets” are known by criminals or terrorists, you can still catch them using the same methods regardless of how much effort criminals put into not getting caught.

As one example, one of the cases I had years ago as a narcotic detective was an anonymous complaint of a large, indoor marijuana grow operation.  Two plainclothes detectives and I knocked on the door and politely asked for consent to search the home for a marijuana grow.  I told the owner that he didn’t have to give consent, or let us in, and could refuse consent at any time.  He gave consent and we found hundreds of marijuana plants growing in the house.  The point of this story was that on a table near the front door, was a book on how to grow marijuana that was opened to the page that said “when the cops come to your door for consent, say NO!”.  He had the book that advised not to do what he did anyway.

The point being, even when knowing how to commit crimes, criminals are still caught and terrorist plots are still stopped. The more important aspect is that investigators need to know as much as they can and this requires training, education, and books like Placing the Suspect Behind the Keyboard and Hiding Behind the Keyboard.

I had help with this book with early reviews, suggestions, recommendations, and co-authoring.  Most of what is in the book, I’ve done or helped others do. Some things work sometimes, other things work other times, and nothing works all the time. But having a toolbox to choose from gives you choices of methods that can fit individual cases.

As a side note, many of the methods can work in civil litigation depending upon cooperation and legal authority. For example, use of the Tor browser in a corporate espionage or employee IP theft case can make a huge difference in the direction a forensic analysis takes.

For anyone going to Las Vegas for the Enfuse conference, I’ll be presenting on this book and look forward to meeting you there (please say hi).

You can order Hiding Behind the Keyboard here:

1585 Hits



The short story-if you want RegRipper, get it from GitHub (don't download it from anywhere else)


What is RegRipper?

RegRipper was created and maintained by Harlan Carvey.  RegRipper, written in Perl, is the fastest, easiest, and best tool for registry analysis in forensics examinations.  RegRipper has been downloaded over 5000 times and used by examiners everywhere.

How can you make it better?

If you want RegRipper to be better, you can help by first sending in registry hives with specific information of what you need RegRipper to do with that hive to Harlan Carvey.  Is it a P2P application of interest?  Or USB devices? Or…?

What is the RegRipper?
RegRipper is *not*…it’s not a Registry Viewer.  An examiner would not open a Registry hive file in RegRipper to “look around”.

Further, RegRipper is NOT intended for use with live hive files.  Hive files need to be extracted from a case (or from a live system using FTK Imager…), or accessible via a tool such as Mount Image Pro or F-Response.

RegRipper is a Windows Registry data extraction and correlation tool. RegRipper uses plugins (similar to Nessus) to access specific Registry hive files in order to access and extract specific keys, values, and data, and does so by bypassing the Win32API.

How does RegRipper work?
RegRipper uses James McFarlane’s Parse::Win32Registry module to access a Windows Registry hive file in an object-oriented manner, bypassing the Win32API.  This module is used to locate and access Registry key nodes within the hive file, as well as value nodes and their data.  When accessing a key node, the LastWrite time is retrieved, parsed and translated into something the examiner can understand.  Data is retrieved in much the same manner…if necessary, the plugin that retrieves the data will also perform translation of that data into something readable.

Who should/can use RegRipper?
Anyone who wants to perform Windows Registry hive file analysis.  This tool is specifically intended for Windows 2000, XP, and 2003 hive files (there has been limited testing on Vista/Win2K8 hive files…everything has worked fine so far…).

How do I use RegRipper?
Simply launch rr.exe.  Also, please be sure to read the RegRipper documentation.

Do I have to install anything to use the RegRipper?
Nope, not a thing.  RegRipper ships as an EXE file, able to run on Windows systems.  All you need to do is extract the EXE and DLL in the same directory. The source file ( is also included, as are the plugins.

Further, RegRipper doesn’t make any changes to your analysis system…no Registry entries are made, nor are any files installed in odd, out-of-the-way locations.




RipXP uses all of the same plugins available with RegRipper, so simply extract the files in this archive into the same directory with RegRipper (rr.exe) and rip (rip.exe).

1. Using your tool-of-choice (I use FTK Imager), open the image and extract the hive files you’re interested in from the system32\config directory, as well as from user profile(s), into a directory (ie, D:\cases\case001\xp\config).

2. Using that same tool, within the image navigate to the directory where the Restore Point directories are located (usually C:\System Volume Information\{GUID}\). Extract all of the RP* directories into a directory on your analysis system (ie, D:\cases\case001\xp\restore).

3. To see the options used by RipXP, simply type:

RipXP allows you to run one plugin across a designated hive file, and all corresponding hive files in the Restore Point directories.

C:\ripXP>ripxp -r d:\case\config\ntuser.dat -d d:\case\restore -p userassist


RegRipper is an open source tool, written in Perl, for extracting/parsing information (keys, values, data) from the Registry and presenting it for analysis.

RegRipper consists of two basic tools, both of which provide similar capability. TheRegRipper GUI allows the analyst to select a hive to parse, an output file for the results, and a profile (list of plugins) to run against the hive. When the analyst launches the tool against the hive, the results go to the file that the analyst designated. If the analyst chooses to parse the System hive, they might also choose to send the results to system.txt. The GUI tool will also create a log of it’s activity in the same directory as the output file, using the same file name but using the .log extension (i.e., if the output is written to system.txt, the log will be written to system.log).

RegRipper also includes a command line (CLI) tool called rip. Rip can be pointed against to a hive and can run either a profile (a list of plugins) or an individual plugin against that hive, with the results being sent to STDOUT. Rip can be included in batch files, using the redirection operators to send the output to a file. Rip does not write a log of it’s activity.

RegRipper is similar to tools such as Nessus, in that the application itself is simply an engine that runs plugins. The plugins are individual Perl scripts that each perform a specific function. Plugins can locate specific keys, and list all subkeys, as well as values and data, or they can locate specific values. Plugins are extremely valuable in the sense that they can be written to parse data in a manner that is useful to individual analysts.

Note: Plugins also serve as a means of retaining corporate knowledge, in that an analyst finds something, creates a plugin, and adds that plugin to a repository that other analysts can access. When the plugin is shared, this has the effect of being a force multiplier, in that all analysts know have access to the knowledge and experience of one analyst. In addition, plugins remain long after analysts leave an organization, allowing for retention of knowledge.

The use and function of RegRipper is discussed in great detail in the book, Windows Registry Forensics.

How do I..

…install RegRipper?

Go to the download site for RegRipper and get the archive that contains the most recent version of RegRipper (in this case, Extract the archive into a directory on your system, such as “C:\rr”.

Next get the latest plugin archive, based on the date of the archive, and extract everything in the archive into “C:\rr\plugins”.

That’s it…you’re done. Either launch rr.exe (the GUI) or run rip.exe (CLI) from the command prompt.

…get a list of all plugins?

This is actually pretty straight-forward. To list all of the plugins in the \plugins folder, simply open a command prompt, navigate to the folder where you installed RegRipper, and type:

rip -l

Another way to see what plugins are available is to launch the Plugin Browser (pb.exe), and navigate through the list of plugins, one at a time. In order to get a .csv listing of the available plugins, use this command:

rip -l -c > plugins.csv

You can then open the resulting file in Excel.

In order to get just a listing of plugins available for a particular hive file (in this case, the Software hive), type:

rip -l -c | find ",Software" /i

Does RegRipper do…?

Perhaps one of the biggest misconceptions regarding the RegRipper plugins is whether or not it does specific things; that is, does it check for specific values, parse specific data, or enumerate the contents of specific keys? This isn’t the right question to ask.

From the beginning, RegRipper plugins have been created and updated based on needs. Some needs are relatively easy to meet, due to the availability of data; most Windows systems have a ‘Run’ key. Other plugins have been created/modified due to unique circumstances based on analysis; finding something new or unusual during an examination will very often result in a new plugin, or an update to an existing plugin.

Of those currently writing plugins, it appears that few have encountered systems on which the P2P application Ares has been installed and used. As such, the plugin may be somewhat limited and not meet the complete needs of a specific examiner working on a specific case.

In short, the power of RegRipper is in the plugins, and for this to be a truly powerful tool, it depends on examiners sharing their needs and data before hand, rather than asking, “Does it do…?” after the fact.

If you have any suggestions, recommendations, or questions about RegRipper, just ask Harlan.  Don't be afraid. Don't post all over the Internet that RegRipper doesn't do what you thought it would or is defective.  Ask Harlan.

This email address is being protected from spambots. You need JavaScript enabled to view it.



Auto-Start Extensibility Points (ASEPs) checked by RegRipper's plug-ins


Run Keys

Software Hive Run keys

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run

• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

• HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce

• HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce

• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

• HKLM\Software\ Microsoft\Windows\CurrentVersion\RunServices

• HKLM\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

• soft_run plugin

NTUSER.DAT Hive Run keys

• HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Run

• HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

• HKCU\Software\Microsoft\Windows\CurrentVersion\Run

• HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

• HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Runonce

• HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Terminal Server\Install\Software\Microsoft\Windows\CurrentVersion\Run

• HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices

• HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServicesOnce

• HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run

• HKCU\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run

• HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows

o Run and Load values

• user_run plugin

System Services

• HKLM\System\CurrentControlSet\Services

o services plugin (list services by last write times)

o svcdll plugin (list services with ServiceDLL values)

o svc plugin to (list services and drivers by last write times)

o svc_plus plugin (short format with warnings for type mismatches)

o svc2 plugin (csv output)

• Legacy registry keys located at HKLM\System\CurrentControlSet\Enum Root

o legacy plugin

Software Registry Hive ASEPs

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit

o winlogon plugin

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

o winlogon plugin

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman

o winlogon plugin

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\System

o winlogon plugin

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify

o winlogon plugin

• HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

o winlogon plugin

• HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components

o installedcomp plugin

• HKLM\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components

o installedcomp plugin

• HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

o shellexec plugin

• HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks

o shellexec plugin

• HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

o bho plugin

• HKLM\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects

o bho plugin

• HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32

o drivers32 plugin

• HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32

o drivers32 plugin

• HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

o imagefile plugin

• HKLM\Software\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Image File Execution Options

o imagefile plugin

• HKLM\SOFTWARE\Classes\Exefile\Shell\Open\Command\(Default)

o cmd_shell plugin

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls

o appinitdlls and init_dlls plugins

• HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\Appinit_Dlls

o appinitdlls plugins

• HKLM\SOFTWARE\Microsoft\SchedulingAgent

o schedagent plugin

• HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved

o shellext plugin

• HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost

o svchost plugin

System Registry Hive ASEPs

• HKLM\System\CurrentControlSet\Control\Session Manager\AppCertDlls

o appcertdlls plugin

• HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SecurityProviders

o securityproviders plugin

• HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages

o lsa_packages plugin

• HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages

o lsa_packages plugin

• HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Security Packages

o lsa_packages plugin

• HKLM\SYSTEM\ControlSet00.$current.\Control\Session Manager\CWDIllegalInDllSearch

o dllsearch plugin

• HKLM\SYSTEM\ControlSet00.$current.\Control\SafeBoot

o safeboot plugin

NTUSER.DAT Registry Hive ASEPs

• HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell

o winlogon_u plugin

• HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load

o load plugin

• HKCU\Software\Microsoft\Command Processor\Autorun

o cmdproc plugin

UsrClass.dat Registry Hive ASEPs

• HKCU\Classes\Exefile\Shell\Open\Command\(Default)

o cmd_shell_u plugin

This section presents and discusses a list of artifact categories, as they relate to the RegRipper tools and plugins. As they are defined or described (see below), each of these categories applies specifically to artifacts found within the Windows Registry.

Many of the available Registry artifacts persist beyond file and program deletion, providing indications of system or user activity that occurred in the past.

Many artifacts can and may fall within multiple categories. For example, the File Access category by extension indicates Program Execution.

Multiple categories of artifacts can be used in analysis though the use of an analysis matrix.

Categories are identified within plugins as part of the configuration hash (%config) provided as part of the plugin. The use of categories in this manner does not obviate the use of profiles within RegRipper; instead, it enhances that capability.

Note: This should be considered to be a living document, subject to update and modification.

Category Definitions

What follows are some of the categories that have been identified, along with descriptions of each of the categories.

Where applicable, examples of available RegRipper plugins are provided.

OS Info

Basic OS information, such as version, installation date, install source path, time zone information, etc.

Example plugins:,

User Account Info

Basic user account information.

Example plugins:,

Network Configuration

Artifacts associated with the network configuration of the system.

Example plugins:,


Registry artifacts associated with the autostart of applications and programs (those programs/applications that are launched with no interaction from the user or system).

This category can overlap with and include some of the same artifacts as those from the Program Execution category.

Example plugins:,

Program Execution

Artifacts that relate to or indicate that programs were executed.

Example plugins:,,,,

Installed Programs

Installed Programs artifacts differ from Program Execution artifacts, in that many applications/programs are installed on a Windows system via a setup.exe file, or via an MSI file. As such, the program itself has artifacts in the Software hive, and then user-specific artifacts "live" in the user's NTUSER.DAT hive.

An example of this includes Adobe Reader; the Software hive will contain information about the system-wide application configuration, while the NTUSER.DAT hives will indicate not only which user(s) launched the application, but also maintain an MRU list of files that the user accessed.

Note: A program or application can be installed, but may not have been executed.

Example plugins:

Storage Information

This category pertains to the usage of or access to storage media, including (but not limited to) USB devices, network shares, "cloud" storage, etc.

Example plugins:

Log Info

This category pertains to artifacts related to the configuration of log files on the system, which can include Windows Event Logs, as well as application specific logs.

Example plugins:


This category pertains to artifacts that specifically provide indications of malware infection or activity. This category differs from the AutoStart category, in that legitimate applications can make use of AutoStart artifacts. In many instances, the AutoStarts or Program Execution categories can be used to extract general information (i.e., contents of the Run key, etc.) that the analyst can review, plugins in the Malware category can be used to look for specific artifacts related to a variety of specific malware samples, or related to malware families.

Examples of a malware specific artifacts include:

  • Variants of Zeus have been known to add "sdra64.exe" to the UserInit Registry value
  • OSVerion

Example plugins:,

File Access

This category pertains to files that a user has accessed, which is most often through the use of a specific application. As such, artifacts within this category will indicate Program Execution (or usage), but the purpose of this category is to provide indications of files that a user specifically had access to, via downloading, or through creation or modification.

Example plugins:,


This category can be a subset of the Installed Programs and Program Execution categories, and is specific to programs/applications intended for off-system communications. While the Program Execution category may be used to look for indications of the use of ftp.exe or chat programs, this category is intended for communication application-specific artifacts.

Example plugins:

Analysis Matrix

The above listed categories can be used in an analysis matrix; several categories of artifacts may be used in specific types of analysis activities.

The following table is a notional analysis matrix, and is intended to serve as a starting point for both discussion and analysis:

  Malware Detection Data Exfil Unauth Use Illicit Images
Program Execution X     X
Malware X     X
File Access   X   X
Storage Info   X   X
Comms X X    


Tool Architecture  

RegRipper is actually a suite of tools that all rely on a core set of functionality.

Helper Functions

The main user interface (UI) tools for RegRipper (ie, the RegRipper GUI and the rip CLI tools) provide a number of functions to the plugins. These functions are included in a separate .pl file, and are accessed by the UI code via the require pragma (allows the code to be loaded at run-time). This allows for the following:

  • The one set of code is available to the UI tools in a uniform manner.
  • The helper function code can updated and made available without requiring the tools themselves to be completely recompiled.
  • The code is completely transparent; anyone can open the helper files and see what the code is doing.

Note: In order to make the code portable and usable by the widest range of users, any modules required to use the helper functions (ie, Time::Local) will be compiled into the UI.


This secton is about how time is treated on Windows systems, as well as the various time formats found on Windows systems.


Time in recorded in a number of formats on Windows systems. Even though MS maintains a page that discusses time formats, there are other formats available, as well.

Unix Time

Unix epoch time - yes, there are time values recorded on Windows systems in the 32-bit Unix epoch time format, which is the number of seconds since midnight UTC, 1 Jan 1970.

This time format has a granularity of 1 second.

This time format is found in Windows XP/2003 Event Log records, as well as some Registry value data.

To convert this time format to something readable, use the built-in gmtime() function.


DOSDateTime - Date and time format encoded in two 16-bit values. Used as part of the shell item format specification, described by Joachim Metz. Shell item ID lists appear in the Shell\BagsMRU Registry values, as well as part of the MS-SHLLINK binary format for Windows shortcut files.

This time format has a granularity of 2 seconds.

Python code for translating the DOSDateTime values into something readable can be found as part of the libforensics package.

Perl code (note: requires the Time::Local module to translate to a Unix epoch time):

sub convertDOSDate {
  my $date = shift;
  my $time = shift;
  if ($date == 0x00 || $time == 0x00){
    return 0;
  else {
    my $sec = ($time & 0x1f) * 2;
    $sec = "0".$sec if (length($sec) == 1);
    my $min = ($time & 0x7e0) >> 5;
    $min = "0".$min if (length($min) == 1);
    my $hr  = ($time & 0xF800) >> 11;
    $hr = "0".$hr if (length($hr) == 1);
    my $day = ($date & 0x1f);
    $day = "0".$day if (length($day) == 1);
    my $mon = ($date & 0x1e0) >> 5;
    $mon = "0".$mon if (length($mon) == 1);
    my $yr  = (($date & 0xfe00) >> 9) + 1980;
    return "$yr-$mon-$day $hr:$min:$sec";
#   return gmtime(timegm($sec,$min,$hr,$day,($mon - 1),$yr));


UUID - Windows systems maintain volume GUIDs, particularly those associated with volumes beneath the MountedDevices and MountPoints2 keys, in UUIDv1 format. Part of this format specification includes a 60-bit time value, which indicates the number of 100-nanosecond intervals since 15 Oct 1582 (this date is described in the RFC as the date of Gregorian reform to the Christian calendar).

This time format has a granularity of 100 nanoseconds.

Note: This format also includes a "node" value, which for several of the volume GUIDs is a MAC address that was available on the Windows system at the time that the GUID was generated.


FILETIME - A 64-bit time value representing the number of 100-nanosecond intervals since midnight UTC, 1 Jan 1601. Used pervasively throughout Windows systems, and can be found:

  • $STANDARD_INFORMATION and $FILE_NAME attributes within MFT records
  • Registry key properties
  • Registry value data

This time format has a granularity of 100 nanoseconds.

Perl code for translating a FILETIME object into a Unix epoch time (borrowed from Andreas Schuster):

# getTime()
# Translate FILETIME object (2 DWORDS) to Unix time, to be passed
# to gmtime() or localtime()
sub getTime($$) {
  my $lo = shift;
  my $hi = shift;
  my $t;

  if ($lo == 0 && $hi == 0) {
    $t = 0;
  } else {
    $lo -= 0xd53e8000;
    $hi -= 0x019db1de;
    $t = int($hi*429.4967296 + $lo/1e7);
  $t = 0 if ($t < 0);
  return $t;


SYSTEMTIME - 128-bit format, and according to MS, "The time is either in coordinated universal time (UTC) or local time, depending on the function that is being called." This time format is used in a number of artifacts on Windows systems, including (but not limited to) in XP Scheduled Task/.job files, as well as in value data beneath the Vista/Win7 NetworkList key (within the Software hive).

It is important to note that this value can be stored in the Registry in either UTC or localtime format. Beneath the NetworkList key, for example, the value is stored in localtime format.

This time format has a granularity of 1 millisecond.

Example Perl code to parse this date format appears as follows:

sub parseDate128 {
  my $date = $_[0];
  my @months = ("Jan","Feb","Mar","Apr","May","Jun","Jul",
  my @days = ("Sun","Mon","Tue","Wed","Thu","Fri","Sat");
  my ($yr,$mon,$dow,$dom,$hr,$min,$sec,$ms) = unpack("v*",$date);
  $hr = "0".$hr if ($hr < 10);
  $min = "0".$min if ($min < 10);
  $sec = "0".$sec if ($sec < 10);
  my $str = $days[$dow]." ".$months[$mon - 1]." ".$dom."
     ".$hr.":".$min.":".$sec." ".$yr;
  return $str;


Strings - Date and time values may be stored in Registry value data in string format; ie, "2011-06-07" or "1/2/2011". This is often found in Registry values in specific applications.

To convert data stored in this format to a Unix epoch time, parse the strings and use the Time::Local module to convert the information.

File System Tunneling

MS KB172190 describes file system tunneling, which can have a significant impact on your analysis.


MS KB299648: Description of NTFS date and time stamps

MS: File Times

MS KB188768: Working with the FILETIME structure

MS: SYSTEMTIME structure

MS: DosDateTimetoFileTime function

Software Sleuthing: DateTime formats and conversions

Old New Thing Blog: DateTime formats and conversions


MS KB 813711 describes what actions cause data to be added to the Shell Bags values.

The structure of shell items is very important to understand, as these structures are used in multiple locations on Windows systems, not just in the Shell BagMRU subkeys within the Registry. For example, the structures are used in the shell item ID list section in Windows shortcut LNK files, as well as within the LNK streams in .automaticDestinations-ms Jump List files on Windows 7. These structures are also used within the data of values beneath the OpenSavePidlMRU keys within the Windows 7 NTUSER.DAT hives (full path is "HKU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSavePidlMRU").

As such, being able to recognize and parse these structures is essential to being able to fully understand the data that you're looking at, and what it's telling you.


The Variable type (type == 0x00) data structures can contain a variety of information, in various formats. One of the data structures, in particular, can be seen (when viewed in hex) to contain "1SPS" in several places. If the data is broken up, using "1SPS" as a separator (ie, via Perl's split() function), the first 16 bytes of each section appears to be a GUID.

One GUID in particular appears as follows:

{B725F130-47EF-101A-A5F1-02608C9EEBAC} - Ref: Schema (Windows)

Apparently, this GUID applies to both desktop and Metro-style (Win8) apps, and is referred to as both a SHCOLUMNID and a PROPERTYKEY structure. The contents of the subsection of data that begins with this GUID can be further parsed using a distinct set of rules.


MS: Canonical Names of Control Panel Items

MS: Known Folder GUIDs

MS: KnownFolderID


Joachim Metz's Windows Shell Item format specification paper (PDF), part of Registry Decoder (written by Kevin Moore)

Willi Ballenthin's Windows Shellbag Forensics


The purpose of adding alerts (or an alerting function, via alertMsg()) is to provide a facility for identifying items of interest (from previous analyses) within the vast wealth of data available within a Windows system, and in particular the Registry. This allows an analyst to identify "low-hanging fruit" that may be of value to an examination.

This page will serve as a facility for collaboration amongst the admins of this site, to add, revise, and hone the information alerted on within various plugins.


Many plugins provide path information that can be searched via grep() for specific indicators of suspicious or malicious activity:

  • - also, added Beth S.'s checks from to the plugin

Note: To avoid issues with case sensitivity, process the path through the lc() function first, and then grep for the lower-case string of interest.


Below are some paths to check for:

  • Recycle
  • GlobalRoot
  • System Volume Information
  • App + Data (gets "Application Data", and "AppData")
  • Temp
  • ADSs - split() the path, check the final element for a colon

Example Code:

my @vals = ("Recycle","GLOBALROOT","System Volume Information", "Temp",
  "Application Data","AppData");

foreach my $v (@vals) {
  ::alertMsg("ALERT: ".$v." found in path: ".$_) if (grep(/lc($v)/,lc($_));

Example ADS Check:

my @vals = split(/\\/,$_);

my $int = scalar(@vals) - 1;

::alertMsg("ALERT: Possible ADS found: ".$_) if (grep(/:/,$vals[$int]));

Other Checks


  • - generate an alert if the value is NOT blank
  • - generate an alert if a Debugger value is found
  • - generate an alert based on MS KB 883260
  • - generate several alerts; UserInit value with multiple entries, 'TaskMan', 'System, 'load' or 'run' values found, etc.

Checking for Encryption


  • MountedDevices key - check value data for "TrueCryptVolume"; access to a TrueCrypt volume often results in a volume GUID within the MountedDevices key that includes "TrueCryptVolumeN" in the data (with N being a volume letter)
14743 Hits