Not long ago, some exchanges and conversations led me to do something I’d never done before: post a poll on LinkedIn. These conversations had to do with whether or not analysts and practitioners within the industry felt there was an adequate value proposition to incorporate RegRipper into a commercial forensic suite. No conditions, no specific goals or outcomes, just “is this something that makes sense?” As you can see from the poll, the responses (the few that there are) are pretty much 4:1 in favor of the idea.
I posted the poll because when I asked a vendor for their thoughts, the response was, “…none of our users have asked for it.” Another vendor responded with:
…we need to focus on two things – what customers tell us they want (preferably things that are both powerful and unique), and what helps us in significant ways in our own casework.
There have been times we go pretty far out on a limb in terms of functionality we think people will want, and no one gives a shit.
From a user perspective, some of the feedback from the poll, as well as from other conversations and exchanges, indicates that some users feel that vendors should take charge of providing “needed” functionality without being asked.
This really seems like two diametrically opposed views on the subject, with the vendor side saying, “we rely on our users to tell us their needs”, and the users saying, “we rely on our vendors to guide our investigations.”
In 2020, I presented at OSDFCon on effectively using RegRipper. On pg 3 of the linked PDF, in the second slide, there are several thoughts I had regarding possible useful updates to RegRipper, including adding MITRE ATT&CK mapping, Analysis Tips, and reference URLs to the plugin output. I did not receive any feedback on this presentation, either during or following the presentation itself. No “hey, this is a great idea!”, and no “OMG, this is the dumbest thing I’ve ever hea
[…]
This article has been indexed from Windows Incident Response