
RegRipper

RegRipper is a CLI tool for performing forensic analysis of Windows Registry hives. It extracts, translates, and displays data and metadata using Perl plugins.

Description

RegRipper’s CLI tool can be used to surgically extract, translate, and display information (both data and metadata) from Registry-formatted files via plugins in the form of Perl scripts. It allows the analyst to select a hive file to parse and either a single plugin or a profile, which is a list of plugins to run against the given hive. The results go to STDOUT and can be redirected to a file.

The tool performs forensic analysis of Registry hives, parsing Windows Registry files using either a single plugin or a profile. It checks whether the hive is dirty (has unflushed transaction-log data) but does not automatically process the transaction logs; to apply them first, use yarp + registryFlush.py or rla.exe from Eric Zimmerman.

All output goes to STDOUT; use redirection (i.e., > or >>) to write it to a file.

How It Works

RegRipper parses Windows Registry hive files using Perl plugins or profiles. It extracts data and metadata via surgically targeted plugins, can guess the hive type, check whether a hive is dirty, and run hive-specific or TLN (timeline) plugins automatically. Output goes to STDOUT for redirection. It does not auto-process transaction logs.

Installation

    sudo apt install regripper

Flags

-r [hive]      Registry hive file to parse
-d             Check to see if the hive is dirty
-g             Guess the hive file type
-a             Automatically run hive-specific plugins
-aT            Automatically run hive-specific TLN plugins
-f [profile]   Use the profile
-p [plugin]    Use the plugin
-l             List all plugins

Examples

Display help and usage information for the tool:
    regripper -h

Parse the system hive using the system profile:
    rip -r c:\case\system -f system

Parse the ntuser.dat hive using the userassist plugin:
    rip -r c:\case\ntuser.dat -p userassist

Parse the ntuser.dat hive and automatically run hive-specific plugins:
    rip -r c:\case\ntuser.dat -a

List all plugins:
    rip -l -c

Guess the hive file type and parse:
    regripper -r hivefile -g

Check if the hive is dirty before parsing:
    regripper -r hivefile -d
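Since the page describes plugins only as "Perl scripts", here is a minimal one as an added example (not one of RegRipper's own plugins) showing the interface rip.pl expects from a plugin: a %config hash whose hive entry drives -a/-aT, and a pluginmain that reports through ::rptMsg. The plugin name runlist, the version value and the choice of the user's Run key are illustrative; it assumes the file is saved as runlist.pl in RegRipper's plugins directory (on Kali assumed to be /usr/share/regripper/plugins), after which `rip -r c:\case\ntuser.dat -p runlist` runs it.

```perl
package runlist;
# runlist.pl - added example plugin, not part of RegRipper's plugin set.
# Lists the values under the user's Run key together with the key's
# LastWrite time. %config tells rip.pl which hive type the plugin belongs
# to (used by -a / -aT); pluginmain does the work and reports via ::rptMsg,
# which rip.pl writes to STDOUT.
use strict;
use Parse::Win32Registry;   # the registry parser bundled with RegRipper

my %config = (hive          => "NTUSER\.DAT",   # same convention as shipped plugins
              hasShortDescr => 1,
              hasDescr      => 0,
              hasRefs       => 0,
              osmask        => 22,
              version       => 20260416);       # illustrative date-style version

sub getConfig     { return %config; }
sub getShortDescr { return "List values in the user's Run key with LastWrite time"; }
sub getDescr      { }
sub getRefs       { }
sub getHive       { return $config{hive}; }
sub getVersion    { return $config{version}; }

sub pluginmain {
    my $class = shift;
    my $hive  = shift;          # path given to rip with -r
    ::logMsg("Launching runlist v." . $config{version});
    ::rptMsg("runlist v." . $config{version});

    my $reg      = Parse::Win32Registry->new($hive);
    my $root_key = $reg->get_root_key;
    my $key_path = 'Software\Microsoft\Windows\CurrentVersion\Run';

    my $key = $root_key->get_subkey($key_path);
    unless ($key) {
        ::rptMsg($key_path . " not found.");
        return;
    }
    ::rptMsg($key_path);
    # get_timestamp returns the key's LastWrite time as a Unix epoch value
    ::rptMsg("LastWrite Time " . gmtime($key->get_timestamp()) . " (UTC)");

    my @vals = $key->get_list_of_values();
    if (@vals) {
        foreach my $v (@vals) {
            ::rptMsg(sprintf "  %-24s %s", $v->get_name(), $v->get_data());
        }
    } else {
        ::rptMsg("  (no values)");
    }
}
1;
```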
Updated 2026-04-16, kali.org