RegRipper: Windows Registry Data Extractor & Co-Relator

by Black on June 30, 2009 · 0 comments

in Forensics, Open Source, Reverse Engineering, Security tools, Windows

The Windows Registry is an important part of any forensic analysis of a Windows machine. So, when you have a hive that has been extracted from a machine using EnCase or similar software, RegRipper is THE software you need to perform your forensics.

RegRipper is a Windows Registry data extraction tool. It also co-relates all the information it finds while scanning. It completely bypasses the Win32 API when accessing registry hives. How does it do that? It makes use of James McFarlane's Parse::Win32Registry module, which parses the raw hive file format to locate and access Registry key nodes, value nodes and their data. Because no live registry is touched, an offline hive copied from an image can be examined on any analysis workstation. RegRipper also has support for plugins. It is an open source application. It works with Windows 2000, Windows XP, Windows 2003 & Windows Vista. It is user friendly since it provides a GUI for extracting specific information from a Registry hive file, defined through the use of plugins. The extracted information is printed to a text-based report file so that you can easily include it in your reports as per your requirements.

A simple screen shot of RegRipper follows:

[screenshot of RegRipper]

RegRipper will extract information about recently accessed files, applications, etc. from the MRU lists, along with timestamp information from the Registry keys. Some of the plugins included in the package are:
logonusername.pl
acmru.pl
runmru.pl
typedurls.pl
userassist.pl

They perform the functions their names suggest. The output from each of these plugins is printed to the report file. You decide which plugins are run and in what order.
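To show what a plugin like runmru.pl does under the hood, here is an added example (not RegRipper's own code) that uses the same Parse::Win32Registry module the post describes to pull the RunMRU list out of an offline NTUSER.DAT hive and print it in most-recently-used order together with the key's LastWrite time. The hive path taken from the command line and the RunMRU key path are assumptions of this example; the "letter values plus MRUList" layout is how Explorer stores the list.

```perl
#!/usr/bin/perl
# Added example, not part of RegRipper: list Start > Run history (RunMRU) from an
# offline NTUSER.DAT hive using Parse::Win32Registry, without touching the Win32 API.
use strict;
use warnings;
use Parse::Win32Registry;

# Assumption: the hive file (e.g. NTUSER.DAT copied out of a forensic image)
# is given as the first command-line argument.
my $hive_file = shift @ARGV or die "usage: $0 <path to NTUSER.DAT>\n";

# Parse::Win32Registry reads the raw hive format itself, so this runs on
# any analysis workstation, not only on Windows.
my $registry = Parse::Win32Registry->new($hive_file)
    or die "Could not open '$hive_file' as a registry hive\n";
my $root_key = $registry->get_root_key
    or die "Could not read the root key of '$hive_file'\n";

# RunMRU records what was typed into Start > Run. Each entry is stored as a
# single-letter value ('a', 'b', ...); the 'MRUList' value holds those letters
# in most-recently-used order. The path is relative to the hive's root key.
my $mru_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU';
my $key = $root_key->get_subkey($mru_path);
if (!defined $key) {
    print "RunMRU key not found in this hive.\n";
    exit 0;
}

# The key's LastWrite time is the only timestamp available here: it tells you
# when the list last changed, not when each individual command was run.
printf "%s\nLastWrite time: %s\n\n", $key->get_path, $key->get_timestamp_as_string;

# Collect the lettered entries, dropping the "\1" suffix Explorer appends.
my %entry;
for my $value ($key->get_list_of_values) {
    my $name = $value->get_name;
    next if $name eq 'MRUList';
    my $data = $value->get_data;
    next unless defined $data;
    $data =~ s/\\1$//;
    $entry{$name} = $data;
}

# Order the entries by MRUList; fall back to alphabetical if it is missing.
my @order;
my $mrulist_value = $key->get_value('MRUList');
if (defined $mrulist_value) {
    @order = split //, $mrulist_value->get_data;
} else {
    @order = sort keys %entry;
}

my $rank = 1;
for my $letter (@order) {
    next unless exists $entry{$letter};   # ignore letters with no matching value
    printf "%2d. %s -> %s\n", $rank++, $letter, $entry{$letter};
}
```

Run it as `perl runmru_example.pl /path/to/NTUSER.DAT` on a hive copied from the image; because the parser never opens the live registry, the evidence hive is only ever read, never modified.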

All this information can be obtained in greater detail here. You can also download this Perl program here.
