The Windows Registry forms an important part of any forensic analysis of a Windows machine. So, when you have a hive that has been extracted from a machine using EnCase or similar software, RegRipper is THE tool you need to perform your forensics.
RegRipper is a Windows Registry data extraction tool. It also correlates all the information it finds while scanning. It bypasses the Win32 API entirely when accessing registry hives. How does it do that? It makes use of James McFarlane's Parse::Win32Registry module, which is used to locate and access Registry key nodes within the hive file, as well as value nodes and their data. It also has support for plugins. It is an open source application. It works with Windows 2000, Windows XP, Windows 2003 and Windows Vista. It is user friendly, since it provides a GUI for extracting specific information from a Registry hive file, as defined by plugins. The extracted information is written to a text-based report file so that you can easily include it in your own reports as required.
A simple screen shot of RegRipper follows:

RegRipper will extract information about recently accessed files, applications, etc. from the MRU lists, along with timestamp information from the Registry keys. Some of the plugins included in the package are:
logonusername.pl
acmru.pl
runmru.pl
typedurls.pl
userassist.pl
Each plugin does what its name suggests. The output from each of these plugins is written to the report file. You decide which plugins to run and in what order.
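To show how a plugin reaches into a hive through Parse::Win32Registry instead of the Win32 API, here is an added stand-alone Perl script (written for this article, not RegRipper's own runmru.pl) that lists a user's RunMRU entries in most-recently-used order together with the key's LastWrite time. It assumes the module is installed from CPAN and that the path to an exported NTUSER.DAT is passed on the command line.

```perl
#!/usr/bin/perl
# Minimal RunMRU extractor built directly on Parse::Win32Registry.
# The hive file is parsed offline, so no Win32 API calls are involved.
use strict;
use warnings;
use Parse::Win32Registry;

# Assumed usage: perl runmru_dump.pl /path/to/NTUSER.DAT
my $hive = shift @ARGV or die "usage: $0 NTUSER.DAT\n";

my $registry = Parse::Win32Registry->new($hive)
    or die "'$hive' is not a recognised registry hive\n";
my $root_key = $registry->get_root_key;

# RunMRU lives in the user hive (NTUSER.DAT), not in SYSTEM or SOFTWARE.
my $key_path = 'Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU';
my $key = $root_key->get_subkey($key_path)
    or die "$key_path not found in this hive\n";

# The key's LastWrite time reflects the most recent change to its values.
print "$key_path\n";
print "LastWrite: ", $key->get_timestamp_as_string, "\n\n";

# Each command is stored in a single-letter value ("a", "b", ...) as REG_SZ
# data ending in "\1"; MRUList holds those letters, most recent first.
my $mru   = $key->get_value('MRUList');
my @order = $mru ? split(//, ($mru->get_data // '')) : ();

my %entries;
for my $value ($key->get_list_of_values) {
    my $name = $value->get_name;
    next if $name eq 'MRUList';
    (my $data = $value->get_data // '') =~ s/\\1$//;   # strip the trailing "\1"
    $entries{$name} = $data;
}

# Report in MRUList order first, then any values MRUList no longer references
# (these can survive a partial cleanup and are still worth recording).
my %seen;
for my $letter (@order) {
    next unless exists $entries{$letter};
    $seen{$letter} = 1;
    printf "%-3s %s\n", $letter, $entries{$letter};
}
for my $letter (sort keys %entries) {
    next if $seen{$letter};
    printf "%-3s %s  (not referenced in MRUList)\n", $letter, $entries{$letter};
}
```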
All this information can be obtained in greater detail here. You can also download this Perl program here.