RegRipper
Harlan Carvey
Create a Place for Regripper
Get RegRipper
http://code.google.com/p/winforensicaanalysis
Setup Regripper
• Unpack the zip file
• Move all to the root of the regripper directory
• Update the plugins form
• http://code.google.com/p/regripperplugins/
• Test drive
RegRipper Interface
Create a Case Folder
Get Your Hive Files
C:\Windows\System32\Config - Get ‘em all.
Save in your case folder
There they are
RegRipper
• Frame work for extracting and displaying
specific info from hive files
• Permits the tailoring of registry reports
• Enables the writing of plugins
• The contents of the “plugins” file determines
which and in what order the plugins are
executed
Plugins File
RegRipper Interface
Which hive file will be analyzed
Where to put the report
Which Plugins file to use
Example
Output
Command Line exe