
RegRipper: Ripping Registries With Ease

Harlan Carvey's RegRipper, available at http://code.google.com/p/regripper/, is a fantastic tool for getting data out of the registry quickly, whether you are doing incident response or forensics. In essence it produces reports based on pre-canned registry searches. All you need to do is give it the registry file you want to review, give it a location for the report, and select the type of registry file. Then push a button.

RegRipper uses plugins to extract information from the registry files. Each plugin is written to handle the data stored in the registry key it has been set up to review. For example, plugins will decode ROT-13 encoded data and translate binary data to ASCII.

RegRipper creates two files when it runs. The first is the report file, which contains the output of the plugins that were run against the registry file. The second is a log file containing the dates, times, the plugins that were run, and the number of errors that occurred in the plugins. The log file's name is the report file name minus the extension.

Here is a small excerpt from a system registry file:

ComputerName = testbox
----------------------------------------
ControlSet002\Control\Windows key, ShutdownTime value
ControlSet002\Control\Windows
LastWrite Time Mon Jan 19 23:03:52 2009 (UTC)
    ShutdownTime = Mon Jan 19 23:03:52 2009 (UTC)
----------------------------------------
ShutdownCount
ControlSet002\Control\Watchdog\Display
LastWrite Time Mon Jan 19 23:03:52 2009 (UTC)
    ShutdownCount = 218
----------------------------------------
TimeZoneInformation key
ControlSet002\Control\TimeZoneInformation
LastWrite Time Sun Nov  2 14:14:54 2008 (UTC)
    DaylightName   -> Eastern Daylight Time
    StandardName   -> Eastern Standard Time
    Bias           -> 300 (5 hours)
    ActiveTimeBias -> 300 (5 hours)
----------------------------------------
ControlSet002\Control\Terminal Server key, fDenyTSConnections value
LastWrite Time Fri Oct 24 20:53:51 2008 (UTC)
    fDenyTSConnections = 1
----------------------------------------

Notice that the output includes the last write times of the registry keys as well as the values under those keys. Keep in mind that all of the time stamps in the report file are in UTC.

Using RegRipper under Linux

Using it under Wine

Download Cygwin at: http://www.cygwin.com/

Installing Cygwin:

  1. wine setup.exe
    1. Select Perl to be installed.
  2. Now install.

After Cygwin is installed, you can start using RegRipper by unzipping the RegRipper download. Then start it with:

# wine rr.exe

Linux Version

There is also a Linux version available at Daniele Murrau's website: http://brainstretching.blogspot.com/2008/10/linux-e-regripper.html. Download is at: http://rapidshare.com/files/175773378/regripper_linux.tar.gz

To Install:

  1. Install Perl on your Linux system if it is not already installed.
    1. Install the Parse::Win32Registry module.

An example of running it:

# ./rip.pl -r /tmp/1registry/system -f system > /tmp/1registry/reports/system2.txt

The only problem I see with the Linux version is that the plugins will need to be updated from time to time by downloading the Windows version and copying them over to the Linux version.

EDITOR'S NOTE: RegRipper is installed on the latest version of the SIFT workstation by default.

Run from /usr/local/src/regripper
# perl rip.pl -r <HIVEFILE> -f <HIVETYPE>
[Useful Options]
-r Registry hive file to parse <HIVEFILE>
-f Use <HIVETYPE> (e.g. sam, security, software, system, ntuser)
-l List all plugins

EXAMPLE:

# cd /usr/local/src/regripper
# perl rip.pl -r /mnt/hack/casename/Windows/System32/config/SAM -f sam > /images/casename/SAM.txt

No need to download and install anything. It has also been added to SEC508: Computer Forensics, Investigation, and Response.
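As an added example (not part of RegRipper, the SIFT workstation, or the original post), the following Python wrapper builds the rip.pl command line shown above for every hive it recognises and writes each report to a separate file, so the log file rip.pl creates next to each report stays distinguishable per hive. The case paths under /mnt/hack/casename and /images/casename are the post's placeholders; HIVE_TYPES maps hive file names to the -f values listed above and is my assumption about which hives you want ripped.

```python
"""Plan and run rip.pl over a set of registry hives (added example, not RegRipper's own code).

Assumes only the invocation shown in the post: perl rip.pl -r <HIVEFILE> -f <HIVETYPE>,
run from the RegRipper directory. Paths below are placeholders for your own case.
"""
import os
import subprocess

# Hive file name (case-insensitive) -> value for rip.pl's -f option (assumed mapping).
HIVE_TYPES = {
    "sam": "sam",
    "security": "security",
    "software": "software",
    "system": "system",
    "ntuser.dat": "ntuser",
}

RIP_DIR = "/usr/local/src/regripper"  # where the post says rip.pl lives on SIFT


def hive_type_for(path):
    """Return the -f hive type for a file, or None if the name is not a known hive."""
    return HIVE_TYPES.get(os.path.basename(path).lower())


def report_name_for(path):
    """Report file name; NTUSER.DAT is prefixed with its profile directory to avoid collisions."""
    base = os.path.basename(path)
    if base.lower() == "ntuser.dat":
        profile = os.path.basename(os.path.dirname(path))
        return f"{profile}_{base}.txt"
    return f"{base}.txt"


def plan_rips(hive_paths, report_dir):
    """Build (argv, report_path) pairs for each recognised hive; unknown files are skipped."""
    plans = []
    for path in hive_paths:
        htype = hive_type_for(path)
        if htype is None:
            continue
        report = os.path.join(report_dir, report_name_for(path))
        argv = ["perl", "rip.pl", "-r", path, "-f", htype]
        plans.append((argv, report))
    return plans


def find_hives(config_dir):
    """List recognised hive files directly under a Windows\\System32\\config directory."""
    try:
        names = sorted(os.listdir(config_dir))
    except FileNotFoundError:
        return []
    return [os.path.join(config_dir, n) for n in names if hive_type_for(n)]


def run_rips(plans, rip_dir=RIP_DIR):
    """Execute each planned command from the RegRipper directory, stdout going to the report.

    Returns {report_path: exit_status}; anything rip.pl writes to stderr is echoed so
    plugin problems are not silently lost.
    """
    results = {}
    for argv, report in plans:
        os.makedirs(os.path.dirname(report), exist_ok=True)
        with open(report, "w") as out:
            proc = subprocess.run(argv, cwd=rip_dir, stdout=out,
                                  stderr=subprocess.PIPE, text=True)
        results[report] = proc.returncode
        if proc.stderr:
            print(f"{report}: rip.pl stderr: {proc.stderr.strip()}")
    return results


if __name__ == "__main__":
    # Placeholder case paths; substitute your mounted image and output directory.
    hives = find_hives("/mnt/hack/casename/Windows/System32/config")
    for argv, report in plan_rips(hives, "/images/casename/reports"):
        print(" ".join(argv), ">", report)
```

Run the script as-is to see the commands it would issue (a dry run); call run_rips(plan_rips(...)) on the SIFT workstation to actually produce the reports.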

Don't Forget Tool Testing

Lastly, as with any new tool, take the time to test it and make sure that you are getting accurate data. As a forensic examiner it is your responsibility to ensure that your tools produce accurate data.

Some questions you should be asking when checking the tool:

  1. How does the data in the reports compare to what is in the registry? Here we are checking that the data reported matches what is actually in the registry.
  2. Do other registry tools report different data? Again, checking the accuracy of the data between two different tools.
  3. If you plan on using the Wine or Linux version: do you get the same data whether you run it under Windows, under Linux with Wine, or natively on Linux?
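To support these checks, and the earlier note that every time stamp in a report is UTC, here is an added Python example (not from RegRipper or the original post). It parses the report layout shown in the system hive excerpt above into structured sections with aware UTC timestamps, then compares two reports value by value, which is exactly what question 3 asks for when the same hive is ripped under Windows, Wine and native Linux. REPORT_A is the excerpt from the post; REPORT_B is a constructed variant with one value altered and one section missing, standing in for a second run.

```python
"""Parse RegRipper report text and diff two reports (added example, not RegRipper's code).

Handles only the layout visible in the post's excerpt: sections separated by a line
of dashes, an optional key path line, a "LastWrite Time ... (UTC)" line, and value
lines written as "name = value" or "name -> value".
"""
import re
from datetime import datetime, timezone

# Sample input: the system hive excerpt quoted in the post.
REPORT_A = r"""ComputerName = testbox
----------------------------------------
ControlSet002\Control\Windows key, ShutdownTime value
ControlSet002\Control\Windows
LastWrite Time Mon Jan 19 23:03:52 2009 (UTC)
    ShutdownTime = Mon Jan 19 23:03:52 2009 (UTC)
----------------------------------------
ShutdownCount
ControlSet002\Control\Watchdog\Display
LastWrite Time Mon Jan 19 23:03:52 2009 (UTC)
    ShutdownCount = 218
----------------------------------------
TimeZoneInformation key
ControlSet002\Control\TimeZoneInformation
LastWrite Time Sun Nov  2 14:14:54 2008 (UTC)
    DaylightName   -> Eastern Daylight Time
    StandardName   -> Eastern Standard Time
    Bias           -> 300 (5 hours)
    ActiveTimeBias -> 300 (5 hours)
----------------------------------------
ControlSet002\Control\Terminal Server key, fDenyTSConnections value
LastWrite Time Fri Oct 24 20:53:51 2008 (UTC)
    fDenyTSConnections = 1
----------------------------------------
"""

# Constructed second report: same hive "ripped again", but ShutdownCount differs and
# the Terminal Server section is missing, as a divergent run or tool might produce.
REPORT_B = REPORT_A.replace("ShutdownCount = 218", "ShutdownCount = 217")
REPORT_B = REPORT_B[: REPORT_B.index("ControlSet002\\Control\\Terminal Server")]

SEPARATOR = re.compile(r"^-{10,}\s*$", re.M)
LASTWRITE = re.compile(r"^LastWrite Time (.+?) \(UTC\)\s*$")
VALUE = re.compile(r"^\s*(\S.*?)\s+(?:=|->)\s+(.*?)\s*$")


def parse_utc(text):
    """'Mon Jan 19 23:03:52 2009' -> aware UTC datetime (RegRipper reports all times in UTC)."""
    return datetime.strptime(text, "%a %b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def parse_report(text):
    """Split report text into sections: dicts with title, key, lastwrite and values."""
    sections = []
    for chunk in SEPARATOR.split(text):
        lines = [ln.rstrip() for ln in chunk.splitlines() if ln.strip()]
        if not lines:
            continue
        sec = {"title": None, "key": None, "lastwrite": None, "values": {}}
        for ln in lines:
            lw, val = LASTWRITE.match(ln), VALUE.match(ln)
            if lw:
                sec["lastwrite"] = parse_utc(lw.group(1))
            elif val:
                sec["values"][val.group(1)] = val.group(2)
            elif sec["title"] is None:
                sec["title"] = ln  # first plain line names the section
            else:
                sec["key"] = ln    # a later plain line is the key path
        if sec["title"] is None:   # one-line sections such as "ComputerName = testbox"
            sec["title"] = next(iter(sec["values"]), "(untitled)")
        sections.append(sec)
    return sections


def flatten(sections):
    """Map (section title, value name) -> value; LastWrite times become ISO 8601 UTC strings."""
    flat = {}
    for sec in sections:
        if sec["lastwrite"]:
            flat[(sec["title"], "LastWrite")] = sec["lastwrite"].isoformat()
        for name, value in sec["values"].items():
            flat[(sec["title"], name)] = value
    return flat


def diff_reports(text_a, text_b):
    """Return sorted (title, name, value_a, value_b) tuples; None marks an entry missing on one side."""
    a, b = flatten(parse_report(text_a)), flatten(parse_report(text_b))
    return [(k[0], k[1], a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)]


if __name__ == "__main__":
    for title, name, va, vb in diff_reports(REPORT_A, REPORT_B):
        print(f"{title} / {name}: {va!r} vs {vb!r}")
```

Feed it the two report files from different runs (read_text() on each) and an empty diff means the runs agree on every value and every key LastWrite time; anything listed is what you then verify against the hive itself with a second tool.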

Keven Murphy, GCFA Gold #24, is an IT security manager contracted to a Fortune 100 defense contractor.

SANS Digital Forensics and Incident Response Blog | RegRipper: Ripping Registries With Ease | SANS Institute