SANS Digital Forensics and Incident Response Blog

RegRipper: Ripping Registries With Ease

Harlan Carvey's RegRipper, available at http://code.google.com/p/regripper/, is a fantastic tool for getting data out of the registry quickly, whether you are doing incident response or forensics. In essence, it produces reports based on pre-canned registry searches. All you need to do is give it the registry file you want to review, give it a location for the report, and select the type of registry file. Then push a button.

RegRipper uses plugins to extract information from the registry files. Each plugin is written to handle the data stored in the registry key it has been set up to review; for example, plugins will decode ROT-13 encoded data and translate binary data to ASCII.

Example Screen Shot

[Image: RegRipper screenshot]

RegRipper creates two files when it runs. The first is the report file, which contains the output of the plugins that were run against the registry file. The second is a log file, which contains the dates, times, plugins run, and the number of errors that occurred in the plugins. The log file's name is derived from the report file name minus the extension.

Here is a small excerpt from a system registry file:

ComputerName = testbox
----------------------------------------
ControlSet002\Control\Windows key, ShutdownTime value
ControlSet002\Control\Windows
LastWrite Time Mon Jan 19 23:03:52 2009 (UTC)
ShutdownTime = Mon Jan 19 23:03:52 2009 (UTC)
----------------------------------------
ShutdownCount
ControlSet002\Control\Watchdog\Display
LastWrite Time Mon Jan 19 23:03:52 2009 (UTC)
ShutdownCount = 218
----------------------------------------
TimeZoneInformation key
ControlSet002\Control\TimeZoneInformation
LastWrite Time Sun Nov 2 14:14:54 2008 (UTC)
DaylightName -> Eastern Daylight Time
StandardName -> Eastern Standard Time
Bias -> 300 (5 hours)
ActiveTimeBias -> 300 (5 hours)
----------------------------------------
ControlSet002\Control\Terminal Server key, fDenyTSConnections value
LastWrite Time Fri Oct 24 20:53:51 2008 (UTC)
fDenyTSConnections = 1
----------------------------------------

Notice that the output gives the last write times for the registry keys as well as the values stored under those keys. Keep in mind that all of the time stamps listed in the report file are in UTC.
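Because every stamp in the report is UTC, an examiner building a timeline usually wants the system's own local time as well. As an added example (not part of the original post or of RegRipper itself), the following Python helper parses report text in the format shown above, reads the ActiveTimeBias that the TimeZoneInformation section reports, and converts each UTC stamp to the examined system's local time; the sample report is constructed from the excerpt above.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in RegRipper's report format: sections split by a line of
# 40 dashes, every timestamp written as ctime text followed by "(UTC)".
REPORT = r"""ControlSet002\Control\Windows key, ShutdownTime value
ControlSet002\Control\Windows
LastWrite Time Mon Jan 19 23:03:52 2009 (UTC)
ShutdownTime = Mon Jan 19 23:03:52 2009 (UTC)
----------------------------------------
TimeZoneInformation key
ControlSet002\Control\TimeZoneInformation
LastWrite Time Sun Nov 2 14:14:54 2008 (UTC)
Bias -> 300 (5 hours)
ActiveTimeBias -> 300 (5 hours)
----------------------------------------
"""

# ctime-style stamp, e.g. "Mon Jan 19 23:03:52 2009 (UTC)"; \s+ tolerates the
# padded single-digit day that ctime emits ("Nov  2")
STAMP_RE = re.compile(r"(\w{3} \w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} \d{4}) \(UTC\)")
BIAS_RE = re.compile(r"^ActiveTimeBias -> (-?\d+)", re.MULTILINE)

def active_time_bias(report):
    """ActiveTimeBias in minutes from the TimeZoneInformation section, else None."""
    m = BIAS_RE.search(report)
    return int(m.group(1)) if m else None

def utc_stamps(report):
    """Yield (report line, timezone-aware UTC datetime) for every '(UTC)' stamp."""
    for line in report.splitlines():
        m = STAMP_RE.search(line)
        if m:
            dt = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            yield line, dt.replace(tzinfo=timezone.utc)

def to_local(dt_utc, bias_minutes):
    """Windows defines Bias as UTC = local + Bias, so local = UTC - Bias."""
    return dt_utc - timedelta(minutes=bias_minutes)

def local_times(report):
    """Map each stamped report line to the system's local wall-clock time.

    ActiveTimeBias is the offset in effect when the key was last written, so
    stamps from the other side of a DST change can be off by an hour.
    """
    bias = active_time_bias(report)
    if bias is None:
        raise ValueError("report has no ActiveTimeBias; cannot localise stamps")
    return {line: to_local(dt, bias).strftime("%Y-%m-%d %H:%M:%S")
            for line, dt in utc_stamps(report)}
```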

Using RegRipper under Linux

Using it under Wine

Download Cygwin at: http://www.cygwin.com/

Installing Cygwin:

  1. wine setup.exe
  2. On the screen Select Packages
    1. Select Perl to be installed.
  3. Now install.

After Cygwin is installed, unzip the RegRipper download and start RegRipper with:

# wine rr.exe

Linux Version

There is also a Linux version available at Daniele Murrau's website: http://brainstretching.blogspot.com/2008/10/linux-e-regripper.html. Download is at: http://rapidshare.com/files/175773378/regripper_linux.tar.gz

To Install:

  1. Install Perl on your Linux system if it is not already installed
  2. perl -MCPAN -e shell
    1. install Parse::Win32Registry

An example of running it:

# ./rip.pl -r /tmp/1registry/system -f system > /tmp/1registry/reports/system2.txt

The only problem I see with the Linux version is that plugins will need to be updated from time to time by downloading the Windows version and copying them over to the Linux version.

EDITOR'S NOTE: RegRipper is installed on the latest version of the SIFT workstation by default.

Run from /usr/local/src/regripper
# perl rip.pl -r <HIVEFILE> -f <HIVETYPE>
[Useful Options]
-r Registry hive file to parse <HIVEFILE>
-f Use <HIVETYPE> (e.g. sam, security, software, system, ntuser)
-l List all plugins

EXAMPLE:
# cd /usr/local/src/regripper
# perl rip.pl -r /mnt/hack/casename/Windows/System32/config/SAM -f sam > /images/casename/SAM.txt
No need to download and install anything. This has already been updated into SEC508 Computer Forensics, Investigation, and Response as well.

Don't Forget Tool Testing

Lastly, as with any new tool, take the time to test it to make sure that you are getting accurate data. As a forensics examiner it is your responsibility to ensure that your tools are producing accurate data.

Some questions you should be asking when checking the tool:

  1. How does the data in the reports compare to what is in the registry? Here we are making sure the data reported matches what is actually stored in the registry.
  2. Do other registry tools report different data? Again, this checks the accuracy of the data by comparing two different tools.
  3. If you plan on using the Wine or native Linux version: do you get the same data whether you run it under Windows, Linux with Wine, or natively on Linux?

Keven Murphy, GCFA Gold #24, is an IT security manager contracted to a Fortune 100 defense contractor.

4 Comments

Posted February 6, 2009 at 11:27 AM

gleeda

I'm not really sure why you need to install Cygwin to use rr.exe under wine. It should just run with wine without the extra step.

Posted February 6, 2009 at 1:08 PM

keydet89

The only problem I see with the Linux version is that plugins will need to be updated from time to time by downloading the Windows version and copied over to the Linux version.
This isn't completely correct. All you would need to do is download the plugins themselves. However, much like Nessus, users are free to write their own plugins or modify the current ones to meet their needs. Therefore, updating can come from installing new plugins, or from other sources.

Posted February 6, 2009 at 9:48 PM

robtlee

Just a quick note: Regripper is installed on the latest version of the SIFT workstation by default.
# cd /usr/local/src/regripper
# rip.pl -r register-hive-to-be-parsed -f type
No need to download and install anything. This has already been updated into SEC508 as well.
Best,
Rob Lee

Posted May 7, 2014 at 1:00 PM

anon

Link (regripper.net) is no longer active. Please update to the following.
http://code.google.com/p/regripper/