
REGRIPPER(1) General Commands Manual REGRIPPER(1)

NAME

Regripper - forensic analysis of Registry hives

SYNOPSIS

regripper [-r <hivefile>] [-f <hivetype>] [-p <plugin>] [-d] [-g] [-a | -aT] [-s <systemname>] [-u <username>] [-l] [-c] [-h]

DESCRIPTION

Regripper is an open source tool for forensic analysis of Windows Registry files. It can be used to surgically extract, translate, and display information (both data and metadata) from Registry-formatted files via plugins written as Perl scripts.

All output goes to STDOUT; use redirection (i.e., > or >>) to write it to a file.

OPTIONS

-r <hive> Specify which Registry hive file to parse. Hive files are found in %SystemRoot%\System32\config or in %userprofile% (the user's profile directory).

-f <hivetype> Specify the hive type/profile to use: one of sam, security, software, system, ntuser.

-p <plugin> Specify the plugin to run, e.g. run, appcompatcache and so on (see -l for the full list).

-d Check whether the hive is dirty.

-g Guess the hive file type.

-a Automatically run hive-specific plugins.

-aT Automatically run hive-specific timelining (TLN) plugins.

-s <systemname> Specify the system name (TLN support).

-u <username> Specify the user name (TLN support).

-l List all available plugins. Custom plugins can be placed in usr/bin/regripper/plugins.

-c Output list of plugins as comma-separated values.

-h Print short help information.

EXAMPLES

List all available plugins:

regripper -l

Run a specific plugin, e.g. retrieve a timeline of recently opened documents from NTUSER.DAT:

regripper -r /hive/NTUSER.DAT -p recentdocs_tln

Retrieve the Run keys (autostart entries) from NTUSER.DAT:

regripper -r /hive/NTUSER.DAT -p run

Process a complete hive file of type system:

regripper -r /mnt/SYSTEM -f system > /mnt/reports/system.txt

Parse a hive file of type SAM:

regripper -r /mnt/SAM -f sam > /mnt/SAM.txt
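The examples above each handle one hive by hand. The following batch script is an added example, not part of the regripper manual or the RegRipper project: it walks the standard hive locations of an evidence image mounted read-only, picks the matching -f profile from the OPTIONS list, records the -d dirty check (regripper does not merge transaction logs, see BUGS AND LIMITATIONS), runs the full profile, and produces a TLN timeline tagged with -s and, for NTUSER.DAT, -u. The mount layout (Windows\System32\config, Users\<name>\NTUSER.DAT), the report naming scheme, and using the profile directory name as the account name are assumptions of this example.

```shell
#!/bin/sh
# Added example (not regripper project code): batch-process the hives of a mounted
# evidence image. Assumes the image is mounted read-only at $1 with the usual
# Windows directory layout and that the regripper command is on PATH.

# Map a hive file name to the -f profile listed in OPTIONS. Windows file names are
# case-insensitive, so normalise to upper case first. Returns 1 for any other file.
hive_profile() {
    case "$(basename "$1" | tr '[:lower:]' '[:upper:]')" in
        SAM)        echo sam ;;
        SECURITY)   echo security ;;
        SOFTWARE)   echo software ;;
        SYSTEM)     echo system ;;
        NTUSER.DAT) echo ntuser ;;
        *)          return 1 ;;
    esac
}

# Build a report basename such as "config_SYSTEM" or "alice_NTUSER.DAT" (assumed scheme).
report_name() {
    printf '%s_%s\n' "$(basename "$(dirname "$1")")" "$(basename "$1")"
}

# For NTUSER.DAT hives, print the value to pass with -u: the profile directory name
# (assumption: the directory under Users\ is the account name). Prints nothing otherwise.
tln_user() {
    if [ "$(hive_profile "$1")" = ntuser ]; then
        basename "$(dirname "$1")"
    fi
}

# Process every recognised hive under the mount point $1, writing per-hive files to $2.
# $3 is the system name for TLN output (placeholder default). regripper writes only to
# STDOUT, so each invocation is redirected to its own file.
process_image() {
    img=$1; out=$2; sysname=${3:-UNKNOWN-HOST}
    mkdir -p "$out"
    for hive in "$img"/Windows/System32/config/SAM \
                "$img"/Windows/System32/config/SECURITY \
                "$img"/Windows/System32/config/SOFTWARE \
                "$img"/Windows/System32/config/SYSTEM \
                "$img"/Users/*/NTUSER.DAT; do
        [ -f "$hive" ] || continue
        prof=$(hive_profile "$hive") || continue
        base=$out/$(report_name "$hive")
        # 1. Dirty check: unflushed transaction-log data is not merged by regripper,
        #    so keep this result next to the report for the analyst.
        regripper -r "$hive" -d > "$base.dirty.txt" 2>&1
        # 2. Full profile for the hive type.
        regripper -r "$hive" -f "$prof" > "$base.txt" 2>&1
        # 3. Hive-specific TLN plugins, tagged with system name and (for NTUSER) user name.
        user=$(tln_user "$hive")
        regripper -r "$hive" -aT -s "$sysname" ${user:+-u "$user"} > "$base.tln" 2>&1
    done
}

# Stand-alone use: ./rr-batch.sh /mnt/evidence /mnt/reports WKSTN01
if [ "$#" -ge 2 ] && command -v regripper >/dev/null 2>&1; then
    process_image "$@"
fi
```

The resulting .tln files can be concatenated into one timeline for the host because every line already carries the -s system name and, for user hives, the -u user name. Paths containing whitespace are not handled by the -u expansion; mount the image at a simple path.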

AUTHORS

Written by Harlan Carvey <keydet89@yahoo.com>

BUGS AND LIMITATIONS

This tool does NOT automatically process hive transaction logs. If you need to incorporate data from hive transaction logs into your analysis, consider merging the data via Maxim Suhanov's yarp + registryFlush.py, or via Eric Zimmerman's rla.exe.

REPORTING BUGS

When submitting a bug report, please include a description of the problem, how you found it, and your contact information. Submit bug reports to: https://github.com/keydet89/RegRipper3.0/issues

COPYRIGHT

This project is licensed under terms of the MIT License - https://opensource.org/licenses/MIT. Copyright by Harlan Carvey <keydet89@yahoo.com> and 2020 Quantum Analytics Research, LLC.

This manual page was written by Jan Gruber <j4n6ru@gmail.com>, for the Debian project (and may be used by others).

SEE ALSO

More information on Regripper appears in the README file, distributed with the regripper source code.

v3.0 - December 2020 Harlan Carvey