REGRIPPER(1) General Commands Manual REGRIPPER(1)
NAME
Regripper - forensic analysis of Registry hives
SYNOPSIS
regripper [-r <hivefile>] [-f <hivetype>] [-p <plugin>] [-d] [-g] [-a] [-aT] [-s <systemname>] [-u <username>] [-l] [-c] [-h]
DESCRIPTION
Regripper is an open-source tool for forensic analysis of Windows Registry files. It can be used to surgically extract, translate, and display information (both data and metadata) from Registry-formatted files via plugins written as Perl scripts.
All output goes to STDOUT; use redirection (i.e., > or >>) to write it to a file.
OPTIONS
-r <hive> Specify which Registry hive file to parse. Hive files can be found in %SystemRoot%\System32\config or in %userprofile% (the user's profile directory).
-f <hivetype> Specify the hive type/profile to use; one of sam, security, software, system, ntuser.
-p <plugin> Specify the plugin to run, e.g. run, appcompatcache and so on (see -l for the full list).
-d Check whether the hive is dirty.
-g Guess the hive file type.
-a Automatically run hive-specific plugins.
-aT Automatically run hive-specific timelining (TLN) plugins.
-s <systemname> Specify the system name (TLN support).
-u <username> Specify the user name (TLN support).
-l List all available plugins. Custom plugins can be placed in usr/bin/regripper/plugins.
-c Output the list of plugins as comma-separated values.
-h Print short help information.
EXAMPLES
List all available plugins:
regripper -l
Run a specific plugin, e.g. retrieve a timeline (TLN) of recent documents from NTUSER.DAT:
regripper -r /hive/NTUSER.DAT -p recentdocs_tln
Retrieve the Run keys from NTUSER.DAT:
regripper -r /hive/NTUSER.DAT -p run
Process a complete hive file of type system:
regripper -r /mnt/SYSTEM -f system > /mnt/reports/system.txt
Parse a hive file of type SAM:
regripper -r /mnt/SAM -f sam > /mnt/SAM.txt
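The examples above process one hive at a time. The script below is an added example (not part of this manual page or of RegRipper itself) that chains the documented options into a batch triage: for every recognised hive under a directory it records whether the hive is dirty (-d), writes a full report with the hive-specific plugins (-a) and a TLN report (-aT) tagged with the system and, for NTUSER.DAT, the user name (-s/-u). The directory layout, the hive file names and the system/user names passed in are assumptions; the profile mapping comes from the -f values listed under OPTIONS.

```shell
#!/bin/sh
# Batch triage of extracted Registry hives with RegRipper.
# Added example, not code from the RegRipper project.
# Assumption: hives were copied out of an image with their original
# file names (SYSTEM, SOFTWARE, SAM, SECURITY, NTUSER.DAT) into one
# directory; paths without spaces.

# Map a hive file name to the profile expected by "regripper -f".
# Prints the profile name; prints nothing and returns 1 for files
# this manual page does not list (they are skipped by the caller).
hive_profile() {
    case "$(basename "$1" | tr '[:upper:]' '[:lower:]')" in
        system)     echo system ;;
        software)   echo software ;;
        sam)        echo sam ;;
        security)   echo security ;;
        ntuser.dat) echo ntuser ;;
        *)          return 1 ;;
    esac
}

# Report file name for a hive: <hive base name>.<suffix> in the output dir.
report_path() {
    echo "$2/$(basename "$1").$3"
}

# Process every recognised hive in $1, writing reports to $2.
# $3 is the system name and $4 the user name used for TLN tagging.
# RegRipper does not merge transaction logs itself, so the -d check is
# recorded per hive to flag where yarp/rla should be applied first.
triage_hives() {
    hive_dir=$1; out_dir=$2; sysname=$3; user=$4
    mkdir -p "$out_dir"
    for hive in "$hive_dir"/*; do
        profile=$(hive_profile "$hive") || continue
        regripper -r "$hive" -d > "$(report_path "$hive" "$out_dir" dirty.txt)"
        regripper -r "$hive" -f "$profile" -a > "$(report_path "$hive" "$out_dir" txt)"
        # TLN output: -s tags every line with the system name; NTUSER.DAT
        # additionally gets -u so user-level events carry the account name.
        set -- -r "$hive" -f "$profile" -aT -s "$sysname"
        if [ "$profile" = ntuser ]; then
            set -- "$@" -u "$user"
        fi
        regripper "$@" > "$(report_path "$hive" "$out_dir" tln)"
    done
}

# Usage: triage.sh <hive_dir> <out_dir> <systemname> [username]
if [ "$#" -ge 3 ]; then
    triage_hives "$1" "$2" "$3" "${4:-unknown}"
fi
```

The per-hive .tln files can be concatenated into one timeline because every line already carries the system (and user) name, which is what the -s and -u options are for.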
AUTHORS
Written by Harlan Carvey <keydet89@yahoo.com>
BUGS AND LIMITATIONS
This tool does NOT automatically process hive transaction logs. If you need to incorporate data from hive transaction logs into your analysis, consider merging the data via Maxim Suhanov's yarp + registryFlush.py, or via Eric Zimmerman's rla.exe.
REPORTING BUGS
When submitting a bug report, please include a description of the problem, how you found it, and your contact information. Submit bug reports to: https://github.com/keydet89/RegRipper3.0/issues
COPYRIGHT
This project is licensed under the terms of the MIT License - https://opensource.org/licenses/MIT. Copyright by Harlan Carvey <keydet89@yahoo.com> and 2020 Quantum Analytics Research, LLC.
This manual page was written by Jan Gruber <j4n6ru@gmail.com>, for the Debian project (and may be used by others).
SEE ALSO
More information on Regripper appears in the README file, distributed with the regripper source code.
v3.0 - December 2020 Harlan Carvey