Month: May 2016

Parsing Registry files with RegRipper

The registry of a Windows system contains a lot of good data that can be used for forensic analysis. Parsing that data from dead-box forensics (a bit-for-bit image) with RegRipper (rip.pl) will give you a lot of useful information. RegRipper is an automated hive parser that can parse the forensic contents of the SAM, SECURITY, SYSTEM, SOFTWARE, and NTUSER.DAT hives it is pointed at. You can even use it to forensically mine the registry files stored in restore points. RegRipper is plugin-based; aside from the default plugins installed with it, more are available online. The program runs on Linux or Windows, and the Windows variant includes a GUI.

rip.pl is invoked by pointing -r HIVEFILE at the hive you would like to mine forensically. You also need to tell RegRipper the type of hive it is with -f (sam, security, software, system, ntuser). On the image, the system hives are found under C:\Windows\System32\config, and ntuser.dat is located at the root of each user's profile. Once RegRipper is installed on your system, you can use the syntax below to get started, along with the most useful options.

# rip.pl -r HIVEFILE -f HIVETYPE
[Useful Options]
-r Registry hive file to parse
-f Hive type to use (sam, security, software, system, ntuser)
-l List all plugins
-h Help
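Running rip.pl by hand against each hive gets tedious on a full image, so here is an added example (not part of the original post or of RegRipper itself) that walks a read-only mounted image, picks the right -f profile from each hive's file name, and writes one report per hive. It assumes rip.pl is on PATH (override with RIP=...) and a Vista-or-later layout (Windows\System32\config and Users\<name>\NTUSER.DAT); the image root and output directory are passed as arguments.

```shell
#!/bin/sh
# Batch-run RegRipper (rip.pl) over the standard hives of a mounted disk image.
# Constructed example: assumes rip.pl is on PATH (override with RIP=/path/to/rip.pl)
# and that the image is mounted read-only at the directory given as the first argument.

RIP="${RIP:-rip.pl}"

# Map a hive file name to the -f profile rip.pl expects; fail for anything else
# (transaction logs such as SAM.LOG1, RegBack copies, .sav files).
hive_profile() {
    case "$(basename "$1" | tr 'A-Z' 'a-z')" in
        sam)        echo sam ;;
        security)   echo security ;;
        software)   echo software ;;
        system)     echo system ;;
        ntuser.dat) echo ntuser ;;
        *)          return 1 ;;
    esac
}

# Run rip.pl on every recognised hive under the image root, one report per hive.
# Reports are named <profile>_<parent dir>.txt so per-user NTUSER.DAT files do not
# collide (ntuser_alice.txt, ntuser_bob.txt, sam_config.txt ...).
# Prints the number of hives processed.
rip_image() {
    img="$1"; out="$2"; n=0
    mkdir -p "$out" || return 1
    # Older XP layouts keep NTUSER.DAT under "Documents and Settings"; add that glob if needed.
    for hive in "$img"/[Ww]indows/[Ss]ystem32/config/* "$img"/[Uu]sers/*/NTUSER.DAT; do
        [ -f "$hive" ] || continue
        profile=$(hive_profile "$hive") || continue
        owner=$(basename "$(dirname "$hive")")
        "$RIP" -r "$hive" -f "$profile" > "$out/${profile}_${owner}.txt" 2>&1
        n=$((n + 1))
    done
    echo "$n"
}
```

Usage: `rip_image /mnt/evidence /cases/case42/regripper` after mounting the image read-only; review each report with the hive it came from, since rip.pl writes parse errors into the same file.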