Reg Ripper
Dedicated to incident response and computer forensic analysis topics, with respect to Windows 2000, XP, 2003, and Vista operating systems
Registry Analysis
Registry analysis has long been an overlooked and underutilized tool in the forensic examiner's toolkit. Some think it's too difficult, too time consuming, and that the cost of having to figure out what to look for and how to extract it is simply not worth what you get back in return.
Figure 1
As is further illustrated in figure 1, the Perl source code for RegRipper is also included, along with the Perl runtime DLL and the EXE file.
Figure 2
Note: The plugins illustrated in figure 2 are not a complete list of plugins, only a representative sample.
The plugins directory is hard-coded into the RegRipper application. The plugins file contains a listing of each plugin to be run, listed in the order in which the examiner wishes the plugins to run. The examiner can easily modify the plugins file, as it is a flat text file containing the names of each plugin to be run, one per line. RegRipper parses the plugins file, skipping blank lines and any line beginning with # (in Perl, this indicates a comment line). Example content of the plugins file appears as follows:

logonusername
acmru
runmru
typedurls
userassist
Figure 3
The first text field in the RegRipper GUI is labeled Hive File, and is the text field in which the examiner must identify the Registry hive file to be parsed. The examiner can select a specific hive file to parse either by typing the complete path to the file into the text field, or by clicking on the first Browse button, navigating to the appropriate location, and selecting the file in question. The examiner must then enter the location for the report file into the second text field, or click on the second Browse button to select an output directory for the report file, as well as a file name, as illustrated in figure 4.
Figure 4
Note that in figure 4, a file extension is not required. The examiner simply enters the name of the report file, without any extension (.txt, etc.); RegRipper appends the file extension automatically. As with the Hive File text field, the examiner can also either type or paste in the path and filename for the report file.
Note: Once the examiner has selected a location for the report file, RegRipper will automatically use that same location and file name (changing the extension to .log) for the log file of its own activities. As such, if the examiner opts to save the report file as a file named Case006-B, RegRipper will automatically append the .txt extension for the report file, and then create Case006-B.log as the log file.
Figure 5
Once all fields have been populated, the examiner simply clicks the Rip It! button, and RegRipper loads and runs each plugin in order; each plugin extracts specific information from the Registry hive file and writes it to the report file. Again, RegRipper maintains a log of its own activity, which uses the same file name and path as the report file, but with the .log extension. Figure 6 illustrates RegRipper after it has completed running all of its plugins.
Figure 6
An excerpt from the report file generated by RegRipper appears as follows:

---------------------------------------
ACMru - Search Assistant
Software\Microsoft\Search Assistant\ACMru
Rip.exe
Rip.exe is an extremely useful command line interface (CLI) utility that ships with RegRipper. Rip allows the examiner to:
Plugins Files
The plugins files used by RegRipper are simply configuration files that tell RegRipper which plugins to run and in which order. These files co-exist within the same directory as the plugins themselves and do not have an extension. Lines of the plugins file that are to be skipped (i.e., comments, etc.) need only start with #; RegRipper will ignore the rest of the line.
C:\>rip
C:\>rip -h
C:\>rip /?
Note: To use rip.exe to create your own plugins file, type the following command at the command prompt:

C:\>rip -l -c > plugins.csv

When the command completes, open the resulting .csv file in Excel. The output has four columns, giving the plugin name, version, hive file, and a brief
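The plugins file format described above (flat text, one plugin name per line, blank and # lines skipped), the report/log naming rule, and the four-column listing from rip -l -c are all simple enough to script around. The following Python helper is an added example, not RegRipper's own code or part of its distribution: it parses a plugins file the way the text describes, checks each listed name against the contents of the plugins directory (assuming each plugin is a .pl file, as the Perl source in figure 1 suggests), derives the .txt/.log pair from a report base name, and turns rip -l -c output into a plugins file for one hive type. The sample plugins file and CSV lines are constructed here; the column order follows the text above, while the CSV quoting, the version values and the handling of leading whitespace before # are assumptions.

```python
"""Helpers for RegRipper's plugins files and the `rip -l -c` plugin listing.

Added example (not RegRipper's own code).  Assumptions are noted inline.
"""
import csv
import io
import os


def parse_plugins_file(text):
    """Return plugin names in file order, applying the rule the text gives:
    blank lines and lines beginning with '#' are skipped.  Surrounding
    whitespace on a name is dropped (assumption: RegRipper does the same)."""
    plugins = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        plugins.append(line)
    return plugins


def missing_plugins(plugins, plugin_dir_entries):
    """Names from the plugins file with no matching module in the plugins
    directory.  Assumption: each plugin is a <name>.pl file, so the
    directory listing is compared by basename, case-insensitively."""
    available = {os.path.splitext(entry)[0].lower() for entry in plugin_dir_entries}
    return [p for p in plugins if p.lower() not in available]


def report_and_log_paths(report_base):
    """Apply the GUI naming rule from the text: the examiner gives a base
    name with no extension; the report gets .txt and the activity log .log,
    in the same directory."""
    return report_base + ".txt", report_base + ".log"


def parse_plugin_listing(csv_text):
    """Parse `rip -l -c` output.  Column order (name, version, hive,
    description) is as the text describes; treating it as plain CSV whose
    unquoted description may itself contain commas is an assumption."""
    rows = []
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 4:
            continue  # blank or malformed line
        rows.append({
            "name": row[0].strip(),
            "version": row[1].strip(),
            "hive": row[2].strip(),
            "description": ",".join(row[3:]).strip(),
        })
    return rows


def build_plugins_file(listing, hive):
    """Generate plugins-file text selecting every plugin for one hive type
    (e.g. 'NTUSER.DAT'), in listing order, headed by a '#' comment line."""
    hive = hive.upper()
    lines = ["# plugins for %s, generated from 'rip -l -c' output" % hive]
    lines += [r["name"] for r in listing if r["hive"].upper() == hive]
    return "\n".join(lines) + "\n"


# Constructed sample inputs (not real RegRipper output; versions are placeholders).
SAMPLE_PLUGINS_FILE = """\
# constructed plugins file: user hive
logonusername
acmru

runmru
typedurls
userassist
"""

SAMPLE_LISTING = """\
logonusername,20080324,NTUSER.DAT,Gets the logon user name
acmru,20080324,NTUSER.DAT,Gets contents of user's ACMru key
compname,20080324,SYSTEM,Gets the ComputerName value
"""


if __name__ == "__main__":
    order = parse_plugins_file(SAMPLE_PLUGINS_FILE)
    print("run order:", order)
    print("missing:", missing_plugins(order, ["acmru.pl", "runmru.pl"]))
    print("report/log:", report_and_log_paths("Case006-B"))
    listing = parse_plugin_listing(SAMPLE_LISTING)
    print(build_plugins_file(listing, "ntuser.dat"), end="")
```

Running the module as a script prints the run order, the names that would fail to load because no .pl module exists for them, the report/log pair for Case006-B, and a generated NTUSER.DAT plugins file; the check for missing modules is the one worth running before clicking Rip It!, since a misspelled plugin name in the flat file is otherwise only discovered in the .log file.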