
Autopsy vs RegRipper

GitHub Stats

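Stars: Autopsy 3.1k, RegRipper 692
Forks: Autopsy 656, RegRipper 147
Issues: Autopsy 394, RegRipper 6
Updated: Autopsy 2d ago, RegRipper 1y ago
License: Autopsy -, RegRipper -
Language: Autopsy Java, RegRipper Perl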

About Autopsy

Autopsy is a digital forensics platform with a user-friendly GUI, designed to facilitate disk image analysis, timeline analysis, keyword searching, and hash filtering. Developed in Java, it integrates with the Sleuth Kit and supports a wide range of forensic investigations, from file recovery to artifact analysis. Autopsy's comprehensive feature set and ease of use make it a valuable tool for forensic examiners and law enforcement agencies conducting digital investigations.

About RegRipper

RegRipper is a Windows registry data extraction and correlation tool, written in Perl with an extensible plugin architecture. It parses offline Windows registry hive files (SAM, SYSTEM, SOFTWARE, NTUSER.DAT, UsrClass.dat) and extracts forensically significant data including user accounts, network connections, USB device history, application execution, file access timestamps, autorun entries, and hundreds of other artifacts. Each plugin targets a specific registry key or set of keys, formatting the output for analyst consumption. RegRipper is the standard tool for Windows registry forensics: its plugin library covers virtually every registry artifact documented in DFIR literature. It can process hives from mounted images, extracted files, or live systems, and outputs timestamped data suitable for timeline analysis. Harlan Carvey, the author, continuously maintains the plugin library as new forensic artifacts are discovered.

Platform Support

Autopsy: Linux, macOS, Windows
RegRipper: Windows, Linux

Tags

Autopsy only

disk-forensics, gui, timeline, file-carving

RegRipper only

registry, windows-forensics, artifact-extraction, dfir, hive-parser, plugins