bulk_extractor vs RegRipper
About bulk_extractor
bulk_extractor is a high-performance digital forensics tool that scans disk images, files, or directories and extracts useful information without parsing the file system or file system structures. It finds email addresses, URLs, credit card numbers, JPEG images, JSON fragments, GPS coordinates, Windows registry fragments, AES keys, and other artifacts by scanning raw data. Because it never relies on file system metadata, it can recover data from unallocated space, slack space, compressed archives, and even encrypted volumes where the key is present in memory. bulk_extractor operates on the raw bytes of the input, dividing it into pages that are processed in parallel across all available CPU cores, which makes it extremely fast: often 10x faster than other carving tools. Its output consists of feature files that can be analyzed with tools like the included bulk_diff utility or imported into other analysis platforms.
About RegRipper
RegRipper is a Windows registry data extraction and correlation tool, written in Perl with an extensible plugin architecture. It parses offline Windows registry hive files (SAM, SYSTEM, SOFTWARE, NTUSER.DAT, UsrClass.dat) and extracts forensically significant data including user accounts, network connections, USB device history, application execution, file access timestamps, autorun entries, and hundreds of other artifacts. Each plugin targets a specific registry key or set of keys and formats the output for analyst consumption. RegRipper is the standard tool for Windows registry forensics; its plugin library covers virtually every registry artifact documented in DFIR literature. It can process hives from mounted images, extracted files, or live systems, and outputs timestamped data suitable for timeline analysis. Harlan Carvey, the author, continuously maintains the plugin library as new forensic artifacts are discovered.