EN
ENNA

RegRipper

๐Ÿ”ฌ Digital Forensics ยท Perl

RegRipper is a Windows registry data extraction and correlation tool, written in Perl with an extensible plugin architecture. It parses offline Windows registry hive files (SAM, SYSTEM, SOFTWARE, NTUSER.DAT, UsrClass.dat) and extracts forensically significant data including user accounts, network connections, USB device history, application execution, file access timestamps, autorun entries, and hundreds of other artifacts. Each plugin targets a specific registry key or set of keys, formatting the output for analyst consumption. RegRipper is the standard tool for Windows registry forensics - its plugin library covers virtually every registry artifact documented in DFIR literature. It can process hives from mounted images, extracted files, or live systems, and outputs timestamped data suitable for timeline analysis. Harlan Carvey, the author, continuously maintains the plugin library as new forensic artifacts are discovered.

692stars
147forks
6issues
Updated 1y ago
View on GitHub

Installation

from source

$ git clone https://github.com/keydet89/RegRipper3.0.git

Windows

$ Download from GitHub and run rip.exe

Use Cases

  • Extracting user account data and password hashes from SAM hives
  • Recovering USB device connection history from SYSTEM hives
  • Parsing autorun entries and persistence mechanisms from SOFTWARE and NTUSER.DAT
  • Building forensic timelines from registry timestamp artifacts
  • Analyzing application execution history via UserAssist, Shimcache, and BAM

Tags

registrywindows-forensicsartifact-extractiondfirhive-parserplugins

Details

Category
๐Ÿ”ฌ Digital Forensics
Language
Perl
Platforms
๐ŸชŸwindows๐Ÿงlinux

Links

GitHub Repository

github.com/keydet89/RegRipper3.0

Releases

github.com/keydet89/RegRipper3.0/releases

Issues

github.com/keydet89/RegRipper3.0/issues

Sponsored

Your ad here

Reach security professionals and developers - ads@en-na.com

Alternatives & Comparisons

Volatility 3

Python

Advanced memory forensics framework. Extracts artifacts from RAM dumps - processes, network connections, registry.

Compare RegRipper vs Volatility 3

Autopsy

Java

Digital forensics platform with GUI. Disk image analysis, timeline analysis, keyword search, hash filtering.

Compare RegRipper vs Autopsy

KAPE

C#

Kroll Artifact Parser and Extractor. Fast triage collection and parsing of forensic artifacts from Windows, macOS, and Linux.

Compare RegRipper vs KAPE

bulk_extractor

C++

High-performance forensic data carver. Extracts email addresses, URLs, credit cards, and other artifacts from disk images at speed.

Compare RegRipper vs bulk_extractor

More in Digital Forensics

Volatility 3

Python

Advanced memory forensics framework. Extracts artifacts from RAM dumps - processes, network connections, registry.

memoryram-dumpartifact-extraction

Autopsy

Java

Digital forensics platform with GUI. Disk image analysis, timeline analysis, keyword search, hash filtering.

disk-forensicsguitimeline

Ghidra

Java

NSA's reverse engineering framework. Disassembly, decompilation, graphing, and scripting for binary analysis.

reverse-engineeringdecompilerbinary-analysis

Binwalk

Python

Firmware analysis tool. Searches binary images for embedded files, executables, and file systems.

firmwarebinaryextraction

YARA

C

Pattern matching swiss knife for malware researchers. Create rules to identify and classify malware samples.

malwarepattern-matchingrules

Velociraptor

Go

Endpoint visibility and collection tool. Hunt for artifacts across thousands of endpoints simultaneously.

endpointhuntingdfir