RegRipper is open source forensic software for extracting data from Windows Registry hives, available as a command line tool or as a GUI. It is written in Perl, and this article describes how to install the RegRipper command line tool on Linux systems such as Debian, Ubuntu, Fedora, CentOS or Red Hat. For the most part the installation of the command line tool is distribution agnostic; only the prerequisites step differs between systems.
Pre-requisites
First we need to install all prerequisites. Choose the relevant command below based on the Linux distribution you are running:
DEBIAN/UBUNTU
# apt-get install cpanminus make unzip wget
FEDORA
# dnf install perl-App-cpanminus.noarch make unzip wget perl-Archive-Extract-gz-gzip.noarch which
CENTOS/REDHAT
# yum install perl-App-cpanminus.noarch make unzip wget perl-Archive-Extract-gz-gzip.noarch which
Installation of required libraries
The RegRipper command line tool depends on the Perl Parse::Win32Registry library. The following Linux commands take care of this prerequisite and install the library into the /usr/local/lib/rip-lib directory:
# mkdir /usr/local/lib/rip-lib
# cpanm -l /usr/local/lib/rip-lib Parse::Win32Registry
RegRipper script installation
At this stage we are ready to install the rip.pl script. The script is intended to run on MS Windows systems, so we need to make some small modifications. We will also add the path to the Parse::Win32Registry library installed above.
Download the RegRipper source code from https://regripper.googlecode.com/files/ . The current version is 2.8:
# wget -q https://regripper.googlecode.com/files/rrv2.8.zip
Extract the rip.pl script:
# unzip -q rrv2.8.zip rip.pl
Remove the interpreter line and the unwanted DOS line ending character ^M:
# tail -n +2 rip.pl > rip
# perl -pi -e 'tr[\r][]d' rip
Modify the script to include an interpreter line relevant to your Linux system, and also add the library path for Parse::Win32Registry:
# sed -i "1i #!`which perl`" rip
# sed -i '2i use lib qw(/usr/local/lib/rip-lib/lib/perl5/);' rip
Install your RegRipper rip script and make it executable:
# cp /usr/local/bin
# chmod +x /usr/local/bin/rip
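The conversion steps above (strip the Windows interpreter line, drop the ^M characters, prepend a Linux shebang and the use lib line) can be collected into a single shell function. This is an added example, not part of the article or of RegRipper itself; it uses the rip-lib path from the article and the PERL_BIN and RIP_LIB override variables are assumptions of this example. Unlike the plain tail -n +2 above, it removes the first line only when it really is a #! line, so a rip.pl that starts with code is not truncated.

```shell
#!/bin/sh
# Added example (not from the original article or the RegRipper project).
# RIP_LIB is the library path the article installs into; override if needed.
RIP_LIB="${RIP_LIB:-/usr/local/lib/rip-lib/lib/perl5/}"

# linuxify_rip SRC DST
#   - strips every carriage return (DOS ^M line endings)
#   - drops line 1 only if it is a "#!" interpreter line
#   - prepends a shebang for the local perl and the "use lib" line
#   - makes DST executable
linuxify_rip() {
    src="$1"; dst="$2"
    # PERL_BIN (assumed override) defaults to whatever perl is on PATH
    perl_bin="${PERL_BIN:-$(command -v perl)}"
    [ -n "$perl_bin" ] || { echo "perl not found" >&2; return 1; }
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    {
        printf '#!%s\n' "$perl_bin"
        printf 'use lib qw(%s);\n' "$RIP_LIB"
        # tr removes the ^M; awk skips the first line only when it is a shebang
        tr -d '\r' < "$src" | awk 'NR==1 && /^#!/ {next} {print}'
    } > "$dst" && chmod +x "$dst"
}

# has_cr FILE: returns 0 if any carriage return is still present (sanity check)
has_cr() { grep -q "$(printf '\r')" "$1"; }

# Typical use, matching the article's install step:
#   linuxify_rip rip.pl rip && cp rip /usr/local/bin
```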
RegRipper Plugins installation
Lastly, we need to install RegRipper's plugins:
# wget -q https://regripper.googlecode.com/files/plugins20130429.zip
# mkdir /usr/local/bin/plugins
# unzip -q plugins20130429.zip -d /usr/local/bin/plugins
The RegRipper registry data extraction tool is now installed on your system and available via the rip command:
# rip
Rip v.2.8 - CLI RegRipper tool
Rip [-r Reg hive file] [-f plugin file] [-p plugin module] [-l] [-h]
Parse Windows Registry files, using either a single module, or a plugins file.

  -r Reg hive file...Registry hive file to parse
  -g ................Guess the hive file (experimental)
  -f [profile].......use the plugin file (default: plugins\plugins)
  -p plugin module...use only this module
  -l ................list all plugins
  -c ................Output list in CSV format (use with -l)
  -s system name.....Server name (TLN support)
  -u username........User name (TLN support)
  -h.................Help (print this information)

Ex: C:\>rip -r c:\case\system -f system
    C:\>rip -r c:\case\ntuser.dat -p userassist
    C:\>rip -l -c

All output goes to STDOUT; use redirection (ie, > or >>) to output to a file.

copyright 2013 Quantum Analytics Research, LLC
RegRipper command examples
A few examples using RegRipper with an NTUSER.DAT registry hive file.
List all available plugins:
$ rip -l -c
List software installed by the user:
$ rip -p listsoft -r NTUSER.DAT
Launching listsoft v.20080324
listsoft v.20080324
(NTUSER.DAT) Lists contents of user's Software key

listsoft v.20080324
List the contents of the Software key in the NTUSER.DAT hive file,
in order by LastWrite time.

Mon Dec 14 06:06:41 2015Z	Google
Mon Dec 14 05:54:33 2015Z	Microsoft
Sun Dec 29 16:44:47 2013Z	Bitstream
Sun Dec 29 16:33:11 2013Z	Adobe
Sun Dec 29 12:56:03 2013Z	Corel
Thu Dec 12 07:34:40 2013Z	Clients
Thu Dec 12 07:34:40 2013Z	Mozilla
Thu Dec 12 07:30:08 2013Z	MozillaPlugins
Thu Dec 12 07:22:34 2013Z	AppDataLow
Thu Dec 12 07:22:34 2013Z	Wow6432Node
Thu Dec 12 07:22:32 2013Z	Policies
Extract all available information using every plugin that applies to the NTUSER.DAT hive and append it to the case1.txt file:
$ for i in $( rip -l -c | grep NTUSER.DAT | cut -d , -f1 ); do rip -p $i -r NTUSER.DAT &>> case1.txt ; done