Use regripper to analyse the Windows registry

Linux

Installation of regripper in Debian stable

Regripper is not packaged in Debian stable, so download the .deb file manually:

Download regripper from Debian sid/unstable

If you are not doing the analysis locally, copy the .deb file to the system on which you want to install it:

scp regripper_3.0*.deb admin@forensic:

Install the regripper .deb package manually and let apt pull in the missing dependencies:

sudo dpkg -i regripper_3.0*.deb
sudo apt-get install -f

Structure of the Windows Registry

The Windows registry is not a single large file on the disk but a collection of files called hives. Each hive holds one subtree of the logical registry, so every hive has to be analysed separately. The four system hives live in Windows\System32\config, the user hive in each user's profile directory:

Hive         Location on the image               Description
NTUSER.DAT   Users\<name>\NTUSER.DAT             Per-user settings: run history, recently used files, typed paths, user autostart entries
SAM          Windows\System32\config\SAM         Local account database: user names, RIDs, group membership, password hashes
SYSTEM       Windows\System32\config\SYSTEM      System configuration: ControlSets, services, drivers, mounted devices, time zone
SOFTWARE     Windows\System32\config\SOFTWARE    Installed software, OS version, system-wide autostart entries
SECURITY     Windows\System32\config\SECURITY    Local security policy, audit settings, LSA secrets

Storage Location of the Hives

With the image mounted (read-only) under /mnt, the hive files can be located with find. Note that NTFS stores names case-preserving but a Linux mount is case-sensitive, so use -iname if a profile was created with a differently cased name (for example ntuser.dat):

find /mnt/ -name NTUSER.DAT

Regripper Syntax

regripper is then run on each hive file separately. Its plugins are hive-specific (-l lists them, -p runs a single one), and -g guesses the hive type while -a runs every plugin that fits that type:

Rip v.3.0 - CLI RegRipper tool
Rip [-r Reg hive file] [-f profile] [-p plugin] [options]
Parse Windows Registry files, using either a single module, or a profile.

  -r [hive] .........Registry hive file to parse
  -d ................Check to see if the hive is dirty
  -g ................Guess the hive file type
  -a ................Automatically run hive-specific plugins
  -aT ...............Automatically run hive-specific TLN plugins
  -f [profile].......use the profile
  -p [plugin]........use the plugin
  -l ................list all plugins
  -c ................Output plugin list in CSV format (use with -l)
  -s systemname......system name (TLN support)
  -u username........User name (TLN support)
  -uP ...............Update default profiles
  -h.................Help (print this information)

Analyze NTUSER.DAT with regripper

As an example, extract the user-specific information from the NTUSER.DAT hive of the user admin. The -g option lets regripper detect the hive type and -a runs all plugins for it; the output goes to stdout, so redirect it into a file for later review. Run -d first: if the hive is flagged dirty, the most recent changes are still in the transaction logs (NTUSER.DAT.LOG1/.LOG2) next to the hive, and regripper only reports the dirty state, it does not merge those logs.

regripper -r /mnt/xvdc3/Users/admin/NTUSER.DAT -d
regripper -r /mnt/xvdc3/Users/admin/NTUSER.DAT -g -a > ntuser_admin.txt
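Running regripper by hand on every hive of a multi-user image is tedious, so the steps above (locate the hives, dirty check, run the hive-specific plugins, keep the output per hive) are combined here into one script. This is an added example, not code from the page or from the RegRipper project. It assumes the image is mounted read-only under the mount point given as first argument (defaulting to /mnt/xvdc3 from the page), that the Debian regripper command is on PATH, and it also picks up UsrClass.dat, the second per-user hive, which the table above does not list; the output directory name is an assumption.

```bash
#!/bin/sh
# Added example: rip every registry hive below a mounted Windows image.
# Usage: rip_all_hives.sh [MOUNT_POINT] [OUTPUT_DIR]   (both names are assumptions)
set -eu

# find_hives DIR: print the path of every registry hive below DIR, one per line.
# -iname/-ipath because NTFS is case-preserving but the Linux mount is case-sensitive.
find_hives() {
    # per-user hives live anywhere under the profile directories
    find "$1" -type f \( -iname NTUSER.DAT -o -iname UsrClass.dat \)
    # system hives only count when they sit in System32\config (RegBack copies included)
    find "$1" -type f -ipath '*/System32/config/*' \
        \( -iname SAM -o -iname SYSTEM -o -iname SOFTWARE -o -iname SECURITY \)
}

# output_name HIVE: derive a unique output file name from the hive path,
# e.g. /mnt/xvdc3/Users/admin/NTUSER.DAT -> mnt_xvdc3_Users_admin_NTUSER.DAT
output_name() {
    printf '%s\n' "$1" | sed 's#^/##; s#/#_#g'
}

# rip_hive HIVE OUTDIR: dirty check, then all hive-specific plugins.
# The dirty report is stored separately so that a hive whose recent changes are
# still in its .LOG1/.LOG2 transaction logs is not mistaken for a complete one.
rip_hive() {
    hive=$1
    out=$2/$(output_name "$1")
    # exit status of regripper -d is not documented here, so do not let it abort the run
    regripper -r "$hive" -d > "$out.dirty.txt" 2>&1 || true
    # plugins announce themselves on stderr ("Launching ..."), keep that apart from the findings
    regripper -r "$hive" -g -a > "$out.txt" 2> "$out.log"
}

main() {
    mount=${1:-/mnt/xvdc3}
    outdir=${2:-./regripper-out}
    command -v regripper > /dev/null || { echo "regripper is not installed" >&2; exit 1; }
    mkdir -p "$outdir"
    find_hives "$mount" | while IFS= read -r hive; do
        echo "ripping $hive"
        rip_hive "$hive" "$outdir"
    done
}

# only act when called with a mount point, so the functions can be sourced elsewhere
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Each hive ends up as three files: the findings, the plugin log, and the dirty report. Grep the dirty reports before trusting the findings, and treat the RegBack copies as an older snapshot of the same hives rather than as duplicates.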

Contact

binsec GmbH
Solmsstraße 41
60486 Frankfurt am Main
Germany

Legal notice

Director: Patrick Sauer
Authorized Officer: Dominik Sauer, Florian Zavatzki
Registration: Frankfurt am Main, HRB97277
Turnover Tax Identification No.: DE290966808