RegRipper is not available in Debian stable, so download the .deb file manually:
Download regripper in Debian sid/unstable
If you are not doing the analysis locally, copy the .deb file to the system on which you want to install it:
scp regripper_3.0*.deb admin@forensic:
Install the regripper .deb package manually and then let apt pull in the missing dependencies:
sudo dpkg -i regripper_3.0*.deb
sudo apt-get install -f
The Windows registry is not a single large file on disk but a collection of files called hives. Each hive holds one subtree of the registry.

| Hive | Description |
|---|---|
| NTUSER.DAT | User specific information |
| SAM | User Information |
| SYSTEM | Windows Settings |
| SOFTWARE | Software Settings |
| SECURITY | Security Policies |
The location of each hive file on the mounted image is easily found with find:
find /mnt/ -name NTUSER.DAT
The tool regripper can now be run on each hive file separately. It has hive-specific plugins as well as some quick options, as its usage text shows:
Rip v.3.0 - CLI RegRipper tool
Rip [-r Reg hive file] [-f profile] [-p plugin] [options]
Parse Windows Registry files, using either a single module, or a profile.
-r [hive] .........Registry hive file to parse
-d ................Check to see if the hive is dirty
-g ................Guess the hive file type
-a ................Automatically run hive-specific plugins
-aT ...............Automatically run hive-specific TLN plugins
-f [profile].......use the profile
-p [plugin]........use the plugin
-l ................list all plugins
-c ................Output plugin list in CSV format (use with -l)
-s systemname......system name (TLN support)
-u username........User name (TLN support)
-uP ...............Update default profiles
-h.................Help (print this information)
As an example, we now analyze (or export) the user-specific information of the Windows registry, which lives in the hive file NTUSER.DAT:
regripper -r /mnt/xvdc3/Users/admin/NTUSER.DAT -g -a
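To run RegRipper over every hive from the table instead of one file at a time, here is an added POSIX shell script (not from the original page) that locates the hives under the mount point, runs the hive-specific plugins on each and writes one report per hive. It assumes the image is mounted read-only under a directory such as /mnt/xvdc3 and that the Debian package provides the regripper command used above.

```shell
#!/bin/sh
# Run RegRipper's hive-specific plugins (-a) over every hive found below a
# mounted Windows volume and collect one report file per hive.
# Assumptions: the image is mounted under $1 (e.g. /mnt/xvdc3) and the
# "regripper" command from the Debian package is on PATH.

# Hive files to look for: NTUSER.DAT exists once per user profile, the
# other four normally live in Windows/System32/config.
HIVES="NTUSER.DAT SAM SYSTEM SOFTWARE SECURITY"

# Print the path of every hive file below the mount point, one per line.
# -iname is used because the case of file names on NTFS is not reliable.
find_hives() {
    root=$1
    for h in $HIVES; do
        find "$root" -type f -iname "$h" 2>/dev/null
    done
}

# Derive a report file name from a hive path: strip the mount point and
# replace the remaining slashes, so that /mnt/xvdc3/Users/admin/NTUSER.DAT
# becomes Users_admin_NTUSER.DAT.txt (reports of different users stay apart).
report_name() {
    root=${1%/}
    rel=${2#"$root"/}
    printf '%s.txt\n' "$(printf '%s' "$rel" | tr '/' '_')"
}

# Run regripper on one hive: -g guesses the hive type, -a runs the plugins
# for that type. stdout and stderr go into the report so plugin errors
# are kept next to the results.
rip_hive() {
    out="$3/$(report_name "$1" "$2")"
    regripper -r "$2" -g -a > "$out" 2>&1
}

main() {
    root=${1:-/mnt/xvdc3}
    outdir=${2:-./regripper-reports}
    mkdir -p "$outdir"
    find_hives "$root" | while read -r hive; do
        rip_hive "$root" "$hive" "$outdir"
    done
}

# Only start when a mount point is given, e.g.: sh rip_all_hives.sh /mnt/xvdc3 ./reports
if [ $# -gt 0 ]; then
    main "$@"
fi
```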
Last modified: April 21, 2023