Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/keydet89/RegRipper3.0

RegRipper3.0
https://github.com/keydet89/RegRipper3.0

Last synced: 3 months ago
JSON representation

RegRipper3.0

Host: GitHub
URL: https://github.com/keydet89/RegRipper3.0
Owner: keydet89
License: other
Created: 2020-05-27T15:24:38.000Z (over 4 years ago)
Default Branch: master
Last Pushed: 2023-09-12T03:08:48.000Z (about 1 year ago)
Last Synced: 2024-02-14T20:37:58.879Z (9 months ago)
Language: Perl
Size: 4.05 MB
Stars: 460
Watchers: 27
Forks: 118
Open Issues: 5
Metadata Files:
- Readme: README.md
- License: license.md

Awesome Lists containing this project

ForensicsTools - RegRipper3.0 - RegRipper is an open source Perl tool for parsing the Registry and presenting it for analysis. (Challenges / Windows Artifacts)
awesome-forensics - RegRipper3.0 - RegRipper is an open source Perl tool for parsing the Registry and presenting it for analysis (Tools / Windows Artifacts)
Awesome-Forensics - RegRipper3.0 - RegRipper is an open source Perl tool for parsing the Registry and presenting it for analysis (Tools / Windows Artifacts)

README

# RegRipper3.0

Here's what's new in this release

## WHAT'S NEW

- With the GUI (`rr.exe`), you no longer have to select a `profile;`.
Instead, select the hive to parse, and the output directory and the GUI will
automatically run all applicable plugins against the hive. This capability is
included in `rip.exe`, as well, via the `-a` switch. As an
alternative, you can use the `-aT` switch to run all hive-specific TLN plugins
against the hive. The ability to run individual plugins, as well as profiles,
has been retained, as well. You can see other options available by typing
`rip` or `rip -h` or `rip /?` at the command line.

- Date Format - There was a GitHub issue posted, asking that the date format be
changed to be IAW [ISO 8601](https://en.wikipedia.org/wiki/ISO_8601). However, the actual format provided as part of the
issue/request was IAW the RFC 3339 profile (i.e., space between the date and
time).

### NOTE

This tool does NOT automatically process hive transaction logs. If you need
to incorporate data from hive transaction logs into your analysis, consider merging
the data via Maxim Suhanov's `yarp` + `registryFlush.py`, or via Eric Zimmerman's `rla.exe`
which is included in [Eric's Registry Explorer/RECmd](https://f001.backblazeb2.com/file/EricZimmermanTools/RegistryExplorer_RECmd.zip).

The following Perl module files have been modified, and the modified versions are
provided as part of this repo:

```
C:\Perl\site\lib\Parse\Win32Registry\WinNT\File.pm
C:\Perl\site\lib\Parse\Win32Registry\WinNT\Base.pm
C:\Perl\site\lib\Parse\Win32Registry\WinNT\Key.pm
```

If you're using the Windows `exe` version of the tools, this is irrelevant, as the
modified files are "**compiled**" into the `exe`. However, if you're installing on Linux,
copy the files from the repo to the appropriate locations in your installation.