eoyslebo / regripper Goto Github PK

RegRipper FAQ

This is the FAQ for the RegRipper. 

1.  What is the RegRipper?
I should start by saying what the RegRipper is *not*...it's not
a Registry Viewer.  An examiner would not open a Registry hive file
in RegRipper to "look around".  

Further, RegRipper is NOT intended for use with live hive files.  Hive
files need to be extracted from a case (or from a live system using FTK
Imager...), or accessible via a tool such as Mount Image Pro.

RegRipper is a Windows Registry data extractor.  RegRipper uses plugins
(similar to Nessus) to access specific Registry hive files in order to 
access and extract specific keys, values, and data, and does so by 
bypassing the Win32API.  

2.  How does RegRipper work?
RegRipper uses James McFarlane's Parse::Win32Registry module to access 
a Windows Registry hive file in an object-oriented manner, bypassing the
Win32API.  This module is used to locate and access Registry key nodes
within the hive file, as well as value nodes and their data.  When 
accessing a key node, the LastWrite time is retrieved, parsed and 
translated into something the examiner can understand.  Data is retrieved
in much the same manner...if necessary, the plugin that retrieves the
data will also perform translation of that data into something readable.

3.  Who wrote and maintains RegRipper?
I did/do.  If you have any questions, concerns, comments, or suggestions 
regarding how RegRipper works, please feel free to contact me.

4.  Who should/can use RegRipper?
Anyone who wants to perform Windows Registry hive file analysis.  This tool
is specifically intended for Windows 2000, XP, and 2003 hive files (there
has been limited testing on Vista/Win2K8 hive files...everything has worked
fine so far...).

5.  How do I use RegRipper?
Simply launch rr.exe.  Also, please be sure to read the RegRipper documentation.

6.  Do I have to install anything to use the RegRipper?
Nope, not a thing.  RegRipper ships as an EXE file, able to run on Windows
systems.  All you need to do is extract the EXE and DLL in the same directory.
The source file (rr.pl) is also included, as are the plugins.

Further, RegRipper doesn't make any changes to your analysis system...no 
Registry entries are made, nor are any files installed in odd, out-of-the-way
locations.

Links
Module - http://search.cpan.org/~jmacfarla/Parse-Win32Registry/lib/
                Parse/Win32Registry.pm
                
Email - H. Carvey - [email protected]

RegRipper and rip.exe are released under the GPL license.  Please see license.txt
for details.

RegRipper and rip.exe are copyrighted to H. Carvey.