Difference between revisions of "Regripper"

From ForensicsWiki
Jump to: navigation, search
(Resources:)
 
(5 intermediate revisions by 2 users not shown)
Line 7: Line 7:
 
   website = [http://code.google.com/p/winforensicaanalysis/ code.google.com/p/winforensicaanalysis/] |
 
   website = [http://code.google.com/p/winforensicaanalysis/ code.google.com/p/winforensicaanalysis/] |
 
}}
 
}}
 
== RegRipper ==
 
  
 
RegRipper is an open source forensic software application developed by [[Harlan Carvey]].  RegRipper, written in Perl, is a [[Windows Registry]] data extraction tool.
 
RegRipper is an open source forensic software application developed by [[Harlan Carvey]].  RegRipper, written in Perl, is a [[Windows Registry]] data extraction tool.
Line 16: Line 14:
 
== Technical Background and Forensic Soundness ==
 
== Technical Background and Forensic Soundness ==
  
RegRipper uses James McFarlane’s Parse::Win32Registry module ([http://search.cpan.org/~jmacfarla/Parse-Win32Registry-0.40/]) to access a Windows Registry hive file in an object-oriented manner, bypassing the Win32API.  This module is used to locate and access Registry key nodes within the hive file, as well as value nodes and their data.  When accessing a key node, the LastWrite time is retrieved, parsed and translated into something the examiner can understand.  Data is retrieved in much the same manner…if necessary, the plugin that retrieves the data will also perform translation of that data into something readable.
+
RegRipper uses James McFarlane’s Parse::Win32Registry module [http://search.cpan.org/~jmacfarla/Parse-Win32Registry-0.40/] to access a Windows Registry hive file in an object-oriented manner, bypassing the Win32API.  This module is used to locate and access Registry key nodes within the hive file, as well as value nodes and their data.  When accessing a key node, the LastWrite time is retrieved, parsed and translated into something the examiner can understand.  Data is retrieved in much the same manner…if necessary, the plugin that retrieves the data will also perform translation of that data into something readable.
 +
 
 +
== Also see ==
 +
[[Windows Registry]]
  
== Resources: ==
+
== External Links ==
  
 
* [http://www.regripper.wordpress.com RegRipper Blog]
 
* [http://www.regripper.wordpress.com RegRipper Blog]
* [http://code.google.com/p/winforensicaanalysis/ RegRipper Original Code and supporting information]
+
* [http://code.google.com/p/winforensicaanalysis/ Windows Forensics Analysis]
 
* [http://code.google.com/p/regripperplugins/ RegRipper Supplemental Plugins]
 
* [http://code.google.com/p/regripperplugins/ RegRipper Supplemental Plugins]
 
* [http://windowsir.blogspot.com/ Developers blog (Windows Incident Response)]
 
* [http://windowsir.blogspot.com/ Developers blog (Windows Incident Response)]
 +
* [http://code.google.com/p/regripper/ RegRipper Google Code]

Latest revision as of 01:14, 24 August 2012

RegRipper
Maintainer: Harlan Carvey
OS: Windows
Genre: Analysis
License: GPL
Website: code.google.com/p/winforensicaanalysis/

RegRipper is an open source forensic software application developed by Harlan Carvey. RegRipper, written in Perl, is a Windows Registry data extraction tool.

RegRipper can be customized to the examiner's needs through the use of available plugins or by users writing plugins to suit specific needs.

Technical Background and Forensic Soundness

RegRipper uses James McFarlane’s Parse::Win32Registry module [1] to access a Windows Registry hive file in an object-oriented manner, bypassing the Win32API. This module is used to locate and access Registry key nodes within the hive file, as well as value nodes and their data. When accessing a key node, the LastWrite time is retrieved, parsed and translated into something the examiner can understand. Data is retrieved in much the same manner…if necessary, the plugin that retrieves the data will also perform translation of that data into something readable.

Also see

Windows Registry

External Links