ATTENTION: The new home of the Digital Forensics Wiki is at Yeah, it's a silly name, but it was cheap.
This wiki will be going offline permanently in the near future. An exact date will be announced soon. Thank you for being a part of this community.
If you wish to work on the new forensicswiki, please join the Google Group forensicswiki-reborn


From ForensicsWiki
Revision as of 17:22, 17 July 2012 by Bshavers (Talk | contribs) (RegRipper)

Jump to: navigation, search


RegRipper is an open source forensic software application developed by Harlan CarveyHarlan Carvey. RegRipper, written in Perl, is a Windows Registry data extraction tool.

RegRipper can be customized to the examiner's needs through the use of available plugins or by users writing plugins to suit specific needs.

Technical Background and Forensic Soundness

RegRipper uses James McFarlane’s Parse::Win32Registry module ([1]) to access a Windows Registry hive file in an object-oriented manner, bypassing the Win32API. This module is used to locate and access Registry key nodes within the hive file, as well as value nodes and their data. When accessing a key node, the LastWrite time is retrieved, parsed and translated into something the examiner can understand. Data is retrieved in much the same manner…if necessary, the plugin that retrieves the data will also perform translation of that data into something readable.