ATTENTION: The new home of the Digital Forensics Wiki is at https://forensicswiki.xyz/. Yeah, it's a silly name, but it was cheap.
This wiki will be going offline permanently in the near future. An exact date will be announced soon. Thank you for being a part of this community.
If you wish to work on the new forensicswiki, please join the Google Group forensicswiki-reborn
RegRipper can be customized to the examiner's needs through the use of available plugins or by users writing plugins to suit specific needs.
Technical Background and Forensic Soundness
RegRipper uses James McFarlane’s Parse::Win32Registry module () to access a Windows Registry hive file in an object-oriented manner, bypassing the Win32API. This module is used to locate and access Registry key nodes within the hive file, as well as value nodes and their data. When accessing a key node, the LastWrite time is retrieved, parsed and translated into something the examiner can understand. Data is retrieved in much the same manner…if necessary, the plugin that retrieves the data will also perform translation of that data into something readable.
- RegRipper Blog [(http://www.regripper.wordpress.com)]
- RegRipper Original Code and supporting information [(http://code.google.com/p/winforensicaanalysis/)]
- RegRipper Supplemental Plugins [(http://code.google.com/p/regripperplugins/)]
- Developers blog (Windows Incident Response) [(http://windowsir.blogspot.com/)]