RegRipper is an open source forensic tool for extracting data from Windows Registry hives, available as a command line or GUI tool. It is written in Perl, and this article describes the installation of the RegRipper command line tool on Linux systems such as Debian, Ubuntu, Fedora, CentOS or Red Hat. For the most part, the installation of the command line tool is distribution agnostic, except for the step where we install the prerequisites.
https://linuxconfig.org/how-to-install-regripper-registry-data-extraction-tool-on-linux
https://github.com/keydet89/RegRipper2.8
Pre-requisites
First we need to install all prerequisites. Choose the relevant command below based on the Linux distribution you are running:
DEBIAN/UBUNTU
# apt-get install cpanminus make unzip wget
FEDORA
# dnf install perl-App-cpanminus.noarch make unzip wget perl-Archive-Extract-gz-gzip.noarch which
CENTOS/REDHAT
# yum install perl-App-cpanminus.noarch make unzip wget perl-Archive-Extract-gz-gzip.noarch which
Installation of required libraries
The RegRipper command line tool depends on the Perl Parse::Win32Registry library. The following commands take care of this prerequisite and install the library into the /usr/local/lib/rip-lib directory:
# mkdir /usr/local/lib/rip-lib
# cpanm -l /usr/local/lib/rip-lib Parse::Win32Registry
RegRipper script installation
At this stage we are ready to install the rip.pl script. The script is intended to run on MS Windows systems, so we need to make some small modifications. We will also add the path to the Parse::Win32Registry library installed above. Download the RegRipper source code from https://regripper.googlecode.com/files/. The current version is 2.8:
# wget -q https://regripper.googlecode.com/files/rrv2.8.zip
Extract the rip.pl script:
# unzip -q rrv2.8.zip rip.pl
Remove the interpreter line and the unwanted DOS new line character ^M:
# tail -n +2 rip.pl > rip
# perl -pi -e 'tr[\r][]d' rip
Modify the script to include an interpreter line relevant to your Linux system and also include the library path to Parse::Win32Registry:
# sed -i "1i #!`which perl`" rip
# sed -i '2i use lib qw(/usr/local/lib/rip-lib/lib/perl5/);' rip
Install your RegRipper rip script and make it executable:
# cp rip /usr/local/bin
# chmod +x /usr/local/bin/rip
RegRipper Plugins installation
Lastly, we need to install RegRipper's plugins.
# wget -q https://regripper.googlecode.com/files/plugins20130429.zip
# mkdir /usr/local/bin/plugins
# unzip -q plugins20130429.zip -d /usr/local/bin/plugins
The RegRipper registry data extraction tool is now installed on your system and available via the rip command:
# rip
Rip v.2.8 - CLI RegRipper tool
Rip [-r Reg hive file] [-f plugin file] [-p plugin module] [-l] [-h]
Parse Windows Registry files, using either a single module, or a plugins file.
-r Reg hive file...Registry hive file to parse
-g ................Guess the hive file (experimental)
-f [profile].......use the plugin file (default: plugins\plugins)
-p plugin module...use only this module
-l ................list all plugins
-c ................Output list in CSV format (use with -l)
-s system name.....Server name (TLN support)
-u username........User name (TLN support)
-h.................Help (print this information)
Ex: C:\>rip -r c:\case\system -f system
C:\>rip -r c:\case\ntuser.dat -p userassist
C:\>rip -l -c
All output goes to STDOUT; use redirection (ie, > or >>) to output to a file.
copyright 2013 Quantum Analytics Research, LLC
RegRipper command examples
A few examples using RegRipper and an NTUSER.DAT registry hive file. List all available plugins:
$ rip -l -c
List software installed by the user:
$ rip -p listsoft -r NTUSER.DAT
Launching listsoft v.20080324
listsoft v.20080324
(NTUSER.DAT) Lists contents of user's Software key
listsoft v.20080324
List the contents of the Software key in the NTUSER.DAT hive
file, in order by LastWrite time.
Mon Dec 14 06:06:41 2015Z Google
Mon Dec 14 05:54:33 2015Z Microsoft
Sun Dec 29 16:44:47 2013Z Bitstream
Sun Dec 29 16:33:11 2013Z Adobe
Sun Dec 29 12:56:03 2013Z Corel
Thu Dec 12 07:34:40 2013Z Clients
Thu Dec 12 07:34:40 2013Z Mozilla
Thu Dec 12 07:30:08 2013Z MozillaPlugins
Thu Dec 12 07:22:34 2013Z AppDataLow
Thu Dec 12 07:22:34 2013Z Wow6432Node
Thu Dec 12 07:22:32 2013Z Policies
Extract all available information using every plugin written for the NTUSER.DAT hive and save it to the case1.txt file (the loop must be closed with done):
$ for i in $( rip -l -c | grep NTUSER.DAT | cut -d , -f1 ); do rip -p "$i" -r NTUSER.DAT &>> case1.txt ; done
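The grep in the loop above matches any line of the plugin list that mentions NTUSER.DAT, including plugins whose description merely refers to it. As an added example, not code from the article or from the RegRipper project, the functions below select plugins by the hive column of the CSV list and write a labelled section per plugin so a failing plugin is visible rather than lost; the CSV layout plugin,version,hive,description and the sample plugin list are assumptions constructed for this example.

```shell
#!/bin/bash
# Added example (not from the original article or RegRipper itself).
# Assumed layout of "rip -l -c" output: plugin,version,hive,description

# Constructed sample of "rip -l -c" output; the versions and descriptions
# other than listsoft's are made up for this example.
SAMPLE_PLUGIN_LIST='listsoft,20080324,NTUSER.DAT,Lists contents of users Software key
userassist,20130603,NTUSER.DAT,Displays contents of UserAssist subkeys
compname,20090727,System,Gets ComputerName and Hostname from the System hive
winver,20081210,Software,Get Windows version; NTUSER.DAT is not used
shellbags,20130117,USRCLASS.DAT,Shell/BagMRU traversal in USRCLASS.DAT hives
baseline,20130211,All,Reports the number of keys and values in any hive'

# select_plugins HIVE_TYPE   (reads the CSV plugin list on stdin)
# Prints one plugin name per line whose hive column equals HIVE_TYPE
# (case-insensitive) or is "All"; ignores blank or malformed lines.
select_plugins() {
  awk -F, -v want="$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" '
    NF >= 3 {
      hive = tolower($3); gsub(/^[ \t]+|[ \t]+$/, "", hive)
      if (hive == want || hive == "all") print $1
    }'
}

# run_plugins HIVE_TYPE HIVE_FILE OUTFILE
# Runs every matching plugin against HIVE_FILE, one labelled section each,
# and records a marker line when a plugin exits non-zero. The rip binary
# can be overridden with the RIP environment variable.
run_plugins() {
  local hive_type=$1 hive_file=$2 outfile=$3 rip=${RIP:-rip} plugin
  : > "$outfile"
  "$rip" -l -c | select_plugins "$hive_type" | while read -r plugin; do
    printf '=== %s ===\n' "$plugin" >> "$outfile"
    if ! "$rip" -p "$plugin" -r "$hive_file" >> "$outfile" 2>&1; then
      printf '[!] plugin %s exited non-zero\n' "$plugin" >> "$outfile"
    fi
  done
}
```

Usage: run_plugins NTUSER.DAT /case/NTUSER.DAT case1.txt runs the NTUSER.DAT and All plugins against the hive and collects everything in case1.txt.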