Saturday, December 26, 2015

How to install RegRipper registry data extraction tool on Linux

RegRipper is an open source forensic software used as a Windows Registry data extraction command line or GUI tool. It is written in Perl and this article will describe RegRipper command line tool installation on the Linux systems such as Debian, Ubuntu, Fedora, Centos or Redhat. For the most part, the installation process of command line tool RegRipper is OS agnostic except the part where we deal with installation pre-requisites.

1. Pre-requisites

Fist we need to install all prerequisites. Choose a relevant command below based on the Linux distribution you are running:
# apt-get install cpanminus make unzip wget
# dnf install perl-App-cpanminus.noarch make unzip wget perl-Archive-Extract-gz-gzip.noarch which
# yum install  perl-App-cpanminus.noarch make unzip wget perl-Archive-Extract-gz-gzip.noarch which

2. Installation of required libraries

The RegRipper command line tool depends on perl Parse::Win32Registry library. The following commands will take care of this pre-requisite and install this library into /usr/local/lib/rip-lib directory:
# mkdir /usr/local/lib/rip-lib
#  cpanm -l /usr/local/lib/rip-lib Parse::Win32Registry

3. RegRipper script installation

At this stage we are ready to install script. The script is intended to run on MS Windows systems and as a result we need to make some small modifications. We will also include a path to the above installed Parse::Win32Registry library. Download RegRipper source code from Current version is 2.8:
#  wget -q
Extract script:
# unzip -q 
Remove interpretor line and unwanted DOS new line character ^M:
# tail -n +2 > rip
# perl -pi -e 'tr[\r][]d' rip
Modify script to include an interpretor relevant to your Linux system and also include library path to Parse::Win32Registry:
# sed -i "1i #!`which perl`" rip
# sed -i '2i use lib qw(/usr/local/lib/rip-lib/lib/perl5/);' rip
Install your RegRipper rip script and make it executable:
# cp rip /usr/local/bin
# chmod +x /usr/local/bin/rip

4. RegRipper Plugins installation

Lastly, we need to install RegRipper's Plugins.
# wget -q
# mkdir /usr/local/bin/plugins 
# unzip -q -d /usr/local/bin/plugins
RegRipper registry data extraction tool is now installed on your system and available via rip command:
# rip
Rip v.2.8 - CLI RegRipper tool
Rip [-r Reg hive file] [-f plugin file] [-p plugin module] [-l] [-h]
Parse Windows Registry files, using either a single module, or a plugins file.

  -r Reg hive file...Registry hive file to parse
  -g ................Guess the hive file (experimental)
  -f [profile].......use the plugin file (default: plugins\plugins)
  -p plugin module...use only this module
  -l ................list all plugins
  -c ................Output list in CSV format (use with -l)
  -s system name.....Server name (TLN support)
  -u username........User name (TLN support)
  -h.................Help (print this information)
Ex: C:\>rip -r c:\case\system -f system
    C:\>rip -r c:\case\ntuser.dat -p userassist
    C:\>rip -l -c

All output goes to STDOUT; use redirection (ie, > or >>) to output to a file.
copyright 2013 Quantum Analytics Research, LLC

5. RegRipper command examples

Few examples using RegRipper and NTUSER.DAT registry hive file.

List all available plugins:
$ rip -l -c
List software installed by the user:
$ rip -p listsoft -r NTUSER.DAT
Launching listsoft v.20080324
listsoft v.20080324
(NTUSER.DAT) Lists contents of user's Software key

listsoft v.20080324
List the contents of the Software key in the NTUSER.DAT hive
file, in order by LastWrite time.

Mon Dec 14 06:06:41 2015Z       Google
Mon Dec 14 05:54:33 2015Z       Microsoft
Sun Dec 29 16:44:47 2013Z       Bitstream
Sun Dec 29 16:33:11 2013Z       Adobe
Sun Dec 29 12:56:03 2013Z       Corel
Thu Dec 12 07:34:40 2013Z       Clients
Thu Dec 12 07:34:40 2013Z       Mozilla
Thu Dec 12 07:30:08 2013Z       MozillaPlugins
Thu Dec 12 07:22:34 2013Z       AppDataLow
Thu Dec 12 07:22:34 2013Z       Wow6432Node
Thu Dec 12 07:22:32 2013Z       Policies
Extract all available information using all plugins and save it to case1.txt. file:
$ for i in $( rip -l -c | grep NTUSER.DAT | cut -d , -f1 ); do rip -p $i -r NTUSER.DAT &>> case1.txt ; done

No comments:

Post a Comment