http://linuxconfig.org/how-to-install-regripper-registry-data-extraction-tool-on-linux#h5-regripper-command-examples
RegRipper is open source forensic software used as a Windows Registry data extraction tool, available as either a command line or a GUI tool. It is written in Perl, and this article describes the installation of the RegRipper command line tool on Linux systems such as Debian, Ubuntu, Fedora, CentOS or Red Hat. For the most part, the installation of the RegRipper command line tool is OS agnostic, except for the installation of the pre-requisites.
1. Pre-requisites
First we need to install all prerequisites. Choose the relevant command below based on the Linux distribution you are running:

DEBIAN/UBUNTU
# apt-get install cpanminus make unzip wget

FEDORA
# dnf install perl-App-cpanminus.noarch make unzip wget perl-Archive-Extract-gz-gzip.noarch which

CENTOS/REDHAT
# yum install perl-App-cpanminus.noarch make unzip wget perl-Archive-Extract-gz-gzip.noarch which
2. Installation of required libraries
The RegRipper command line tool depends on the Perl Parse::Win32Registry library. The following commands take care of this pre-requisite and install the library into the /usr/local/lib/rip-lib directory:

# mkdir /usr/local/lib/rip-lib
# cpanm -l /usr/local/lib/rip-lib Parse::Win32Registry
3. RegRipper script installation
At this stage we are ready to install the rip.pl script. The script is intended to run on MS Windows systems, so we need to make some small modifications. We will also include a path to the Parse::Win32Registry library installed above.

Download the RegRipper source code from https://regripper.googlecode.com/files/. The current version is 2.8:

# wget -q https://regripper.googlecode.com/files/rrv2.8.zip

Extract the rip.pl script:

# unzip -q rrv2.8.zip rip.pl

Remove the interpreter line and the unwanted DOS new line character ^M:

# tail -n +2 rip.pl > rip
# perl -pi -e 'tr[\r][]d' rip

Modify the script to include an interpreter relevant to your Linux system and also include the library path to Parse::Win32Registry:

# sed -i "1i #!`which perl`" rip
# sed -i '2i use lib qw(/usr/local/lib/rip-lib/lib/perl5/);' rip

Install your RegRipper rip script and make it executable:

# cp rip /usr/local/bin
# chmod +x /usr/local/bin/rip
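The tail, perl -pi and sed steps above can be wrapped in a single shell function, which makes the conversion repeatable when RegRipper is reinstalled or moved to another analysis box. The following is an added example, not code from the article or from the RegRipper project: it uses tr and printf in place of perl -pi and sed -i, assumes the first argument is the extracted rip.pl, the second the output path, and the optional third the directory where cpanm installed Parse::Win32Registry (defaulting to the path used in this article). The check function verifies the three properties the conversion must produce: a shebang on line one, the use lib directive on line two, and no carriage returns left anywhere in the file.

```shell
#!/bin/sh
# Added example (not from the article): prepare the Windows-oriented rip.pl as
# a Linux-ready "rip" script. Equivalent to the tail / perl -pi / sed steps.
# Assumptions: $1 = extracted rip.pl, $2 = output path,
#              $3 = lib directory used by cpanm (defaults to the article's path).
prepare_rip_script() {
    src="$1"
    dst="$2"
    libdir="${3:-/usr/local/lib/rip-lib/lib/perl5/}"

    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }

    # Interpreter for the new first line; fall back to the usual location
    # if perl is not on PATH at the moment this runs.
    perl_path=$(command -v perl 2>/dev/null || echo /usr/bin/perl)

    {
        printf '#!%s\n' "$perl_path"
        printf 'use lib qw(%s);\n' "$libdir"
        # Drop the original Windows interpreter line (line 1) and strip the
        # DOS carriage returns (^M) from every remaining line.
        tail -n +2 "$src" | tr -d '\r'
    } > "$dst" || return 1

    chmod +x "$dst"
}

# Sanity check of the result: line 1 is a shebang, line 2 is the "use lib"
# directive, and no carriage return survived. Returns 0 when all three hold.
check_rip_script() {
    f="$1"
    case "$(sed -n '1p' "$f")" in '#!'*) ;; *) return 1 ;; esac
    case "$(sed -n '2p' "$f")" in 'use lib qw('*');') ;; *) return 1 ;; esac
    [ -z "$(tr -cd '\r' < "$f")" ]
}

# Usage (not run automatically):
#   prepare_rip_script rip.pl rip && check_rip_script rip && cp rip /usr/local/bin
```

Run check_rip_script before copying the result into /usr/local/bin; a leftover carriage return on the shebang line is the usual reason a converted Perl script fails with "bad interpreter" on Linux.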
4. RegRipper Plugins installation
Lastly, we need to install RegRipper's plugins:

# wget -q https://regripper.googlecode.com/files/plugins20130429.zip
# mkdir /usr/local/bin/plugins
# unzip -q plugins20130429.zip -d /usr/local/bin/plugins

The RegRipper registry data extraction tool is now installed on your system and available via the rip command:

# rip
Rip v.2.8 - CLI RegRipper tool
Rip [-r Reg hive file] [-f plugin file] [-p plugin module] [-l] [-h]
Parse Windows Registry files, using either a single module, or a plugins file.

  -r Reg hive file...Registry hive file to parse
  -g ................Guess the hive file (experimental)
  -f [profile].......use the plugin file (default: plugins\plugins)
  -p plugin module...use only this module
  -l ................list all plugins
  -c ................Output list in CSV format (use with -l)
  -s system name.....Server name (TLN support)
  -u username........User name (TLN support)
  -h.................Help (print this information)

Ex: C:\>rip -r c:\case\system -f system
    C:\>rip -r c:\case\ntuser.dat -p userassist
    C:\>rip -l -c

All output goes to STDOUT; use redirection (ie, > or >>) to output to a file.

copyright 2013 Quantum Analytics Research, LLC
5. RegRipper command examples
A few examples using RegRipper and an NTUSER.DAT registry hive file. List all available plugins:

$ rip -l -c

List software installed by the user:

$ rip -p listsoft -r NTUSER.DAT
Launching listsoft v.20080324
listsoft v.20080324
(NTUSER.DAT) Lists contents of user's Software key

listsoft v.20080324
List the contents of the Software key in the NTUSER.DAT hive
file, in order by LastWrite time.

Mon Dec 14 06:06:41 2015Z	Google
Mon Dec 14 05:54:33 2015Z	Microsoft
Sun Dec 29 16:44:47 2013Z	Bitstream
Sun Dec 29 16:33:11 2013Z	Adobe
Sun Dec 29 12:56:03 2013Z	Corel
Thu Dec 12 07:34:40 2013Z	Clients
Thu Dec 12 07:34:40 2013Z	Mozilla
Thu Dec 12 07:30:08 2013Z	MozillaPlugins
Thu Dec 12 07:22:34 2013Z	AppDataLow
Thu Dec 12 07:22:34 2013Z	Wow6432Node
Thu Dec 12 07:22:32 2013Z	Policies

Extract all available information using all plugins and save it to the case1.txt file:

$ for i in $( rip -l -c | grep NTUSER.DAT | cut -d , -f1 ); do rip -p $i -r NTUSER.DAT &>> case1.txt ; done
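The one-line loop above appends every plugin's stdout and stderr to case1.txt with nothing separating one plugin from the next, and a plugin that fails leaves no trace in the report beyond its error text. The following is an added example, not code from the article or from the RegRipper project, that goes a little further: it selects plugins by the hive field of the CSV listing rather than by a grep over the whole line, writes a header before each plugin's output, and records every non-zero exit status. It assumes the CSV produced by rip -l -c has the layout plugin,version,hive,description (plugin name first, hive third), and that the rip command can be overridden through a RIP variable (both assumptions are marked in the code); the sample listing in the test is constructed.

```shell
#!/bin/sh
# Added example (not from the article or the RegRipper project): run every
# plugin that targets a given hive and collect the output into one report,
# with a header per plugin and a note whenever a plugin exits non-zero.
# Assumptions: "rip -l -c" output has the layout plugin,version,hive,description
# (plugin name first, hive third); the command is taken from $RIP, default "rip".

# Print the names of plugins whose hive field mentions the given hive.
# Reads the "rip -l -c" CSV on stdin. Matching on the hive field only avoids
# picking up plugins whose description merely mentions the hive name.
plugins_for_hive() {
    hive="$1"
    awk -F, -v hive="$hive" 'index($3, hive) > 0 { print $1 }'
}

# run_all_plugins HIVE_FILE REPORT PLUGIN_CSV [HIVE_NAME]
# Runs each matching plugin against HIVE_FILE, appending to REPORT.
# HIVE_NAME defaults to the file name of HIVE_FILE (matching is case-sensitive,
# so pass it explicitly when the file is named e.g. ntuser.dat).
# Prints the number of plugins that exited non-zero to stdout.
run_all_plugins() {
    hive_file="$1"
    report="$2"
    listing="$3"
    hive_name="${4:-$(basename "$hive_file")}"
    rip_cmd="${RIP:-rip}"
    failures=0

    # A temporary file keeps the loop out of a pipeline subshell, so the
    # failure counter is still visible after the loop in every POSIX shell.
    plist=$(mktemp)
    plugins_for_hive "$hive_name" < "$listing" > "$plist"

    while IFS= read -r plugin; do
        printf '===== %s (%s) =====\n' "$plugin" "$hive_name" >> "$report"
        if ! "$rip_cmd" -p "$plugin" -r "$hive_file" >> "$report" 2>&1; then
            printf '[plugin %s exited with a non-zero status]\n' "$plugin" >> "$report"
            failures=$((failures + 1))
        fi
    done < "$plist"

    rm -f "$plist"
    echo "$failures"
}

# Usage (not run automatically):
#   rip -l -c > plugins.csv
#   run_all_plugins NTUSER.DAT case1.txt plugins.csv
```

The printed failure count is the value to check at the end of a batch run: a report that looks complete but was produced with failed plugins is easy to misread, and the per-plugin headers make it possible to tell which section of case1.txt came from which plugin.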