Sunday, April 20, 2008

Updated RegRipper

I posted an updated version of RegRipper (2.01A, Basic Edition) up on had a couple of small updates to the GUI, mostly in the area of input validation (thanks to sippy for the input on that), but nothing to warrant a new version number, really. A quick run-down of updates includes:

- GUI input validation stuff (thanks to sippy)

- Added '-c' switch to rip.exe, so that when you list the plugins (ie, 'rip -l') you can now get the output in CSV format

- Added some new plugins (SAMParse, WinNT_CV, ProfileList, BitBucket, etc.), as well as made some minor updates to a couple of others, based on my own testing and use, as well as a suggestion from a user

This download includes all of the plugins from the previous download, plus the ones mentioned above. Installing this package is as simple a extracting the files from the zip archive into the same directory you used with the previous version.

A couple of notes and reminders on the use of these tools...

- RegRipper is NOT intended to be run on live Registry hive files - feel free to do so, but please...if it doesn't work, I already know that! =)

- If you find that RegRipper did not apparently work properly, or you think it didn't, then please feel free to contact me...but please also include the log file generated by RegRipper (ie, rr-.log). If at all possible, the actual hive file you were running against would be very helpful, but in most cases the log file should contain some useful info, albeit nothing customer- or case-specific.

- Keep in mind that while the edition of RegRipper you're using is fully functional, there is additional functionality that has been incorporated into the Advanced edition of the tool, such as support for selecting and using arbitrary plugins files, etc. I've included this in the if you have feature requests, please consult the FAQ and file named "regripper.pdf" first.

- Please be sure to read the documentation (FAQ, regripper.pdf) if you have any questions. I have received requests to provide plugins for USB removable storage devices...after I put in the effort to write and test the plugin, and included it in the distribution.

For those of you who have tried/used RegRipper, I hope you've found it as useful as I continue to find it just about every day. For those of you who have commented or provided feedback, I thank you very much for that.

Other stuff...
On a side note, I added an experimental '-g' switch to the version of rip.exe that I keep with the Advanced edition of RegRipper...this switch does some guessing as to what kind of hive file the analyst is pointing to. One of the things I've been toying with on the side, something requested by a friend, is the ability to parse not only a specific hive file, but to then access the Restore Points on XP, and run that same plugin against the appropriate hive file within each RP. I've got most of the code working, at this point it's simply a matter of tying it together and having the output in a readable format.