Thursday, April 04, 2013

RegRipper Consolidation

RegRipper has been consolidated at a single, static site.

Going forward, everything related to RegRipper will be available via (either at, or linked from) this one site.  Updates to the tools will be available here, documentation will be available in the Wiki, and the latest plugin archives will be available from this site, as well.

The reason for doing this is that there just seems to be too much confusion associated with the tool.  I've received emails saying that there are just too many sites that offer RegRipper, and that it's too confusing to figure out which one is the right one.  So, let's just make it simple...this is the right one.

You'll notice that there's material in the Wiki, as well.  We'll be using this to document and provide information in one single, static location.  There is some information there now, but if there's something of interest that you can't find, let me know. I'll be happy to add or update information on the Wiki so that it's more useful.

I greatly appreciate all of the work that folks like Francesco, Brett, and Corey have put into the tool over the years.  I also greatly appreciate the work of folks who have written plugins, as well as folks like Adam and "Cheeky4n6Monkey" who've written tools in an effort to make RegRipper easier to use.  This consolidation does not take away from the great work that they've all done...it's simply a desire to bring everything together in one place.

So, what's different with this iteration of RegRipper?  Not a lot, really.  Again, it's more of a consolidation than anything else.  Corey and I have put a lot of effort into "cleaning" up the plugin archive.  We have updated a number of the plugins, consolidating some functionality, and adding other functionality (support for Wow6432Node where appropriate, etc.); in fact, there are so many of those little changes that we're going to forego the History page, but we'll pick it back up as we start documenting changes again going forward.  So really...the biggest change is just the consolidation of everything in a single location.

Again, going forward, I'd like to have everything related to RegRipper at one site.  Also, if you have any plugin requests, or just want to provide sample data for testing, please feel free to send it to me.

Finally, one more great big thanks to all of those who have supported RegRipper, by blogging about it, requesting or providing plugins, including it in an archive or distro, etc. 

6 comments:

Ken Pryor said...

I'm glad to see everything will now be at the same location. Should make things easier for everyone.
KP

Keydet89 said...

Thanks, Ken.

So, what are your thoughts on some of the new functionality?

Phil Rodokanakis said...

That's a great idea. I hadn't updated RegRipper in a while, because I was confused (well, I really didn't take the time to figure out all the details, but consolidating everything in one site makes A LOT of sense to me. Thanks for doing this Harlan.

Question: The "rip -h" command, shows three examples in the bottom of the help output. But all three examples pertain to the rr.exe (e.g., "rr -l -c"). Shouldn't those examples use "rip.exe" instead of "rr.exe'? For example, to get a listing of the plug-ins, "rr -l -c" gets me nothing, whereas "rip -l -c > PlugInsList.csv" get's me a listing of the plug-ins in CSV format.

Thanks again for all your efforts on behalf of all forensicators.

Best regards, Phil

Keydet89 said...

Phil,

...because I was confused...

About? By?

... three examples...

You're right. In all this time, you're the first person to catch that. I'll fix it and roll it out in a later version. Thanks.

Chad Tilbury said...

Nice work on the consolidation! Thank you for all the hard work. Regripper still reigns as one of the most important and useful DFIR utilities.

Keydet89 said...

Chad,

Thanks. I had hoped to get more support from the community in developing the tool, specifically with respect to the plugins. Corey Harrell, Brett Shavers, fpi, etc...all of their assistance has been invaluable, and greatly appreciated.

Unfortunately, too many people ask, "...does it do this?", and too often the answer is "no", simply because I haven't see those cases, or the data. I don't expect everyone to write plugins, but I have hoped for a while now that folks would offer up data so that new plugins could be written, or current plugins made better.

It's also unfortunate that my offer of assistance to Rob with respect to writing plugins to support the FOR508 course wasn't accepted. I think that there was a lot of great potential there...