The Windows Incident Response Blog is dedicated to the myriad information surrounding and inherent to the topics of IR and digital analysis of Windows systems. This blog provides information in support of my books; "Windows Forensic Analysis" (1st thru 4th editions), "Windows Registry Forensics",
as well as the book I co-authored with Cory Altheide, "Digital Forensics with Open Source Tools".
Tuesday, April 08, 2008
RegRipper on SF.net
I've posted RegRipper v2.0A Basic Edition to SF.net. The archive includes the source and EXEs for RegRipper and rip.exe (as well as the required DLL), an FAQ, whitepaper, list of current plugins, etc.
HC,
All I can say is wow, and thank you. Look forward to spending some time testing this.
Thank you for all you give back to the community.
Harlan! Works like a charm on my XP Pro SP3 machine. Fast, accurate and simply great! More feedback to come...
Cheers,
mitch
Wow! Currently using this for an incident investigation, and it is turning work that would take hours into minutes! Thanks H.C.!
Very cool! I'm glad it worked as well for you as it has for me...
Just caught this, I'm looking forward to getting my grubby little mitts on it (sorry, that was very English).
Thanks Harlan.
WOW!
This thing rocks!
Dave,
Thanks for those words! If you can think of other keys or anything else that might be done to improve the tool...aside from those things already mentioned in the documentation...please feel free to drop me a line.
A couple of things that have been mentioned so far...
Collection of Protected Storage Service info for each user
Love to, but I need help with the encryption.
Include ability to do XML, CSV, and HTML output
That might be something for the future...
You collect the contents of the USBStor key, can you also do that for the Enum\IDE key?
Done.
Can you just dump the contents of the Windows\CurrentVersion key?
Done.
I just used this tool during our most recent incident. It works like a charm.
Thank you very much, Harlan, for such a great tool.
Does anyone know a reliable Windows registry scanner that can search the registry on a number of workstations at the same time?
So, I will provide the range of IPs and the reg key, and the software will return the workstations on which the reg key exists, along with its value.
Cheers,
Caner
Caner,
Thanks!
As to your second question, I mentioned in one of my books that I'd written one such tool myself. Using the Win32::TieRegistry module, I'd written a tool back in 2001-2002 that did just that...I ran it once a month across our infrastructure to get the contents of certain keys to look for spyware. I'd run it during lunch, come back, and have a report. Very nice stuff.
h
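A sweep of the kind Caner asks about and Harlan describes, written here as an added example using the same Win32::TieRegistry module (this is not RegRipper's code nor the tool mentioned in the comment). The host names and the key path are constructed placeholders; the script assumes the Remote Registry service is running on each target and that it is run with administrative rights there.

```perl
#!/usr/bin/perl
# Check a list of hosts for one registry key and report, per host, whether
# the key exists and what values it holds. Mirrors the approach described
# above: walk the fleet, collect a key, read the report afterwards.
use strict;
use warnings;
use Win32::TieRegistry( Delimiter => "/", ArrayValues => 1 );

# Hosts to check (constructed placeholders). In practice this list would be
# read from a file or expanded from the IP range the questioner mentions.
my @hosts = qw(WKS-001 WKS-002 WKS-003);

# Key to look for, relative to HKEY_LOCAL_MACHINE ("LMachine" in TieRegistry
# terms). The Run key is used here because it is a typical autostart location
# checked when looking for spyware; substitute any key of interest.
my $key_path = "Software/Microsoft/Windows/CurrentVersion/Run/";

foreach my $host (@hosts) {
    # Connect() opens a key on a remote machine through the Remote Registry
    # service. It returns undef both when the host is unreachable and when
    # the key does not exist; $^E carries the Win32 error text for the report.
    my $remote = $Registry->Connect( $host, "LMachine/$key_path" );
    unless ( defined $remote ) {
        print "$host: key not found or host not reachable ($^E)\n";
        next;
    }
    print "$host: $key_path present\n";

    # With ArrayValues => 1 each value lookup returns [ data, type ].
    # A leading delimiter selects a value name rather than a subkey.
    foreach my $name ( $remote->ValueNames ) {
        my ( $data, $type ) = @{ $remote->{"/$name"} };
        printf "    %-30s type=%d  %s\n", ( $name eq '' ? '(Default)' : $name ),
            $type, $data;
    }
}
```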