Thursday, November 20, 2008

Yet another way to use RegRipper

The other day, John McCash sent me an email that said the following (posted with permission):

I figured out how to make Encase switch the current working directory for the viewer and like it. The command line "/c cd /d D:\regripper&rip -r [file] -f all&pause", using "C:\WINDOWS\system32\cmd.exe" as the application path, works just dandy in the file viewer configuration.

What John's done is launch rip.exe as an EnCase file viewer. Now, I'm not sure why you'd want to use "D:\regripper&rip", and to be honest, I usually don't use file viewers in EnCase, but hey, John, if that works for you, more power to ya! Git 'er done! ;-)

4 comments:

Anonymous said...

Harlan - Just to clarify, what the specified command actually does is to change the current directory for the spawned 'file viewer' to D:\regripper, then run 'rip -r [file] -r all', and pause with the results displayed in the Windows shell pop-up window until the user hits a key. This allows me to quickly and easily preview the results of running regripper on a registry hive file, without having to actually export the file and run it by hand. If I want to save the results, I either run it manually, or copy and paste the results from the shell window. You will probably need to also increase the buffer and windows size for your Windows shell. I did it this way because neither notepad or wordpad will read from standard input.
John McCash

H. Carvey said...

John,

Great stuff! This is exactly what's needed...this kind of explanation.

Anonymous said...

I think anything that reduces the click-fest that is unavoidable when shunting data around our burgeoning forensic toolbox is a good thing!

Can't get the &pause line to work though. Piping the output to the clipboard on a Vista box might work.

Sonia

Anonymous said...

nvm, silly quotes! It works now. Ty for the great scripts too Harlan.

Sonia