RegRipper
Qu'est-ce que RegRipper ?
RegRipperAn open-source Windows registry forensics tool by Harlan Carvey that runs plug-in 'extractors' over registry hives (NTUSER.DAT, SYSTEM, SOFTWARE, SAM, SECURITY) to surface specific artifacts of investigative interest.
RegRipper, written by Harlan Carvey and maintained on GitHub, is the de facto open-source tool for triaging Windows registry hives. Where a generic registry viewer (Registry Explorer, regedit) lets an analyst browse, RegRipper runs a curated library of Perl plug-ins that each target a specific artifact — RecentDocs, ShellBags, UserAssist, AppCompatCache, AmCache, USB device history, installed software, persistent run keys, services, scheduled tasks, network interfaces, Office MRU, and many more. Plug-ins emit consistently formatted text suitable for inclusion in a forensic report or for line-by-line review. RegRipper is normally pointed at offline copies of `NTUSER.DAT`, `UsrClass.dat`, `SOFTWARE`, `SYSTEM`, `SAM`, `SECURITY` extracted from a disk image or live system, and is most often used after autopsy/imaging tools have collected the relevant hives. Recent versions added support for the BCD hive and several new persistence-mechanism plug-ins reflecting modern adversary tradecraft.
● Exemples
- 01
An IR triage runs RegRipper's `userassist`, `runmru`, and `recentdocs` plug-ins against a suspect's NTUSER.DAT to reconstruct recent program launches and document opens.
- 02
A persistence-focused pass executes `services`, `run`, and `appcompatcache` against the SYSTEM hive of every endpoint imaged during the engagement.
● Questions fréquentes
Qu'est-ce que RegRipper ?
An open-source Windows registry forensics tool by Harlan Carvey that runs plug-in 'extractors' over registry hives (NTUSER.DAT, SYSTEM, SOFTWARE, SAM, SECURITY) to surface specific artifacts of investigative interest. Cette notion relève de la catégorie Forensique et réponse en cybersécurité.
Que signifie RegRipper ?
An open-source Windows registry forensics tool by Harlan Carvey that runs plug-in 'extractors' over registry hives (NTUSER.DAT, SYSTEM, SOFTWARE, SAM, SECURITY) to surface specific artifacts of investigative interest.
Comment fonctionne RegRipper ?
RegRipper, written by Harlan Carvey and maintained on GitHub, is the de facto open-source tool for triaging Windows registry hives. Where a generic registry viewer (Registry Explorer, regedit) lets an analyst browse, RegRipper runs a curated library of Perl plug-ins that each target a specific artifact — RecentDocs, ShellBags, UserAssist, AppCompatCache, AmCache, USB device history, installed software, persistent run keys, services, scheduled tasks, network interfaces, Office MRU, and many more. Plug-ins emit consistently formatted text suitable for inclusion in a forensic report or for line-by-line review. RegRipper is normally pointed at offline copies of `NTUSER.DAT`, `UsrClass.dat`, `SOFTWARE`, `SYSTEM`, `SAM`, `SECURITY` extracted from a disk image or live system, and is most often used after autopsy/imaging tools have collected the relevant hives. Recent versions added support for the BCD hive and several new persistence-mechanism plug-ins reflecting modern adversary tradecraft.
Comment se défendre contre RegRipper ?
Les défenses contre RegRipper combinent habituellement des contrôles techniques et des pratiques opérationnelles, comme détaillé dans la définition ci-dessus.
Quels sont les autres noms de RegRipper ?
Noms alternatifs courants : RegRipper3, rip.exe.
● Termes liés
- forensics-ir№ 1372
Analyse du Registre Windows
Examen forensique des ruches du Registre Windows pour récupérer la configuration, l'activité utilisateur et des preuves d'exécution ou de persistance.
- forensics-ir№ 048
Amcache.hve
Ruche de registre Windows qui enregistre des metadonnees detaillees (dont un SHA-1) sur chaque executable ayant tourne ou ete present sur le systeme, et qui fournit une preuve d'execution solide sur Windows moderne.
- forensics-ir№ 1143
Shellbags
Cles de registre qui stockent les preferences d'affichage par utilisateur de l'Explorateur Windows et servent de preuve qu'un utilisateur a ouvert un dossier specifique, y compris des chemins amovibles ou reseau.
- forensics-ir№ 1146
Shimcache (AppCompatCache)
Valeur du registre Windows qui trace des metadonnees d'executables pour les controles de compatibilite ; historiquement utilisee comme preuve d'execution, avec d'importantes nuances d'interpretation.
- forensics-ir№ 1371
Windows Event Log Analysis
The DFIR practice of parsing, correlating, and interpreting Windows Event Log (EVTX) records — Security, System, Application, and PowerShell logs — to reconstruct user activity, authentication events, and adversary techniques.
- forensics-ir№ 430
EZ Tools d'Eric Zimmerman
Suite gratuite d'outils DFIR Windows (CLI et GUI) d'Eric Zimmerman pour parser les artefacts forensiques courants et construire des chronologies.