RegRipper
What is RegRipper?
An open-source Windows registry forensics tool by Harlan Carvey that runs plug-in "extractors" over registry hives (NTUSER.DAT, SYSTEM, SOFTWARE, SAM, SECURITY) to surface specific artifacts of investigative interest.
RegRipper, written by Harlan Carvey and maintained on GitHub, is the de facto open-source tool for triaging Windows registry hives. Where a generic registry viewer (Registry Explorer, regedit) lets an analyst browse, RegRipper runs a curated library of Perl plug-ins, each targeting a specific artifact: RecentDocs, ShellBags, UserAssist, AppCompatCache, AmCache, USB device history, installed software, persistent Run keys, services, scheduled tasks, network interfaces, Office MRU lists, and many more. Plug-ins emit consistently formatted text suitable for inclusion in a forensic report or for line-by-line review. RegRipper is normally pointed at offline copies of `NTUSER.DAT`, `UsrClass.dat`, `SOFTWARE`, `SYSTEM`, `SAM` and `SECURITY` extracted from a disk image or a live system, and is most often used after imaging or collection tools (Autopsy, for example) have gathered the relevant hives. Recent versions added support for the BCD hive and several new persistence-mechanism plug-ins reflecting modern adversary tradecraft.
● Examples
- 01
During IR triage, an analyst runs RegRipper's `userassist`, `runmru`, and `recentdocs` plug-ins against a suspect's NTUSER.DAT to reconstruct recent program launches and document opens.
- 02
A persistence-focused pass runs `services`, `run`, and `appcompatcache` against the SYSTEM hive of every endpoint imaged during the engagement.
● Frequently asked questions
What is RegRipper?
An open-source Windows registry forensics tool by Harlan Carvey that runs plug-in "extractors" over registry hives (NTUSER.DAT, SYSTEM, SOFTWARE, SAM, SECURITY) to surface specific artifacts of investigative interest. It belongs to the Forensics and incident response category of cybersecurity.
What does RegRipper mean?
An open-source Windows registry forensics tool by Harlan Carvey that runs plug-in "extractors" over registry hives (NTUSER.DAT, SYSTEM, SOFTWARE, SAM, SECURITY) to surface specific artifacts of investigative interest.
How does RegRipper work?
RegRipper, written by Harlan Carvey and maintained on GitHub, is the de facto open-source tool for triaging Windows registry hives. Where a generic registry viewer (Registry Explorer, regedit) lets an analyst browse, RegRipper runs a curated library of Perl plug-ins, each targeting a specific artifact: RecentDocs, ShellBags, UserAssist, AppCompatCache, AmCache, USB device history, installed software, persistent Run keys, services, scheduled tasks, network interfaces, Office MRU lists, and many more. Plug-ins emit consistently formatted text suitable for inclusion in a forensic report or for line-by-line review. RegRipper is normally pointed at offline copies of `NTUSER.DAT`, `UsrClass.dat`, `SOFTWARE`, `SYSTEM`, `SAM` and `SECURITY` extracted from a disk image or a live system, and is most often used after imaging or collection tools (Autopsy, for example) have gathered the relevant hives. Recent versions added support for the BCD hive and several new persistence-mechanism plug-ins reflecting modern adversary tradecraft.
How do you defend against RegRipper?
Defenses against RegRipper usually combine technical controls and operational practices, as detailed in the definition above.
What are other names for RegRipper?
Common alternative names: RegRipper3, rip.exe.
● Related terms
- forensics-ir № 1372
Windows Registry Analysis
Forensic examination of the Windows Registry hives to recover configuration, user activity, and evidence of execution or persistence.
- forensics-ir № 048
Amcache.hve
Windows registry hive that stores detailed metadata (including SHA-1 hashes) for every executable that ran or was present on the system, providing strong evidence of execution on modern Windows.
- forensics-ir № 1143
Shellbags
Registry keys that store each user's Explorer folder-view preferences and serve as forensic evidence that a user opened a specific folder, including on removable media or network paths.
- forensics-ir № 1146
Shimcache (AppCompatCache)
Windows registry value that stores executable metadata for compatibility checks; historically used as evidence of execution, with important interpretation caveats.
- forensics-ir № 1371
Windows Event Log Analysis
The DFIR practice of parsing, correlating, and interpreting Windows Event Log (EVTX) records — Security, System, Application, and PowerShell logs — to reconstruct user activity, authentication events, and adversary techniques.
- forensics-ir № 430
Eric Zimmerman's EZ Tools
Free suite of command-line and GUI DFIR tools for Windows, created by Eric Zimmerman to parse forensic artifacts and build timelines.