RegRipper
What is RegRipper?
An open-source Windows registry forensics tool by Harlan Carvey that runs plug-in 'extractors' over registry hives (NTUSER.DAT, SYSTEM, SOFTWARE, SAM, SECURITY) to surface specific artifacts of investigative interest.
RegRipper, written by Harlan Carvey and maintained on GitHub, is the de facto open-source tool for triaging Windows registry hives. Where a generic registry viewer (Registry Explorer, regedit) lets an analyst browse, RegRipper runs a curated library of Perl plug-ins that each target a specific artifact — RecentDocs, ShellBags, UserAssist, AppCompatCache, AmCache, USB device history, installed software, persistent run keys, services, scheduled tasks, network interfaces, Office MRU, and many more. Plug-ins emit consistently formatted text suitable for inclusion in a forensic report or for line-by-line review. RegRipper is normally pointed at offline copies of `NTUSER.DAT`, `UsrClass.dat`, `SOFTWARE`, `SYSTEM`, `SAM`, `SECURITY` extracted from a disk image or live system, and is most often used after autopsy/imaging tools have collected the relevant hives. Recent versions added support for the BCD hive and several new persistence-mechanism plug-ins reflecting modern adversary tradecraft.
● Examples
- 01
An IR triage runs RegRipper's `userassist`, `runmru`, and `recentdocs` plug-ins against a suspect's NTUSER.DAT to reconstruct recent program launches and document opens.
- 02
A persistence-focused pass executes `services`, `run`, and `appcompatcache` against the SYSTEM hive of every endpoint imaged during the engagement.
● FAQ
What is RegRipper?
An open-source Windows registry forensics tool by Harlan Carvey that runs plug-in 'extractors' over registry hives (NTUSER.DAT, SYSTEM, SOFTWARE, SAM, SECURITY) to surface specific artifacts of investigative interest. It belongs to the Forensics & Incident Response category of cybersecurity.
How do you defend against RegRipper?
Defense against RegRipper usually combines technical controls with operational practice; see the full definition above.
What other names does RegRipper go by?
Common aliases include: RegRipper3, rip.exe.
● Related terms
- forensics-ir№ 1372
Windows Registry Analysis
Forensic examination of Windows registry hives to recover configuration information, user activity, and evidence of program execution or persistence.
- forensics-ir№ 048
Amcache.hve
A Windows registry hive that records detailed metadata (including the SHA-1 hash) for every executable that has run on or appeared on the system; on modern Windows it is strong evidence of execution.
- forensics-ir№ 1143
Shellbags
Registry keys that store each user's folder-view settings in Windows Explorer; they serve as forensic evidence that the user accessed specific folders, including removable media and network paths.
- forensics-ir№ 1146
Shimcache (AppCompatCache)
A value in the Windows registry that records executable metadata during application-compatibility checks; historically treated as evidence of execution, but several limitations must be kept in mind when interpreting it.
- forensics-ir№ 1371
Windows Event Log Analysis
The DFIR practice of parsing, correlating, and interpreting Windows Event Log (EVTX) records — Security, System, Application, and PowerShell logs — to reconstruct user activity, authentication events, and adversary techniques.
- forensics-ir№ 430
Eric Zimmerman's EZ Tools
A free set of Windows DFIR tools maintained by Eric Zimmerman, comprising command-line and GUI utilities for parsing common forensic artifacts and building timelines.