REGRIPPER(1) General Commands Manual REGRIPPER(1)

Regripper - forensic analysis of Registry hives

regripper [-r <hivefile>] [-f <hivetype>] [-p <plugin>] [-d] [-g] [-a] [-aT] [-s systemname] [-u username] [-l] [-c] [-h]

Regripper is an open source tool for forensic analysis of Windows Registry files. It can be used to surgically extract, translate, and display information (both data and metadata) from Registry-formatted files via plugins written as Perl scripts.

All output goes to STDOUT; use shell redirection (i.e., > or >>) to write it to a file.

-r <hive> Specify which Registry hive file to parse. On a Windows system the system hives (SAM, SECURITY, SOFTWARE, SYSTEM) are found in %SystemRoot%\System32\config, and the user hive NTUSER.DAT in %USERPROFILE% (the user's profile directory).

-f <hivetype> Specify the hive type/profile to use; one of sam, security, software, system or ntuser.

-p <plugin> Specify the plugin to run, e.g. run, appcompatcache and so on (see -l for the full list).

-d Check whether the hive is dirty, i.e. has changes still pending in its transaction logs that have not been written to the hive file itself.

-g Guess the hive file type.

-a Automatically run hive-specific plugins.

-aT Automatically run hive-specific timelining (TLN) plugins.

-s <systemname> Specify the system name (TLN support).

-u <username> Specify the user name (TLN support).

-l List all available plugins. Custom plugins can be placed in usr/bin/regripper/plugins.

-c Output list of plugins as comma-separated values.

-h Print short help information.

List all available plugins:

regripper -l

Run a specific plugin, e.g. retrieve a timeline of recently opened documents from NTUSER.DAT:

regripper -r /hive/NTUSER.DAT -p recentdocs_tln

Retrieve the Run keys (programs started at logon) from NTUSER.DAT:

regripper -r /hive/NTUSER.DAT -p run

Process a complete hive file of type system:

regripper -r /mnt/SYSTEM -f system > /mnt/reports/system.txt

Parse hive file of type SAM:

regripper -r /mnt/SAM -f sam > /mnt/SAM.txt
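The following wrapper is an added example; it is not part of this man page or of the RegRipper project. It maps a hive file name to the -f hive types listed above, builds the command lines from the examples, runs -d first so that a dirty hive is noticed before its report is relied on (regripper does not merge transaction logs itself), and adds a TLN run with -s and -u for user hives. The image mount point, report directory, system and user names are constructed for the example; when regripper is not installed the wrapper only prints the commands it would run.

```shell
#!/bin/sh
# Added example wrapper around regripper (not the project's own code).
# Assumed layout (constructed): hives under a mounted image such as
# /mnt/image/Windows/System32/config/SYSTEM, reports written to /mnt/reports.

# Map a hive file name to a -f hive type from the man page.
# Prints nothing and returns 1 if the name is not one of the known hives.
hive_type_for() {
    case "$(basename "$1" | tr '[:lower:]' '[:upper:]')" in
        SAM)        echo sam ;;
        SECURITY)   echo security ;;
        SOFTWARE)   echo software ;;
        SYSTEM)     echo system ;;
        NTUSER.DAT) echo ntuser ;;
        *)          return 1 ;;
    esac
}

# Command line that processes a whole hive with its profile (-f), as in the examples.
rip_cmd() {
    t="$(hive_type_for "$1")" || return 1
    echo "regripper -r $1 -f $t"
}

# Command line that runs the TLN plugins, tagging every event with the system
# and user name so timelines from several hives can be merged afterwards.
tln_cmd() {
    echo "regripper -r $1 -aT -s $2 -u $3"
}

# Process one hive: dirty check, full report, and a TLN report for user hives.
# $1 hive path, $2 report directory, $3 system name, $4 user name (empty for system hives)
rip_hive() {
    hive="$1"; outdir="$2"; sysname="$3"; user="$4"
    cmd="$(rip_cmd "$hive")" || { echo "skip: unknown hive type for $hive" >&2; return 1; }
    base="$(basename "$hive")"
    if command -v regripper >/dev/null 2>&1; then
        # -d reports a dirty hive. regripper does not apply transaction logs, so a
        # dirty hive should be flushed (yarp/registryFlush.py or rla.exe) and re-run.
        regripper -r "$hive" -d
        $cmd > "$outdir/$base.txt"
        if [ -n "$user" ]; then
            $(tln_cmd "$hive" "$sysname" "$user") > "$outdir/$base.tln"
        fi
    else
        # Dry run: regripper not installed, show what would be executed.
        echo "regripper -r $hive -d"
        echo "$cmd > $outdir/$base.txt"
        if [ -n "$user" ]; then
            echo "$(tln_cmd "$hive" "$sysname" "$user") > $outdir/$base.tln"
        fi
    fi
    return 0
}

# Example run over a constructed image layout (system hives, then one user hive).
main() {
    for h in SAM SECURITY SOFTWARE SYSTEM; do
        rip_hive "/mnt/image/Windows/System32/config/$h" /mnt/reports WKS01 ""
    done
    rip_hive /mnt/image/Users/alice/NTUSER.DAT /mnt/reports WKS01 alice
}
```

Call `main` at the end of the script to process the constructed layout; each system hive yields one .txt report, and the user hive additionally yields a .tln file whose events carry the system name WKS01 and the user name alice.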

Written by Harlan Carvey <keydet89@yahoo.com>

This tool does NOT automatically process hive transaction logs. If you need to incorporate data from hive transaction logs into your analysis, consider merging the data via Maxim Suhanov's yarp + registryFlush.py, or via Eric Zimmerman's rla.exe.

When submitting a bug report, please include a description of the problem, how you found it, and your contact information. Submit bug reports to: https://github.com/keydet89/RegRipper3.0/issues

This project is licensed under terms of the MIT License - https://opensource.org/licenses/MIT. Copyright by Harlan Carvey <keydet89@yahoo.com> and 2020 Quantum Analytics Research, LLC.

This manual page was written by Jan Gruber <j4n6ru@gmail.com>, for the Debian project (and may be used by others).

More information on Regripper appears in the README file, distributed with the regripper source code.

v3.0 - December 2020 Harlan Carvey