How to do digital forensics and reverse engineering on Windows registries with the free RegRipper tool

System log analysis is one of the most useful hacking tasks for researchers and specialists in digital forensics and reverse engineering, so a tool that simplifies this process can be fundamental to an investigation.

This time, digital forensics experts from the International Institute of Cyber Security (IICS) will show you RegRipper, a tool for automatic registry analysis on the Windows system, which will provide you with this important information in a simple and convenient format for further investigation tasks. This tool is available on GitHub.

Digital forensics experts describe RegRipper as a set of open-source Perl scripts (plugins) that work on a registry hive: a plugin is selected, run against the hive, and its results are written out in text format.

Install RegRipper

To get started, download the file from GitHub, unzip it, and proceed to the menu items shown below. You will need to choose between two execution options: console (rip.exe) and windowed (rr.exe). The first offers more flexibility, while the second is easier to use.

We need the operating system's registry hive files. They can be obtained from a non-system disk by simply copying them.

  • Run the application with rr.exe
  • Open the registry hive (let’s say SOFTWARE in this example)
  • Indicate the output text file (SOFT.TXT)
  • Click the Rip! button

One by one, all the plugins relevant to the SOFTWARE hive will start to run (you can find out whether a plugin is suitable or not by reading its content, digital forensics experts mention).

The output file will contain the results of each plugin. It will be full of information of interest to researchers, but there are ways to obtain more targeted output.

Working with RegRipper console version

This is where the interesting part begins, since we can choose exactly which plugins to run.

rip -r ..\reg\SOFTWARE -p networklist > networks.txt

The networklist plugin will run and display a list of networks and their installation data.

You can also find the target operating system version with the winver plugin.

You will be able to find the time of the user's last login by entering lastloggedon.

Finally, you can also run all available plugins automatically. The required command is shown in the help output (-h).
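The winver and lastloggedon plugins above are small Perl scripts that open the hive file, walk to a known key and print its values together with the key's LastWrite timestamp. The following Python script is an added example, not code from the original article or from the RegRipper project: it performs that same walk directly over the regf on-disk format (base block, hbin, nk/vk cells, FILETIME LastWrite times) and, because a real SOFTWARE hive cannot ship with the page, builds a tiny constructed hive in memory with made-up ProductName and InstallDate values. The function name rip, the key path and all sample values are assumptions for illustration.

```python
# Minimal regf (Windows registry hive) walker in the spirit of a RegRipper plugin; standard library only.
import struct
from datetime import datetime, timedelta, timezone

HBIN_BASE = 0x1000   # cell offsets are relative to the first hbin, which follows the 4 KiB base block
REG_SZ, REG_DWORD = 1, 4

def filetime_to_datetime(ft):
    # FILETIME is 100 ns ticks since 1601-01-01 UTC; nk cells store their LastWrite time this way
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def base_checksum(block):
    csum = 0   # XOR of the base block's first 127 DWORDs; a mismatch means a corrupt or tampered header
    for (dword,) in struct.iter_unpack('<I', block[:508]):
        csum ^= dword
    return csum

class Hive:
    def __init__(self, data):
        if data[:4] != b'regf': raise ValueError('not a regf hive')
        self.data = data
        self.root_off = struct.unpack_from('<I', data, 36)[0]
        self.checksum_ok = base_checksum(data) == struct.unpack_from('<I', data, 508)[0]

    def cell(self, off):
        pos = HBIN_BASE + off   # a cell is a 4-byte size (negative when allocated) followed by its payload
        size = struct.unpack_from('<i', self.data, pos)[0]
        if size >= 0: raise ValueError('cell 0x%x is not allocated' % off)
        return self.data[pos + 4:pos - size]

    def key(self, off):
        c = self.cell(off)
        if c[:2] != b'nk': raise ValueError('no nk cell at 0x%x' % off)
        ts, = struct.unpack_from('<Q', c, 4)
        nsub, _, sublist, _, nval, vallist = struct.unpack_from('<6I', c, 20)   # counts and list offsets
        nlen, = struct.unpack_from('<H', c, 72)
        return {'name': c[76:76 + nlen].decode('latin-1'), 'last_write': filetime_to_datetime(ts),
                'nsub': nsub, 'sublist': sublist, 'nval': nval, 'vallist': vallist}

    def subkeys(self, k):
        if not k['nsub']: return []
        lst = self.cell(k['sublist'])
        sig, count = struct.unpack_from('<2sH', lst, 0)
        stride = {b'li': 4, b'lf': 8, b'lh': 8}[sig]   # lf/lh keep a name hash beside each offset
        return [self.key(struct.unpack_from('<I', lst, 4 + i * stride)[0]) for i in range(count)]

    def values(self, k):
        out = {}
        if not k['nval']: return out
        for (voff,) in struct.iter_unpack('<I', self.cell(k['vallist'])[:4 * k['nval']]):
            c = self.cell(voff)
            nlen, dlen, doff, vtype = struct.unpack_from('<HIII', c, 2)
            name = c[20:20 + nlen].decode('latin-1') or '(Default)'
            # data of 4 bytes or less is stored in the offset field itself (high bit of the length set)
            raw = struct.pack('<I', doff)[:dlen & 0x7FFFFFFF] if dlen & 0x80000000 else self.cell(doff)[:dlen]
            out[name] = (raw.decode('utf-16-le').rstrip('\0') if vtype == REG_SZ
                         else struct.unpack('<I', raw)[0] if vtype == REG_DWORD else raw)
        return out

def rip(hive_bytes, key_path):
    # what a plugin such as winver does: walk to a key and return its LastWrite and values (None if absent)
    h = Hive(hive_bytes)
    k = h.key(h.root_off)
    for part in key_path.split('\\'):
        hits = [s for s in h.subkeys(k) if s['name'].lower() == part.lower()]
        if not hits: return None
        k = hits[0]
    return {'path': key_path, 'last_write': k['last_write'], 'values': h.values(k)}

# --- constructed sample hive (made-up data, not a real SOFTWARE hive) ---
def _cell(cells, payload):
    size = (len(payload) + 4 + 7) & ~7   # cells are 8-byte aligned
    cells += struct.pack('<i', -size) + payload.ljust(size - 4, b'\0')
    return 32 + len(cells) - size        # offset of this cell relative to the hbin start
def _nk(name, ts, sublist, nsub, vallist, nval):
    n = name.encode('latin-1')
    return struct.pack('<2sHQ15IHH', b'nk', 0x20, ts, 0, 0, nsub, 0, sublist, 0xFFFFFFFF, nval, vallist,
                       0xFFFFFFFF, 0xFFFFFFFF, 0, 0, 0, 0, 0, len(n), 0) + n
def _vk(name, vtype, doff, dlen, inline=False):
    n = name.encode('latin-1')
    return struct.pack('<2sHIIIHH', b'vk', len(n), dlen | (0x80000000 if inline else 0), doff, vtype, 1, 0) + n

def build_sample_hive():
    cells = bytearray()
    ts = (1615714013 + 11644473600) * 10_000_000   # 2021-03-14 09:26:53 UTC as FILETIME
    prod = 'Windows 10 Pro'.encode('utf-16-le') + b'\0\0'
    vk1 = _cell(cells, _vk('ProductName', REG_SZ, _cell(cells, prod), len(prod)))
    vk2 = _cell(cells, _vk('InstallDate', REG_DWORD, 1615714013, 4, inline=True))   # Unix time, inline data
    key = _cell(cells, _nk('CurrentVersion', ts, 0xFFFFFFFF, 0, _cell(cells, struct.pack('<II', vk1, vk2)), 2))
    for name in ('Windows NT', 'Microsoft', 'ROOT'):   # wrap the parent keys around it, innermost first
        key = _cell(cells, _nk(name, ts, _cell(cells, struct.pack('<2sHI', b'li', 1, key)), 1, 0xFFFFFFFF, 0))
    hbin_size = (32 + len(cells) + 0xFFF) & ~0xFFF
    base = bytearray(4096)   # header: sequence numbers, timestamp, format 1.3, root cell offset, data size
    struct.pack_into('<4sIIQIIIIIII', base, 0, b'regf', 1, 1, ts, 1, 3, 0, 1, key, hbin_size, 1)
    base[48:64] = 'SOFTWARE'.encode('utf-16-le')
    struct.pack_into('<I', base, 508, base_checksum(base))
    hbin = struct.pack('<4sIIQQI', b'hbin', 0, hbin_size, 0, ts, 0)
    return bytes(base) + hbin + bytes(cells).ljust(hbin_size - 32, b'\0')
```

Calling rip(build_sample_hive(), r'Microsoft\Windows NT\CurrentVersion') returns the key's LastWrite time and its two values; a real hive read with open(path, 'rb').read() can be passed instead, as long as its subkey lists are of the li/lf/lh kinds handled here. The checksum_ok flag on Hive is worth checking before anything else: a base-block checksum mismatch indicates a truncated, corrupt or modified hive, which is exactly the case where a tool's report should not be trusted blindly.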

As you can see, this is a magnificent tool that will allow you to get a lot of information from the analyzed system. Remember that this material was prepared for informational purposes and should not be taken as a call to action; IICS is not responsible for the misuse that may occur to the information contained herein.

To learn more about information security risks, malware variants, digital forensics, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.