1 July 2022

Now and again I pop my head up and take a look around to see where RegRipper has been, and is being, used. My last blog post on this topic had quite a few listings, but sometimes changing the search terms reveals something new, or someone else has decided to use RegRipper since the last time I looked.

References to RegRipper go way back, almost as far as RegRipper itself (circa 2008):
SANS blog (2009)
SANS blog (2010)
SANS Infosec Handler’s Diary blog (2012)
Kali Tools (RR v2.5)
SANS Blog, Mass Triage, pt 4 (2019)

The latest commercial forensics platform that I’ve found that employs RegRipper is Paraben E3. I recently took a look at the evaluation version, and found “rip.pl” (RegRipper v3.0 with modifications) in the C:\Program Files\Paraben Corporation\Electronic Evidence Examiner\PerlSmartAnalyzer folder, along with the “plugins” subfolder.

You can see the Registry parsing in action and how it’s incorporated into the platform at the Paraben YouTube Channel:
AppCompatCache parsing
Reviewing Data from AmCache

Reviewing the videos, there’s something very familiar about the output illustrated on-screen. 😉

Other Resources (that incorporate RegRipper)
This article has been indexed from Windows Incident Response