A modern Python-3-based alternative to RegRipper
Project description
RegRippy is a framework for reading and extracting useful forensics data from Windows registry hives. It is an alternative to RegRipper developed in modern Python 3. It makes use of William Ballenthin's python-registry to access the raw registry hives.
The goal of this project is to provide a framework for quickly and easily developing your own plugins in an incident response scenario.
By default, the script will look for the various hives by reading the REG_SYSTEM
, REG_SOFTWARE
, REG_SAM
, REG_NTUSER
and REG_USRCLASS
environment variables. This allows the analyst to simply export
these in their current shell session and not have to worry about specifying them every time they invoke the script.
Alternatively, you can use the --root
switch to specify the path to the root of the C:
drive. RegRippy will automatically look into the right places depending on which hive each plugin needs.
All plugins should also support both a human-readable and machine-readable output (the Bodyfile format), allowing easy piping to mactime
or other tools.
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.