A modern Python-3-based alternative to RegRipper
RegRippy is a framework for reading and extracting useful forensics data from Windows registry hives. It is an alternative to RegRipper developed in modern Python 3. It makes use of William Ballenthin's python-registry to access the raw registry hives.
The goal of this project is to provide a framework for quickly and easily developing your own plugins in an incident response scenario.
By default, the script will look for the various hives by reading the
REG_USRCLASS environment variables. This allows the analyst to simply
export these in their current shell session and not have to worry about specifying them every time they invoke the script.
Alternatively, you can use the
--root switch to specify the path to the root of the
C: drive. RegRippy will automatically look into the right places depending on which hive each plugin needs.
All plugins should also support both a human-readable and machine-readable output (the Bodyfile format), allowing easy piping to
mactime or other tools.
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.