1. What is RegRipper?
RegRipper is an open-source Windows Registry analysis tool used in digital forensics to extract and analyze critical artifacts from registry hives. It's particularly valuable for:
- Incident response investigations
- Malware analysis
- User activity reconstruction
- Timeline creation
2. Key Features
✔ Plugin-based architecture (200+ plugins for different registry keys)
✔ Supports both CLI and GUI versions (RipXP)
✔ Handles live systems and dead-box forensics
✔ Works with raw registry hives (SYSTEM, SOFTWARE, SAM, NTUSER.DAT, etc.)
3. Installation
Download from GitHub
After extracting the ZIP file we can see the following files: rip is the CLI version, whereas rr is the GUI version. In our case we are going to use the GUI version.
To launch the application's graphical user interface (GUI), double-click the 'rr' file. The GUI will appear, as shown in screenshot #2. Next, use the 'Browse' button next to the 'Hive file' field to locate and select your hive files. Following the numbered sequence, open the SAM, SYSTEM, SECURITY, and SOFTWARE hive files one at a time.
For this lab we are going to use the Windows Forensics Cheatsheets from BlueCap.
GUI Version of RegRipper.
Open all the evidence files in Notepad++ or your preferred application. Now we are going to follow the cheatsheet.

Computer Name: HKLM\SYSTEM\CurrentControlSet\Control\ComputerName\ . In Notepad++ press Ctrl+F and search for "Computer Name"; this locates the computer name in the RegRipper output, as in our screenshot.
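The same cheatsheet lookup can be scripted against the CLI version instead of searching the GUI output by hand. The following is an added example, not code from the original page or from the RegRipper project: it runs one RegRipper plugin against a hive with `rip.pl -r <hive> -p <plugin>` (the `compname` plugin reads the ComputerName key from the SYSTEM hive; on a dead-box hive there is no `CurrentControlSet`, RegRipper resolves it from the `Select\Current` value) and then pulls the `Name = Value` pairs out of the plugin's text output. The exact layout of the plugin output and the sample output embedded below are assumptions, constructed for this example, so the parser is written to be tolerant of spacing.

```python
"""Automate the cheatsheet lookup against RegRipper CLI output (added example)."""
import re
import shutil
import subprocess
from pathlib import Path

# Matches "Name = Value" lines as emitted by many RegRipper plugins.
# The key may contain spaces and slashes (e.g. "TCP/IP Hostname").
_KV_RE = re.compile(r"^\s*([A-Za-z0-9_/ .-]+?)\s*=\s*(.+?)\s*$")


def parse_rip_output(text):
    """Return a dict of name -> value pairs found in RegRipper plugin output.

    Header lines such as the plugin name/version and its description contain
    no '=' (or start with '(') and are therefore ignored.
    """
    found = {}
    for line in text.splitlines():
        match = _KV_RE.match(line)
        if match:
            found[match.group(1).strip()] = match.group(2)
    return found


def find_computer_name(text):
    """Return the ComputerName value from compname plugin output, or None.

    The comparison ignores case and spaces so "Computer Name" and
    "ComputerName" both match, mirroring the Ctrl+F search in the tutorial.
    """
    for key, value in parse_rip_output(text).items():
        if key.lower().replace(" ", "") == "computername":
            return value
    return None


def run_plugin(hive_path, plugin, rip_cmd="rip.pl"):
    """Run a single RegRipper plugin against a hive via the CLI.

    Returns the plugin's stdout, or None when RegRipper is not on PATH
    (so the parser above can still be used on saved output files).
    """
    if shutil.which(rip_cmd) is None:
        return None
    result = subprocess.run(
        [rip_cmd, "-r", str(Path(hive_path)), "-p", plugin],
        capture_output=True, text=True, check=False,
    )
    return result.stdout


# Constructed sample of what the compname plugin prints for a SYSTEM hive;
# the host name is invented for this example.
SAMPLE_COMPNAME_OUTPUT = """compname v.20090727
(System) Gets ComputerName and Hostname values from System hive

ComputerName    = LAB-WKSTN01
TCP/IP Hostname = lab-wkstn01
"""


if __name__ == "__main__":
    # Prefer live output from rip.pl if it is installed; otherwise fall back
    # to the constructed sample so the script runs offline.
    output = run_plugin("SYSTEM", "compname") or SAMPLE_COMPNAME_OUTPUT
    print("Computer Name:", find_computer_name(output))
```

Running `python3 rip_compname.py` in the directory that holds the exported SYSTEM hive prints the computer name; the same `run_plugin` call works for the other hives in the cheatsheet by swapping the hive path and plugin name.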