RegRipper and F-Response
Jun 13, 2024
This one is personal to me. I've known Harlan Carvey, creator of RegRipper, a long time. We met over a decade ago when he so graciously picked me up at the airport and introduced me to a friend of his getting ready to do big things in the physical memory space (cough Volexity cough).
Anyway, at the time Harlan also introduced me to RegRipper, a wonderful tool for parsing registry hives from machines. I've had years to watch it grow and evolve, and to get to know the person behind it.
I consider Harlan an excellent example of the best parts of this industry, namely, attention to detail, an earnest desire to help, and a willingness to share his immense knowledge.
That's part of why it was a fun trip down memory lane to get the latest RegRipper build from Github and give it a run on one of our local demo machines.
What is RegRipper?
RegRipper is a Windows Registry data extraction and correlation tool. It's commonly used in digital forensics to analyze Windows Registry data. It uses plugins to extract specific keys, values, and data from the Windows Registry. Unlike a registry browser, RegRipper focuses on data points of potential interest and presents them formatted for reporting.
In short, RegRipper helps investigators extract relevant information from Windows Registry files during forensic analysis.
The best way to use it with F-Response it to leverage one of our products to access the remote disk (or make a collection) then extract the registry hives from the remote machine. In the above example I did exactly that, and ran the default reporting against a SYSTEM hive file.
The resulting report was cleanly formatted for easy access.
It's great to see these kinds of tools out there, and even more important to give credit the exceptional people behind them.
Thanks, Harlan. Here's to many more years of RegRipper and F-Response!
Warmest Regards,
M Shannon