.TH REGRIPPER "1" "v3.0 - December 2020" "Harlan Carvey"
.SH NAME
Regripper \- forensic analysis of Registry hives
.SH SYNOPSIS
.B regripper
[\fB\-r\fR \fIhive\fR] [\fB\-f\fR \fIprofile\fR] [\fB\-p\fR \fIplugin\fR] [\fB\-d\fR] [\fB\-g\fR] [\fB\-a\fR] [\fB\-aT\fR] [\fB\-s\fR \fIsystemname\fR] [\fB\-u\fR \fIusername\fR]
.SH DESCRIPTION
Regripper is an open source tool for forensic analysis of Windows Registry files. It can be used to surgically extract, translate, and display information (both data and metadata) from Registry-formatted files via plugins in the form of Perl scripts.
.PP
All output goes to STDOUT; use redirection (i.e., > or >>) to write it to a file.
.SH OPTIONS
.TP
\fB\-r\fR \fIhive\fR
Specify which Registry hive file to parse. Hives can be found in %SystemRoot%\\System32\\config or in %userprofile% (the user's directory).
.TP
\fB\-f\fR \fIprofile\fR
Specify the hive type/profile to use: sam, security, software, system or ntuser.
.TP
\fB\-p\fR \fIplugin\fR
Specify the plugin to use, e.g. run, appcompatcache and so on (see \fB\-l\fR for the full list).
.TP
\fB\-d\fR
Check whether the hive is dirty.
.TP
\fB\-g\fR
Guess the hive file type.
.TP
\fB\-a\fR
Automatically run hive-specific plugins.
.TP
\fB\-aT\fR
Automatically run hive-specific timelining (TLN) plugins.
.TP
\fB\-s\fR \fIsystemname\fR
Specify the system name (TLN support).
.TP
\fB\-u\fR \fIusername\fR
Specify the user name (TLN support).
.TP
\fB\-l\fR
List all available plugins. Custom plugins can be placed in \fI/usr/bin/regripper/plugins\fR.
.TP
\fB\-c\fR
Output the list of plugins as comma-separated values.
.TP
\fB\-h\fR
Print short help information.
.SH EXAMPLES
List all available plugins:
.PP
.nf
.RS
regripper \-l
.RE
.fi
.PP
Run a specific plugin, e.g. retrieve a timeline of recent docs from NTUSER.DAT:
.PP
.nf
.RS
regripper \-r /hive/NTUSER.DAT \-p recentdocs_tln
.RE
.fi
.PP
Retrieve run keys from NTUSER.DAT:
.PP
.nf
.RS
regripper \-r /hive/NTUSER.DAT \-p run
.RE
.fi
.PP
Process a complete hive file of type system:
.PP
.nf
.RS
regripper \-r /mnt/SYSTEM \-f system > /mnt/reports/system.txt
.RE
.fi
.PP
Parse a hive file of type SAM:
.PP
.nf
.RS
regripper \-r /mnt/SAM \-f sam > /mnt/SAM.txt
.RE
.fi
.SH AUTHORS
Written by Harlan Carvey.
.SH BUGS AND LIMITATIONS
This tool does NOT automatically process hive transaction logs. If you need to incorporate data from hive transaction logs into your analysis, consider merging the data via Maxim Suhanov's yarp + registryFlush.py, or via Eric Zimmerman's rla.exe.
.SH REPORTING BUGS
When submitting a bug report, please include a description of the problem, how you found it, and your contact information. Submit bug reports to: https://github.com/keydet89/RegRipper3.0/issues
.SH COPYRIGHT
This project is licensed under the terms of the MIT License \- https://opensource.org/licenses/MIT. Copyright by Harlan Carvey and 2020 Quantum Analytics Research, LLC.
.PP
This manual page was written by Jan Gruber, for the Debian project (and may be used by others).
.SH SEE ALSO
More information on Regripper appears in the README file distributed with the regripper source code.
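The EXAMPLES above run regripper one hive at a time. The following script, an added example that is not part of this manual page or of RegRipper itself, batch-triages a directory of hives copied out of an image: it checks each hive for un-merged transaction-log data with \-d (the limitation noted under BUGS AND LIMITATIONS), runs the full hive-type profile with \-f and the timeline plugins with \-aT, and writes one report per hive. The hive directory, output directory and system name are hypothetical positional arguments.

```sh
#!/bin/sh
# Added example, not part of the regripper man page or of RegRipper itself.
# Batch-triage a directory of hives copied out of an image: check each hive for
# un-merged transaction-log data (-d, see BUGS AND LIMITATIONS), run the full
# hive-type profile (-f) and the timeline plugins (-aT), one report per hive.
# Assumed (hypothetical) layout: hives under $1, reports written to $2, and the
# system name used for TLN output passed as $3.

# Map a hive file name to one of the -f profile names listed in OPTIONS;
# returns 1 for files that are not a recognised hive.
profile_for() {
    case "$(basename "$1" | tr '[:lower:]' '[:upper:]')" in
        SAM)        echo sam ;;
        SECURITY)   echo security ;;
        SOFTWARE)   echo software ;;
        SYSTEM)     echo system ;;
        NTUSER.DAT) echo ntuser ;;
        *)          return 1 ;;
    esac
}

# Process one hive; fails without running regripper if the type is unknown.
process_hive() {
    hive=$1; out=$2; sysname=$3
    prof=$(profile_for "$hive") || return 1
    base=$(basename "$hive")
    # A dirty hive still has data in its transaction logs, which regripper does
    # not merge; record the -d result so the analyst can merge the logs first.
    regripper -r "$hive" -d > "$out/$base.dirty.txt"
    regripper -r "$hive" -f "$prof" > "$out/$base.txt"
    regripper -r "$hive" -aT -s "$sysname" > "$out/$base.tln"
}

run_all() {
    command -v regripper > /dev/null || { echo "regripper not found" >&2; return 1; }
    mkdir -p "$2"
    for hive in "$1"/*; do
        process_hive "$hive" "$2" "$3" ||
            echo "skipped $hive: not a known hive type or regripper failed" >&2
    done
}

# Only run when invoked with arguments, so the file can also be sourced.
if [ $# -ge 3 ]; then
    run_all "$1" "$2" "$3"
fi
```

The per-hive .dirty.txt files are worth reviewing before trusting the .txt and .tln reports, since a dirty hive's most recent changes live only in its transaction logs.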