Skip to content
A modern Python-3-based alternative to RegRipper
Branch: master
Clone or download
timtaylor3 and simsor Merge timtaylor3/regrippy: add usersids.py, lastshutdown.py, systemin…
…fo.py (#2)

* Create lastshutdown.py

* Create systeminfo

* Create usersids.py

* Rename systeminfo to systeminfo.py

* Minor fixes.

* Minor Changes

* Minor Changes

* Update systeminfo.py

* Minor Changes

* Initial Commit

* Minor Changes

* Initial Commit

* Initial Commit

* Initial Commit

* Work in progress

* Initial Commit

* Initial Commit

* Logic update to check for empty IP Address.

* Removed error checking if key wasn't found.

* Removed "interface1.add_child('DhcpIPAddress')" because ti wasn't necessary.

* Fixed an issue when reading "IP Address" from a list.

* Updated test assertions.

* Fixed Key Not found logic.

* Delete network.py

Removed because it was a WIP.
Latest commit 48bdb13 Apr 24, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
docs
regrippy Merge timtaylor3/regrippy: add usersids.py, lastshutdown.py, systemin… Apr 24, 2019
tests
.gitignore First release of RegRippy Apr 12, 2019
LICENSE First release of RegRippy Apr 12, 2019
README.md First release of RegRippy Apr 12, 2019
regrip.py First release of RegRippy Apr 12, 2019
requirements.txt
setup.py Update setup.py Apr 12, 2019

README.md

regrippy -- a modern Python 3 alternative to RegRipper

This is the public GitHub repository of RegRippy

We are aware of the existence of mkorman90/regipy, which has a similar goal. Both projects were developed in parallel, we were not aware of any other project like RegRippy when we started developing it.

Description

RegRippy is a framework for reading and extracting useful forensics data from Windows registry hives. It is an alternative to RegRipper developed in modern Python 3. It makes use of William Ballenthin's python-registry to access the raw registry hives.

The goal of this project is to provide a framework for quickly and easily developing your own plugins in an incident response scenario.

This tool will try its best to stay out of your way and quickly provide you with usable data:

# Get the computer name
$ regrip.py --root /mnt/evidence/C compname
JOHN-DESKTOP

# Get URLs typed in IE for all users on a machine
$ regrip.py -v --root /mnt/evidence/C --all-user-hives typedurls
regrip.py:info:Administrator
regrip.py:warn:Could not open key Software\Microsoft\Internet Explorer\TypedURLs
regrip.py:info:John
https://google.com/?q=how+to+buy+bitcoin

All plugins should also support both a human-readable and machine-readable output (the Bodyfile format), allowing easy piping to mactime or other tools.

Install

RegRippy is available on PyPI and can be installed using pip:

$ pip install regrippy

If you want the bleeding-edge release, it can be installed like any other Python package using pip or setuptools:

$ pip install .
# Alternatively
$ python3 setup.py install

Symlinks will automatically be created for all plugins: for example, you can call the compname plugin by running:

$ reg_compname -r /mnt/c/

Usage

usage: regrip.py [-h] [--system SYSTEM] [--software SOFTWARE] [--sam SAM]
                 [--ntuser NTUSER] [--usrclass USRCLASS] [--root ROOT]
                 [--all-user-hives] [--verbose] [--pipe] [--list]
                 plugin_name

Extract information from Windows Registry hives

positional arguments:
  plugin_name           Name of the plugin to run

optional arguments:
  -h, --help            show this help message and exit
  --system SYSTEM, -y SYSTEM
                        Path to the SYSTEM hive. Overrides --root and the
                        REG_SYSTEM environment variable
  --software SOFTWARE, -o SOFTWARE
                        Path to the SOFTWARE hive. Overrides --root and the
                        REG_SOFTWARE environment variable
  --sam SAM, -a SAM     Path to the SAM hive. Overrides --root and the REG_SAM
                        environment variable
  --ntuser NTUSER, -n NTUSER
                        Path to the NTUSER.DAT hive. Overrides the REG_NTUSER
                        environment variable
  --usrclass USRCLASS, -u USRCLASS
                        Path to the UsrClass.DAT hive. Overrides the
                        REG_USRCLASS environment variable
  --root ROOT, -r ROOT  Path to the C: folder.
  --all-user-hives      Work on all NTUSER.DAT and USRCLASS.DAT hives if
                        required. Requires --root. Overrides --ntuser and
                        --usrclass.
  --verbose, -v         Be more verbose
  --pipe, -p            Force output in pipe format
  --list, -l            List available plugins

Development

If you want to make your own plugin using the RegRippy framework, head over to the documentation right now!

Credits

License

RegRippy is released under the Apache 2.0 license.

You can’t perform that action at this time.