# RegRipper wrapper for simplified bulk parsing of registry hives
Mandiant (FireEye) 2016
## Current Version
1.2

## Description
rr_parseomater.py wraps RegRipper's rip.exe (https://github.com/keydet89/RegRipper2.8) to parse and timeline all NTUSER.DAT, USRCLASS.DAT, and system registry hives (SAM, SOFTWARE, SECURITY, SYSTEM) in one run. It:
- removes plugin results with no findings, so the reports are easier to read
- extracts the username from each NTUSER.DAT hive and appends it to the output file name
- creates a timeline for each hive and one master timeline for analysis
## Usage
- Extract all NTUSER.DAT files to a folder such as "registryfiles/ntuser"
- Extract all USRCLASS.DAT files to a folder such as "registryfiles/usrclass"
- Extract the SAM, SOFTWARE, SECURITY, and SYSTEM files to a folder such as "registryfiles/sregistry"
- Create an output reports directory such as "registryfiles/reports"
- Place rr_parseomater.py in the RegRipper directory (the same directory as rip.exe)
- Execute with the directory paths, in this order: ntuser, usrclass, sregistry, reports
  - `rr_parseomater.py registryfiles/ntuser registryfiles/usrclass registryfiles/sregistry registryfiles/reports`
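The following is an added example, not rr_parseomater.py or any other code from this project, showing the workflow described above reduced to testable pieces: building the rip.exe command line, dropping plugin sections with no findings, taking the username from the hive's own output for the report name, and merging per-hive TLN output into a master timeline. Only `run_rip()` and `process_hive_dir()` actually invoke rip.exe; everything else operates on text, and the sample report and timeline fragments are constructed, not real RegRipper output. The assumptions that are not stated on this page are listed in the module docstring (the `-r`/`-f` options, the dashed plugin separator, the "not found." wording, the `logonusername` output line, and the five-field TLN layout).

```python
"""Added example, not rr_parseomater.py itself.

Assumptions not taken from the README: rip.exe accepts -r <hive> -f <profile>
(RegRipper 2.8 does); plugin sections are separated by a dashed line and open
with '<plugin> v.<version>' plus a description line; a plugin with nothing to
report prints a line ending in 'not found.'; the logonusername plugin prints
'Logon User Name = <name>'; timeline lines are TLN 'epoch|source|host|user|desc'.
"""
import os
import re
import subprocess
from typing import Iterable, List

SEPARATOR = "-" * 40
SEPARATOR_RE = re.compile(r"^-{10,}\s*$", re.MULTILINE)
NOT_FOUND_RE = re.compile(r"not found\.?\s*$", re.IGNORECASE)
LOGON_NAME_RE = re.compile(r"^Logon User Name\s*=\s*(.+?)\s*$", re.MULTILINE)


def build_rip_command(rip_exe: str, hive: str, profile: str) -> List[str]:
    """argv for one RegRipper run; the profile (ntuser, usrclass, sam, ...) picks
    the plugin set. A list (no shell=True) keeps odd hive names from being parsed."""
    return [rip_exe, "-r", hive, "-f", profile]


def run_rip(rip_exe: str, hive: str, profile: str) -> str:
    """Run rip.exe and return its stdout (needs RegRipper installed locally)."""
    proc = subprocess.run(build_rip_command(rip_exe, hive, profile),
                          capture_output=True, text=True, check=False)
    return proc.stdout


def strip_empty_plugins(report: str) -> List[str]:
    """Keep only plugin sections that reported something (the README's
    'removes plugin results with no findings', done on the text output)."""
    kept = []
    for section in SEPARATOR_RE.split(report):
        section = section.strip()
        if not section:
            continue
        body = [ln for ln in section.splitlines()[2:] if ln.strip()]  # skip name + description
        if body and not all(NOT_FOUND_RE.search(ln) for ln in body):
            kept.append(section)
    return kept


def extract_username(report: str) -> str:
    """Username as printed by the logonusername plugin, or 'unknown'."""
    m = LOGON_NAME_RE.search(report)
    return m.group(1) if m else "unknown"


def report_filename(hive_path: str, report: str) -> str:
    """<hive basename>_<username>.txt, as the README describes for NTUSER hives."""
    return f"{os.path.basename(hive_path)}_{extract_username(report)}.txt"


def merge_timelines(tln_texts: Iterable[str]) -> List[str]:
    """Merge per-hive TLN output into one master timeline sorted by epoch time.
    Lines that are not 5 pipe-separated fields with a numeric time (banners,
    blanks) are dropped and exact duplicates are collapsed."""
    events = {}
    for text in tln_texts:
        for line in text.splitlines():
            fields = line.strip().split("|")
            if len(fields) == 5 and fields[0].isdigit():
                events.setdefault(line.strip(), int(fields[0]))
    return sorted(events, key=lambda ln: (events[ln], ln))


def process_hive_dir(rip_exe: str, hive_dir: str, profile: str, report_dir: str) -> List[str]:
    """Parse every hive in hive_dir, write trimmed reports, return their paths."""
    written = []
    for name in sorted(os.listdir(hive_dir)):
        hive = os.path.join(hive_dir, name)
        report = run_rip(rip_exe, hive, profile)
        out = os.path.join(report_dir, report_filename(hive, report))
        with open(out, "w", encoding="utf-8") as fh:
            fh.write(("\n" + SEPARATOR + "\n").join(strip_empty_plugins(report)))
        written.append(out)
    return written


# Constructed sample in the shape assumed above; not real rip.exe output.
SAMPLE_REPORT = r"""
----------------------------------------
logonusername v.20160101
(NTUSER.DAT) Get user's logon name

Logon User Name = jdoe
----------------------------------------
userassist v.20160101
(NTUSER.DAT) Displays contents of UserAssist subkeys

Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist not found.
----------------------------------------
run v.20160101
(NTUSER.DAT) [Autostart] Get autostart key contents from NTUSER.DAT hive

Software\Microsoft\Windows\CurrentVersion\Run
LastWrite Time Mon Jan  4 00:00:00 2016 (UTC)
  OneDrive - C:\Users\jdoe\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background
"""

# Constructed TLN fragments for two hives (epoch|source|host|user|description).
SAMPLE_TLN_NTUSER = ("1451865600|REG||jdoe|M... UserAssist - notepad.exe (3)\n"
                     "1451952000|REG||jdoe|M... Run key LastWrite\n")
SAMPLE_TLN_SYSTEM = ("Launching services_tln v.20160101\n"
                     "1451779200|REG|WKSTN01||M... Service Tcpip LastWrite\n"
                     "1451865600|REG||jdoe|M... UserAssist - notepad.exe (3)\n")

if __name__ == "__main__":
    print(build_rip_command("rip.exe", "registryfiles/ntuser/NTUSER.DAT", "ntuser"))
    print(report_filename("registryfiles/ntuser/NTUSER.DAT", SAMPLE_REPORT))
    print("\n".join(s.splitlines()[0] for s in strip_empty_plugins(SAMPLE_REPORT)))
    print("\n".join(merge_timelines([SAMPLE_TLN_NTUSER, SAMPLE_TLN_SYSTEM])))
```

Filtering on the text output rather than on exit codes matters because rip.exe runs every plugin in a profile and reports "not found" as ordinary output, so a hive with few keys still produces a long report unless the empty sections are trimmed. The timeline merge deliberately discards anything that is not a well-formed five-field TLN line, so a banner or warning written to the same stream cannot end up as a fake event in the master timeline.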
## To Do
- Find a timeline technique that also adds value data to the timeline entries
- Add proper argument handling and a help menu