Provided by: regripper_3.0~git20210405.05ef957+dfsg1-1_all

NAME

       Regripper - forensic analysis of Registry hives

SYNOPSIS

       regripper [-r <hivefile>] [-f <hivetype>] [-p <plugin>] [-d] [-g] [-aT] [-s systemname] [-u
       username]

DESCRIPTION

       Regripper is an open source tool for forensic analysis of Windows Registry files.  It can be
       used  to  surgically  extract, translate, and display information (both data and metadata)
       from Registry-formatted files via plugins in the form of Perl scripts.

       All output goes to STDOUT; use redirection (i.e., > or >>) to output to a file.

OPTIONS

       -r <hive> Specify which Registry hive file to parse. Hive files can be found in
       %SystemRoot%\System32\config or in %userprofile% (the user's directory).

       -f <hivetype> Specify the hive type/profile to use, which can be sam, security, software,
       system, ntuser.

       -p <plugin> Specify the plugin to use, e.g. run, appcompatcache and so on. (See -l for the
       full list.)

       -d Check to see if the hive is dirty.

       -g Guess the hive file type.

       -a Automatically run hive-specific plugins.

       -aT Automatically run hive-specific timelining (TLN) plugins.

       -s <systemname> Specify system name (TLN Support)

       -u <username> Specify user name (TLN Support)

       -l List all available plugins. Custom plugins can be placed in usr/bin/regripper/plugins

       -c Output list of plugins as comma-separated values.

       -h Print short help information.

EXAMPLES

       List all available plugins

              regripper -l

       Run a specific plugin, e.g. retrieve a timeline of recent docs from NTUSER.DAT

              regripper -r /hive/NTUSER.DAT -p recentdocs_tln

       Retrieve run-keys from NTUSER.DAT

              regripper -r /hive/NTUSER.DAT -p run

       Process a complete hive file of type system:

              regripper -r /mnt/SYSTEM -f system > /mnt/reports/system.txt

       Parse hive file of type SAM:

              regripper -r /mnt/SAM -f sam > /mnt/SAM.txt

AUTHORS

       Written by Harlan Carvey <keydet89@yahoo.com>

BUGS AND LIMITATIONS

       This tool does NOT automatically process hive transaction logs. If you need to incorporate
       data from hive transaction logs into your analysis, consider merging the  data  via  Maxim
       Suhanov's yarp + registryFlush.py, or via Eric Zimmerman's rla.exe.
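
       An added example (not part of RegRipper or of this manual page): a Python check of the
       regf header fields that show whether a hive was left dirty, i.e. whether its transaction
       logs may hold data the primary file lacks. The offsets follow the regf base block layout;
       the function names and the sample headers are constructed for illustration.

```python
import struct

REGF_MAGIC = b"regf"
CHECKSUM_OFFSET = 0x1FC  # XOR-32 checksum of the first 508 header bytes


def xor32(data: bytes) -> int:
    """XOR-32 over the header dwords, with the two special cases regf uses."""
    csum = 0
    for (dword,) in struct.iter_unpack("<I", data):
        csum ^= dword
    if csum == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if csum == 0:
        return 1
    return csum


def hive_state(header: bytes) -> dict:
    """Summarise the base block fields relevant to transaction log handling."""
    if len(header) < 512 or header[:4] != REGF_MAGIC:
        raise ValueError("not a regf hive header")
    # Primary and secondary sequence numbers sit at offsets 4 and 8.
    primary, secondary = struct.unpack_from("<II", header, 4)
    (stored,) = struct.unpack_from("<I", header, CHECKSUM_OFFSET)
    return {
        "primary_seq": primary,
        "secondary_seq": secondary,
        "checksum_ok": stored == xor32(header[:CHECKSUM_OFFSET]),
        # A mismatch means a write was not completed, so newer data may
        # exist only in the .LOG files next to the hive.
        "dirty": primary != secondary,
    }


def make_header(primary: int, secondary: int) -> bytes:
    """Constructed sample header (not taken from a real system)."""
    hdr = bytearray(512)
    hdr[:4] = REGF_MAGIC
    struct.pack_into("<II", hdr, 4, primary, secondary)
    struct.pack_into("<I", hdr, CHECKSUM_OFFSET, xor32(bytes(hdr[:CHECKSUM_OFFSET])))
    return bytes(hdr)


if __name__ == "__main__":
    for name, hdr in [("clean", make_header(7, 7)), ("dirty", make_header(8, 7))]:
        print(name, hive_state(hdr))
```

       On a real hive, pass the first 512 bytes of the file to hive_state(); a dirty result is
       the cue to merge the logs with one of the tools named above before running plugins.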

REPORTING BUGS

       When submitting a bug report, please include a description of the problem, how you found
       it, and your contact information. Submit bug reports to:
       https://github.com/keydet89/RegRipper3.0/issues

COPYRIGHT

       This project is licensed under terms of the MIT License -
       https://opensource.org/licenses/MIT.  Copyright by Harlan Carvey <keydet89@yahoo.com>  and
       2020 Quantum Analytics Research, LLC.

       This manual page was written by Jan Gruber <j4n6ru@gmail.com>, for the Debian project (and
       may be used by others).

SEE ALSO

       More information on Regripper appears in the README file, distributed with  the  regripper
       source code.