• Stars
    star
    184
  • Rank 209,187 (Top 5 %)
  • Language
    Python
  • License
    Apache License 2.0
  • Created over 5 years ago
  • Updated about 1 year ago

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

A modern Python-3-based alternative to RegRipper

regrippy -- a modern Python 3 alternative to RegRipper

This is the public GitHub repository of RegRippy

We are aware of the existence of mkorman90/regipy, which has a similar goal. Both projects were developed in parallel, we were not aware of any other project like RegRippy when we started developing it.

Description

RegRippy is a framework for reading and extracting useful forensics data from Windows registry hives. It is an alternative to RegRipper developed in modern Python 3. It makes use of William Ballenthin's python-registry to access the raw registry hives.

The goal of this project is to provide a framework for quickly and easily developing your own plugins in an incident response scenario.

This tool will try its best to stay out of your way and quickly provide you with usable data:

# Get the computer name
$ regrip.py --root /mnt/evidence/C compname
JOHN-DESKTOP

# Get URLs typed in IE for all users on a machine
$ regrip.py -v --root /mnt/evidence/C --all-user-hives typedurls
regrip.py:info:Administrator
regrip.py:warn:Could not open key Software\Microsoft\Internet Explorer\TypedURLs
regrip.py:info:John
https://google.com/?q=how+to+buy+bitcoin

All plugins should also support both a human-readable and machine-readable output (the Bodyfile format), allowing easy piping to mactime or other tools.

Install

RegRippy is available on PyPI and can be installed using pip:

$ pip install regrippy

If you want the bleeding-edge release, it can be installed like any other Python package using pip or setuptools:

$ pip install .
# Alternatively
$ python3 setup.py install

Symlinks will automatically be created for all plugins: for example, you can call the compname plugin by running:

$ reg_compname -r /mnt/c/

Usage

usage: regrip.py [-h] [--system SYSTEM] [--software SOFTWARE] [--sam SAM]
                 [--ntuser NTUSER] [--usrclass USRCLASS] [--root ROOT]
                 [--all-user-hives] [--backups] [--verbose] [--bodyfile]
                 [--list]
                 plugin_name

Extract information from Windows Registry hives

positional arguments:
  plugin_name           Name of the plugin to run

optional arguments:
  -h, --help            show this help message and exit
  --system SYSTEM, -y SYSTEM
                        Path to the SYSTEM hive. Overrides --root and the
                        REG_SYSTEM environment variable
  --software SOFTWARE, -o SOFTWARE
                        Path to the SOFTWARE hive. Overrides --root and the
                        REG_SOFTWARE environment variable
  --sam SAM, -a SAM     Path to the SAM hive. Overrides --root and the REG_SAM
                        environment variable
  --ntuser NTUSER, -n NTUSER
                        Path to the NTUSER.DAT hive. Overrides the REG_NTUSER
                        environment variable
  --usrclass USRCLASS, -u USRCLASS
                        Path to the UsrClass.DAT hive. Overrides the
                        REG_USRCLASS environment variable
  --root ROOT, -r ROOT  Path to the C: folder. Overrides the REG_ROOT
                        environment variable
  --all-user-hives      Work on all NTUSER.DAT and USRCLASS.DAT hives if
                        required. Requires --root. Overrides --ntuser and
                        --usrclass.
  --backups             Run the plugin on backup registry hives as well (does
                        not work for hives loaded from stdin)
  --verbose, -v         Be more verbose
  --bodyfile, -b        Force output in Bodyfile format
  --list, -l            List available plugins

Documentation & development

If you want to make your own plugin using the RegRippy framework, head over to the documentation right now!

You can also build the documentation yourself by running:

$ tox -e docs

Testing

This project uses tox to automate the testing process, as well as pytest for the test themselves.

Running the tests can be done by invoking:

$ tox -e py37

Credits

License

RegRippy is released under the Apache 2.0 license.

More Repositories

1

ttddbg

Time Travel Debugging IDA plugin
C++
551
star
2

Winshark

A wireshark plugin to instrument ETW
Lua
527
star
3

Yagi

Yet Another Ghidra Integration for IDA
C++
480
star
4

Invoke-Bof

Load any Beacon Object File using Powershell!
PowerShell
245
star
5

comida

An IDA Plugin that help analyzing module that use COM
Python
198
star
6

etl-parser

Event Trace Log file parser in pure Python
Python
132
star
7

yara-ttd

Use YARA rules on Time Travel Debugging traces
C
86
star
8

vbSparkle

VBScript & VBA source-to-source deobfuscator with partial-evaluation
C#
72
star
9

ntTraceControl

Powershell Event Tracing Toolbox
PowerShell
72
star
10

CVE-2024-4040

Scanner for CVE-2024-4040
Python
50
star
11

etwbreaker

An IDA plugin to deal with Event Tracing for Windows (ETW)
Python
49
star
12

minusone

Powershell Linter
Rust
46
star
13

PSTrace

Trace ScriptBlock execution for powershell v2
C
39
star
14

tree-sitter-powershell

Powershell grammar for tree-sitter
JavaScript
36
star
15

dnYara

A multi-platform .Net wrapper library for the native Yara library.
C#
35
star
16

timeliner

A rewrite of mactime, a bodyfile reader
Go
34
star
17

Splunk-ETW

A Splunk Technology Add-on to forward filtered ETW events.
C#
30
star
18

cacdec

The hidden mstsc recorder player
Python
28
star
19

ttd2mdmp

Extract data of TTD trace file to a minidump
C++
28
star
20

dirtypipe-ebpf_detection

An eBPF detection program for CVE-2022-0847
C
27
star
21

mispy

Another MISP module for Python
Python
17
star
22

mispgo

Golang library for MISP
Go
5
star
23

usnrs

USN Journal parsing software and library
Rust
5
star
24

bodyfile

A bodyfile parsing library
Go
3
star
25

nix-forensics

Reproducible forensics environment, 100% of the time
Nix
3
star
26

skyblue.team

Our website
HTML
1
star