Running Regripper on Linux

I have been using Harlan Carvey's excellent RegRipper tool for a while now to analyse Windows registry hive files as part of incident investigations, and since I do the majority of my investigations from Linux systems I thought I'd share here the process I use to run RegRipper from Linux.

I am aware that a Linux version of RegRipper has been created but at the time that I checked it was not available to download from RapidShare.  In addition, since the process of getting the Windows version to run on Linux is so easy, this is usually the method I follow.

I am doing the following on Ubuntu 9.10, but these instructions should work on the majority of Linux installations.  The majority of these commands to install RegRipper need to be run as root, so I am using a root shell, opened on Ubuntu via the command "sudo -s".

First we need to install the Parse::Win32Registry perl module, which RegRipper uses to parse the registry hive files.  Grab it from CPAN like so.

root@<host>:~# perl -MCPAN -e 'install Parse::Win32Registry'

Now we need to create a directory for RegRipper to run from.  I like to put it in its own directory under /opt, but you can put it wherever you wish.  Create the directory and change to it.

root@<host>:~# mkdir -p /opt/regripper
root@<host>:~# cd /opt/regripper

Now we download the RegRipper program itself.  The command below downloads the latest version available at the time of writing.  To check for later versions, go to the RegRipper site and check the Downloads area.

root@<host>:/opt/regripper# wget

Unzip RegRipper:

root@<host>:/opt/regripper# unzip

Convert to Unix line endings and make the script executable:

root@<host>:/opt/regripper# perl -pi -e 's/\r\n/\n/g'
root@<host>:/opt/regripper# chmod +x

Edit the first line of  to use your system's perl interpreter to run it:

root@<host>:/opt/regripper# which perl | sed 's/\//\\\//g' > /tmp/perlloc && sed -i "s/ c:\\\\perl\\\\bin\\\\perl.exe/`cat /tmp/perlloc`/"

Add/modify a few lines so that the RegRipper plugins directory can be found:

root@<host>:/opt/regripper# echo $PWD | sed 's/\//\\\//g' > /tmp/pwd && sed -i "s/use Getopt::Long;/use Getopt::Long;\nuse lib \'`cat /tmp/pwd`\/\';\n/"
root@<host>:/opt/regripper# sed -i "s/plugindir = \"plugins\\\\\\\\/plugindir = \"`cat /tmp/pwd`\/plugins\//"
root@<host>:/opt/regripper# sed -i 's/require "plugins\\\\".$plugins{$i}."\\.pl";/require "plugins\/".$plugins{$i}."\\.pl";/'
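The line-ending, shebang and plugin-path edits above can be done in one pass without the /tmp/perlloc and /tmp/pwd escaping dance. This is an added example, not code from the original post or from RegRipper itself; it assumes the CLI script path and the install directory are passed as arguments, and it builds a constructed stand-in for the script so the edits can be tried before the real download.

```shell
#!/bin/sh
# Added example (not from the original post or RegRipper): applies the same
# edits as the commands above in one pass: CRLF -> LF, local perl in the
# shebang, "use lib" so @INC includes the install dir, forward-slash plugin
# paths. Usage: patch_regripper SCRIPT INSTDIR
set -e

patch_regripper() {
    script=$1      # path to the RegRipper CLI script (assumed argument)
    instdir=$2     # install directory, e.g. /opt/regripper (assumed argument)
    perlbin=$(command -v perl || echo /usr/bin/perl)

    # tr strips the CRs portably (GNU sed's \r is not POSIX); sed does the rest
    tr -d '\r' < "$script" |
    sed -e "1s|^#!.*|#!$perlbin|" \
        -e "/^use Getopt::Long;/a\\
use lib '$instdir/';" \
        -e "s|plugindir = \"plugins\\\\\\\\|plugindir = \"$instdir/plugins/|" \
        -e 's|require "plugins\\\\"|require "plugins/"|' > "$script.tmp"
    mv "$script.tmp" "$script"
    chmod +x "$script"
}

# Constructed stand-in for the script, carrying only the Windows-isms that the
# sed commands above target (this is NOT the real RegRipper source).
make_sample() {
    printf '%s\r\n' \
        '#! c:\perl\bin\perl.exe' \
        'use strict;' \
        'use Getopt::Long;' \
        'my $plugindir = "plugins\\";' \
        'require "plugins\\".$plugins{$i}."\.pl";' > "$1"
}

# Run with --demo to see the patched stand-in script
if [ "${1:-}" = "--demo" ]; then
    make_sample /tmp/rip-sample.pl
    patch_regripper /tmp/rip-sample.pl /opt/regripper
    cat /tmp/rip-sample.pl
fi
```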

Now we should be able to run the RegRipper command line interface.

root@<host>:/opt/regripper# ./
Rip v.20080419 - CLI RegRipper tool
Rip [-r Reg hive file] [-f plugin file] [-p plugin module] [-l] [-h]
Parse Windows Registry files, using either a single module, or a plugins file.
All plugins must be located in the "plugins" directory; default plugins file
used if no other filename given is "plugins\plugins".

  -r Reg hive file...Registry hive file to parse
  -g ................Guess the hive file (experimental)
  -f [plugin file]...use the plugin file (default: plugins\plugins)
  -p plugin module...use only this module
  -l ................list all plugins
  -c ................Output list in CSV format (use with -l)
  -h.................Help (print this information)
Ex: C:\>rr -r c:\case\system -f system
    C:\>rr -r c:\case\ntuser.dat -p userassist
    C:\>rr -l -c

All output goes to STDOUT; use redirection (ie, > or >>) to output to a file.
copyright 2008 H. Carvey

And we can run it against one of the Registry hive files from my Windows system volume, mounted at /media/sda2:

root@<host>:/opt/regripper# ./ -r /media/sda2/Windows/System32/config/SAM -f sam
Parsed Plugins file.
Launching samparse v.20080415

User Information
Username        : Administrator [500]
Full Name       :
User Comment    : Built-in account for administering the computer/domain [SNIP]

And that's it - happy RegRipping!

Update:  Modified download path above to take into account change of location on RegRipper site.