dccfguru…
None of those tools does what RegRipper does, so I'm not sure how the list goes on…or how there's a list at all.
None of the tools do exactly what RegRipper does; however, RegRipper is still pulling the values from the Registry, is it not? You can still verify the values reported by RegRipper are the same values reported from other tools. Each tool will display the values in a different manner to the user, but the values should still be consistent between tools.
Have you verified the RegRipper results against another tool to ensure RegRipper is providing correct results?
This is a good post…what tools would you recommend for doing this?
AccessData's Registry Viewer, mounting the registry files in EnCase, Paraben's Registry Analyzer… the list goes on…
From the RegRipper website…
> What is the RegRipper?
> I should start by saying what the RegRipper is *not*…it's not a Registry Viewer. An examiner would not open a Registry hive file in RegRipper to "look around".
> …RegRipper is a Windows Registry data extraction and correlation tool. RegRipper uses plugins (similar to Nessus) to access specific Registry hive files in order to access and extract specific keys, values, and data, and does so by bypassing the Win32API.
Might help clear some confusion between registry viewing and analysis.
Also
http//
Further, most Registry viewing tools allow you to do just that…view Registry hive files. RegRipper does things such as translate value names where applicable (UserAssist) and also extracts data (timestamps, MAC addresses, etc.) from data, in many cases translating that binary information into something readable and understandable.
I'm all for using multiple tools to validate your findings. However, IMHO, based on the design of RegRipper, you can necessarily say that it's a simple matter of loading a hive file into a viewer in order to validate your RegRipper findings.
Isn't that what dccfguru was suggesting? Why so much condescension when people ask legitimate questions about validating their results, including data translated by RegRipper for readability?
What "condescension" are you referring to? I'm just trying to clarify the purpose of and design behind RegRipper, and I'm not being condescending at all.
Keydet89,
I've forgotten that rr has an auditpol plugin. Apologies, it was way late & my brain kinda froze.
I've used AccessData Registry Viewer but it's just that, a viewer. It can't go where rr can go. Definitely looking for an alternative tool for verification purposes.
MC
> Definitely looking for alternative tool for verification purposes.
Try my tool (RegExtract), which is completely based on RegRipper (props to Harlan).
It started as me having the need to parse binary registry files for another project, so I turned it into a Microsoft.Net library. RegExtract uses the library and I used RR to validate my results.
Info http//
Download http//
It requires v3.5 of the Microsoft.Net framework.
Not being flippant or condescending, as I completely understand the need for verification…but if you're looking for another tool to verify what RegRipper reports, I'd strongly suggest a hex editor.
The format of hive files is documented, as is the abstraction layer provided by Perl and the supporting module(s). Open the plugin you're interested in in Notepad and read what it does…depending upon the plugin, you may find URLs to references that provide information as to why that key or value or data is being sought.
Then go to your hive file and trace the information by hand.
Again…not being flippant or condescending. There ARE no other tools like RegRipper, so it's not as if you're going to be able to verify your results the way you would by comparing Registry File Viewer head-to-head with AccessData's Registry Viewer.
This is probably a better topic for another thread, one specific to tool verification in general.
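The "trace it by hand" approach described above (the hive format is documented, so follow the chain from the base block to the key record, its value list, the value record and its data yourself) and the translation step mentioned earlier in the thread (ROT13 UserAssist value names, FILETIME timestamps) can both be scripted. The Python below is an added example written for this thread; it is not code from RegRipper, Parse-Win32Registry, RegExtract or any other tool named here. It builds a small constructed hive in memory (one `Count` key holding one Windows XP-style 16-byte UserAssist value, with invented session id, count, timestamp and path), then parses that buffer from the `regf` base block down, reading the `nk` and `vk` records at the field offsets given in the public hive-format documentation, and prints what a userassist-style plugin would report: the decoded value name, the run count and the last-run time. The function names (`build_sample_hive`, `parse_hive`, `rip_userassist`) and all sample data are this example's own.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

HBIN_BASE = 0x1000  # cell offsets in a hive are relative to the first hbin, right after the 4 KB base block
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):  # FILETIME: 100 ns ticks since 1601-01-01 UTC, the timestamp format inside hives
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def _cell(payload):
    # a cell is an int32 size (negative = allocated) followed by the record, padded to 8 bytes
    size = (len(payload) + 4 + 7) & ~7
    return struct.pack("<i", -size) + payload.ljust(size - 4, b"\x00")

def _base_block_checksum(base):
    # XOR of the first 0x1FC bytes as little-endian dwords; 0 and 0xFFFFFFFF are remapped as the format specifies
    x = 0
    for (dw,) in struct.iter_unpack("<I", base[:0x1FC]):
        x ^= dw
    return 1 if x == 0 else 0xFFFFFFFE if x == 0xFFFFFFFF else x

def build_sample_hive():
    """Constructed hive (not from any real system): a root key 'Count' with one XP-style UserAssist value."""
    hbin = bytearray(b"hbin" + struct.pack("<II", 0, 0x1000) + b"\x00" * 20)  # 32-byte hbin header
    def add(payload):
        rel = len(hbin)  # hbin-relative offset, which is how the hive refers to cells
        hbin.extend(_cell(payload))
        return rel
    last_run = datetime(2011, 3, 14, 9, 26, 53, tzinfo=timezone.utc)  # constructed timestamp
    # XP UserAssist data: session id, run count, last-run FILETIME (16 bytes); the value name is ROT13-encoded
    data_off = add(struct.pack("<IIQ", 1, 7, datetime_to_filetime(last_run)))
    enc_name = codecs.encode("UEME_RUNPATH:C:\\Windows\\notepad.exe", "rot_13").encode()
    # vk: name length, data size, data offset, type (3 = REG_BINARY), flags (1 = ASCII name), 2 spare bytes, name
    vk_off = add(b"vk" + struct.pack("<HIIIH", len(enc_name), 16, data_off, 3, 1) + b"\x00\x00" + enc_name)
    vlist_off = add(struct.pack("<I", vk_off))  # value list: an array of vk cell offsets
    nk = bytearray(0x4C)
    nk[0:2] = b"nk"
    struct.pack_into("<HQ", nk, 0x02, 0x24, datetime_to_filetime(last_run))  # flags root|ascii name, last written
    for off in (0x10, 0x1C, 0x20, 0x2C, 0x30):  # parent, subkey lists, security, class name: none (-1)
        struct.pack_into("<I", nk, off, 0xFFFFFFFF)
    struct.pack_into("<II", nk, 0x24, 1, vlist_off)  # value count, value list offset
    struct.pack_into("<H", nk, 0x48, 5)  # key name length; the name itself follows at 0x4C
    root_off = add(bytes(nk) + b"Count")
    free = 0x1000 - len(hbin)  # the rest of the hbin is one free cell (positive size)
    hbin.extend(struct.pack("<i", free) + b"\x00" * (free - 4))
    base = bytearray(0x1000)
    base[0:4] = b"regf"
    # seq1, seq2, timestamp, major 1, minor 3, type 0, format 1, root cell offset, hbins data size, cluster factor
    struct.pack_into("<IIQIIIIIII", base, 4, 1, 1, datetime_to_filetime(last_run), 1, 3, 0, 1, root_off, 0x1000, 1)
    struct.pack_into("<I", base, 0x1FC, _base_block_checksum(base))
    return bytes(base + hbin)

def cell(buf, rel, sig=None):
    """Payload of the allocated cell at hbin-relative offset rel, optionally checking its 2-byte signature."""
    start = HBIN_BASE + rel
    size = struct.unpack_from("<i", buf, start)[0]
    payload = buf[start + 4:start - size]
    if size >= 0 or (sig and payload[:2] != sig):
        raise ValueError("no allocated %s cell at offset %#x" % (sig, rel))
    return payload

def parse_vk(buf, rel):
    p = cell(buf, rel, b"vk")
    name_len, data_size, data_off, dtype, flags = struct.unpack_from("<HIIIH", p, 2)
    name = p[0x14:0x14 + name_len].decode("latin-1")
    if data_size & 0x80000000:  # data of 4 bytes or less is stored in the offset field itself
        data = struct.pack("<I", data_off)[:data_size & 0x7FFFFFFF]
    else:
        data = cell(buf, data_off)[:data_size]
    return {"name": name, "type": dtype, "data": data}

def parse_nk(buf, rel):
    p = cell(buf, rel, b"nk")
    ts = struct.unpack_from("<Q", p, 0x04)[0]
    nvals, vlist_off = struct.unpack_from("<II", p, 0x24)
    name_len = struct.unpack_from("<H", p, 0x48)[0]
    vl = cell(buf, vlist_off) if nvals else b""  # keys with no values carry no usable list offset
    values = [parse_vk(buf, struct.unpack_from("<I", vl, 4 * i)[0]) for i in range(nvals)]
    return {"name": p[0x4C:0x4C + name_len].decode("latin-1"),
            "last_written": filetime_to_datetime(ts), "values": values}

def parse_hive(buf):
    """Check the signature and base block checksum, then walk from the root key offset stored at 0x24."""
    if buf[:4] != b"regf" or struct.unpack_from("<I", buf, 0x1FC)[0] != _base_block_checksum(buf):
        raise ValueError("bad regf base block")
    return parse_nk(buf, struct.unpack_from("<I", buf, 0x24)[0])

def rip_userassist(buf):
    """Translate XP-style UserAssist values the way a plugin would: (decoded name, run count, last run)."""
    rows = []
    for v in parse_hive(buf)["values"]:
        if len(v["data"]) != 16:  # other layouts (e.g. the longer Windows 7 record) are skipped here
            continue
        _session, count, ft = struct.unpack("<IIQ", v["data"])
        rows.append((codecs.decode(v["name"], "rot_13"), count, filetime_to_datetime(ft)))
    return rows

for name, count, when in rip_userassist(build_sample_hive()):
    print(when.strftime("%Y-%m-%d %H:%M:%S UTC"), count, name)
```

Every number the script reports can be checked against the same bytes in a hex editor: the root offset at 0x24 of the base block, the `nk` cell at 0x1000 plus that offset, its value list at `nk+0x28`, the `vk` cell, and finally the 16-byte data cell whose last 8 bytes are the FILETIME. To apply it to a real NTUSER.DAT you would read the file instead of calling `build_sample_hive()`, but note that this example deliberately stops at the root key; walking the `lf`/`lh` subkey lists down to the UserAssist `Count` key is not implemented, and it does not subtract any per-version count offset or handle the longer Windows 7 record.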
Just out of curiosity, why would you need another tool to verify the data RegRipper provides? And yes, KeyDet89 is correct, the list does go on. RegRipper simply presents the data in an easily readable format. You could export the suspect hive and parse it with a hex editor, or use the native function in EnCase, or Registry Viewer, or Registry Analyzer… as indicated.
Has RegRipper come under some scrutiny? Has something happened that would lead you to believe that the RR results were inaccurate?
There are a number of applications that can be used to query and pull data from the Windows Registry. One such set of Perl scripts was written by James Macfarlane. He is the author of Parse-Win32Registry. You can read more details about his Perl scripts here:
http//
I've been using a number of his scripts, including regtimeline, regtree, regview, regdiff, and regfind, for quite some time. If I remember correctly, James's regtimeline was created long before Harlan's registry timeline script. I know RegRipper relies on James's Parse-Win32Registry extensively.
If you haven't used or looked into James's scripts, you may want to.
Cheers!
farmerdude