I had to make one minor change to rip.pl on the SIFT
The command is "rip.pl -r [hive] -p [plugin]"; in the SIFT regripper I was getting an error message "/usr/local/src/regripper/pluginsmpmru.pl not found"
To "fix" it (I say "fix" loosely…'cos it's not really broken, just the pointer to the plugins folder not pointing regripper to the right place) you can do either of the following.
You can change the command to "rip.pl -r [hive] -p \/[plugin]" (add the backslash to escape the following added forward slash)…or add a forward slash at the end of line 29 of rip.pl
"my $plugindir = '/usr/local/src/regripper/plugins';" becomes
"my $plugindir = '/usr/local/src/regripper/plugins/';"
I reach for regripper in most tasks I undertake, and would not be without it. I have used the nice pointy-clicky tools, but there's nothing that will make you learn the Windows registry like rr (best to combine it with Windows Forensic Analysis book).
Have you checked out "Windows Registry Forensics"??
Not yet…it's in my Amazon wishlist though.. *sigh* so many books, so little time!.. lol