July 11, 2009

RipXP parses registry hives in Windows restore points

Harlan Carvey has managed to make a great new tool again: RipXP. RipXP is similar to rip.exe, in that it is a CLI tool and that it uses the same plugins as RegRipper and rip.exe. You give ripXP (as command line arguments) the hive file, the directory where the Restore Points reside, and a plugin to run. Once you have all this, ripXP will then:

- Access the hive file and guess what kind (SAM, System, NTUSER.DAT, Software, or Security) hive file it is (if it's an NTUSER.DAT file, it will attempt to retrieve the user's SID)

- Compare the type of hive file to the hive file that the plugin was written for; that is, if you pass it a System hive file, it won't let you run a plugin meant for an NTUSER.DAT file (just like rip.exe, ripXP includes the "-l" option so you can list all available plugins)

- Run the plugin against the hive file you selected

- Access the System Restore RP directories, and run the plugin against the appropriate hive

All this happens automatically, and the output goes to STDOUT, so all you have to do is redirect the output to a file.

Download RipXP at http://www.regripper.net/

Jul 11, 2009 10:50:27 AM | Forensics

The comments to this entry are closed.

NEXT POST
Some simple user defined variables in MySQL You can use simple user defined variables in MySQL (command line). Expressions involving variables are evaluated for each row of a query result, a property that you can use to provide a column of row numbers in the output. It's...
PREVIOUS POST
Capture memory with FTK Imager v. 2.6.1 It's possible to capture the contents of RAM memory with FTK Imager v. 2.6.1 now. As you can see, a new button has appeared in the toolbar: Download FTK Imager v. 2.6.1 at http://www.accessdata.com/downloads/current_releases/imager/imager-ftk_imager-2.6.1.exe

Mark

The Typepad Team

Search

My Other Accounts

Recent Comments