RVT has RegRipper support

RegRipper support is added to the Revealer Toolkit Shell through these commands:

  • script regripper listmodules
  • script regripper execmodule <plugin> <hivetype> <partition>
  • script regripper execallmodules <hivetype> <partition>

The last one runs RegRipper over every file that appears to be a registry hive and stores the results in the output/regripper morgue folder, sorted by modification date.

Get the latest code at http://code.google.com/p/revealertoolkit/, revision 32.

RegRipper code works under Linux after these steps:

  • installing the Parse::Win32Registry Perl module through CPAN
  • modifying rip.pl (see the diff at the end)
  • converting the file to Unix format with the dos2unix tool
  • installing rip.pl and the plugins folder under /usr/local/RegRipper
  • finally, a ln -s /usr/local/RegRipper/rip.pl /usr/local/bin/rip will make your life easier
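
The steps above as one script, added here as an example (it is not RVT or RegRipper code). The function names port_rip and install_regripper and the optional PREFIX/BINDIR arguments are assumptions of this sketch, and `tr -d '\r'` stands in for dos2unix.

```shell
#!/bin/sh
# Added example, not RVT or RegRipper code. Function names and the
# PREFIX/BINDIR parameters are assumptions of this sketch.

# port_rip SRC DEST [PLUGINDIR]: write a Linux-ready copy of rip.pl.
port_rip() {
    src=$1 dest=$2 plugindir=${3:-/usr/local/RegRipper/plugins/}
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    # tr strips the CRs (stand-in for dos2unix); sed applies the three edits.
    tr -d '\r' < "$src" | sed \
        -e '1s|^#! *[cC]:\\perl\\bin\\perl\.exe.*$|#!/usr/bin/perl|' \
        -e 's|^\(my \$plugindir = \)"plugins\\\\";|\1"'"$plugindir"'";|' \
        -e 's|require "plugins\\\\"\.\$plugins|require $plugindir.$plugins|' \
        > "$dest" || return 1
    # Refuse a half-patched file: Unix shebang, no Windows plugin path left.
    [ "$(head -n 1 "$dest")" = '#!/usr/bin/perl' ] ||
        { echo "shebang not patched in $dest" >&2; return 1; }
    if grep -q '"plugins\\\\"' "$dest"; then
        echo "Windows plugin path left in $dest" >&2; return 1
    fi
    chmod 755 "$dest"
}

# install_regripper SRCDIR [PREFIX] [BINDIR]
install_regripper() {
    srcdir=$1 prefix=${2:-/usr/local/RegRipper} bindir=${3:-/usr/local/bin}
    mkdir -p "$prefix/plugins" "$bindir" || return 1
    port_rip "$srcdir/rip.pl" "$prefix/rip.pl" "$prefix/plugins/" || return 1
    cp -R "$srcdir/plugins/." "$prefix/plugins/" || return 1
    ln -sf "$prefix/rip.pl" "$bindir/rip" || return 1
    # The CPAN module is installed separately; only warn when it is missing.
    perl -MParse::Win32Registry -e 1 2>/dev/null ||
        echo "warning: Parse::Win32Registry not found, install it via CPAN" >&2
}
# Usage (as root, from the unpacked RegRipper directory): install_regripper .
```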

These changes slightly extend earlier proposals (see http://brainstretching.blogspot.com/2008/10/linux-e-regripper.html).


< #! c:\perl\bin\perl.exe

> #!/usr/bin/perl


< my $plugindir = “plugins\\”;

> my $plugindir = “/usr/local/RegRipper/plugins/”;
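
Review bot: the new `$plugindir` value hard-codes /usr/local/RegRipper/plugins/, so rip.pl only finds its plugins when installed at exactly that prefix. Deriving the directory from the script's own location (for example with FindBin's `$RealBin`, which resolves the /usr/local/bin/rip symlink) would keep the change working for other install paths.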


<             require “plugins\\”.$plugins{$i}.”\.pl”;

>             require $plugindir.$plugins{$i}.”\.pl”;
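
Review bot: the string literals in this `require` line are shown with typographic quotes (“ ”), which Perl does not accept as string delimiters; they must be plain ASCII double quotes when the change is typed into rip.pl. The backslash in the ".pl" suffix is also unnecessary inside a double-quoted string and could be dropped while the line is being touched.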


3 May 2009 at 21:30

