Sunday, April 25, 2010

Running Regripper on Linux

I have been using Harlan Carvey's excellent RegRipper tool for a while now to analyse Windows registry hive files as part of incident investigations, and since I do the majority of my investigations from Linux systems I thought I'd share here the process I use to run RegRipper from Linux.

I am aware that a Linux version of RegRipper has been created but at the time that I checked it was not available to download from RapidShare.  In addition, since the process of getting the Windows version to run on Linux is so easy, this is usually the method I follow.

I am doing the following on Ubuntu 9.10, but these instructions should work on the majority of Linux installations.  The majority of these commands to install RegRipper need to be run as root, so I am using a root shell, opened on Ubuntu via the command "sudo -s".

First we need to install the Parse::Win32Registry perl module, which RegRipper uses to parse the registry hive files.  Grab it from CPAN like so.

root@lion:~# perl -MCPAN -e 'install Parse::Win32Registry'

Now we need to create a directory for RegRipper to run from.  I like to put it in its own directory under /opt, but you can put it wherever you wish.  Create the directory and change to it.

root@lion:~# mkdir -p /opt/regripper
root@lion:~# cd /opt/regripper

Now we download the RegRipper program itself.  The command below downloads the latest available version at the time of writing.  To check for later versions, go here and check the Downloads area.

root@lion:/opt/regripper# wget http://regripper.net/RR/RegRipper/rr_20080909.zip

Unzip RegRipper.

root@lion:/opt/regripper# unzip rr_20080909.zip

Convert rip.pl to Unix line endings and make it executable.

root@lion:/opt/regripper# perl -pi -e 's/\r\n/\n/g' rip.pl
root@lion:/opt/regripper# chmod +x rip.pl

Edit the first line of rip.pl so that your system's perl interpreter is used to run rip.pl.

root@lion:/opt/regripper# which perl | sed 's/\//\\\//g' > /tmp/perlloc && sed -i "s/ c:\\\\perl\\\\bin\\\\perl.exe/`cat /tmp/perlloc`/" rip.pl

Add/Modify a few commands to allow the RegRipper plugins directory to be found:

root@lion:/opt/regripper# echo $PWD | sed 's/\//\\\//g' > /tmp/pwd && sed -i "s/use Getopt::Long;/use Getopt::Long;\nuse lib \'`cat /tmp/pwd`\/\';\n/" rip.pl
root@lion:/opt/regripper# sed -i "s/plugindir = \"plugins\\\\\\\\/plugindir = \"`cat /tmp/pwd`\/plugins\//" rip.pl
root@lion:/opt/regripper# sed -i 's/require "plugins\\\\".$plugins{$i}."\\.pl";/require "plugins\/".$plugins{$i}."\\.pl";/' rip.pl
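The three sed commands above each shuttle an escaped path through a file under /tmp because `/` is both the path separator and the sed delimiter. As an added example (my script, not part of the original post or of RegRipper), the following applies the same four edits in one pass, using `|` as the sed delimiter so that neither the perl path nor the install directory needs escaping. It assumes GNU sed (for `\n` in a replacement) and that line 1 of rip.pl is the Windows `#! c:\perl\bin\perl.exe` line the post's sed pattern implies; the sample rip.pl fragment it patches is constructed from the lines the post's commands target, not copied from the real file.

```shell
#!/bin/sh
# Added example, not from the original post: apply the post's four rip.pl
# edits in one pass. Using '|' as the sed delimiter means the perl path and
# install directory need no escaping, so the /tmp scratch files go away.
# Assumes GNU sed (for \n in a replacement) and that line 1 of rip.pl is
# the Windows "#! c:\perl\bin\perl.exe" line the post's sed pattern implies.
set -eu

# make_sample FILE: constructed stand-in for the top of the 2008 rip.pl,
# reduced to the lines the post's commands target, written with CRLF endings.
make_sample() {
    printf '%s\r\n' \
        '#! c:\perl\bin\perl.exe' \
        'use strict;' \
        'use Getopt::Long;' \
        'my $plugindir = "plugins\\";' \
        'require "plugins\\".$plugins{$i}."\.pl";' > "$1"
}

# patch_rip FILE PERL_PATH INSTALL_DIR
#   1. strip the CR of every CRLF line ending (tr, so no sed \r extension needed)
#   2. replace the Windows #! line with PERL_PATH
#   3. add "use lib 'INSTALL_DIR/';" after "use Getopt::Long;"
#   4. point $plugindir at INSTALL_DIR/plugins/ and the require() at plugins/
patch_rip() {
    f=$1; perl_path=$2; dir=$3
    tr -d '\r' < "$f" | sed \
        -e "1s|^#!.*|#!$perl_path|" \
        -e "s|^use Getopt::Long;|&\nuse lib '$dir/';|" \
        -e "s|plugindir = \"plugins[^\"]*\"|plugindir = \"$dir/plugins/\"|" \
        -e 's|require "plugins[^"]*"|require "plugins/"|' > "$f.tmp"
    mv "$f.tmp" "$f"
    chmod +x "$f"
}

# check_rip FILE: succeed only if no CR remains and all four edits landed.
check_rip() {
    f=$1
    tr -d '\r' < "$f" | cmp -s - "$f" &&
    head -n 1 "$f" | grep -q '^#!/' &&
    grep -q "^use lib '/" "$f" &&
    grep -q 'plugindir = "/.*/plugins/"' "$f" &&
    grep -q 'require "plugins/"' "$f"
}

# demo: patch the constructed sample in a temporary directory, print the
# result and return check_rip's status.
demo() {
    tmp=$(mktemp -d)
    make_sample "$tmp/rip.pl"
    patch_rip "$tmp/rip.pl" "$(command -v perl || echo /usr/bin/perl)" "$tmp"
    cat "$tmp/rip.pl"
    if check_rip "$tmp/rip.pl"; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# Real use, after unzipping into /opt/regripper as in the post:
#   patch_rip /opt/regripper/rip.pl "$(command -v perl)" /opt/regripper
#   check_rip /opt/regripper/rip.pl && echo "rip.pl ready"
```

Run `demo` to see the patched sample, or call `patch_rip` on the real rip.pl as in the trailing comment; `check_rip` is worth running afterwards, since a silently unmatched sed pattern (for example if a later RegRipper release changes the `$plugindir` line) would otherwise only show up as a confusing "Can't locate" error from perl at run time.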

Now we should be able to run the rip.pl RegRipper command line interface.

root@lion:/opt/regripper# ./rip.pl
Rip v.20080419 - CLI RegRipper tool   
Rip [-r Reg hive file] [-f plugin file] [-p plugin module] [-l] [-h]
Parse Windows Registry files, using either a single module, or a plugins file.
All plugins must be located in the "plugins" directory; default plugins file
used if no other filename given is "plugins\plugins".

  -r Reg hive file...Registry hive file to parse
  -g ................Guess the hive file (experimental)
  -f [plugin file]...use the plugin file (default: plugins\plugins)
  -p plugin module...use only this module
  -l ................list all plugins
  -c ................Output list in CSV format (use with -l)
  -h.................Help (print this information)
 
Ex: C:\>rr -r c:\case\system -f system
    C:\>rr -r c:\case\ntuser.dat -p userassist
    C:\>rr -l -c

All output goes to STDOUT; use redirection (ie, > or >>) to output to a file.
 
copyright 2008 H. Carvey

And we can run it against one of the Registry hive files from my Windows system volume mounted at /media/sda2

root@lion:/opt/regripper# ./rip.pl -r /media/sda2/Windows/System32/config/SAM -f sam
Parsed Plugins file.
Launching samparse v.20080415

User Information
-------------------------
Username        : Administrator [500]
Full Name       :
User Comment    : Built-in account for administering the computer/domain [SNIP]
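In an investigation you normally want every hive from the volume, not just the SAM, and since rip.pl writes everything to STDOUT each report has to be redirected somewhere. As an added example (my script, not part of the original post or of RegRipper), the following walks a mounted Windows volume such as the post's /media/sda2, picks the right plugins file for each hive it finds, and saves one report per hive. It assumes the plugins directory carries profile files named sam, security, software, system and ntuser (the post only shows sam and system), and looks for NTUSER.DAT under both the Vista-era Users tree and the XP-era Documents and Settings tree.

```shell
#!/bin/sh
# Added example, not from the original post: run rip.pl over every hive on
# a mounted Windows volume (the post uses /media/sda2) and keep one report
# per hive, since rip.pl writes everything to STDOUT.
set -eu

# profile_for HIVE: print the plugins-file name for a hive, or fail for a
# file RegRipper has no profile for. Assumption: the plugins directory holds
# profile files named sam, security, software, system and ntuser (the post's
# examples show only sam and system).
profile_for() {
    case $(basename "$1" | tr '[:lower:]' '[:upper:]') in
        SAM)        echo sam ;;
        SECURITY)   echo security ;;
        SOFTWARE)   echo software ;;
        SYSTEM)     echo system ;;
        NTUSER.DAT) echo ntuser ;;
        *)          return 1 ;;
    esac
}

# report_name HIVE PROFILE: report file name; NTUSER.DAT reports are tagged
# with the profile directory (user name) so several users do not collide.
report_name() {
    if [ "$2" = ntuser ]; then
        echo "ntuser-$(basename "$(dirname "$1")")"
    else
        echo "$2"
    fi
}

# rip_all MOUNT OUTDIR [RIP]: run RIP (default /opt/regripper/rip.pl) on each
# hive found under MOUNT, writing OUTDIR/<name>.txt, and print how many ran.
# Looks in the Vista+ Users tree and the XP Documents and Settings tree.
rip_all() {
    mount=$1; out=$2; rip=${3:-/opt/regripper/rip.pl}
    mkdir -p "$out"
    n=0
    for hive in "$mount"/Windows/System32/config/SAM \
                "$mount"/Windows/System32/config/SECURITY \
                "$mount"/Windows/System32/config/SOFTWARE \
                "$mount"/Windows/System32/config/SYSTEM \
                "$mount"/Users/*/NTUSER.DAT \
                "$mount/Documents and Settings"/*/NTUSER.DAT; do
        [ -f "$hive" ] || continue            # unmatched glob or missing hive
        profile=$(profile_for "$hive") || continue
        name=$(report_name "$hive" "$profile")
        # A hive that fails to parse should not stop the rest of the run.
        if ! "$rip" -r "$hive" -f "$profile" > "$out/$name.txt"; then
            echo "rip.pl failed on $hive" >&2
            continue
        fi
        n=$((n + 1))
    done
    echo "$n"
}

# Usage, with the volume mounted as in the post:
#   rip_all /media/sda2 /cases/host1/regripper
```

Mount the evidence volume read-only (for example `mount -o ro,loop image.dd /media/sda2`) before running this, so that nothing on the volume is touched while the hives are read.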


And that's it - happy RegRipping!

Update:  Modified download path above to take into account change of location on RegRipper site.

4 comments:

  1. I am using Fedora 11, and it works perfectly!!!

    Thanks for your post, saved me a lot of effort!

  2. Thanks for the tutorial! Got it working on Debian. Much preferred to run directly with Perl than WINE.

  3. Thank you very much Stephen. This works perfectly well in Ubuntu 12.04 and RR version 2.8. Running RR in Linux has saved me lot of time for investigations.
