Harlan Carvey has released version 2.0A of his tool RegRipper. RegRipper makes it very convenient to analyse a range of registry keys. Its particular focus is on the MRU and UserAssist keys, which are especially important when analysing traces of user activity. Besides the GUI version rrb.exe there is now also a CLI version, rip.exe, which is somewhat handier and can be embedded in your own scripts.
The output of the CLI version rip.exe goes to the console, but it can be redirected to a file. RegRipper can be extended with various plugins. The -l option lists the plugins that ship with it.
[~alex]rip.exe -l
1. acmru v.20080324 [NTUSER.DAT]
- Gets contents of user's ACMru key
2. adoberdr v.20080324 [NTUSER.DAT]
- Gets user's Adobe Reader cRecentFiles values
3. aim v.20080325 [NTUSER.DAT]
- Gets info from the AOL Instant Messenger (not AIM) install
4. appinitdlls v.20080324 [Software]
- Gets contents of AppInit_DLLs value
5. applets v.20080324 [NTUSER.DAT]
- Gets contents of user's Applets key
6. apppaths v.20080404 [Hive file]
- Gets content of App Paths key
7. auditpol v.20080327 [Security]
- Get audit policy from the Security hive file
8. bho v.20080325 [Software]
- Gets Browser Helper Objects from Software hive
9. cmd_shell v.20080328 [Software]
- Gets shell open cmds for various file types
10. comdlg32 v.20080324 [NTUSER.DAT]
- Gets contents of user's ComDlg32 key
11. compdesc v.20080324 [NTUSER.DAT]
- Gets contents of user's ComputerDescriptions key
12. compname v.20080324 [System]
- Gets ComputerName value from System hive
13. devclass v.20080331 [System]
- Get USB device info from the DeviceClasses keys in the System hive
14. fw_config v.20080328 [System]
- Gets the Windows Firewall config from the System hive
15. imagefile v.20080325 [Software]
- Gets Image File Execution Options subkeys w/ Debugger value
16. listsoft v.20080324 [NTUSER.DAT]
- Lists contents of user's Software key
17. logonusername v.20080324 [NTUSER.DAT]
- Get user's Logon User Name value
18. logon_xp_run v.20080328 [NTUSER.DAT]
- Autostart - Get XP user logon Run key contents from NTUSER.DAT hive
19. mmc v.20080324 [NTUSER.DAT]
- Get contents of user's MMC\Recent File List key
20. mndmru v.20080324 [NTUSER.DAT]
- Get contents of user's Map Network Drive MRU
21. mountdev v.20080324 [System]
- Return contents of System hive MountedDevices key
22. mp2 v.20080324 [NTUSER.DAT]
- Gets user's MountPoints2 key contents
23. mpmru v.20080324 [NTUSER.DAT]
- Gets user's Media Player RecentFileList values
24. mspaper v.20080324 [NTUSER.DAT]
- Gets images listed in user's MSPaper key
25. muicache v.20080324 [NTUSER.DAT]
- Gets EXEs from user's MUICache key
26. network v.20080324 [System]
- Gets info from System\Control\Network GUIDs
27. networkcards v.20080325 [Software]
- Get NetworkCards
28. nic_mst2 v.20080324 [System]
- Gets NICs from System hive; looks for MediaType = 2
29. officedocs v.20080324 [NTUSER.DAT]
- Gets contents of user's Office doc MRU keys
30. realplayer6 v.20080324 [NTUSER.DAT]
- Gets user's RealPlayer v6 MostRecentClips(Default) values
31. recentdocs v.20080324 [NTUSER.DAT]
- Gets contents of user's RecentDocs key
32. recentdocs2 v.20080324 [NTUSER.DAT]
- Gets contents of user's RecentDocs key
33. regtime v.20080324 [All]
- Dumps entire hive, all keys sorted by LastWrite time
34. runmru v.20080324 [NTUSER.DAT]
- Gets contents of user's RunMRU key
35. services v.20080324 [System]
- Lists Services keys LastWrite times from System hive
36. shutdown v.20080324 [System]
- Gets ShutdownTime value from System hive
37. soft_run v.20080328 [Software]
- Autostart - get Run key contents from Software hive
38. ssid v.20080327 [Software]
- Get WZCSVC SSID Info
39. termserv v.20080324 [System]
- Gets fDenyTSConnections value from System hive
40. timezone v.20080324 [System]
- Get TimeZoneInformation key contents
41. tsclient v.20080324 [NTUSER.DAT]
- Displays contents of user's Terminal Server Client\Default key
42. typedurls v.20080324 [NTUSER.DAT]
- Returns contents of user's TypedURLs key.
43. uninstall v.20080331 [Software]
- Gets contents of Uninstall key from Software hive
44. usbstor v.20080331 [System]
- Get USBStor key info
45. userassist v.20080324 [NTUSER.DAT]
- Displays contents of UserAssist Active Desktop key
46. userinit v.20080328 [Software]
- Gets UserInit value
47. user_run v.20080328 [NTUSER.DAT]
- Autostart - get Run key contents from NTUSER.DAT hive
48. vncviewer v.20080325 [NTUSER.DAT]
- Get VNCViewer system list
49. winzip v.20080325 [NTUSER.DAT]
- Get WinZip extract and filemenu values
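Because the -l listing follows a fixed two-line pattern, a script can parse it and work out which plugins apply to which hive. The following parser is an added example, not part of the original post or of RegRipper itself; the sample listing is a constructed subset of the output above, the output paths are hypothetical, and the rip.exe options -r (hive file) and -p (plugin) are assumed from later RegRipper usage rather than shown on this page.

```python
"""Parse the two-line-per-plugin listing printed by `rip.exe -l` and group
plugins by the hive they apply to, so each hive taken from an image is run
against exactly the plugins that understand it."""
import re

# Constructed sample: a few entries in the exact shape of the `rip.exe -l` output.
SAMPLE_LISTING = """\
1. acmru v.20080324 [NTUSER.DAT]
- Gets contents of user's ACMru key
7. auditpol v.20080327 [Security]
- Get audit policy from the Security hive file
33. regtime v.20080324 [All]
- Dumps entire hive, all keys sorted by LastWrite time
44. usbstor v.20080331 [System]
- Get USBStor key info
45. userassist v.20080324 [NTUSER.DAT]
- Displays contents of UserAssist Active Desktop key
"""

# "<n>. <name> v.<yyyymmdd> [<hive>]" header line of each plugin entry
HEADER = re.compile(r"^\d+\.\s+(\S+)\s+v\.(\d{8})\s+\[([^\]]+)\]$")


def parse_listing(text):
    """Return a list of (name, version, hive, description) tuples."""
    plugins, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            current = [m.group(1), m.group(2), m.group(3), ""]
            plugins.append(current)
        elif current is not None and line.lstrip().startswith("- "):
            # description line belongs to the most recent header
            current[3] = line.strip()[2:]
    return [tuple(p) for p in plugins]


def plugins_for_hive(plugins, hive):
    """Plugins tagged for `hive`, plus those tagged [All], sorted by name."""
    return sorted(p[0] for p in plugins if p[2] in (hive, "All"))


def build_commands(plugins, hive, hive_path, out_dir):
    """One rip.exe command line per applicable plugin, with the console
    output redirected to a separate file (paths are hypothetical)."""
    return [f"rip.exe -r {hive_path} -p {name} > {out_dir}\\{name}.txt"
            for name in plugins_for_hive(plugins, hive)]
```

Feeding the complete -l output into parse_listing instead of the sample gives the full per-hive plugin sets for the 49 plugins listed above.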
Update 20.04.2008: Harlan has released version 2.01A.