Updated September 29, 2020:
This is an update to the RegRipper install instructions I posted a while back and covers version RR3.0. RegRipper is a registry parsing tool written by Harlan Carvey and is used in offline forensic analysis of Windows systems. The following is an explanation of how to get the current version to work on Linux, and a script that automatically installs RegRipper and the required Perl Parse::Win32Registry module on Ubuntu and other Debian-based systems that use the apt package manager.
The install script is located here:
https://raw.githubusercontent.com/dfir-scripts/installers/main/RegRipper30-apt-git-Install.sh
If you just want to modify rip.pl and set up the plugins directory path (the script sets the path to /usr/share/plugins):
https://raw.githubusercontent.com/dfir-scripts/installers/main/rip.pl2linux.sh
RegRipper requirements for running on Linux:
- RegRipper repository from GitHub
- Parse-Win32Registry
- Set the plugin path in rip.pl so that it points to the plugins directory on disk
- Set the Perl path in rip.pl
Installing Parse-Win32Registry:
If you need to install RegRipper on another Linux platform, here is some info on installing Parse-Win32Registry.
Installing Parse-Win32Registry from source:
https://github.com/gitpan/Parse-Win32Registry
http://metacpan.org/release/Parse-Win32Registry
# requires make
wget http://search.cpan.org/CPAN/authors/id/J/JM/JMACFARLA/Parse-Win32Registry-1.0.tar.gz
# -f must be the last option so that the archive name follows it
tar -xvzf Parse-Win32Registry-1.0.tar.gz
cd Parse-Win32Registry-1.0
perl Makefile.PL
make
make test
make install
Or use cpanminus to install Parse-Win32Registry:
Debian/Ubuntu
sudo apt-get install cpanminus
CentOS 7/RedHat
Install the perl-App-cpanminus rpm package.
Then install Parse-Win32Registry:
sudo cpanm --force Parse::Win32Registry
Installing RegRipper on macOS
I have not tried this, but the article below uses a similar approach to the one above.
https://medium.com/@TonyCrespo.Me/regripper-configuration-on-macos-8a5a8b5f6697
#########################################
Update From June 19, 2020:
The new version of RegRipper (Rip v.2.8_20190318) has lots of new plugins and capabilities. Here are some steps you can follow to run RegRipper on Ubuntu. You can also follow these steps to update SANS SIFT to run all the latest RegRipper plugins.
Step 1: Install Parse::Win32Registry
# sudo apt-get update
# sudo apt-get install -y libparse-win32registry-perl
Step 2: Download and copy RegRipper files to destination folders
Clone RegRipper into /usr/local/src, then create the symbolic link /usr/share/regripper (the patched rip.pl looks for its plugins in /usr/share/regripper/plugins) and make the files executable.
# cd /usr/local/src/
# git clone https://github.com/keydet89/RegRipper2.8.git
# mv RegRipper2.8 regripper
# ln -s /usr/local/src/regripper /usr/share/regripper
# chmod 755 regripper/*
Step 3: Update Perl modules and copy files to new locations
Copy the updated modules shipped with the latest RegRipper over the installed Parse::Win32Registry files, and copy shellitems.pl and time.pl to /usr/local/bin.
# cd /usr/local/src/regripper
# cp File.pm /usr/share/perl5/Parse/Win32Registry/WinNT/File.pm
# cp Key.pm /usr/share/perl5/Parse/Win32Registry/WinNT/Key.pm
# cp Base.pm /usr/share/perl5/Parse/Win32Registry/Base.pm
# cp time.pl /usr/local/bin/time.pl
# cp shellitems.pl /usr/local/bin/shellitems.pl
Step 4: Update rip.pl and copy to new location
Download and run the rip.pl2linux update script, then copy the resulting rip.pl.linux into the executable path as rip.pl.
# wget https://raw.githubusercontent.com/dfir-scripts/installers/main/rip.pl2linux.sh
# chmod 755 rip.pl2linux.sh
# ./rip.pl2linux.sh
# cp rip.pl.linux /usr/local/bin/rip.pl
#!/bin/bash
# usage: ./rip.pl2linux.sh   (run it in the directory that holds the original rip.pl)
# Get a copy of rip.pl from the RegRipper distribution first.
echo "rip.pl2linux.sh"
[ -e rip.pl ] && echo "rip.pl in current path:" && md5sum rip.pl || echo "rip.pl not in current path:"
[ -e rip.pl ] && cp rip.pl rip.pl.linux || exit 1
# Replace the Windows hash-bang with the local perl and add the perl lib path
sed -i '/^#! c:[\]perl[\]bin[\]perl.exe/d' rip.pl.linux
sed -i "1i #!$(which perl)" rip.pl.linux
sed -i '2i use lib qw(/usr/lib/perl5/);' rip.pl.linux
# Uncomment the Linux plugin-path lines and point them at /usr/share/regripper/plugins
sed -i 's/#push/push/' rip.pl.linux
sed -i 's/#my \$plugindir/my \$plugindir/g' rip.pl.linux
sed -i 's|"plugins/";|"/usr/share/regripper/plugins/";|' rip.pl.linux
sed -i 's|("plugins");|("/usr/share/regripper/plugins");|' rip.pl.linux
[ -e rip.pl.linux ] && echo "rip.pl.linux file created!" && md5sum rip.pl.linux
echo -e "Replace the original rip.pl with the new file rip.pl.linux.
Back up and make sure the following files are updated:
/usr/local/bin/shellitems.pl #RegRipper ver 2.8
/usr/local/bin/time.pl #RegRipper ver 2.8
/usr/share/perl5/Parse/Win32Registry/WinNT/File.pm
/usr/share/perl5/Parse/Win32Registry/WinNT/Key.pm
/usr/share/perl5/Parse/Win32Registry/Base.pm"
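The rip.pl conversion performed by the script above, as an added example that is not RegRipper's or dfir-scripts' code: a parameterized, idempotent version of the same edits plus a check that the result has a single working shebang and points at a plugin directory that actually holds plugins. The function names are mine and the sample rip.pl lines are constructed from the lines the sed commands target.

```shell
#!/bin/sh
# Added example: parameterized rip.pl conversion and a post-conversion check.

# patch_rip_pl SRC DEST PLUGINDIR [PERL]: write a Linux copy of SRC to DEST.
# Replaces the Windows shebang, uncomments the plugin-path lines and points
# them at PLUGINDIR. Running it again on DEST produces an identical file.
patch_rip_pl() {
  src=$1; dest=$2; plugindir=$3; perl=${4:-$(command -v perl)}
  # Escape the characters that are special in a sed replacement (/ \ &).
  esc=$(printf '%s' "$plugindir" | sed 's/[\/&]/\\&/g')
  {
    printf '#!%s\n' "$perl"
    printf 'use lib qw(/usr/lib/perl5/);\n'
    # Drop the Windows shebang, any earlier Linux shebang and any earlier
    # "use lib" line so repeated runs do not stack duplicates.
    sed -e '/^#![[:space:]]*[A-Za-z]:/d' \
        -e '/^#!\//d' \
        -e '/^use lib qw(\/usr\/lib\/perl5\/);$/d' \
        -e 's/^#push/push/' \
        -e 's/^#my [$]plugindir/my $plugindir/' \
        -e "s/\"plugins\/\";/\"$esc\/\";/" \
        -e "s/(\"plugins\");/(\"$esc\");/" "$src"
  } > "$dest"
}

# check_rip_pl FILE PLUGINDIR: succeed only if FILE has exactly one shebang
# naming an executable, declares PLUGINDIR as its plugin path, and PLUGINDIR
# contains at least one .pl plugin. Catches a half-converted rip.pl early.
check_rip_pl() {
  file=$1; plugindir=$2
  [ "$(grep -c '^#!' "$file")" -eq 1 ] || return 1
  interp=$(sed -n '1s/^#!//p' "$file")
  [ -x "$interp" ] || return 1
  grep -Fq "my \$plugindir = \"$plugindir/\";" "$file" || return 1
  set -- "$plugindir"/*.pl
  [ -f "$1" ]
}

# make_sample_rip_pl FILE: constructed miniature of the rip.pl lines the
# conversion touches (for trying the functions out; not the real rip.pl).
make_sample_rip_pl() {
  cat > "$1" <<'EOF'
#! c:\perl\bin\perl.exe
use strict;
#push(@INC,$str);
#my $plugindir = "plugins/";
#my $plugindir = File::Spec->catfile("plugins");
EOF
}
```

Typical use: `patch_rip_pl rip.pl rip.pl.linux /usr/share/regripper/plugins && check_rip_pl rip.pl.linux /usr/share/regripper/plugins` before copying the result to /usr/local/bin/rip.pl.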