Updating to the latest RegRipper on SANS Sift

Running RegRipper on Windows is great and all, but what if you want to use Linux instead? Well, the latest SANS Sift (2018.038.0) comes with RegRipper installed, but it is currently the old 2008419 version. The new version is a must if you want to use all the latest plugins to generate TLN output and probe for additional artifacts.

Here is a way to update and get the new RegRipper on SANS Sift:

Get Newest Regripper:
cd ~/
git clone

Wget Sift specific rip.pl patch script:
wget https://raw.githubusercontent.com/siftgrab/siftgrab/master/rip.pl2linux.sh

Patch the latest version of rip.pl so it will work in Sift:
wget https://raw.githubusercontent.com/siftgrab/siftgrab/master/rip.pl2linux.sh
chmod +x rip.pl2linux.sh
(creates an updated rip.pl called rip.new)

Copy updated RegRipper files to Sift:
chmod +x rip.new
sudo cp rip.new /usr/local/bin/rip.pl
sudo cp rip.new /usr/share/regripper/rip.pl
chmod +x RegRipper2.8/shellitems.pl
sudo cp RegRipper2.8/shellitems.pl /usr/local/bin/shellitems.pl
chmod +x RegRipper2.8/plugins/*
sudo cp RegRipper2.8/plugins/* /usr/local/src/regripper/plugins


Regripper displays new version with newest plugins and-uP option

Let’s test and see if it works!

Download the Siftgrab ntuser2tln script to automate and test:
wget https://raw.githubusercontent.com/siftgrab/siftgrab/master/ntuser2tln.sh
chmod +x ntsuer2tln.sh
mkdir output
cd output
sudo ../ntuser2tln.sh /cases -e -c

Run ntuser2tln.sh -e (epoch time) -c (multiple computers) on all ntuser.dat files in the Sift /cases folder
Timelines of sample data from NTUSERS.DAT registries created!
Triage-Timline.TLN.txt contains a consolidated timeline of all output.

We did not see any new plugin output, but I suspect that is only because of the age and small size of the data set. Download and try it yourself!


DFIR Notes