Updating to the latest RegRipper on SANS Sift
Running RegRipper on Windows is great and all, but what if you want to use Linux instead? Well, the latest SANS Sift (2018.038.0) comes with RegRipper installed, but it is currently the old 2008419 version. The new version is a must if you want to use all the latest plugins to generate TLN output and probe for additional artifacts.
Here is a way to update and get the new RegRipper on SANS Sift:
Get Newest Regripper:
git clone https://github.com/keydet89/RegRipper2.8.git
Wget Sift specific rip.pl patch script:
Patch the latest version of rip.pl so it will work in Sift:
chmod +x rip.pl2linux.sh
“siftgrab/rip.pl2linux.sh” (creates an updated rip.pl called rip.new)
Copy updated RegRipper files to Sift:
chmod +x rip.new
sudo cp rip.new /usr/local/bin/rip.pl
sudo cp rip.new /usr/share/regripper/rip.pl
chmod +x RegRipper2.8/shellitems.pl
sudo cp RegRipper2.8/shellitems.pl /usr/local/bin/shellitems.pl
chmod +x RegRipper2.8/plugins/*
sudo cp RegRipper2.8/plugins/* /usr/local/src/regripper/plugins
Let’s test and see if it works!
Download the Siftgrab ntuser2tln script to automate and test:
chmod +x ntsuer2tln.sh
sudo ../ntuser2tln.sh /cases -e -c
We did not see any new plugin output, but I suspect that is only because of the age and small size of the data set. Download and try it yourself!