A Windows Registry forensics tool for extracting and analyzing data from registry hives using Perl-based plugins.
RegRipper3.0 is a forensic analysis tool for extracting and analyzing data from Windows Registry hives. It uses Perl-based plugins to automate the parsing of registry files, helping investigators uncover artifacts related to user activity, system changes, and malware persistence. The tool supports both GUI and command-line interfaces for flexible usage in digital forensics workflows.
Digital forensics analysts, incident responders, and security researchers who need to analyze Windows Registry hives during investigations or threat hunting.
Developers choose RegRipper3.0 for its extensive plugin ecosystem, automation capabilities, and focus on registry-specific forensics, providing a specialized alternative to general-purpose forensic tools.
RegRipper3.0
The GUI (rr.exe) and CLI (rip.exe) can automatically run all applicable plugins against a selected hive without manual profile selection, streamlining forensic workflows as highlighted in the README.
Allows running individual plugins or predefined profiles with output to user-specified directories, providing customization control for different analysis needs.
Output dates follow ISO 8601 (RFC 3339 profile), ensuring consistency and interoperability in forensic timelines, as addressed in the README's 'WHAT'S NEW' section.
Includes modified Parse::Win32Registry Perl modules for improved registry parsing, though this requires careful setup on Linux as noted in the README.
The tool does not automatically process hive transaction logs, requiring external tools like yarp or rla.exe for comprehensive analysis, as explicitly stated in the README's NOTE section.
On Linux, users must manually copy modified Perl modules to the correct locations, which can be error-prone and complicate installation, adding setup overhead.
While a GUI is provided, it may lack advanced features and modern usability compared to other forensic tools, potentially hindering efficiency for users accustomed to more interactive interfaces.
Loki - Simple IOC and YARA Scanner
Adversary tradecraft detection, protection, and hunting
PowerForensics provides an all-in-one platform for live disk forensic analysis
FastIR Collector is a Windows live forensics tool that gathers system artifacts and records them in CSV or JSON files for analysis. It enables security professionals to detect early signs of compromise by examining various system components and user activities.

## Key Features

- **Artifact Collection** — Extracts forensic data from filesystem, registry, memory, network, and system health components
- **Modular Packages** — Organized collection modules (fs, health, registry, memory, dump, FileCatcher) for targeted investigations
- **Custom Profiles** — Allows creation of custom extraction profiles to focus on specific artifacts
- **Multiple Output Formats** — Supports CSV and JSON outputs for compatibility with analysis tools
- **FileCatcher Module** — Includes Yara rules and mime-type filtering for targeted file collection
- **System Dumps** — Capability to capture MFT, RAM, disk, registry, and SAM dumps for deep analysis

## Philosophy

FastIR Collector was designed to provide a comprehensive, modular approach to Windows live forensics, enabling security teams to quickly gather evidence and identify compromise indicators before attackers can cover their tracks.