RegRipper

RegRipper is a useful utility for parsing Windows Registry hives, written in Perl by Harlan Carvey. It ships with profiles for the SAM, SYSTEM, SOFTWARE, SECURITY, NTUSER.DAT, and USRCLASS.DAT hives and writes its results to stdout, so the output can be redirected to a file with ordinary shell I/O redirection. Since it is not a graphical application, writing a Dockerfile for it is easier than for a graphical tool such as Autopsy. However, because RegRipper is primarily developed on Windows, some paths, such as the one to the Perl interpreter and the plugins directory, are hard-coded in the rip.pl script and have to be rewritten with a tool such as sed so that the interpreter and the plugins can be found on Linux.

FROM ubuntu:cosmic
LABEL maintainer "djds djds@ccs.neu.edu"

ENV DEBIAN_FRONTEND="noninteractive"

WORKDIR /opt

# libparse-win32registry-perl provides the Parse::Win32Registry module rip.pl depends on
RUN apt-get update && apt-get dist-upgrade -y \
    && apt-get install -y git libparse-win32registry-perl

# Clone RegRipper, expose its plugins to Perl, and replace the distribution's
# Parse::Win32Registry WinNT/Key.pm with the copy shipped in the RegRipper repo
# (the original is kept as Key_old.pm)
RUN git clone "https://github.com/keydet89/RegRipper2.8.git" \
    && cd RegRipper2.8 \
    && ln -s /opt/RegRipper2.8/plugins /etc/perl/plugins \
    && cp /usr/share/perl5/Parse/Win32Registry/WinNT/Key.pm \
        /usr/share/perl5/Parse/Win32Registry/WinNT/Key_old.pm \
    && cp Key.pm /usr/share/perl5/Parse/Win32Registry/WinNT/Key.pm

WORKDIR /opt/RegRipper2.8

# Change #! and plugin locations for Linux
RUN sed -i 's/#! c:\\perl\\bin\\perl.exe/#!\/usr\/bin\/perl/g' rip.pl \
    && sed -i 's/^#push(@INC,$str);/push(@INC,$str);/g' rip.pl \
    && sed -i '/($^O eq "MSWin32") ? ($plugindir = $str."plugins\/")/d' rip.pl \
    && sed -i '/: ($plugindir = File::Spec->catfile("plugins"));/d' rip.pl \
    && sed -i 's/^#my $plugindir = $str."plugins\/";/my $plugindir = $str."\/opt\/RegRipper2.8\/plugins\/";/g' rip.pl \
    && sed -i 's/^#my $plugindir = File::Spec->catfile("plugins");/my $plugindir = File::Spec->catfile("\/opt\/RegRipper2.8\/plugins");/g' rip.pl \
    && sed -i 's/^#print "Plugins Dir = ".$plugindir."\\n";/print "Plugins Dir = ".$plugindir."\\n";/g' rip.pl \
    && chmod +x rip.pl

ARG GID
ARG ID

RUN groupadd -g "${GID}" regripper \
    && useradd -m -u "${ID}" -g "${GID}" regripper \
    && mkdir -p /home/regripper/data \
    && chown -R regripper:regripper /home/regripper \
    && rm -rf /var/lib/apt/lists/*

WORKDIR /home/regripper/data

# Run as non privileged user
USER regripper

ENTRYPOINT ["/opt/RegRipper2.8/rip.pl"]

Again, since RegRipper works on local files (Registry hives) that have been exported by another tool, such as Autopsy, it does not need any special or root privileges to run, so it is best to build the container so that the rip.pl script runs as a non-privileged user, in this case regripper. This is done by passing the same user and group IDs as build arguments from the build script.

#!/bin/bash

set -euo pipefail

REGISTRY="${REGISTRY:-registry.gitlab.com/bghost/docker-forensics/}"

user='djds'
repo='regripper'
tag=${1:-latest}

# set environment vars
GID="${GID:-$(id -g)}"
ID="${ID:-$(id -u)}"

# build the container:
docker build \
    --build-arg GID="${GID}" \
    --build-arg ID="${ID}" \
    -t "${REGISTRY}${user}/${repo}:${tag}" .

if [[ "${PUSH:-}" == "true" ]]; then
    docker push "${REGISTRY}${user}/${repo}:${tag}"
fi

# clean up our host environment
unset {GID,ID}

Then the container can be invoked either with the following run script or by wrapping the same docker run command in a shell function.

#!/bin/bash

REGISTRY="${REGISTRY:-registry.gitlab.com/bghost/docker-forensics/}"
tag="latest"

# -c/-m limit CPU shares and memory. The X11 socket, DISPLAY and /dev/shm lines are
# carried over from the template used for graphical tools and are not needed by a
# command-line tool such as rip.pl. Note that -t allocates a pseudo-terminal, which
# turns line endings into CRLF; drop it when redirecting the report to a file.
docker run --rm -it \
    -c 4 \
    -m 4096M \
    -v /etc/localtime:/etc/localtime:ro \
    -v /tmp/.X11-unix:/tmp/.X11-unix \
    -e "DISPLAY=unix${DISPLAY}" \
    -v "$(pwd):/home/regripper/data" \
    -v /dev/shm:/dev/shm \
    --name regripper \
    "${REGISTRY}djds/regripper:${tag}" "${@}"

It accepts Registry hive files and command-line parameters passed to the script or function as if RegRipper were an application installed on the host.
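The shell-function variant mentioned above, written here as an added example rather than the page's own script. It keeps the image path from the page but drops the X11 and /dev/shm mounts, mounts the evidence directory read-only, and removes network access and capabilities that rip.pl does not need; REGRIPPER_TAG and REGRIPPER_DATA are variable names introduced for this example.

```shell
#!/bin/sh
# Added example, not from the original page: a POSIX shell wrapper around the
# RegRipper container with a tighter sandbox than the generic run script.

regripper_image() {
    # REGISTRY keeps the page's default; REGRIPPER_TAG is an assumed knob (default: latest)
    printf '%s' "${REGISTRY:-registry.gitlab.com/bghost/docker-forensics/}djds/regripper:${REGRIPPER_TAG:-latest}"
}

regripper_mount() {
    # Bind-mount the evidence directory read-only: rip.pl only reads hives and
    # writes to stdout, so the container never needs write access to the exports.
    # Relative directories are resolved against $PWD because docker needs an absolute path.
    case "$1" in
        /*) printf '%s:/home/regripper/data:ro' "$1" ;;
        *)  printf '%s/%s:/home/regripper/data:ro' "$PWD" "$1" ;;
    esac
}

regripper() {
    # Usage: regripper -r <hive> -f <profile> | -p <plugin> ...
    # Hive paths are relative to REGRIPPER_DATA (assumed variable, default: current directory).
    # -i without -t keeps stdin open but avoids CRLF line endings in redirected reports.
    docker run --rm -i \
        --network none \
        --cap-drop ALL \
        --security-opt no-new-privileges \
        --read-only --tmpfs /tmp \
        -v /etc/localtime:/etc/localtime:ro \
        -v "$(regripper_mount "${REGRIPPER_DATA:-$PWD}")" \
        "$(regripper_image)" "$@"
}
```

Source the file in .bashrc or a case-specific environment script, then call `regripper -r 110718-SAM -f sam` from the directory holding the exported hives.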

$ regripper
Plugins Dir = /opt/RegRipper2.8/plugins
Rip v.2.8_20190318 - CLI RegRipper tool
Rip [-r Reg hive file] [-f plugin file] [-p plugin module] [-l] [-h]
Parse Windows Registry files, using either a single module, or a plugins file.

  -r Reg hive file...Registry hive file to parse
  -g ................Guess the hive file (experimental)
  -f [profile].......use the plugin file (default: plugins\plugins)
  -p plugin module...use only this module
  -l ................list all plugins
  -c ................Output list in CSV format (use with -l)
  -s system name.....Server name (TLN support)
  -u username........User name (TLN support)
  -uP ...............Update profiles
  -h.................Help (print this information)

Ex: C:\>rip -r c:\case\system -f system
    C:\>rip -r c:\case\ntuser.dat -p userassist
    C:\>rip -l -c

All output goes to STDOUT; use redirection (ie, > or >>) to output to a file.

copyright 2019 Quantum Analytics Research, LLC

For example, to parse a SAM hive exported from Autopsy under the name 110718-SAM and show only the first 20 lines of the report, the following syntax can be used. Here the output is piped to head on the host system, but any chain of commands could be used. This is what makes running forensic tools on a Unix-like system so useful: a custom workflow can be built by chaining simple commands, which is especially valuable when processing text streams.

$ regripper -r 110718-SAM -f sam | head -n 20
Plugins Dir = /opt/RegRipper2.8/plugins
Parsed Plugins file.
Launching samparse v.20160203
samparse v.20160203
(SAM) Parse SAM file for user & group mbrshp info


User Information
-------------------------
Username        : Administrator [500]
SID             : S-1-5-21-2734969515-1644526556-1039763013-500
Full Name       : 
User Comment    : Built-in account for administering the computer/domain
Account Type    : 
Account Created : Tue Mar 27 12:13:26 2018 Z
Name            :  
Last Login Date : Never
Pwd Reset Date  : Never
Pwd Fail Date   : Never
Login Count     : 0

Alternatively, the entire output of the above command can be redirected to a file with the following syntax.

$ regripper -r 110718-SAM -f sam >Sam-report.txt

A built version of this image can be pulled from the GitLab container registry:

$ docker pull registry.gitlab.com/bghost/docker-forensics/djds/regripper:latest