RegRipper configuration on MacOS

ElevatedDesigns.AI
3 min read · Nov 22, 2019

First things first: A brief introduction…

Written in Perl by Harlan Carvey, RegRipper is an open source tool for analyzing Windows registry hives. Its main capability is extracting and parsing registry key data (keys, values, data) into a human-readable format.

The issue:

For forensic investigations involving a Windows system, RegRipper is a great tool for analyzing registry hives. On Windows there is a GUI executable (rip.exe) as well as a CLI version; no GUI is available for macOS, leaving the Perl script (rip.pl) as the only alternative. As a result, some Mac investigators and users opt to run it in a Windows VM (virtual machine), or use alternatives that may not deliver the same results.

Alternatives (rip.pl):

One way to use this code on macOS is to download the zipped repository from GitHub (link) and unzip its contents to a directory on your Mac. To use it, change to the downloaded directory and follow syntax similar to the commands below.

cd tools/regripper2.8-master

perl rip.pl -r <registry_hive_path> -f <registry_profile>

Optionally, write the output to a text file by appending a redirection:

perl rip.pl -r <registry_hive_path> -f <registry_profile> > <output_file>

Solution (one of many):

The ultimate goal was to use this tool as if it were native to macOS, without having to change directories, etc.

You will be using Terminal.app and a text editor of your choice.

1. In Terminal, run:

open /Users/<your_profile>/.cpan/CPAN/MyConfig.pm

This opens the CPAN config file in a text editor. This step was required for me because the installation of "Parse::Win32Registry" (step 3) would get stuck, timing out while trying to reach the default set of URLs configured for CPAN.

2. Scroll down to line 58 and modify it to match the following:

'urllist' => [q[http://www.perl.org/CPAN/]],

Save and close the file.

3. In Terminal, run:

cpan

Then, at the cpan prompt, run "install Parse::Win32Registry" (without quotes).

Wait for completion of installation.

4. Download the RegRipper files from GitHub and unzip them to a known location (Downloads is easiest).

5. Open terminal and create a plugins directory.

mkdir /usr/local/bin/plugins

6. Go to the downloaded directory and find the file "rip.pl". Open it with your preferred text editor and modify the following lines.

Line 1, from:

#! c:\perl\bin\perl.exe

to:

#!/usr/bin/perl -w

Line 119, from:

require "plugins/".$plugins{$i}."\.pl";

to:

require "/usr/local/bin/plugins/".$plugins{$i}."\.pl";

Save and close the file

7. Open Terminal, change to the directory where rip.pl is located, and run the following commands to move rip.pl to /usr/local/bin/ and make it executable:

mv rip.pl /usr/local/bin/

chmod +x /usr/local/bin/rip.pl

8. Now move the plugin files you downloaded into the plugins directory created in step 5. The trailing /* moves the directory's contents, rather than nesting the downloaded directory itself inside /usr/local/bin/plugins, where rip.pl would not find it.

mv -v <directory path of downloaded plugins>/* /usr/local/bin/plugins/

9. You can now run rip.pl from Terminal without changing to the downloaded RegRipper directory or calling perl manually.

rip.pl -r <path to registry hive> -f <registry profile> > <output file>

10. OPTIONAL: You can create an alias so that you don't have to type the extra .pl in rip.pl, by running the following command. To keep the alias across Terminal sessions, add the same line to your shell profile (for example ~/.zshrc or ~/.bash_profile).

alias rip="rip.pl"
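To make steps 5 through 8 repeatable (for instance on a second analysis Mac), here is the same procedure as a POSIX shell script. This is an added example written for this page, not part of RegRipper or the original post. It assumes the unzipped RegRipper directory contains rip.pl and a plugins/ subdirectory, performs the two edits from step 6 with sed instead of a text editor, copies the plugins rather than moving them so the download stays intact, and takes an optional install prefix (defaulting to /usr/local/bin) so it can be tried in a scratch directory first. It also includes a preflight check that Parse::Win32Registry loads (the result of steps 1 to 3) and a post-install check of the shebang, the plugin path and the executable bit.

```shell
#!/bin/sh
# install_regripper.sh: steps 5 to 8 of the post as one script
# (added example, not part of RegRipper). Assumed layout: the unzipped
# RegRipper directory holds rip.pl and a plugins/ subdirectory.
# Usage: sh install_regripper.sh <unzipped RegRipper dir> [<install prefix>]
# The install prefix defaults to /usr/local/bin, as in the post.
set -eu

# Preflight for steps 1 to 3: does Parse::Win32Registry load?
# Returns 0 if the module is importable, non-zero otherwise.
have_win32registry() {
    perl -MParse::Win32Registry -e 1 2>/dev/null
}

# Step 6 done with sed instead of a text editor: line 1 becomes the
# macOS perl shebang and the plugin require path becomes absolute.
# $1 = original rip.pl, $2 = patched copy to write, $3 = plugin directory
# (assumed to contain no '|' characters, the sed delimiter used here).
patch_rip_pl() {
    sed -e '1s|^#!.*|#!/usr/bin/perl -w|' \
        -e "s|require \"plugins/\"|require \"$3/\"|" "$1" > "$2"
}

# Steps 5, 7 and 8: create the plugins dir, install the patched rip.pl,
# mark it executable and copy the plugin directory contents. Profiles
# such as "ntuser" have no .pl extension, so everything is copied.
install_regripper() {
    srcdir=$1
    prefix=${2:-/usr/local/bin}
    plugdir="$prefix/plugins"
    mkdir -p "$plugdir"
    patch_rip_pl "$srcdir/rip.pl" "$prefix/rip.pl" "$plugdir"
    chmod +x "$prefix/rip.pl"
    cp -R "$srcdir/plugins/." "$plugdir/"
}

# Post-install check: script executable, shebang patched, require path
# absolute, at least one file in plugins/. Returns 0 on success.
verify_install() {
    prefix=$1
    rip="$prefix/rip.pl"
    [ -x "$rip" ] || return 1
    [ "$(head -n 1 "$rip")" = '#!/usr/bin/perl -w' ] || return 1
    grep -q "require \"$prefix/plugins/\"" "$rip" || return 1
    [ -n "$(ls -A "$prefix/plugins")" ] || return 1
}

# Only act when given a source directory, so the functions can also be
# sourced or exercised on their own.
if [ "$#" -ge 1 ]; then
    have_win32registry || echo "warning: Parse::Win32Registry not found; run cpan and 'install Parse::Win32Registry' (steps 1 to 3)" >&2
    install_regripper "$@"
    if verify_install "${2:-/usr/local/bin}"; then
        echo "rip.pl installed in ${2:-/usr/local/bin}"
    else
        echo "install check failed" >&2
        exit 1
    fi
fi
```

Run it once against a scratch prefix (for example sh install_regripper.sh ~/Downloads/regripper2.8-master /tmp/rr) and inspect /tmp/rr/rip.pl before pointing it at /usr/local/bin; the plugin path baked into rip.pl follows the prefix, so the scratch install is runnable on its own.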

THAT IS IT…

I hope this has been informative and useful.

Until next time…
