Regripper - forensic analysis of Registry hives

Authors

       Written by Harlan Carvey <keydet89@yahoo.com>

Bugs And Limitations

       This tool does NOT automatically process hive transaction logs. If you need to incorporate data from hive
       transaction logs into your analysis, consider merging the data via Maxim Suhanov's yarp +
       registryFlush.py, or via Eric Zimmerman's rla.exe.

Description

       Regripper is an open-source tool for forensic analysis of Windows Registry files. It can be used to surgically
       extract, translate, and display information (both data and metadata) from Registry-formatted files via
       plugins in the form of Perl scripts.

       All output goes to STDOUT; use redirection (i.e., > or >>) to write it to a file.

Examples

       List all available plugins

              regripper -l

       Run a specific plugin, e.g. retrieve a timeline of recent documents from NTUSER.DAT

              regripper -r /hive/NTUSER.DAT -p recentdocs_tln

       Retrieve run-keys from NTUSER.DAT

              regripper -r /hive/NTUSER.DAT -p run

       Process a complete hive file of type system:

              regripper -r /mnt/SYSTEM -f system > /mnt/reports/system.txt

       Parse hive file of type SAM:

              regripper -r /mnt/SAM -f sam > /mnt/SAM.txt
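       The examples above each rip one hive by hand. The following POSIX shell script is an added example, not part
       of the RegRipper distribution or this man page: it maps the hive files found in a mounted image's config
       directory to the -f profiles listed under Options, runs the -d dirty check before ripping (because, as the
       Bugs section notes, transaction logs are not merged, so a dirty hive may be missing its most recent changes),
       writes one redirected report per hive, and produces a TLN timeline with -aT and -s/-u. It assumes a regripper
       binary on PATH (override with REGRIPPER=... for a dry run) and that -aT can be combined with -s/-u as the
       Synopsis shows; the paths and host name are constructed placeholders.

```shell
#!/bin/sh
# rip_hives.sh: triage wrapper around regripper(1).
# Added example, not part of RegRipper. Assumes a regripper binary on PATH;
# set REGRIPPER=echo to dry-run and see the command lines that would execute.
REGRIPPER="${REGRIPPER:-regripper}"

# Map a hive file name to one of the -f profiles named in the man page
# (sam, security, software, system, ntuser). Returns 1 for anything else.
hive_profile() {
    case "$(basename "$1" | tr '[:upper:]' '[:lower:]')" in
        sam)        echo sam ;;
        security)   echo security ;;
        software)   echo software ;;
        system)     echo system ;;
        ntuser.dat) echo ntuser ;;
        *)          return 1 ;;
    esac
}

# Run the full profile for one hive and redirect the report to
# <reportdir>/<hivename>.txt. Prints the report path on stdout.
# The -d check runs first: regripper does not merge transaction logs, so a
# dirty hive means the report may lack the most recent changes.
rip_hive() {
    hive=$1
    reportdir=$2
    profile=$(hive_profile "$hive") || {
        echo "skip: no profile for $hive" >&2
        return 1
    }
    mkdir -p "$reportdir"
    out="$reportdir/$(basename "$hive").txt"
    dirty=$("$REGRIPPER" -r "$hive" -d 2>&1)
    echo "dirty check for $hive: $dirty" >&2
    "$REGRIPPER" -r "$hive" -f "$profile" > "$out"
    echo "$out"
}

# Timeline (TLN) variant: -aT with the system name (-s) and, when known, the
# user name (-u) that the TLN plugins record. Output: <reportdir>/<hivename>.tln
rip_hive_tln() {
    hive=$1
    reportdir=$2
    system=$3
    user=$4
    mkdir -p "$reportdir"
    out="$reportdir/$(basename "$hive").tln"
    if [ -n "$user" ]; then
        "$REGRIPPER" -r "$hive" -aT -s "$system" -u "$user" > "$out"
    else
        "$REGRIPPER" -r "$hive" -aT -s "$system" > "$out"
    fi
    echo "$out"
}

# Process every recognised hive in a config directory of a mounted image.
# Usage (constructed paths):
#   rip_all /mnt/image/Windows/System32/config /mnt/reports HOST01
rip_all() {
    configdir=$1
    reportdir=$2
    system=$3
    for hive in "$configdir"/*; do
        [ -f "$hive" ] || continue
        hive_profile "$hive" >/dev/null || continue
        rip_hive "$hive" "$reportdir"
        rip_hive_tln "$hive" "$reportdir" "$system"
    done
}
```

       NTUSER.DAT hives live under each user profile rather than in the config directory, so call rip_hive and
       rip_hive_tln on them directly, passing the profile's user name to -u.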

Name

       Regripper - forensic analysis of Registry hives

Options

       -r <hive> Specify which Registry hive file to parse. These can be found in %SystemRoot%\System32\config
       or in %userprofile% (the user's profile directory).

       -f <hivetype> Specify the hive type/profile to use; can be sam, security, software, system or ntuser.

       -p <plugin> Specify the plugin to use, e.g. run, appcompatcache and so on. (See -l for the full list.)

       -d Check whether the hive is dirty.

       -g Guess the hive file type.

       -a Automatically run hive-specific plugins.

       -aT Automatically run hive-specific timelining (TLN) plugins.

       -s <systemname> Specify system name (TLN support)

       -u <username> Specify user name (TLN support)

       -l List all available plugins. Custom plugins can be placed in usr/bin/regripper/plugins

       -c Output list of plugins as comma-separated values.

       -h Print short help information.

Reporting Bugs

       When submitting a bug report, please include a description of the problem, how you found it, and your
       contact information. Submit bug reports to: https://github.com/keydet89/RegRipper3.0/issues

See Also

       More information on Regripper appears in the README file, distributed with the regripper source code.

Harlan Carvey                                 v3.0 - December 2020                                  REGRIPPER(1)

Synopsis

regripper [-r <hivefile>] [-f <hivetype>] [-p <plugin>] [-d] [-g] [-a] [-aT] [-s <systemname>] [-u <username>] [-l] [-c] [-h]