RegRip py is a framework for reading and extracting useful forensics data from Windows registry hives. It is an alternative to RegRipper developed in modern Python 3. It makes use of William Ballenthin's python-registry to access the raw registry hives.
The goal of this project is to provide a framework for quickly and easily developing your own plugins in an incident response scenario.
This tool will try its best to stay out of your way and quickly provide you with usable data:
# Get the computer name
$ regrip.py --root /mnt/evidence/C compname
# Get URLs typed in IE for all users on a machine
$ regrip.py -v --root /mnt/evidence/C --all-user-hives typedurls
regrip.py:warn:Could not open key Software\Microsoft\Internet Explorer\TypedURLs
All plugins should also support both a human-readable and a machine-readable output (the Sleuthkit Bodyfile format), so results can be piped straight into mactime or other timeline tools.
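As an added illustration of the plugin model the README describes (this is example code, not part of RegRip py or python-registry), the following sketches a `typedurls`-style plugin with both a human-readable and a Bodyfile emitter. It runs against a constructed in-memory hive (`FakeHive`/`FakeKey` are stand-ins for python-registry's `Registry`/key objects; the paths, timestamps and URLs are invented) so it works without a real hive, and it shows the "could not open key" case being reported as a warning rather than a crash, which matters when a user profile simply never used IE.

```python
"""Added example (not RegRip py's own code): a minimal typedurls-style plugin
with human-readable and Bodyfile output, run on a constructed in-memory hive."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Tuple


@dataclass
class FakeKey:
    """Stand-in for a python-registry key: path, last-write time, name->data pairs."""
    path: str
    timestamp: datetime                       # key last-write time (UTC)
    values: Dict[str, str] = field(default_factory=dict)


class FakeHive:
    """Stand-in for a python-registry Registry object (assumption: a real plugin
    would call Registry.open(path) on a parsed NTUSER.DAT instead)."""
    def __init__(self, keys: Dict[str, FakeKey]):
        self.keys = {k.lower(): v for k, v in keys.items()}

    def open(self, path: str) -> FakeKey:
        # Registry paths are case-insensitive; a missing key raises, as the real library does.
        try:
            return self.keys[path.lower()]
        except KeyError:
            raise KeyError(f"Could not open key {path}")


TYPEDURLS_PATH = r"Software\Microsoft\Internet Explorer\TypedURLs"

# One record per value: (key last-write time, key path, value name, value data)
Record = Tuple[datetime, str, str, str]


def typedurls(hive: FakeHive) -> Tuple[List[Record], List[str]]:
    """Plugin body: return url<N> records plus any warnings. A missing key is a
    warning, not an error, so a run over --all-user-hives keeps going."""
    try:
        key = hive.open(TYPEDURLS_PATH)
    except KeyError as exc:
        return [], [f"regrip.py:warn:{exc.args[0]}"]
    records = []
    for name, data in key.values.items():       # url1, url2, ... most recent first
        if name.lower().startswith("url"):
            records.append((key.timestamp, key.path, name, data))
    return records, []


def human(records: List[Record]) -> List[str]:
    """Human-readable lines: key last-write timestamp, value name and data."""
    return [f"{ts.strftime('%Y-%m-%d %H:%M:%S')}Z  {name} = {data}"
            for ts, _path, name, data in records]


def bodyfile(records: List[Record]) -> List[str]:
    """Sleuthkit Bodyfile lines for mactime:
    MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime
    The registry only stores a key's last-write time, so it goes in mtime and
    the other time fields stay 0. '|' inside data would split the record, so it
    is replaced before emitting."""
    lines = []
    for ts, path, name, data in records:
        epoch = int(ts.replace(tzinfo=timezone.utc).timestamp())
        safe = data.replace("|", "_")
        lines.append(f"0|[REG] {path}\\{name} = {safe}|0|0|0|0|0|0|{epoch}|0|0")
    return lines


def demo() -> Tuple[List[str], List[str], List[str]]:
    """Run the plugin on a constructed hive with two typed URLs, then on an
    empty hive to exercise the missing-key warning path."""
    hive = FakeHive({
        TYPEDURLS_PATH: FakeKey(
            TYPEDURLS_PATH,
            datetime(2020, 1, 2, 3, 4, 5, tzinfo=timezone.utc),   # invented time
            {"url1": "http://example.com/", "url2": "http://example.org/login"},
        )
    })
    records, warnings = typedurls(hive)
    _, warnings_empty = typedurls(FakeHive({}))
    return human(records), bodyfile(records), warnings + warnings_empty


if __name__ == "__main__":
    h, b, w = demo()
    print("\n".join(w + h + b))
```

Piping the Bodyfile lines into `mactime -b - -d` yields a timeline in which every typed URL sits at the key's last-write time; note that this is the time the key was last modified, not necessarily when each individual URL was typed, which is the usual caveat when registry keys are placed on a timeline.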