RegExtract
Info
The inspiration for RegExtract came totally from the excellent RegRipper, created by the very knowledgeable Harlan Carvey, who is the author of the excellent Windows Forensic Analysis book (I have got the 2nd edition on pre-order).
I have written my own binary Windows registry parser that is to be used in a number of forensic applications. I needed a good test bed and what better than to compare the results with RegRipper, so I have implemented all of the plugins available with RegRipper plus a few more. There are currently 60+ plugins. You can run an individual plugin against a registry hive, select a registry hive and run all plugins applicable to the input registry hive, or run specific plugins in a specific order. I will be adding the ability to run the plugins against the hives located in System Restore (again another idea from RegRipper).
I have now written a console version that provides the same functionality as the GUI version, see the Download page. I originally designed the application to dynamically load the plugins, but since no one else would ever contribute plugins, it seemed a pointless overhead, so now all of the plugin code is stored in one binary. If anyone wants a specific plugin writing then let me know the registry keys etc (ideally with an example registry hive file) and I will write one for you.
Features
- Fast compiled code
- Cross-platform via Mono (see separate Mono download)
- Lots of plugins (60+)
- Runs single plugins
- Runs all applicable plugins against a registry hive, with the hive type determined from the embedded file name
- Folder mode that runs any user-selected plugins, in a user-selected order, against all registry hives in a folder. It uses automatic hive recognition to determine each hive's type and then runs the applicable selected plugins.
- Can run specific plugins in a user-defined order
- Excellent Unicode support
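The hive recognition by embedded file name listed above can be illustrated with the following added Python example, which is not RegExtract's own code. It reads the name stored in the hive's "regf" base block (UTF-16LE at offset 48, checksum at offset 508); the name-to-type mapping, the function names and the sample headers are assumptions constructed for the illustration.

```python
import struct

# Assumed mapping from the last path component of the embedded name to a hive type.
HIVE_TYPES = {
    "sam": "SAM", "security": "SECURITY", "software": "SOFTWARE",
    "system": "SYSTEM", "ntuser.dat": "NTUSER", "usrclass.dat": "USRCLASS",
}

def header_checksum(block):
    """XOR of the first 127 little-endian dwords (bytes 0..507) of the base block."""
    value = 0
    for (dword,) in struct.iter_unpack("<I", block[:508]):
        value ^= dword
    if value == 0xFFFFFFFF:
        return 0xFFFFFFFE
    if value == 0:
        return 1
    return value

def identify_hive(block):
    """Return (hive_type, embedded_name) from the first 512 bytes of a hive file."""
    if len(block) < 512 or block[:4] != b"regf":
        raise ValueError("not a registry hive base block")
    (stored,) = struct.unpack_from("<I", block, 508)
    if stored != header_checksum(block):
        raise ValueError("base block checksum mismatch")
    # The field holds only the tail of the original path, so match on the leaf name.
    raw = block[48:112].decode("utf-16-le", errors="replace")
    name = raw.split("\x00", 1)[0]
    leaf = name.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return HIVE_TYPES.get(leaf, "UNKNOWN"), name

def build_sample_header(embedded_name):
    """Constructed test input: a minimal, otherwise empty 512-byte base block."""
    block = bytearray(512)
    block[0:4] = b"regf"
    struct.pack_into("<II", block, 4, 1, 1)   # primary/secondary sequence numbers
    struct.pack_into("<II", block, 20, 1, 5)  # major/minor format version
    encoded = embedded_name.encode("utf-16-le")[:64]
    block[48:48 + len(encoded)] = encoded
    struct.pack_into("<I", block, 508, header_checksum(block))
    return bytes(block)

if __name__ == "__main__":
    for sample in (r"emRoot\System32\Config\SOFTWARE", r"\??\C:\Users\alice\ntuser.dat"):
        print(identify_hive(build_sample_header(sample)))
```

Matching on the embedded name rather than the on-disk name means a hive that was renamed during collection is still recognised, while a header that fails the checksum is rejected before its name is trusted.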