DFIR-ORC / dfir-orc

Forensics artefact collection tool for systems running Microsoft Windows
https://dfir-orc.github.io
GNU Lesser General Public License v2.1

[feature] Add username in user-related artefacts file names #42

Closed. voilaviola closed this 3 years ago

voilaviola commented 3 years ago

Hello, I am using the default configuration to fetch user-related artefacts such as NTUSER.DAT. With the current naming method for artefacts (HEXCODE_ARTEFACTNAME.EXTENSION), I find it not very convenient to know which artefact belongs to which user. Is it possible to name the acquired file by adding the username? Such as Administrator_NTUSER.DAT and guest_NTUSER.DAT. By the way, the way I'm extracting the username from these artefacts is by processing them with RegRipper. Do you have a better suggestion with DFIR-Orc? Thank you for developing such a nice tool, though.

jeanga commented 3 years ago

Along with each collection with GetThis, you get a GetThis.csv file in the archive. This will provide you with the original full path of the HEXCODE_ARTEFACTNAME.EXTENSION on the source file system.

GetThis is only a file system tool. It has no knowledge of the user associated with the artefact collected (user profiles may or may not be located in c:\Users....). It may also happen to collect ntuser.dat in F:\Backup\whatever\ntuser.dat for instance.

So, it really is up to your processing of archives to understand how (and if) you can associate user names with user hives.
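The post-processing step described above, as an added example (not DFIR-ORC's own code and not code from either commenter): it walks a GetThis.csv, keeps the rows whose original path ends in a user hive (NTUSER.DAT or UsrClass.dat), and derives the owner from the profile folder when the hive sits under a profile root. Hives collected from anywhere else, such as the backup-copy case above, are reported with an unknown owner rather than guessed. Assumptions: the CSV has a FullName column (original path) and a SampleName column (HEXCODE_ARTEFACTNAME.EXTENSION); whether FullName carries a drive letter is left open, so the matcher accepts both forms; the CSV content below is constructed for the example, and the column names can be overridden if your GetThis version labels them differently.

```python
"""Associate GetThis samples with user profiles using GetThis.csv.

Added example for post-processing a DFIR-ORC archive; not part of DFIR-ORC.
Assumes GetThis.csv exposes the original path as FullName and the archive
entry as SampleName. Override the column names if yours differ.
"""
import csv
import io
import re
import sys

# Constructed sample GetThis.csv (not a real collection). Paths deliberately
# mix drive-letter and drive-less forms and include a hive outside any profile.
SAMPLE_CSV = r"""ComputerName,FullName,SampleName,SizeInBytes
WKS01,C:\Users\Administrator\NTUSER.DAT,0000A1B2_NTUSER.DAT,262144
WKS01,\Users\guest\ntuser.dat,0000C3D4_ntuser.dat,131072
WKS01,C:\Users\Administrator\AppData\Local\Microsoft\Windows\UsrClass.dat,0000E5F6_UsrClass.dat,65536
WKS01,F:\Backup\whatever\ntuser.dat,00011223_ntuser.dat,262144
WKS01,C:\Windows\System32\config\SYSTEM,00013344_SYSTEM,16777216
"""

# Registry hives that live inside a user profile (compared case-insensitively).
USER_HIVES = {"ntuser.dat", "usrclass.dat"}

# Profile roots seen on Windows: \Users (Vista+) and \Documents and Settings (XP).
# Group 1 captures the profile folder name; the drive letter is optional.
PROFILE_ROOT_RE = re.compile(
    r"^(?:[A-Za-z]:)?\\(?:Users|Documents and Settings)\\([^\\]+)\\(.*)$",
    re.IGNORECASE,
)


def leaf_name(full_name):
    """Last path component of a Windows path."""
    return full_name.rsplit("\\", 1)[-1]


def user_for_path(full_name):
    """Return the profile folder name owning a user hive, or None.

    None means either the file is not a user hive or it was collected from a
    location that is not a profile root (backup copies, other volumes), in
    which case the owner cannot be inferred from the path alone.
    """
    if leaf_name(full_name).lower() not in USER_HIVES:
        return None
    match = PROFILE_ROOT_RE.match(full_name)
    if not match:
        return None
    return match.group(1)


def suggested_name(sample_name, full_name):
    """Build a human-readable name for a collected hive.

    The HEXCODE prefix is kept so two hives with the same owner and leaf name
    (for example the same user on two volumes) never collide.
    """
    hexcode = sample_name.split("_", 1)[0]
    user = user_for_path(full_name) or "UNKNOWNUSER"
    return f"{user}_{hexcode}_{leaf_name(full_name)}"


def map_samples(csv_text, fullname_col="FullName", sample_col="SampleName"):
    """Return [(sample_name, full_name, user_or_None)] for every user hive row."""
    results = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        full_name = row[fullname_col]
        if leaf_name(full_name).lower() in USER_HIVES:
            results.append((row[sample_col], full_name, user_for_path(full_name)))
    return results


if __name__ == "__main__":
    # Usage: python getthis_users.py [path/to/GetThis.csv]; defaults to the sample.
    text = open(sys.argv[1], encoding="utf-8-sig").read() if len(sys.argv) > 1 else SAMPLE_CSV
    for sample, original, user in map_samples(text):
        print(f"{sample:24} {user or 'UNKNOWN':14} {suggested_name(sample, original):40} {original}")
```

The profile folder name is only a hint: an account renamed after first logon keeps its old folder, and a folder such as Public or Default is not an interactive account. When the collection also contains the SOFTWARE hive, the authoritative mapping is the ProfileList key (HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList, one subkey per SID with a ProfileImagePath value), which ties each SID to its profile directory and can be matched against these paths.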

voilaviola commented 3 years ago

Thanks @jeanga ! I didn't notice this.