Regripper Feedback

[kwallster]

I like it! Here is what I would like to see,

• In the "Directory Listing" pane while looking at the "Raw Tool Output" it would be nice to have a path column so that I can quickly determine which hive I am looking at. This way if I'm interested in a particular users NTUSER.DAT I can find the file that I want without having to open each one and click on the "Metadata" tab.
• I like to include a copy of the regripper output in my reports. I see that the ability to tag the results for inclusion in your report exists but when you view the results in the html report the output is not formatted and is difficult to read. It would be nice if you could link the nicely formatted regripper output into the report. Or a way of linking to or pulling out the text file containing the regripper output.
• In my one test I noticed that there was no output for the SAM hive.

[bcarrier]

Quick comments here for future reference before I forget:

Re Full Path: The engineering challenge here is that these are all artifacts associated with a file. In some cases, like this, you may want to see the full path of the file that the artifact is associated with. In other cases, such as web bookmarks that come out of a SQLite database file, you may not want to see the same exact path in hundreds of lines. We could either put the path at the end for all artifacts or we could add some logic to show or hide for different types of artifacts.

Re: Output: Agreed that it is not pretty right now. Is there a nicely formatted regripper output or just the text output (and I don't mean that to be a dig on RegRipper output)? We could probably link to the original text file. Maybe with a TEXT_FILE attribute.

Re: SAM hive: Does regripper produce output if you run it manually?

[kwallster]

RE Full Path: I just noticed that If you scroll to the bottom of the "Raw Tool Output" in the Results tab that the "Source File Path" is displayed. If this were to be displayed prior to the "Text" field examiner's can quickly determine which version of the registry hive they are looking at. It's really only a big deal when there is a lot of data.

Re Output: :) I like the regripper text file. The output fit's nicely into our electronic report. A link to the text file would be fine for us. I don't believe there is a nicer output format.

Re SAM hive: I just looked in the \ModuleOutput\RecentActivity\reg folder and see that Autopsy did parse the SAM. The SAM-regripper-##-full.txt files were there. This looks like a case of simply ensuring that results appear in the Raw Tool Output... If I was smart enough, I would add it in right away... but I'm not feeling smart at the moment. Taking that a step further this would be a nice little plugin for someone to write for an upcoming competition, since autopsy is already 90% there for this task in that it is producing the "Full" output. Is this just a matter of formatting the desired output into an ?xml? file and getting the user data to appear as extracted content?

The fact that the full regripper output is available is handy as is it one less step that needs to be performed when starting an examination. Plus it happens early on in the ingestion process so we can quickly being looking at the results! You guys are doing great stuff!

[bcarrier]

Re Full Path: Good point. That is easier to prioritize to the top than in the table view.

Re SAM: So, it ran, but we never copied the results into the database?

Thanks for the feedback.

[kwallster]

Re SAM: That is correct.

[mitchwander]

I wholeheartedly agree with kwallster's comment regarding full path. I hope that it can be done in a manner that is consistent with the intent of his initial comment - looking at a particular user. It would be ideal to show the username clearly in a column (for NTUSER.DAT) instead of the full path, if the full path will require scrolling or resizing a column. Full path would provide all of the information, though simply showing the username may also add value.