RegRipper in an Autopsy plug-in

#1

I am writing an Autopsy Data Ingest plug-in that calls the command line version of RegRipper (rip.exe) using its bam plugin module. Unfortunately, when Autopsy launches rip, rip does not recognize my Registry file as a SYSTEM hive.
Rip has a -g switch that tells it to guess the type of registry file. In testing, I discovered that in Autopsy:
rip "SYSTEM.reg" -g
returns "unknown = 1".
However, the same rip command line run in a Windows command shell returns "system = 1".

Have you ever heard of anything like this? I would appreciate any insight you share.

#2

Correction: The command is
rip -r "SYSTEM.reg" -g

#3

More info: The command string I was building turned out to be rip -r "(space)SYSTEM.reg(space)" -g, that's why it was failing. That's fixed now and rip.exe recognizes the hive file as type SYSTEM.

However, I still have a problem with the command I need to execute to gather the data I need. It is:
rip.exe -r "SYSTEM.reg" -p bam with the output redirected to a file via processBuilder.redirectOutput(reportFile)

I know rip.exe can see the bam plugin, as confirmed with rip.exe -l (to list plugins).

However, my reportFile is always zero bytes. Is there a way I can see what is going on when my command is run? I don’t see any error messages in the log. Where else can I look?

#4

Hi Wendy,

Not sure exactly why you aren’t getting the output, but I’d point you to the existing RegRipper integration:

It could be easier for you to build on top of that integration and parse the BAM output.

#5

Hi Wendy,

Here is a plugin that does not use RegRipper but does get the BAM key. Let me know if that is what you were looking for.

Kind regards.

Mark

#6

Thank you for your suggestions. Fortunately, I got it fixed yesterday.

The problem was that I was sending my rip.exe command string in pieces to Autopsy, just like the sample data source ingest module Python plugin code Autopsy provides. However, apparently Autopsy was not putting the command together properly, so rip would not run. I still don't know what the command looked like once Autopsy assembled it, but now I'm sending it to Autopsy in one long string and it works. (Likewise, I can't explain why rip -l and rip -r "system.reg" -g worked, but rip -r "system.reg" -p bam didn't.)

Thank you again. -Wendy
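Added example, not Wendy's module or Autopsy's sample code: a CPython sketch of the two fixes the thread arrives at, passing the rip command as a list of separate tokens with no stray quote characters or padding, and capturing stderr alongside the redirected report so a zero-byte report comes with a reason. It uses subprocess in place of Autopsy's Jython ProcessBuilder, and a constructed stand-in for rip.exe since RegRipper is not available here; function names and the stand-in commands are assumptions.

```python
import subprocess
import sys
import tempfile
from pathlib import Path


def build_rip_argv(rip_exe, hive_path, plugin=None, guess=False):
    """Assemble the rip command as one token per list element.

    A list (instead of a stitched string) means the hive path is never wrapped
    in literal quote characters or padded with spaces, which is what produced
    the "(space)SYSTEM.reg(space)" failure in the thread."""
    argv = [str(rip_exe), "-r", str(hive_path)]
    if guess:
        argv.append("-g")
    if plugin:
        argv += ["-p", plugin]
    for tok in argv:
        # Reject tokens copied out of a quoted string with padding or with the
        # quote characters (straight or curly) still attached.
        if tok != tok.strip() or tok[:1] in ('"', "\u201c", "\u201d"):
            raise ValueError("malformed rip argument: %r" % tok)
    return argv


def run_with_diagnostics(argv, workdir=None):
    """Run argv with stdout redirected to a report file and stderr to a log.

    Returns exit code, report size and captured stderr, so an empty report is
    explained rather than silently written."""
    workdir = Path(workdir or tempfile.mkdtemp(prefix="rip-"))
    report, errlog = workdir / "report.txt", workdir / "rip-stderr.txt"
    with report.open("wb") as out, errlog.open("wb") as err:
        rc = subprocess.run(argv, stdout=out, stderr=err).returncode
    return {
        "returncode": rc,
        "report_bytes": report.stat().st_size,
        "stderr": errlog.read_text(errors="replace"),
        "report": str(report),
    }


# Constructed stand-in for rip.exe (hypothetical): the Python interpreter
# printing the kind of output the thread quotes. Swap in the real rip.exe.
FAKE_RIP_OK = [sys.executable, "-c", "print('system = 1')"]
FAKE_RIP_FAIL = [sys.executable, "-c",
                 "import sys; sys.stderr.write('cannot open hive\\n'); sys.exit(2)"]

if __name__ == "__main__":
    print(build_rip_argv("rip.exe", "SYSTEM.reg", plugin="bam"))
    for cmd in (FAKE_RIP_OK, FAKE_RIP_FAIL):
        print(run_with_diagnostics(cmd))
```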