I am writing an Autopsy Data Ingest plug-in that calls the command line version of RegRipper (rip.exe) using its bam plugin module. Unfortunately, when Autopsy launches rip, rip does not recognize my Registry file as a SYSTEM hive.
Rip has a -g switch that tells it to guess the type of registry file. In testing, I discovered that in Autopsy:
rip “SYSTEM.reg” -g
returns “unknown = 1”.
However, the same rip command line run in a Windows command shell returns “system = 1”.
Have you ever heard of anything like this? I would appreciate any insight you share.
More info: The command string I was building turned out to be rip -r “(space)SYSTEM.reg(space)” -g; that’s why it was failing. That’s fixed now, and rip.exe recognizes the hive file as type SYSTEM.
However, I still have a problem with the command I need to execute to gather the data I need. It is:
rip.exe -r “SYSTEM.reg” -p bam, with the output redirected to a file via processBuilder.redirectOutput(reportFile).
I know rip.exe can see the bam plugin, as confirmed with rip.exe -l (to list plugins)
However, my reportFile is always zero bytes. Is there a way I can see what is going on when my command is run? I don’t see any error messages in the log. Where else can I look?
Thank you for your suggestions. Fortunately, I got it fixed yesterday.
The problem was that I was sending my rip.exe command string in pieces to Autopsy, just like the sample data source ingest module python plugin code Autopsy provides. However, apparently Autopsy was not putting the command together properly, so rip would not run. I still don’t know what the command looked like once Autopsy assembled it, but now I’m sending it to Autopsy in one long string and it works. (Likewise, I can’t explain why rip -l and rip -r “system.reg” -g worked, but rip -r “system.reg” -p bam didn’t.)
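The two failures in this thread (a space-padded hive path, and a zero-byte report with nothing in the log) both come down to what the argv actually looks like when the process is launched and to stderr/exit status being discarded. The following is an added example, not code from the original posts or from Autopsy or RegRipper: it builds the rip.exe argument list one element per argument (the way ProcessBuilder and subprocess pass them, with no shell quoting), lints the list before running, and captures stdout, stderr and the exit code so an empty report can be explained. Because rip.exe is not available here, `FAKE_RIP` is a constructed stand-in that imitates the `-g`, `-p` and `-l` behaviour described in the thread; its output strings are invented and the function names are the example's own.

```python
"""Build, lint and run a RegRipper-style command without a shell, capturing what a
stdout-only redirect hides (stderr and the exit code). Added example; rip.exe is
replaced by the constructed FAKE_RIP stand-in below."""
import os
import subprocess
import sys
import tempfile
from typing import Dict, List, Optional


def build_rip_argv(rip_cmd: List[str], hive_path: str, plugin: Optional[str] = None,
                   guess: bool = False) -> List[str]:
    """One list element per argument, no quotes added. ProcessBuilder/subprocess pass
    each element verbatim, so a '"SYSTEM.reg"' or ' SYSTEM.reg ' element reaches
    rip.exe with the quotes/spaces included and the hive is simply not found."""
    hive = hive_path.strip()
    if not hive:
        raise ValueError("empty hive path")
    if '"' in hive or "'" in hive:
        raise ValueError("quotes in an argv element are passed literally: %r" % hive)
    argv = list(rip_cmd) + ["-r", hive]
    if guess:
        argv.append("-g")
    if plugin:
        argv.extend(["-p", plugin])
    return argv


def argv_problems(argv: List[str]) -> List[str]:
    """Lint an argv before launching: these checks would have flagged the padded path."""
    problems = []
    for i, arg in enumerate(argv):
        if arg != arg.strip():
            problems.append("arg %d has leading/trailing whitespace: %r" % (i, arg))
        if '"' in arg:
            problems.append("arg %d contains a literal double quote: %r" % (i, arg))
    if "-r" in argv and argv.index("-r") + 1 < len(argv):
        hive = argv[argv.index("-r") + 1]
        if not os.path.isfile(hive):
            problems.append("hive file does not exist: %r" % hive)
    return problems


def run_capture(argv: List[str]) -> Dict[str, object]:
    """Run without a shell and keep stdout, stderr and the exit status. Redirecting
    only stdout to a report file throws away exactly what explains a zero-byte file."""
    proc = subprocess.run(argv, stdout=subprocess.PIPE, stderr=subprocess.PIPE, text=True)
    result: Dict[str, object] = {"argv": argv, "rc": proc.returncode,
                                 "stdout": proc.stdout, "stderr": proc.stderr}
    if not proc.stdout:
        result["diagnosis"] = "empty stdout; rc=%d stderr=%r" % (proc.returncode,
                                                                  proc.stderr.strip())
    return result


# Constructed stand-in for rip.exe (not RegRipper's code or output): -g guesses the hive
# type from the file name, -p runs a "plugin", -l lists plugins, and a missing hive is an
# error on stderr with exit code 1.
FAKE_RIP = r'''
import os, sys
args = sys.argv[1:]
if "-l" in args:
    print("bam - constructed stand-in plugin"); sys.exit(0)
if "-r" in args:
    hive = args[args.index("-r") + 1]
    if not os.path.isfile(hive):
        sys.stderr.write("Could not open %r\n" % hive); sys.exit(1)
    if "-g" in args:
        name = os.path.basename(hive).lower()
        print("system = 1" if name.startswith("system") else "unknown = 1")
    elif "-p" in args:
        print("%s plugin ran against %s" % (args[args.index("-p") + 1], hive))
sys.exit(0)
'''


def demo() -> Dict[str, object]:
    """Replay the thread's three commands against the stand-in and return the captures."""
    with tempfile.TemporaryDirectory() as d:
        fake = os.path.join(d, "rip.py")
        with open(fake, "w") as f:
            f.write(FAKE_RIP)
        hive = os.path.join(d, "SYSTEM.reg")
        open(hive, "wb").close()            # empty constructed hive; only the name matters here
        rip = [sys.executable, fake]
        out: Dict[str, object] = {}
        padded = rip + ["-r", " " + hive + " ", "-g"]     # the '(space)SYSTEM.reg(space)' bug
        out["padded_problems"] = argv_problems(padded)
        out["padded"] = run_capture(padded)
        out["guess"] = run_capture(build_rip_argv(rip, hive, guess=True))
        out["bam"] = run_capture(build_rip_argv(rip, hive, plugin="bam"))
        return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, "->", value)
```

When porting this back to an Autopsy module, the same two habits apply: log the exact argv list (not a concatenated string) immediately before launching, and redirect or capture stderr and check the exit code rather than looking only at the size of the report file.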