I didn’t have any issues with the processing but there was no listed USB devices in the tree and when I re watched the video, I know it uses regripper but did I miss something and just not see it or did anyone else have an issue with it?
2 Likes
I am in the same boat.
Rewatched the video to make sure I didn’t miss anything. Nope.
No USB devices listed in Autopsy.
Agreed and there is no evidence that RegRipper is installed.
Same here. Went to the link in the slide and see that the version up there is from 2013, and yet there are newer versions on github at https://github.com/keydet89/RegRipper2.8. The video wasn’t too clear on how to download and install additional “plug-ins” so will have to work that out before proceeding.
Aside from that, the information will be in the registry, so alternately, I try to look into the USBSTOR key (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\USBSTOR) to see what is listed in there.
1 Like
So here is a very weird situation. I moved the entire case and all associated files over to my Surface Book Pro so I can work on the class tomorrow from another location and fired it all up and guess what showed up? All kinds of extra entries to include all the regripper items. Cant explain that one. Maybe it just needed a full restart? But its all there now.
I used an old version of autopsy a while back and jumped on this class to get reaquainted with it as a backup tool. i must say it has progressed nicely and may take the place of some of my other tools due to some of them pricing themselves out of the market…
I have read in other threads that, in particular, the USB Devices Attached did not appear for everyone. One user found that quitting and restarting Autopsy fixed the view. Just don’t do this while ingesting.
Please report back if this fixes for you.
1 Like
I had the same issue where it didn’t appear in the tree… I closed Autopsy and re-opened, that worked.
Same here. Restart solved the problem. Thanks.
I have the same problem. Refreshing the tree or restarting Autopsy don’t show me any USB devices. My logs are pretty similar to @peritos .
I did not see the USB devices as well .and Also what I saw the dates were different also. the dates in quiz were 12 Nov but in the database it was 13 Nov
If you are seeing the date/timestamps being off by a day, you probably have the time zone set to whatever your local timezone is. As with everything, time zone skew may change the date/time, which is why it is always, always best to do everything in UTC. Regardless of the tool/program/software that you are using.
2 Likes
Glad to see I’m not alone.
That might be the case. for date and time. Yes it was off by a day for all the dates
But why I cannot see the USB devices
Have you tried exiting Autopsy, restarting it, and opening the case again? Some systems seem to have a UI refresh issue, where the UI does not refresh properly. We’ve not been able to figure out why that happens on some systems and not others, but in roughly half the cases the system is a low to mid level system, but it can happen on even the most powerful systems.
Also, remember, that Regripper results can also be found under the “Reports” section.
Yeah I got it back when run it again today. Now I got the list of USB Devices attached.
I am also getting the same error in my logs:
SEVERE: Exception occurred in Registry
Refreshing had no effect.
I had the same problem but this issue was resolved just after i restarted Autopsy.
Other recent activities such as installed programs, OS information, OS user accounts, shell bags, recent docs and Recycle bin also showed up finally.
I confirm that I also had the same problem during training. When autopsy restarted, however, the usb devices appeared.
Hello,
Based off of that error, it sounds like the disk image you downloaded was corrupt, or Autopsy could not process the image (and resulting Registry files) properly. You may also be running Autopsy on *nix/MacOS systems, which may be causing an issue as well, we cannot really determine that for sure without more information than an error in the logs.
Please try to download the image(s) again, and add the files to the case again, and try again.
Thank you