Comments on Journey Into Incident Response: Unleashing auto_rip
Blog by Corey Harrell. 17 comments, newest first (times are UTC-04:00; feed last updated 2024-03-13).

Anonymous, 2015-08-11 05:19
I always look forward to your posts! Outstanding work.

Corey Harrell, 2014-10-08 09:57
@anon,

Trying to communicate through blog comments is not the best way. Look on the about page to get my email address and shoot me an email about what is going on. Email is the better route for trying to identify an issue instead of comments on a blog post.

Anonymous, 2014-10-08 09:44
Thanks for answering, BUT........

I downloaded the most recent RegRipper 4-14, auto_rip64 with the .pl file (your link). Put them in the RegRipper folder. CLI: regripper>auto_rip64 -s "D:\regripwin7" -c os,users...... -r D:\autoripreport.
Within a split second on screen: ----processing the os category---- (etc).
Looking in the report, only a header is present. No further data. Nothing processed.
What do I do wrong?

Corey Harrell, 2014-10-03 20:23
@anon,

In your command you only have to use the -c switch once. Also, if you don't use the -c switch then all plug-ins are released. In the version I released after I made this post, I added the -r switch to specify the output folder. Here is the link to the latest.

http://journeyintoir.blogspot.com/2014/08/autorip-tr3securecollection-dfs-updates.html

Anonymous, 2014-10-01 17:49
Corey Harrell,

Nice automated tool. As I was playing with auto_rip I placed the system, sam and software hives and the NTUSER.dat in the same folder for testing (regripwin7). When I copy out the same files with EnCase I also put them together in the same folder (when there are more users, then of course separate ntuser.dat folders). Now I run

auto_rip -s "C:\regripwin7" -c os,users,software,network,storage,execution,autoruns,log,web,comm -n "C:\regripwin7" -c user_config,user_act,user_network,user_file,user_virtual -u "C:\regripwin7"

I don't have a text file for the usrclass.dat.

Is there a possibility to choose the output path for the reports?

Corey Harrell, 2014-08-12 21:03
@anon,

In your commands drop the ntuser.dat and usrclass.dat. Auto_rip works with folders and not file names. The below command is what you need.

auto_rip.exe -n e:\registry\bjacobs

Anonymous, 2014-08-12 12:20
Thank you for such a great tool. I am a little late to the forensic party :) but I am trying to get on the fast track and have run into the following errors. When attempting to process either the Usrclass.dat or NTUSER.DAT files I receive the below errors. Both files are located on a USB thumb drive and processing those same files using RegRipper works as designed. Would you happen to know why I am receiving the errors? As an FYI... I am using your awesome Tr3Secure Data Collection script to capture the files in question. Thank you in advance for any assistance that you can provide!

>auto_rip.exe -u e:\registry\test\UsrClass.dat
Invalid argument at script/auto_rip-exe.pl line 128.

>auto_rip.exe -n e:\registry\test\NTUSER.DAT
Invalid argument at script/auto_rip-exe.pl line 120.

Chris Then, 2014-04-18 11:25
Very nice tool. I had some issues because I had spaces in my folder name. The error message was:
"No such file or directory at script/auto_rip-exe.pl line 110". For those who get this error message, use double quotes around your path name and everything will work fine.
Thanks for making a great tool (RR) even better!

Rob Lee, 2013-06-10 22:43
This is great. Again, 2nd Chad's comments. Thanks for all the work on all the updates to RegRipper and new tools like auto_rip. I think I was on travel when this was released and am catching up on my blog reading now, so I'm late to the party. But hats off to you and Harlan for your continued work here. Thank you.

Jared Greenhill, 2013-06-04 10:54
Love this - thanks so much for taking the time to create it.

Corey Harrell, 2013-06-03 23:37
@anon, the tool can be downloaded over at the RegRipper site http://code.google.com/p/regripper/downloads/list

Anonymous, 2013-06-03 11:24
Where do you download this tool?
Thanks.

Cedric Pernet (http://bl0g.cedricpernet.net), 2013-05-24 02:33
Excellent work, Corey! This will definitely be useful to all the DFIR community. Thanks for everything you do for the community, by the way! :-)

Chad Tilbury (http://forensicmethods.com), 2013-05-23 22:18
Thank you for releasing auto_rip (and all of the hard work you and Harlan have been putting into the RegRipper cleanup). With the number of RegRipper plugins growing, it makes logical sense to break them up by something other than originating hive. Excellent work matching plugins to process steps!

Corey Harrell, 2013-05-22 22:46
@anon,

I think creating wrapper scripts is one of the easiest ways to speed up your examinations. The scripts make the tools do what you need them to do, which saves time compared to jumping around.

> suggest to Harlan and yourself

Harlan has already added category info to some plugins. Check out some of the TLN plugins for timelines. Good suggestion though, and it's something to think about.

> I have a category called "malware assist"

I have a malware category as well. If you look at the auto_rip reports you'll notice it skips a number. That's a placeholder for all the RegRipper plugins geared towards malware. I'm still trying to figure out how I want to approach it with auto_rip.

Thanks for the comment, and it's cool to hear someone else was thinking along the same lines. auto_rip has been a time saver and now I use it on all my cases.

Anonymous, 2013-05-22 11:05
Corey, this is excellent. I had done something similar with RR 2.5. I created a set of custom categories for the plugins for what I felt would assist me and speed up the examination. I then created custom profiles and dumped the plugin names into that profile. I would then select the custom profile from the drop box in the RR GUI. I would like to suggest to Harlan and yourself that you take it a step further and consider an "Official Category" for each plugin and include that in the plugin description .csv file. I understand the dynamic nature of the artifacts and potential overlap (malware activity not necessarily user activity, vice versa); however, the investigator can make that determination.
For example, I have a category called "Malware Assist" when investigating an infected machine. The custom profile has all the plugins I consider will assist me in identifying notable activity quickly. I did my categories because, as you mentioned, all the "jumping around" was time consuming and hard to keep track of. Anyway, just my 2 cents. In closing... your work and Harlan's is incredible. I consider you both my virtual mentors and push myself every day as I learn so much from both of you. I am looking forward to the book.

H. Carvey, 2013-05-22 07:12
Great post, Corey, and thanks for sharing this tool.