autoripy's Introduction

autoripy's People

Contributors

silv3rhorn avatar

Forkers

dekoder

autoripy's Issues

RegRipper 4.0 support?

I just discovered to my delight, that RegRipper 4.0 was released about 6 months ago! I'm going to be upgrading asap. Can/does "autoripy" need to be updated to support any new RR 4.0 plugins?

*** SPOILER ALERT! ***

The answer turned out to be "No update needed". Autoripy release version "autoripy-20240128" (the latest currently available at the time) worked with RegRipper 4.0 without any modifications. However, please note that "autoripy" will attempt to call a number of RegRipper 3.0 plugins (11 to be exact) that have been removed from the current RegRipper 4.0 release (i.e., they have essentially been deprecated). As such, you won't get any output from those plugins unless you copy the old plugin files from your RegRipper3.0\plugins folder over into your RegRipper4.0\plugins folder. In addition, please note that there are also 11 previously deprecated RegRipper 2.8 plugins that have been brought back in RegRipper 4.0.

The easiest way to deal with this is to use "robocopy" to copy all the *.pl files (excluding all *_tln plugin files) from the "RegRipper3.0\plugins" folder, AND THEN the "autoripy/deprecatedRR2.8Plugins" folder, into the "RegRipper4.0\plugins" folder, WHILE MAKING SURE TO PREVENT THE OVERWRITING OF ANY EXISTING FILES AT THE DESTINATION! For example:

  1. robocopy C:\DFIR_Tools\keydet89\RegRipper3.0\plugins C:\DFIR_Tools\keydet89\RegRipper4.0\plugins *.pl /XC /XN /XO /XF *_tln.pl (Currently copies 15 RR3.0 plugins over)

  2. robocopy C:\DFIR_Tools\Silv3rHorn\autoripy\deprecatedRR28Plugins C:\DFIR_Tools\keydet89\RegRipper4.0\plugins *.pl /XC /XN /XO (Currently copies 101 deprecated RR2.8 plugins over)

Make sure to run the copy (without overwrite) operations in the listed order. That is to say, copy over the old RR3.0 plugins first, followed by the deprecated RR2.8 plugins. Again, do NOT overwrite any files that already exist in the destination folder when doing that.
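The two robocopy steps above, generalized into a script that merges any number of plugin folders in the given order and never overwrites a file already present in the destination (the effect of /XC /XN /XO). This is an added example and not autoripy's or RegRipper's own code; the folder layout and plugin files it uses are constructed in a temporary directory, and the exclusion pattern `*_tln.pl` on the first source mirrors the /XF filter in step 1 (step 2 excludes nothing, as on the page).

```python
"""Added example (not autoripy's or RegRipper's code): merge plugin folders
into a RegRipper 4.0 plugins folder without overwriting anything that is
already there, processing sources in a fixed order as the robocopy steps do.
All paths are constructed in a temporary directory."""
import fnmatch
import shutil
import tempfile
from pathlib import Path


def merge_plugins(sources, dest):
    """Copy *.pl files from each (folder, exclude_patterns) source, in order, into dest.

    A file is copied only if nothing with that name exists in dest yet, so the
    existing RR4.0 plugins win over RR3.0 ones, which in turn win over RR2.8 ones.
    Returns {"copied": [...], "skipped_existing": [...], "skipped_excluded": [...]}
    with file names, so the merge can be audited afterwards.
    """
    dest = Path(dest)
    dest.mkdir(parents=True, exist_ok=True)
    result = {"copied": [], "skipped_existing": [], "skipped_excluded": []}
    for src, exclude_patterns in sources:
        for plugin in sorted(Path(src).glob("*.pl")):
            name = plugin.name
            if any(fnmatch.fnmatch(name, pat) for pat in exclude_patterns):
                result["skipped_excluded"].append(name)  # e.g. *_tln.pl (robocopy /XF)
                continue
            target = dest / name
            if target.exists():  # never overwrite: same as robocopy /XC /XN /XO
                result["skipped_existing"].append(name)
                continue
            shutil.copy2(plugin, target)
            result["copied"].append(name)
    return result


def demo():
    """Constructed layout: RR3.0 plugins, autoripy's deprecatedRR28Plugins, RR4.0 plugins."""
    root = Path(tempfile.mkdtemp())
    rr3 = root / "RegRipper3.0" / "plugins"
    rr28 = root / "autoripy" / "deprecatedRR28Plugins"
    rr4 = root / "RegRipper4.0" / "plugins"
    for d in (rr3, rr28, rr4):
        d.mkdir(parents=True)
    (rr3 / "oldplugin.pl").write_text("# RR3.0 version\n")
    (rr3 / "oldplugin_tln.pl").write_text("# TLN variant, must be skipped\n")
    (rr3 / "shared.pl").write_text("# RR3.0 version\n")
    (rr28 / "ancient.pl").write_text("# RR2.8 version\n")
    (rr28 / "ancient_tln.pl").write_text("# RR2.8 TLN variant\n")
    (rr28 / "oldplugin.pl").write_text("# RR2.8 version, must lose to RR3.0\n")
    (rr4 / "shared.pl").write_text("# RR4.0 version, must be kept\n")
    # step 1: RR3.0 plugins minus *_tln.pl; step 2: deprecated RR2.8 plugins, no filter
    report = merge_plugins([(rr3, ("*_tln.pl",)), (rr28, ())], rr4)
    contents = {p.name: p.read_text() for p in rr4.glob("*.pl")}
    shutil.rmtree(root)
    return report, contents


if __name__ == "__main__":
    rep, files = demo()
    print(rep)
    print(sorted(files))
```

Running `demo()` shows the precedence the post insists on: the RR4.0 copy of `shared.pl` survives, `oldplugin.pl` comes from RR3.0 rather than from the RR2.8 folder, and `oldplugin_tln.pl` is not copied at all.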

Unable to run autoripy

Hi yk,

I am unable to run autoripy, I have put autoripy in the same folder as regripper and this is the command that I ran on an extracted registry hive in a directory

python autoripy -rr C:\Users\XXX\Desktop\Regripper -s C:\Users\XXX\Desktop\registry -c all

Am I doing it right? kindly advise.

Thank you.

New release version of "autoripy" (v20200827) generating errors upon execution.

Hi, I'm getting the following error when I attempt to run the newly released "autoripy" (v20200827) executable:

C:\IRTools\RegRipper3.0>autoripy-20200827.exe
Traceback (most recent call last):
File "autoripy.py", line 105, in <module>
File "autoripy.py", line 89, in main
File "plugin_selector.py", line 184, in get_selection
File "plugin_selector.py", line 22, in _validate_input
File "ntpath.py", line 78, in join
TypeError: expected str, bytes or os.PathLike object, not NoneType
[5648] Failed to execute script autoripy

Also, when I attempt to execute the newly released .py version of the tool, I get the (similar) error:

C:\IRTools\RegRipper3.0\autoripy-20200827>autoripy.py
Traceback (most recent call last):
File "C:\IRTools\RegRipper3.0\autoripy-20200827\autoripy.py", line 105, in <module>
if not main():
File "C:\IRTools\RegRipper3.0\autoripy-20200827\autoripy.py", line 89, in main
options = ps.get_selection()
File "C:\IRTools\RegRipper3.0\autoripy-20200827\plugin_selector.py", line 184, in get_selection
if not _validate_input(options):
File "C:\IRTools\RegRipper3.0\autoripy-20200827\plugin_selector.py", line 22, in _validate_input
if not os.path.isfile(os.path.join(options.rr, u'rip.exe')):
File "C:\Python\Python38\lib\ntpath.py", line 78, in join
path = os.fspath(path)
TypeError: expected str, bytes or os.PathLike object, not NoneType

Looks like some kind of bug to me. However, it is interesting to note that executing either the .exe or the .py with an incorrect parameter, or with the "-h" parameter, does result in the correct "Usage" message being displayed. For example:

C:\IRTools\RegRipper3.0>autoripy-20200827.exe -h
usage: autoripy-20200827.exe [-h] [-s SYSTEM] [-a AMCACHE] [-n NTUSER] [-u USRCLASS] [-m MULTIPLE] [-r REPORTDIR] [-c CAT] [rr]

autoripy is an attempt to replicate the functions of auto_rip by Corey Harrell in Python.
auto_rip automates the execution of RegRipper according to an examination process.
auto_rip is a Copyright of Corey Harrell (jIIr).

Supported Categories:
all gets information from all categories
os gets General Operating System Information
users gets User Account Information
software gets Installed Software Information
network gets Networking Configuration Information
storage gets Storage Information
device gets Device Information
execution gets Program Execution Information
autoruns gets Autostart Locations Information
log gets Logging Information
malware gets Malware Indicators
web gets Web Browsing Information
user_config gets User Account Configuration Information
user_act gets User Account General Activity
user_network gets User Account Network Activity
user_file gets User Account File/Folder Access Activity
user_virtual gets User Account Virtualization Access Activity
comm Communication Software Information

Usage:
Extract all information from the SAM, Security, Software, and System hives.
autoripy C:\regripper -s H:\Windows\System32\config -c all

Extract file access information from NTUSER.DAT and UsrClass.dat hive (Windows 7 profile)
autoripy C:\regripper -n H:\Users\Corey -u H:\Users\Corey\AppData\Local\Microsoft\Windows -c user_file

Extract all information from all Windows registry hives without using -c switch.
autoripy C:\regripper -s H:\Windows\System32\config -a H:\Windows\AppCompat\Programs -n H:\Users\Corey -u H:\Users\Corey\AppData\Local\Microsoft\Windows

Extract all information from the SAM, Security, Software and System hives, then store output reports in a specified directory.
autoripy C:\regripper -s H:\Windows\System32\config -r C:\reports

Extract all information from the SAM, Security, Software and System hives, NTUSER.DAT and UsrClass.dat from each user in separate directories, then store output reports in a specified directory.
autoripy C:\regripper -s H:\hives -m H:\hives\Users -r C:\reports

positional arguments:
rr path to the folder containing RegRipper.

optional arguments:
-h, --help show this help message and exit
-s SYSTEM, --system SYSTEM
path to the folder containing the SAM, Security, Software, and System hives.
-a AMCACHE, --amcache AMCACHE
path to the folder containing the Amcache.hve hive.
-n NTUSER, --ntuser NTUSER
path to the folder containing the NTUSER.DAT hive.
-u USRCLASS, --usrclass USRCLASS
path to the folder containing the UsrClass.dat hive.
-m MULTIPLE, --multiple MULTIPLE
path to the folder containing multiple \NTUSER.DAT and/or \UsrClass.DAT.
-r REPORTDIR, --reportdir REPORTDIR
path to the folder to store the output reports.
-c CAT, --cat CAT specifies the plugin categories to run. Separate multiple categories with a comma.

...or...

C:\IRTools\RegRipper3.0>autoripy-20200827.exe -?
usage: autoripy-20200827.exe [-h] [-s SYSTEM] [-a AMCACHE] [-n NTUSER] [-u USRCLASS] [-m MULTIPLE] [-r REPORTDIR]
[-c CAT]
[rr]
autoripy-20200827.exe: error: unrecognized arguments: -?
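The traceback in this report points at `os.path.join(options.rr, 'rip.exe')` receiving `None`: the usage line shows `rr` as an optional positional (`[rr]`), so running the tool with no arguments parses cleanly and the `None` only blows up inside the path check. The block below is an added example, not autoripy's own code: it rebuilds the relevant argparse definition from the quoted usage text, shows the unsafe check failing, and shows a hypothetical `validate_rr` replacement that reports a usage error instead of a TypeError. The RegRipper folder it checks is a constructed temporary directory holding an empty `rip.exe`.

```python
"""Added example (not autoripy's own code): reproduce the None-path crash from
the traceback above and show an input check that reports it as a usage error.
build_parser mirrors the quoted usage line; validate_rr is a hypothetical
replacement for the page's _validate_input."""
import argparse
import os
import tempfile


def build_parser():
    p = argparse.ArgumentParser(prog="autoripy")
    # "[rr]" in the usage text: the positional is optional, so it can be None
    p.add_argument("rr", nargs="?", help="path to the folder containing RegRipper.")
    p.add_argument("-s", "--system", help="folder with SAM/Security/Software/System hives")
    p.add_argument("-c", "--cat", help="plugin categories to run")
    return p


def validate_rr_unsafe(rr):
    """Same shape as the failing line: join() on None raises TypeError."""
    return os.path.isfile(os.path.join(rr, "rip.exe"))


def validate_rr(rr):
    """Return (ok, message); checks for a missing positional before touching the path."""
    if rr is None:
        return False, "missing RegRipper folder: pass it as the first positional argument"
    rip = os.path.join(rr, "rip.exe")
    if not os.path.isfile(rip):
        return False, f"rip.exe not found in {rr!r}"
    return True, rip


def run(argv):
    """Parse argv the way the tool does, then validate; returns (ok, message)."""
    options = build_parser().parse_args(argv)
    return validate_rr(options.rr)


def crashes_on_none():
    """True if the unsafe check raises TypeError for a missing rr, as in the report."""
    try:
        validate_rr_unsafe(None)
    except TypeError:
        return True
    return False


def demo():
    """Constructed RegRipper folder with an empty rip.exe; returns three checks."""
    with tempfile.TemporaryDirectory() as d:
        open(os.path.join(d, "rip.exe"), "wb").close()
        with_rr = run([d, "-s", os.path.join(d, "config"), "-c", "all"])
        without_rr = run(["-s", os.path.join(d, "config"), "-c", "all"])
    return with_rr[0], without_rr[0], crashes_on_none()


if __name__ == "__main__":
    print(demo())  # with rr: ok; without rr: clear error; unsafe check: TypeError
```

The point for anyone packaging a forensic tool this way: when argparse is told a positional is optional, every consumer of that value has to handle `None`, and the check belongs before any path operation so the user sees the usage message the `-h` run already proves the tool can print.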

Support of multiple NTUSER.DAT and UsrClass.dat

May you add support for following nomenclature?

user-NTUSER.DAT
user-ntuser.dat.LOG1
user-ntuser.dat.LOG2
user-UsrClass.dat
user-UsrClass.dat.LOG1
user-UsrClass.dat.LOG2

Does autoripy support transaction logs, i.e. merging the transaction logs into the hive prior to parsing?

Thank you!
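The nomenclature requested above, handled by a small classifier that recognizes `user-<hive>` names with optional `.LOG1`/`.LOG2` transaction logs, groups them per user, and lists which hives have transaction logs sitting next to them (the candidates a log-merge step would act on before parsing). This is an added example and not autoripy's code; the file list it runs on is constructed from the names in the request plus a hyphenated user name and two non-matching entries.

```python
"""Added example (not autoripy's code): recognize the 'user-NTUSER.DAT',
'user-ntuser.dat.LOG1', 'user-UsrClass.dat.LOG2' naming scheme requested above,
group the files per user and hive, and flag hives that have transaction logs
present. The SAMPLE list is constructed for this example."""
import re
from collections import defaultdict

# lazy user group + anchored tail lets hyphenated user names match correctly
HIVE_RE = re.compile(
    r"^(?P<user>.+?)-(?P<hive>ntuser\.dat|usrclass\.dat)(?:\.(?P<log>log[12]))?$",
    re.IGNORECASE,
)


def classify(filename):
    """Return (user, hive_kind, log_or_None) for a matching name, else None."""
    m = HIVE_RE.match(filename)
    if not m:
        return None
    hive = "NTUSER.DAT" if m["hive"].lower() == "ntuser.dat" else "UsrClass.dat"
    log = m["log"].upper() if m["log"] else None
    return m["user"], hive, log


def group_hives(filenames):
    """Group files as {user: {hive_kind: {"hive": name|None, "logs": [names]}}}.

    Returns (groups, unmatched); unmatched keeps names outside the scheme so a
    caller can fall back to the plain NTUSER.DAT / UsrClass.dat handling.
    """
    groups = defaultdict(lambda: defaultdict(lambda: {"hive": None, "logs": []}))
    unmatched = []
    for name in filenames:
        parsed = classify(name)
        if parsed is None:
            unmatched.append(name)
            continue
        user, hive, log = parsed
        entry = groups[user][hive]
        if log is None:
            entry["hive"] = name
        else:
            entry["logs"].append(name)
    plain = {u: {h: dict(e) for h, e in hives.items()} for u, hives in groups.items()}
    return plain, unmatched


def needs_merge(groups):
    """(user, hive_kind) pairs where both the hive and at least one LOG file exist.

    A LOG file without its hive is reported nowhere here: there is nothing to
    merge it into, which is itself worth surfacing in a real run."""
    return [
        (user, hive)
        for user, hives in groups.items()
        for hive, entry in hives.items()
        if entry["hive"] is not None and entry["logs"]
    ]


# Constructed sample: the names from the request, a hyphenated user, and two
# files that do not follow the scheme.
SAMPLE = [
    "user-NTUSER.DAT", "user-ntuser.dat.LOG1", "user-ntuser.dat.LOG2",
    "user-UsrClass.dat", "user-UsrClass.dat.LOG1", "user-UsrClass.dat.LOG2",
    "jdoe-NTUSER.DAT", "mary-jane-UsrClass.dat.LOG1", "SYSTEM", "NTUSER.DAT",
]

if __name__ == "__main__":
    grouped, other = group_hives(SAMPLE)
    for user, hives in grouped.items():
        for kind, entry in hives.items():
            print(user, kind, entry["hive"], entry["logs"])
    print("unmatched:", other)
    print("hives with transaction logs:", needs_merge(grouped))
```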

Use of uninitialized value $list in pattern match (m//) at PERL2EXE_STORAGE/utf8_heavy.pl

This warning shows up in console every time MALWARE category is executed. Below are the logs:

---- Processing the EXECUTION category
---- Processing the USER_CONFIG category
---- Processing the WEB category
---- Processing the COMM category
---- Processing the OS category
---- Processing the SOFTWARE category
---- Processing the USER_ACT category
---- Processing the MALWARE category
Use of uninitialized value $list in pattern match (m//) at PERL2EXE_STORAGE/utf8_heavy.pl line 399.
---- Processing the AUTORUNS category
---- Processing the STORAGE category
---- Processing the LOG category
---- Processing the NETWORK category
---- Processing the USER_NETWORK category
---- Processing the USER_VIRTUAL category
---- Processing the USER_FILE category
---- Processing the USERS category
---- Processing the DEVICE category
