DFIR-ORC/dfir-orc

[feature] Add username in user-related artefacts file names

Closed this issue · 2 comments

Hello,
I am using the default configuration to fetch user-related artefacts such as NTUSER.DAT. With the current naming method of artefacts (HEXCODE_ARTEFACTNAME.EXTENSION), I find it not very convenient to know which artefact belongs to which user. Is it possible to name the acquired file by adding the username? Such as Administrator_NTUSER.DAT and guest_NTUSER.DAT.
By the way, the way I'm extracting the username from these artefacts is by processing them with RegRipper. Do you have a better suggestion with DFIR-Orc?
Thank you for developing such a nice tool though.

Along with each collection with GetThis, you get a GetThis.csv file in the archive.
This will provide you with the original full path of the HEXCODE_ARTEFACTNAME.EXTENSION on the source file system.

GetThis is only a file system tool.
It has no knowledge of the user associated with the artefact collected (user profiles may or may not be located in c:\Users....).
It may also happen to collect ntuser.dat in F:\Backup\whatever\ntuser.dat for instance.

So, it really is up to your processing of archives to understand how (and if) you can associate user names with user hives.
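One way to do that post-processing, as an added example that is not part of the DFIR-ORC project and not code from either participant: read the GetThis.csv shipped in the archive, infer the owner only when the hive's original path sits under a profile root, and propose a user-prefixed name for the HEXCODE_ARTEFACTNAME.EXTENSION sample. The column names FullName and SampleName, the sample CSV rows and the hex prefixes are constructed assumptions; a hive found outside a profile directory (the F:\Backup\whatever\ntuser.dat case above) is deliberately left unresolved rather than guessed.

```python
import csv
import io
import re
from pathlib import Path

# Constructed sample standing in for the GetThis.csv found in a DFIR-ORC archive.
# The column names FullName and SampleName are assumptions; verify them against the
# header line of a real GetThis.csv before relying on this script.
SAMPLE_GETTHIS_CSV = """FullName,SampleName
C:\\Users\\Administrator\\NTUSER.DAT,0a1b2c3d_NTUSER.DAT
C:\\Users\\guest\\ntuser.dat,4e5f6a7b_ntuser.dat
C:\\Users\\guest\\AppData\\Local\\Microsoft\\Windows\\UsrClass.dat,8c9d0e1f_UsrClass.dat
D:\\Users\\Administrator\\NTUSER.DAT,5e6f7a8b_NTUSER.DAT
F:\\Backup\\whatever\\ntuser.dat,2a3b4c5d_ntuser.dat
"""

# A user name is only inferred when the hive sits under a profile root
# (\Users\<name>\ or the legacy \Documents and Settings\<name>\). Anything else,
# e.g. a hive copied into a backup folder, is left unresolved on purpose.
_PROFILE_RE = re.compile(
    r"[\\/](?:Users|Documents and Settings)[\\/]([^\\/]+)[\\/]", re.IGNORECASE)


def user_for_path(full_name: str):
    """Return the profile name embedded in the original path, or None."""
    m = _PROFILE_RE.search(full_name)
    return m.group(1) if m else None


def build_rename_plan(csv_text: str):
    """Map each SampleName to a <user>_<hive> name; list samples with no known owner."""
    plan = {}        # SampleName -> proposed user-prefixed name
    unresolved = []  # SampleNames whose owner cannot be inferred from the path
    taken = set()    # lowercase proposed names, so two hives never collide
    for row in csv.DictReader(io.StringIO(csv_text)):
        sample = row["SampleName"]
        user = user_for_path(row["FullName"])
        if user is None:
            unresolved.append(sample)
            continue
        hive = row["FullName"].replace("/", "\\").rsplit("\\", 1)[-1]
        candidate, n = f"{user}_{hive}", 1
        while candidate.lower() in taken:  # same user seen again (second volume, profile copy)
            n += 1
            candidate = f"{user}_{n}_{hive}"
        taken.add(candidate.lower())
        plan[sample] = candidate
    return plan, unresolved


def apply_plan(extracted_dir: str, plan: dict, dry_run: bool = True):
    """Rename extracted samples in place; skips missing inputs and never overwrites."""
    renamed = []
    root = Path(extracted_dir)
    for sample, new_name in plan.items():
        src, dst = root / sample, root / new_name
        if not src.is_file() or dst.exists():
            continue
        if not dry_run:
            src.rename(dst)
        renamed.append((sample, new_name))
    return renamed


if __name__ == "__main__":
    plan, unresolved = build_rename_plan(SAMPLE_GETTHIS_CSV)
    for sample, new_name in plan.items():
        print(f"{sample} -> {new_name}")
    for sample in unresolved:
        print(f"{sample}: owner unknown, keeping original name (check FullName in GetThis.csv)")
```

The prefix comes from the path GetThis recorded, not from the hive contents, so it tells you which profile directory the file was taken from; whether that directory really belongs to the account of that name is something to confirm against the SAM or the ProfileList key, which is where a RegRipper pass still earns its keep.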

Thanks @jeanga ! I didn't notice this.