diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java
index 365f71c81a..a0c0e75a48 100644
--- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java
@@ -418,10 +418,31 @@ class ExtractRegistry extends Extract {
 String errFilePath = outFilePathBase + "-full.err.txt"; //NON-NLS
 logger.log(Level.INFO, "Writing Full RegRipper results to: {0}", regOutputFiles.fullPlugins); //NON-NLS
 executeRegRipper(rrFullCmd, rrFullHome, regFilePath, fullType, regOutputFiles.fullPlugins, errFilePath);
+ try {
+ scanErrorLogs(errFilePath);
+ } catch (IOException ex) {
+ logger.log(Level.SEVERE, "Unable to run RegRipper", ex); //NON-NLS
+ this.addErrorMessage(NbBundle.getMessage(this.getClass(), "ExtractRegistry.execRegRip.errMsg.failedAnalyzeRegFile", this.getName()));
+ }
 }
 return regOutputFiles;
 }
+ private void scanErrorLogs(String errFilePath) throws IOException {
+ File regfile = new File(errFilePath);
+ try (BufferedReader reader = new BufferedReader(new FileReader(regfile))) {
+ String line = reader.readLine();
+ while (line != null) {
+ line = line.trim();
+ if (line.contains("Error")) {
+ logger.log(Level.WARNING, "Regripper file {0} contains errors from run", errFilePath); //NON-NLS
+
+ }
+ line = reader.readLine();
+ }
+ }
+ }
+
 private void executeRegRipper(List regRipperPath, Path regRipperHomeDir, String hiveFilePath, String hiveFileType, String outputFile, String errFile) {
 try {
 List commandLine = new ArrayList<>();
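Review bot: The `catch (IOException ex)` added after `executeRegRipper(...)` reports a failure to read the error file as "Unable to run RegRipper" and raises the `failedAnalyzeRegFile` message, which points an examiner at the wrong cause; a message such as `logger.log(Level.SEVERE, "Unable to read RegRipper error file " + errFilePath, ex); //NON-NLS` would describe what actually failed. In `scanErrorLogs` the loop writes the same file-level WARNING once for every matching line and keeps reading, so a `break;` after the `logger.log` call is enough (the `trim()` then serves no purpose). The match is the case-sensitive literal `"Error"`, so stderr lines worded differently would pass unnoticed and a plugin that produced no output would not be flagged; this is worth confirming against real RegRipper stderr. `new FileReader(regfile)` also decodes with the platform default charset rather than an explicit one.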
@@ -1497,11 +1518,11 @@ class ExtractRegistry extends Extract {
 line = line.trim();
 // Reading to the SECTION DIVIDER to get next section of records to process. Dates appear to have
 // multiple spaces in them that makes it harder to parse so next section will be easier to parse
- while (!line.contains(SECTION_DIVIDER) && !line.contains("MSOffice version not found.")) {
+ while (!line.contains(SECTION_DIVIDER) && !line.contains("not found") && !line.contains("version 2010 located")) {
 line = reader.readLine();
 }
 line = reader.readLine();
- while (!line.contains(SECTION_DIVIDER) && !line.contains("MSOffice version not found.")) {
+ while (!line.contains(SECTION_DIVIDER) && !line.contains("not found")) {
 // record has the following format
 // 1294283922|REG|||OfficeDocs2010 - F:\Windows_time_Rules_xp.doc
 String tokens[] = line.split("\\|");
diff --git a/thirdparty/rr-full/plugins/ie_zones.pl b/thirdparty/rr-full/plugins/ie_zones.pl
index 935b3fb537..fb99552f1c 100644
--- a/thirdparty/rr-full/plugins/ie_zones.pl
+++ b/thirdparty/rr-full/plugins/ie_zones.pl
@@ -61,7 +61,11 @@ sub pluginmain {
 # Get Zones and various security settings
 foreach my $n (0..4) {
 $zone = $key->get_subkey('Zones\\'.$n);
- ::rptMsg("Zone ".$n.": ".$zone->get_value("PMDisplayName")->get_data()." - ".$zone->get_value("Description")->get_data());
+ if (defined($zone->get_value("PMDisplayName"))) {
+ ::rptMsg("Zone ".$n.": ".$zone->get_value("PMDisplayName")->get_data()." - ".$zone->get_value("Description")->get_data());
+ } else {
+ ::rptMsg("Zone ".$n.": ".$zone->get_value("DisplayName")->get_data()." - ".$zone->get_value("Description")->get_data());
+ }
 ::rptMsg("LastWrite: ".gmtime($zone->get_timestamp()." UTC"));
 my @vals = $zone->get_list_of_values();
diff --git a/thirdparty/rr-full/plugins/searchscopes.pl b/thirdparty/rr-full/plugins/searchscopes.pl
index 8b8eecc9c0..299293f94f 100644
--- a/thirdparty/rr-full/plugins/searchscopes.pl
+++ b/thirdparty/rr-full/plugins/searchscopes.pl
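Review bot: In the ExtractRegistry.java hunk at -1497, the second `while` now stops on any line containing `"not found"`, yet that loop reads record lines such as `1294283922|REG|||OfficeDocs2010 - F:\Windows_time_Rules_xp.doc`, whose document path comes from the hive under examination. A document whose path happens to contain "not found" would end the loop early, and the remaining records would be dropped without any message. The sentinel test could be limited to non-record lines, for example `!(line.contains("not found") && !line.contains("|"))`, assuming the RegRipper status line carries no `|`. Both loops also call `line.contains` on the result of `reader.readLine()` with no null check, so truncated output dereferences null; putting `line != null &&` at the front of each condition covers that. The enclosing method starts and ends outside the hunk.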
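Review bot: In the ie_zones.pl hunk, the new `else` branch still calls `$zone->get_value("DisplayName")->get_data()` with no `defined` check, and both branches do the same for `"Description"`, so a hive lacking either value aborts the plugin just as the missing `PMDisplayName` did. `$zone` is also used unchecked straight after `get_subkey('Zones\\'.$n)`. Because the hive comes from the image being examined, each value is better fetched once with a fallback to an empty string, e.g. `my $d = $zone->get_value("Description"); my $desc = defined($d) ? $d->get_data() : "";`, with the same pattern for the display name. `pluginmain` continues outside the hunk.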
@@ -47,8 +47,10 @@ sub pluginmain {
 if ($key = $root_key->get_subkey($key_path)) {
 ::rptMsg("SearchScopes");
 ::rptMsg($key_path);
- ::rptMsg("DefaultScope: ".$key->get_value("DefaultScope")->get_data());
- ::rptMsg("");
+ if (defined($key->get_value("DefaultScope"))) {
+ ::rptMsg("DefaultScope: ".$key->get_value("DefaultScope")->get_data());
+ ::rptMsg("");
+ }
 # ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
 my @subkeys = $key->get_list_of_subkeys();
 if (scalar(@subkeys) > 0) {