Thursday, March 10, 2011

Timeline Registry Automation Script

I just couldn't keep from writing the script. Just couldn't. After going through the process yesterday, then posting about it, I just kept thinking about how I could streamline the process, so it took me a little bit of time and I worked up the following. Ran through it a few times to make sure it worked and tweaked it a little.

Please keep in mind, I'm no scripting guru (aka Hal Pomeranz et al), so this may seem kludgy. But it does work. I could probably feed it a list of mount points and output files to fill in the variables and have it run through the whole of it, but that would probably take me more time to create and test (and fix) than it would for me to run this a handful of times.

So here it is, in all its (lack of) glory:



_________________________________________________________________

#!/bin/sh
#
# Script to automate regripper in linux for timeline creation.
# This is designed to be run from your regripper directory.
# This version of rip.pl is brought over from the Windows download to run in Linux based on http://grey-corner.blogspot.com/2010/04/running-regripper-on-linux.html
#
# This will automatically run through the 4 hives (ntuser.dat, system, sam, software)
# found under a given mount point and append the output to the specified output file.
# By default, the 'all' module is run, rather than specific to hive type.
#
# $Src is the path (mount point) to be recursed for the file in question
# $Dst is the path & file for regripper output (path must already exist)
# Order of operation should be ./rip.sh src dst
Src=$1
Dst=$2
#
# Check that the user provided all arguments required by this script.
# (Variables are quoted so an empty or space-containing argument cannot break the test;
# plain "echo" is used because "echo -e" is not portable under /bin/sh.)
if [ -z "$Src" ]; then
    echo "USAGE: rip.sh SOURCEDIR OUTPUTFILE"
    exit 1
fi
if [ -z "$Dst" ]; then
    echo "USAGE: rip.sh SOURCEDIR OUTPUTFILE"
    exit 1
fi

echo
echo

#
# Begin the job, updating the user along the way.
# Each find is restricted to regular files (-type f) so a directory that happens to
# share a hive's name, e.g. Windows\System, is not handed to rip.pl by mistake.
# "IFS= read -r" keeps paths with spaces or backslashes intact.

echo "Parsing user hive ... Please be patient."
echo
find "$Src" -type f -iname ntuser.dat | while IFS= read -r d; do ./rip.pl -f all -r "$d" >> "$Dst"; done
echo
echo "Thank you for being patient."
echo
echo

echo "Parsing system hive ... This will only take a minute."
echo
find "$Src" -type f -iname system | while IFS= read -r d; do ./rip.pl -f all -r "$d" >> "$Dst"; done
echo
echo "See, I told you it wouldn't take long."
echo
echo

echo "Parsing SAM hive ... Just a second, it's almost done."
echo
find "$Src" -type f -iname sam | while IFS= read -r d; do ./rip.pl -f all -r "$d" >> "$Dst"; done
echo
echo "There! I can't believe you're so impatient."
echo

echo "Last one - the software hive ... Hold your horses, okay?"
echo
find "$Src" -type f -iname software | while IFS= read -r d; do ./rip.pl -f all -r "$d" >> "$Dst"; done
echo
echo "Okay, we're done now. Stop complaining; I worked as fast as I could."
echo
echo

echo "If you want to run another system, please start over"
echo
echo "Thanks for playing; have a nice day."
echo

# end of script
#

_________________________________________________________________
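The batch-mode extension the post talks about (feeding it a list of mount points and output files) written out as an added example, not part of the original post's script: the four copy-pasted hive searches become one loop over a hive list, and a job file supplies the source/destination pairs. It assumes the post's rip.pl wrapper is in the current directory (the RIP environment variable overrides that, which is handy for a dry run with a stand-in command) and that each output file's directory already exists.

```shell
#!/bin/sh
# Added example, not the post's own script: the post's four-hive regripper pass
# generalised into a function, plus a batch driver that reads "MOUNTPOINT OUTPUTFILE"
# pairs from a job list. RIP is assumed to be the rip.pl wrapper from the post.

RIP="${RIP:-./rip.pl}"
# Hive file names to look for under each mount point (matched case-insensitively).
HIVES="ntuser.dat system sam software"

# rip_hives SRC DST: find every hive file under SRC and append rip.pl's output for
# each one to DST. -type f skips directories that share a hive's name; the quoting
# and "IFS= read -r" keep paths with spaces or backslashes intact.
rip_hives() {
    src=$1
    dst=$2
    for hive in $HIVES; do
        echo "Parsing $hive under $src ..."
        find "$src" -type f -iname "$hive" | while IFS= read -r f; do
            "$RIP" -f all -r "$f" >> "$dst" </dev/null
        done
    done
}

# rip_batch JOBFILE: run rip_hives for every "SRC DST" line in JOBFILE.
# Blank lines and lines starting with # are skipped; a line with no DST is reported
# and skipped rather than silently writing somewhere unexpected.
rip_batch() {
    while IFS=' ' read -r src dst; do
        case $src in ''|'#'*) continue ;; esac
        if [ -z "$dst" ]; then
            echo "skipping malformed job line: $src" >&2
            continue
        fi
        rip_hives "$src" "$dst"
    done < "$1"
}

# Usage: ./rip_batch.sh jobs.txt   (one "MOUNTPOINT OUTPUTFILE" pair per line)
if [ "$#" -eq 1 ]; then
    rip_batch "$1"
fi
```

Because each mount point's results still go to their own output file, the per-system files can be fed into the timeline exactly as the single-run script's output is; only the typing goes away.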


Here's hoping someone can use it.

Cheers!

LM
