Andrew Rathbun
What version of RLA were you using?
So maybe `%f` which would put the filename of the DB being parsed into the BaseFilename, kinda like how KAPE works with `%m` and `%d` with Hostname and DateTime?
> does the csv itself contain a source file field? Yes it does.
> @AndrewRathbun have you ever tried this?
> I'll have to give this a go after hours! I'll report back
Alright, sorry for the delay on this. I made a test Batch file, `ROOTtest.reb`, as seen below:

```yaml
Description: ROOT test
Author: Andrew Rathbun
Version: 1
Id: 49ff9762-4dce-413f-928b-786daa8aec5a
Keys:
-...
```
@DFIR-Purim any feedback on the above?
> This does work, but you need to be running it with sudo.
>
> sans@siftworkstation: /cases
> $ sudo dotnet /opt/zimmermantools/net6/SQLECmd/SQLECmd.dll -d /mnt/windows_mount --hunt --csv /cases/sql1
> SQLECmd version...
https://github.com/nccgroup/MetadataPlus/blob/6e658244359e564a5e3ec0837dc47e6afa5d21cd/MetaDataPlus/MetadataPlus.csproj#L11C29-L11C34

This is a .NET 4.7.2 project. It would need to be .NET 6 in order for it to work on other platforms.
Also, more as an FYI, I added some Windows 11 `Windows.db` artifacts here for public consumption. Basically, a snapshot of the artifacts from when I booted Windows, after I did...
Fair enough. Clean installs of Windows 10 and Windows 11 appear to provide an artifact that the parser handles without issue. I am guessing it's the Windows 10 -> Windows...