When I run SBECmd on a Linux system, the output CSV filenames do not contain the usernames as expected. Instead, the files are named using numeric prefixes or just the hive type (0_NTUSER.csv, UsrClass.csv, etc.).
For example, I mounted a Windows image at `/mnt/windows_mount` and ran the following command:

```
truck@siftworkstation:~$ dotnet ./SBECmd.dll -d /mnt/windows_mount --csv ~/sbecmd-output/
SBECmd version 2.1.0.0
truck@siftworkstation:~$ ls -al ~/sbecmd-output/
total 64
drwxrwxr-x 2 truck truck 4096 May 15 14:01 .
drwxr-xr-x 27 truck truck 4096 May 15 14:00 ..
-rw-rw-r-- 1 truck truck 227 May 15 14:01 0_NTUSER.csv
-rw-rw-r-- 1 truck truck 1871 May 15 14:01 0_UsrClass.csv
-rw-rw-r-- 1 truck truck 227 May 15 14:01 1_NTUSER.csv
-rw-rw-r-- 1 truck truck 9110 May 15 14:01 1_UsrClass.csv
-rw-rw-r-- 1 truck truck 5069 May 15 14:01 2_UsrClass.csv
-rw-rw-r-- 1 truck truck 227 May 15 14:01 NTUSER.csv
-rw-rw-r-- 1 truck truck 12325 May 15 14:01 '!SBECmd_Messages.txt'
-rw-rw-r-- 1 truck truck 369 May 15 14:01 UsrClass.csv
```
The `!SBECmd_Messages.txt` file shows that SBECmd correctly identifies different user hives during processing:

```
[14:01:56.432 INF] Finished processing /mnt/windows_mount/Users/Administrator/NTUSER.DAT
[14:01:56.432 INF] Exported to: /home/truck/sbecmd-output/NTUSER.csv
```

Questions:
- Is this the expected behavior on Linux or am I doing something wrong? Should the output filenames include the username (like `Administrator_NTUSER.csv`) if available?
- If this is expected behavior, is there a way to include the source file path (`/mnt/windows_mount/Users/Administrator/NTUSER.DAT`) as a column within each CSV for context?

Thanks in advance.
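
A possible post-processing workaround, added here as an example and not part of the original issue or of SBECmd: it pairs each `Finished processing` line in `!SBECmd_Messages.txt` with the `Exported to:` line that follows it and derives a profile-prefixed CSV name. The function names, the `mount_root` parameter and the last two sample log lines are constructed; it assumes each export line refers to the most recently finished hive, as in the excerpt above.

```python
import re
from pathlib import PurePosixPath

# Line shapes taken from the !SBECmd_Messages.txt excerpt in the issue.
FINISHED = re.compile(r"\] Finished processing (?P<src>.+)$")
EXPORTED = re.compile(r"\] Exported to: (?P<csv>.+)$")

# First two lines are from the issue; the last two are constructed.
SAMPLE_LOG = """\
[14:01:56.432 INF] Finished processing /mnt/windows_mount/Users/Administrator/NTUSER.DAT
[14:01:56.432 INF] Exported to: /home/truck/sbecmd-output/NTUSER.csv
[14:01:57.010 INF] Finished processing /mnt/windows_mount/Users/alice/AppData/Local/Microsoft/Windows/UsrClass.dat
[14:01:57.011 INF] Exported to: /home/truck/sbecmd-output/0_UsrClass.csv
"""

def pair_exports(log_text):
    """Return (source_hive, exported_csv) pairs from the messages log."""
    pairs, last_src = [], None
    for line in log_text.splitlines():
        if m := FINISHED.search(line):
            last_src = m["src"]
        elif (m := EXPORTED.search(line)) and last_src:
            pairs.append((last_src, m["csv"]))
            last_src = None  # one export per finished hive (assumption)
    return pairs

def profile_name(source_hive, mount_root):
    """Profile directory under <mount_root>/Users, or None for other hives."""
    try:
        parts = PurePosixPath(source_hive).relative_to(mount_root).parts
    except ValueError:  # hive is not under the mounted image
        return None
    return parts[1] if len(parts) >= 3 and parts[0].lower() == "users" else None

def plan_renames(pairs, mount_root):
    """Map each exported CSV path to a profile-prefixed path (no files touched)."""
    plan = {}
    for src, csv_path in pairs:
        user = profile_name(src, mount_root)
        out = PurePosixPath(csv_path)
        # Prefix instead of replacing: the existing names are already unique,
        # so the numeric prefix is kept and no two targets can collide.
        plan[csv_path] = str(out.with_name(f"{user}_{out.name}")) if user else csv_path
    return plan

if __name__ == "__main__":
    for old, new in plan_renames(pair_exports(SAMPLE_LOG), "/mnt/windows_mount").items():
        print(f"{old} -> {new}")
```

The same `(source_hive, exported_csv)` pairs give the source path for each CSV, which can be recorded alongside the renamed file for case notes.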