Beispiel #1
0
    def testCollect(self):
        """Tests the Collect function."""
        test_path = self._GetTestFilePath(['NTUSER.DAT'])
        self._SkipIfPathNotExists(test_path)

        registry = dfwinreg_registry.WinRegistry()

        with open(test_path, 'rb') as file_object:
            registry_file = dfwinreg_regf.REGFWinRegistryFile(
                ascii_codepage='cp1252')
            registry_file.Open(file_object)

            key_path_prefix = registry.GetRegistryFileMapping(registry_file)
            registry_file.SetKeyPathPrefix(key_path_prefix)
            registry.MapFile(key_path_prefix, registry_file)

            test_output_writer = test_lib.TestOutputWriter()
            collector_object = programscache.ProgramsCacheCollector(
                output_writer=test_output_writer)

            result = collector_object.Collect(registry)

        self.assertTrue(result)

        test_output_writer.Close()
Beispiel #2
0
def Main():
  """The main program function.

  Returns:
    bool: True if successful or False if not.
  """
  argument_parser = argparse.ArgumentParser(description=(
      'Extracts the program cache from a NTUSER.DAT Registry file.'))

  argument_parser.add_argument(
      '-d', '--debug', dest='debug', action='store_true', default=False,
      help='enable debug output.')

  argument_parser.add_argument(
      'source', nargs='?', action='store', metavar='PATH', default=None,
      help=(
          'path of the volume containing C:\\Windows, the filename of '
          'a storage media image containing the C:\\Windows directory, '
          'or the path of a NTUSER.DAT Registry file.'))

  options = argument_parser.parse_args()

  if not options.source:
    print('Source value is missing.')
    print('')
    argument_parser.print_help()
    print('')
    return False

  logging.basicConfig(
      level=logging.INFO, format='[%(levelname)s] %(message)s')

  output_writer = output_writers.StdoutOutputWriter()

  if not output_writer.Open():
    print('Unable to open output writer.')
    print('')
    return False

  # TODO: add support to select user.
  volume_scanner_mediator = dfvfs_command_line.CLIVolumeScannerMediator()
  registry_collector = collector.WindowsRegistryCollector(
      mediator=volume_scanner_mediator)
  if not registry_collector.ScanForWindowsVolume(options.source):
    print('Unable to retrieve the Windows Registry from: {0:s}.'.format(
        options.source))
    print('')
    return False

  # TODO: map collector to available Registry keys.
  collector_object = programscache.ProgramsCacheCollector(
      debug=options.debug, output_writer=output_writer)

  result = collector_object.Collect(registry_collector.registry)
  if not result:
    print('No Explorer StartPage or StartPage2 keys found.')

  output_writer.Close()

  return True
Beispiel #3
0
    def testCollectEmpty(self):
        """Tests the Collect function on an empty Registry."""
        registry = dfwinreg_registry.WinRegistry()

        test_output_writer = test_lib.TestOutputWriter()
        collector_object = programscache.ProgramsCacheCollector(
            output_writer=test_output_writer)

        result = collector_object.Collect(registry)
        self.assertFalse(result)

        test_output_writer.Close()
Beispiel #4
0
  def testCollect(self):
    """Tests the Collect function."""
    registry_collector = collector.WindowsRegistryCollector()

    test_path = self._GetTestFilePath(['NTUSER.DAT'])
    registry_collector.ScanForWindowsVolume(test_path)

    self.assertIsNotNone(registry_collector.registry)

    test_output_writer = test_lib.TestOutputWriter()
    collector_object = programscache.ProgramsCacheCollector(
        output_writer=test_output_writer)

    result = collector_object.Collect(registry_collector.registry)
    self.assertTrue(result)

    test_output_writer.Close()
def Main():
    """The main program function.

  Returns:
    bool: True if successful or False if not.
  """
    argument_parser = argparse.ArgumentParser(description=(
        'Extracts the program cache from a NTUSER.DAT Registry file.'))

    argument_parser.add_argument('-d',
                                 '--debug',
                                 dest='debug',
                                 action='store_true',
                                 default=False,
                                 help='enable debug output.')

    argument_parser.add_argument(
        'source',
        nargs='?',
        action='store',
        metavar='PATH',
        default=None,
        help=('path of the volume containing C:\\Windows, the filename of '
              'a storage media image containing the C:\\Windows directory, '
              'or the path of a NTUSER.DAT Registry file.'))

    options = argument_parser.parse_args()

    if not options.source:
        print('Source value is missing.')
        print('')
        argument_parser.print_help()
        print('')
        return False

    logging.basicConfig(level=logging.INFO,
                        format='[%(levelname)s] %(message)s')

    # TODO: add support to select user.
    mediator = volume_scanner.WindowsRegistryVolumeScannerMediator()
    scanner = volume_scanner.WindowsRegistryVolumeScanner(mediator=mediator)

    volume_scanner_options = dfvfs_volume_scanner.VolumeScannerOptions()
    volume_scanner_options.partitions = ['all']
    volume_scanner_options.snapshots = ['none']
    volume_scanner_options.volumes = ['none']

    if not scanner.ScanForWindowsVolume(options.source,
                                        options=volume_scanner_options):
        print(
            ('Unable to retrieve the volume with the Windows directory from: '
             '{0:s}.').format(options.source))
        print('')
        return False

    output_writer = output_writers.StdoutOutputWriter()

    if not output_writer.Open():
        print('Unable to open output writer.')
        print('')
        return False

    try:
        collector_object = programscache.ProgramsCacheCollector(
            debug=options.debug, output_writer=output_writer)

        # TODO: change collector to generate ProgramCacheEntry
        has_results = collector_object.Collect(scanner.registry)

    finally:
        output_writer.Close()

    if not has_results:
        print('No program cache entries found.')

    return True