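    def get_USB(self):
        """Enumerate USB storage devices recorded under ``Enum\\USBSTOR``.

        Walks ``ControlSet00N\\Enum\\USBSTOR\\<device>\\<instance>`` in the
        loaded hive (N comes from ``self.__control_set_check``) and returns
        one record per instance key: the instance key's last-written time
        (``TimeZone`` / ``Last Written Time``), the ``Device Name`` (the
        USBSTOR subkey name) and every value stored on the instance key,
        keyed by value name.

        Returns:
            list[dict]: one entry per device instance, or ``-1`` when the
            USBSTOR key cannot be opened (e.g. the hive is not a SYSTEM hive
            or the current control set cannot be resolved).
        """
        try:
            path = "ControlSet00%s\\Enum\\USBSTOR" % self.__control_set_check(
                self.__reg)
            usbstor = self.__reg.open(path)
        except Exception:
            # Narrowed from a bare ``except:`` so KeyboardInterrupt/SystemExit
            # are not swallowed while parsing evidence.
            print("Plz Check the file. This file is ", self.__reg.hive_type())
            return -1

        ret_list = list()
        for device in usbstor.subkeys():
            device_name = device.name()
            # The subkey objects are walked directly; the original re-opened
            # both levels by path string, which resolves to the same keys.
            for instance in device.subkeys():
                written = r_time(instance.timestamp())
                # Key metadata is set once per instance key. The original
                # re-set it for every value and emitted an empty dict for an
                # instance key that had no values at all.
                usb_obj = {
                    "TimeZone": written.strftime("%Z"),
                    "Last Written Time": written.strftime("%Y-%m-%d %H:%M:%S"),
                    "Device Name": device_name,
                }
                for k in instance.values():
                    usb_obj[k.name()] = k.value()
                ret_list.append(usb_obj)
        return ret_list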
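    def find_value(self, key):
        """Dump every value under the registry path ``key`` with the key's timestamp.

        Values whose name contains ``Time`` and whose type is ``REG_BINARY``
        are converted through ``self.__bin_to_int`` and ``c_time`` into a
        ``%Y-%m-%d %H:%M:%S`` string; every other value is returned as the
        registry library yields it.

        Args:
            key: backslash-separated registry path relative to the hive root.

        Returns:
            list[dict]: a single-element list holding ``TimeZone``,
            ``Key Path``, ``Last Written Time`` and one entry per value
            (keyed by value name), or ``-1`` when ``key`` cannot be opened.
        """
        try:
            reg_key = self.__reg.open(key)
        except Exception:
            # Narrowed from a bare ``except:`` (which also caught Ctrl-C).
            print("[-] Plz Check the path or file")
            return -1

        written = r_time(reg_key.timestamp())
        # Key metadata is recorded once up front. The original only set it
        # while handling a non-time value, so a key holding nothing but
        # binary timestamps (or no values) came back without it.
        all_value = {
            "TimeZone": written.strftime("%Z"),
            "Key Path": key,
            "Last Written Time": written.strftime("%Y-%m-%d %H:%M:%S"),
        }

        for val in reg_key.values():
            name = val.name()
            # Plain substring test; the original's re.findall("Time") was
            # truthy under exactly the same condition.
            if "Time" in name and val.value_type() == Registry.RegBin:
                all_value[name] = c_time(self.__bin_to_int(
                    val.value())).strftime("%Y-%m-%d %H:%M:%S")
            else:
                all_value[name] = val.value()

        return [all_value]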
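    def get_recent_docs(self):
        """Return Explorer ``RecentDocs`` entries from the loaded NTUSER hive.

        Every value except the first under
        ``SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs``
        is decoded as UTF-16 and cut at the first NUL, which yields the
        document name stored at the start of the blob.

        Returns:
            list[dict]: ``TimeZone`` and ``Last Written time`` (both from the
            RecentDocs key's own timestamp, not per document), ``name``
            (the value name) and ``data`` (decoded document name) per entry,
            or ``-1`` when the key cannot be opened.
        """
        try:
            # Raw string: the original literal relied on "\M", "\W" etc. not
            # being escape sequences; the value is unchanged.
            recent = self.__reg.open(
                r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs"
            )
        except Exception:
            print("Plz Check the file. This file is ", self.__reg.hive_type())
            return -1

        written = r_time(recent.timestamp())
        tz = written.strftime('%Z')
        stamp = written.strftime('%Y-%m-%d %H:%M:%S')

        ret_list = list()
        for i, v in enumerate(recent.values()):
            if i == 0:
                # Skipped as in the original (presumably the MRU ordering
                # value rather than a document entry — confirm against a hive).
                continue
            # errors="replace": hive contents are untrusted evidence; a
            # truncated or odd-length blob degrades to U+FFFD instead of
            # aborting the whole listing with UnicodeDecodeError.
            data = v.value().decode('utf-16', errors='replace').split('\x00')[0]
            ret_list.append({
                "TimeZone": tz,
                "Last Written time": stamp,
                "name": v.name(),
                "data": data,
            })
        return ret_list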
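    def get_os_info(self):
        """Read OS identification values from ``Microsoft\\Windows NT\\CurrentVersion``.

        Collects ``CurrentVersion``, ``CurrentBuild``, ``InstallDate`` (plus
        a ``TimeZone`` derived from it), ``RegisteredOwner``, ``EditionID``
        and ``ProductName``. A field that is absent from the hive or stored
        as an empty string is reported as ``"N/A"``.

        Returns:
            list[dict]: a single-element list with the seven fields above,
            or ``-1`` when the key cannot be opened (e.g. not a SOFTWARE hive).
        """
        try:
            os_info = self.__reg.open("Microsoft\\Windows NT\\CurrentVersion")
        except Exception:
            # Narrowed from a bare ``except:`` so Ctrl-C is not swallowed.
            print("Plz Check the file. This file is ", self.__reg.hive_type())
            return -1

        copied = ("CurrentVersion", "CurrentBuild", "RegisteredOwner",
                  "EditionID", "ProductName")
        os_dict = dict()
        for v in os_info.values():
            name = v.name()
            if name in copied:
                os_dict[name] = v.value()
            elif name == "InstallDate":
                # InstallDate is treated as epoch seconds: time.gmtime() gives
                # the UTC wall clock, which is turned back into a naive
                # datetime before r_time formats it (same chain as before).
                value_time = datetime.fromtimestamp(
                    mktime(time.gmtime(v.value())))
                os_dict['TimeZone'] = r_time(value_time).strftime("%Z")
                os_dict['InstallDate'] = r_time(value_time).strftime(
                    "%Y-%m-%d %H:%M:%S")

        fields = ("CurrentVersion", "CurrentBuild", "TimeZone", "InstallDate",
                  "RegisteredOwner", "EditionID", "ProductName")
        os_obj = dict()
        for name in fields:
            value = os_dict.get(name)
            # Only a missing key or an empty string collapses to "N/A";
            # other falsy values (e.g. 0) are kept, as in the original.
            os_obj[name] = "N/A" if value is None or value == '' else value

        return [os_obj]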
 def __print_path(self, find_val, reg_key, ktime):
     """Record one search hit and return the accumulated hit list.

     Args:
         find_val: the keyword that matched.
         reg_key: full backslash-separated registry path of the hit.
         ktime: the matching key's timestamp, passed through ``r_time``.

     Returns:
         list[dict]: ``self.__ret_list`` after appending this hit. ``Root Key``
         is the first path component and ``Search Key Path`` the remainder
         re-joined with backslashes.
     """
     root, *rest = reg_key.split("\\")
     when = r_time(ktime)
     hit = {
         "TimeZone": when.strftime("%Z"),
         "Last Written Time": when.strftime("%Y-%m-%d %H:%M:%S"),
         "Search Keyword": find_val,
         "Root Key": root,
         "Search Key Path": "\\".join(rest),
     }
     self.__ret_list.append(hit)
     return self.__ret_list
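 def __print_ms(self, recent, version):
     """Convert an Office MRU key into a list of recent-file records.

     Each value's raw data is decoded as UTF-16 and split at the first
     ``*``: the original kept the second ``*``-separated field, i.e. the
     text after the flags prefix, as the file path.

     Args:
         recent: the opened ``File MRU`` / ``Recent File List`` key.
         version: Office version string (e.g. ``"16.0"``) stamped on each record.

     Returns:
         list[dict]: ``Version``, ``TimeZone``, ``MS Key Last Written time``
         (the key's timestamp, shared by all records) and ``path`` per value.
         Values without a ``*`` separator are skipped instead of raising
         ``IndexError`` as before.
     """
     written = r_time(recent.timestamp())
     tz = written.strftime('%Z')
     stamp = written.strftime('%Y-%m-%d %H:%M:%S')

     ms_list = list()
     for v in recent.values():
         # errors="replace": the hive is untrusted input; a damaged blob must
         # not abort the whole collection with UnicodeDecodeError.
         text = v.raw_data().decode('utf-16', errors='replace')
         _, sep, file_name = text.partition("*")
         if not sep:
             continue
         ms_list.append({
             "Version": version,
             "TimeZone": tz,
             "MS Key Last Written time": stamp,
             # Strip the NUL terminator(s) rather than blindly dropping the
             # last character, which lost a real character when none was there.
             "path": file_name.rstrip("\x00"),
         })
     return ms_list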
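    def get_IE_visit(self):
        """Return Internet Explorer ``TypedURLs`` entries from the loaded NTUSER hive.

        Returns:
            list[dict]: per value ``time`` and ``TimeZone`` (both taken from
            the TypedURLs key's last-written timestamp, not per URL) and
            ``data`` (the stored value as the registry library yields it),
            or ``-1`` when the key cannot be opened.
        """
        try:
            # Raw string; the literal value is unchanged.
            recent = self.__reg.open(
                r"Software\Microsoft\Internet Explorer\TypedURLs")
        except Exception:
            # Narrowed from a bare ``except:`` so KeyboardInterrupt/SystemExit
            # are not swallowed.
            print("Plz Check the file. This file is ", self.__reg.hive_type())
            return -1

        written = r_time(recent.timestamp())
        stamp = written.strftime("%Y-%m-%d %H:%M:%S")
        tz = written.strftime("%Z")
        return [
            {"time": stamp, "TimeZone": tz, "data": v.value()}
            for v in recent.values()
        ]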
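    def user_name(self):
        """List local account names from a SAM hive.

        Each subkey of ``SAM\\Domains\\Account\\Users\\Names`` is one account;
        the record carries the subkey name and that subkey's last-written time.

        Returns:
            list[dict]: ``UserName``, ``TimeZone`` and ``Last Written Time``
            per account, or ``-1`` when the key cannot be opened (the loaded
            hive is not a SAM hive).
        """
        try:
            names = self.__reg.open("SAM\\Domains\\Account\\Users\\Names")
        except Exception:
            # Narrowed from a bare ``except:`` so Ctrl-C is not swallowed.
            print("Plz Check the file. This file is ", self.__reg.hive_type())
            return -1

        ret_list = list()
        for account in names.subkeys():
            written = r_time(account.timestamp())
            ret_list.append({
                'UserName': account.name(),
                'TimeZone': written.strftime("%Z"),
                'Last Written Time': written.strftime("%Y-%m-%d %H:%M:%S"),
            })
        return ret_list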
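    def get_recent_MRU(self):
        """Return Explorer ``RunMRU`` entries (Run-dialog history) from the NTUSER hive.

        Returns:
            list[dict]: per value ``TimeZone`` and ``Last Written time`` (the
            RunMRU key's own timestamp), ``name`` (value name) and ``data``
            (value as the registry library yields it), or ``-1`` when the
            key cannot be opened.
        """
        try:
            # Raw string; the literal value is unchanged.
            recent = self.__reg.open(
                r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU")
        except Exception:
            # Narrowed from a bare ``except:`` so Ctrl-C is not swallowed.
            print("Plz Check the file. This file is ", self.__reg.hive_type())
            return -1

        written = r_time(recent.timestamp())
        tz = written.strftime('%Z')
        stamp = written.strftime('%Y-%m-%d %H:%M:%S')
        return [
            {
                "TimeZone": tz,
                "Last Written time": stamp,
                "name": v.name(),
                "data": v.value(),
            }
            for v in recent.values()
        ]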
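    def __processing(self, reg_list, keyList):
        """Turn tab-separated text lines into dicts keyed by ``keyList``.

        ``reg_list[0]`` and ``reg_list[1]`` are skipped (presumably header
        lines of the source output); each later line is split on tabs and
        paired positionally with the column names in ``keyList``. A column
        whose name contains ``Date`` or ``Time`` is parsed as
        ``%Y-%m-%d %H:%M:%S.%f`` after dropping its final character, then
        re-rendered through ``r_time``, and a ``TimeZone`` key is set
        alongside it. A literal ``"N/A"`` timestamp is copied verbatim.

        Args:
            reg_list: raw text lines; a trailing ``\\n`` is removed from each.
            keyList: column names matched to the tab fields by position.

        Returns:
            list[dict]: one dict per data line.
        """
        ret_list = list()
        for line in reg_list[2:]:
            fields = line.replace('\n', '').split('\t')
            ret_obj = dict()
            # zip() stops at the shorter side instead of raising IndexError
            # when a line carries more tab fields than keyList has names.
            for column, raw in zip(keyList, fields):
                if ("Date" in column or "Time" in column) and raw != "N/A":
                    try:
                        # The final character (a suffix on the timestamps in
                        # the source output, presumably) is dropped first.
                        parsed = datetime.strptime(raw[:-1],
                                                   "%Y-%m-%d %H:%M:%S.%f")
                    except ValueError:
                        # Malformed timestamp in evidence: keep the raw text
                        # so one bad row cannot abort the whole report.
                        ret_obj[column] = raw
                        continue
                    ret_obj["TimeZone"] = r_time(parsed).strftime("%Z")
                    ret_obj[column] = r_time(parsed).strftime("%Y-%m-%d %H:%M:%S")
                else:
                    ret_obj[column] = raw
            ret_list.append(ret_obj)
        return ret_list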
 def __print_hwp(self, recent, version):
     """Build recent-file records from an HWP (Hangul word processor, presumably) MRU key.

     Only ``REG_BINARY`` values are considered; each is decoded as UTF-16
     and truncated at the first NUL to recover the stored path. Values of
     any other type are ignored.

     Args:
         recent: the opened MRU key.
         version: version string stamped on every record.

     Returns:
         list[dict]: ``Version``, ``TimeZone``, ``MS Key Last Written time``
         (the key's own timestamp), ``Name`` (value name) and ``Path`` per
         binary value.
     """
     hwp_list = list()
     for entry in recent.values():
         if entry.value_type() != Registry.RegBin:
             continue
         stored_path = entry.value().decode("utf-16").split("\x00")[0]
         hwp_list.append({
             "Version": version,
             "TimeZone": r_time(recent.timestamp()).strftime('%Z'),
             "MS Key Last Written time":
             r_time(recent.timestamp()).strftime('%Y-%m-%d %H:%M:%S'),
             "Name": entry.name(),
             "Path": stored_path,
         })
     return hwp_list
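    def get_path(self, path, length):
        """List the directory ``path`` on the file system opened via ``open_fs``.

        Appends every partition's start sector from ``self.__vol`` to
        ``self.__partition_list`` and prints that list as a hint, opens the
        file system with ``self.open_fs(length)`` and walks ``path`` with
        TSK, emitting one record per directory entry.

        Args:
            path: directory path inside the file system.
            length: argument forwarded to ``self.open_fs`` (per the printed
                prompt, a partition start sector).

        Returns:
            list[dict]: per entry ``file_name``, ``file_type`` (``FILE``,
            ``DIR`` or the raw TSK type name), ``Type`` (``Delete`` when the
            entry has no metadata, else ``Exist``), ``size`` and timestamps
            (``ctime`` is TSK crtime, ``change time`` is TSK ctime; all
            ``"None"`` for metadata-less entries). ``-1`` when the file
            system or the directory cannot be opened.
        """
        for partition in self.__vol:
            self.__partition_list.append(partition.start)

        print("please input argument partition start sector : ",
              self.__partition_list)
        try:
            fs = self.open_fs(length)
        except Exception:
            print("[-] Plz Check Disk Area")
            # The original fell through here with ``fs`` unbound, hit a
            # NameError below and reported a misleading "not included" error.
            return -1

        type_names = {
            "TSK_FS_NAME_TYPE_REG": "FILE",
            "TSK_FS_NAME_TYPE_DIR": "DIR",
        }

        def fmt(ts):
            # Shared timestamp formatting for the four TSK time fields.
            return r_time(self.__cal_time(ts)).strftime("%Y-%m-%d %H:%M:%S")

        try:
            ret_list = list()
            for entry in fs.open_dir(path):
                raw_type = str(entry.info.name.type)
                file_type = type_names.get(raw_type, raw_type)
                # errors="replace": a non-UTF-8 name on disk (untrusted
                # evidence) must not abort the listing of every other entry.
                file_name = entry.info.name.name.decode(errors="replace")
                meta = entry.info.meta

                if meta is None:
                    f_path_obj = {
                        "file_name": file_name,
                        "file_type": file_type,
                        "Type": "Delete",
                        "size": "None",
                        "TimeZone": "None",
                        "ctime": "None",
                        "mtime": "None",
                        "atime": "None",
                        "change time": "None",
                    }
                else:
                    f_path_obj = {
                        "file_name": file_name,
                        "file_type": file_type,
                        "Type": "Exist",
                        "size": str(meta.size),
                        "TimeZone":
                        r_time(self.__cal_time(meta.crtime)).strftime("%Z"),
                        "ctime": fmt(meta.crtime),
                        "mtime": fmt(meta.mtime),
                        "atime": fmt(meta.atime),
                        "change time": fmt(meta.ctime),
                    }
                ret_list.append(f_path_obj)
            return ret_list

        except Exception:
            # Best-effort, as before: any failure while opening or walking
            # the directory is reported as "no data" and -1.
            print("[-]  This is not included this path or Not data")
            return -1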
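    def get_ms_office(self):
        """Collect Microsoft Office recent-file (MRU) records from the hive.

        Every subkey of ``Software\\Microsoft\\Office`` whose name parses as
        a float is taken as an Office version. For the versions handled the
        following keys are read; a missing key simply contributes nothing:

        * ``11.0``: ``Excel\\Recent Files``, ``PowerPoint\\Recent File List``,
          ``Word\\Recent File List``.
        * ``12.0`` and ``15.0``: ``Outlook\\PST`` (value data, UTF-16) and
          ``<App>\\File MRU`` for Excel, PowerPoint and Word.
        * ``16.0``: ``Outlook\\Search`` (value names) and
          ``<App>\\User MRU\\<LiveId>\\File MRU`` for each LiveId subkey of
          each application.

        Any other version number yields no records.

        Returns:
            list[dict]: concatenated records (File MRU records come from
            ``__print_ms``; Outlook records carry ``Version``, ``TimeZone``,
            ``MS Key Last Written time`` and ``path``), or ``-1`` when the
            Office key cannot be opened.

        Differences from the earlier implementation: the Outlook loop no
        longer shadows the outer version index (``for i, v in enumerate``),
        so the File MRU lookups that followed it use the right version; the
        per-version result list is rebuilt each iteration instead of being
        re-appended for versions that match no branch; for 16.0 each
        application's own ``User MRU`` key is consulted and every LiveId
        subkey is read (previously Word's first LiveId was used for all
        three), and ``Outlook\\Search`` is read once rather than twice.
        """
        try:
            path = "Software\\Microsoft\\Office"
            office = self.__reg.open(path)
        except Exception:
            # Narrowed from a bare ``except:`` so Ctrl-C is not swallowed.
            print("Plz Check the file. This file is ", self.__reg.hive_type())
            return -1

        versions = list()
        for items in office.subkeys():
            try:
                float(items.name())
            except ValueError:
                continue  # not a numeric version subkey
            versions.append(items.name())

        ret_list = list()
        for ver in versions:
            if ver == '11.0':
                ret_list += self.__office_mru_flat(
                    path, ver,
                    ("Excel\\Recent Files", "PowerPoint\\Recent File List",
                     "Word\\Recent File List"),
                    None)
            elif ver in ('12.0', '15.0'):
                ret_list += self.__office_mru_flat(
                    path, ver,
                    ("Excel\\File MRU", "PowerPoint\\File MRU",
                     "Word\\File MRU"),
                    "Outlook\\PST")
            elif ver == '16.0':
                ret_list += self.__office_mru_16(path, ver)
        return ret_list

    def __office_mru_flat(self, path, ver, app_keys, outlook_key):
        """Records for versions whose MRU keys sit directly under ``<ver>\\<App>``.

        When ``outlook_key`` (relative to ``<ver>``) is given it is read
        first, its value data decoded as UTF-16 for ``path``; then each entry
        of ``app_keys`` is formatted through ``__ms_mru``.
        """
        records = list()
        if outlook_key is not None:
            records += self.__outlook_records(
                path + "\\%s\\%s" % (ver, outlook_key), ver, use_name=False)
        for app_key in app_keys:
            records += self.__ms_mru(path + "\\%s\\%s" % (ver, app_key), ver)
        return records

    def __office_mru_16(self, path, ver):
        """Records for 16.0, where ``File MRU`` lives under a per-account LiveId subkey."""
        records = self.__outlook_records(
            path + "\\%s\\Outlook\\Search" % ver, ver, use_name=True)
        for app in ("Excel", "PowerPoint", "Word"):
            user_mru = path + "\\%s\\%s\\User MRU" % (ver, app)
            try:
                live_ids = [sub.name()
                            for sub in self.__reg.open(user_mru).subkeys()]
            except Exception:
                continue  # no User MRU key for this application
            for live_id in live_ids:
                records += self.__ms_mru(
                    user_mru + "\\%s\\File MRU" % live_id, ver)
        return records

    def __ms_mru(self, key_path, ver):
        """Open ``key_path`` and format it via ``__print_ms``; ``[]`` when absent.

        Any failure (missing key, malformed value data) yields ``[]``: the
        collection is deliberately best-effort, as in the original.
        """
        try:
            return self.__print_ms(self.__reg.open(key_path), ver)
        except Exception:
            return []

    def __outlook_records(self, key_path, ver, use_name):
        """Outlook records from ``key_path``; ``[]`` when the key is absent.

        With ``use_name`` the value *name* becomes ``path`` (``Outlook\\Search``);
        otherwise the value's raw data is decoded as UTF-16 and stripped of
        its NUL terminator(s) (``Outlook\\PST``).
        """
        try:
            key = self.__reg.open(key_path)
        except Exception:
            return []
        written = r_time(key.timestamp())
        tz = written.strftime('%Z')
        stamp = written.strftime('%Y-%m-%d %H:%M:%S')
        records = list()
        for v in key.values():
            if use_name:
                entry = v.name()
            else:
                # errors="replace": hive data is untrusted input; a damaged
                # blob must not abort the whole collection.
                entry = v.raw_data().decode(
                    'utf-16', errors='replace').rstrip("\x00")
            records.append({
                "Version": ver,
                "TimeZone": tz,
                "MS Key Last Written time": stamp,
                "path": entry,
            })
        return records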