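def test_ntuser_apply_transaction_logs(transaction_ntuser, transaction_log):
    """Replay one transaction log onto the NTUSER sample hive and pin the recovered deltas.

    Args:
        transaction_ntuser: pytest fixture, the primary hive to recover (presumably a file path).
        transaction_log: pytest fixture, the transaction log to apply to it.

    The restored hive is written into a fresh mkdtemp() directory (owner-only
    permissions) which is removed when the test finishes, including on assertion
    failure, so repeated runs do not leave recovered hives behind on disk.
    """
    import shutil

    temp_dir = mkdtemp()
    try:
        output_path = os.path.join(temp_dir, 'recovered_hive.dat')
        restored_hive_path, recovered_dirty_pages_count = apply_transaction_logs(
            transaction_ntuser, transaction_log, restored_hive_path=output_path)
        assert recovered_dirty_pages_count == 132

        found_differences = compare_hives(transaction_ntuser, restored_hive_path)
        # Each difference's first element is its kind; counts are pinned to the
        # checked-in sample data, so a change here means the replay (or fixture) changed.
        kinds = [difference[0] for difference in found_differences]
        assert len(found_differences) == 588
        assert kinds.count('new_subkey') == 527
        assert kinds.count('new_value') == 60
    finally:
        # Best-effort cleanup: a cleanup error must never mask a real test failure.
        shutil.rmtree(temp_dir, ignore_errors=True)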
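def test_system_apply_transaction_logs(transaction_system, transaction_log_1, transaction_log_2):
    """Replay a primary and a secondary transaction log onto the SYSTEM sample hive.

    Args:
        transaction_system: pytest fixture, the primary hive to recover (presumably a file path).
        transaction_log_1: pytest fixture, passed as primary_log_path.
        transaction_log_2: pytest fixture, passed as secondary_log_path.

    The restored hive goes into a fresh mkdtemp() directory that is removed once
    the test finishes, including on assertion failure.
    """
    import shutil

    temp_dir = mkdtemp()
    try:
        output_path = os.path.join(temp_dir, 'recovered_hive.dat')
        restored_hive_path, recovered_dirty_pages_count = apply_transaction_logs(
            transaction_system,
            primary_log_path=transaction_log_1,
            secondary_log_path=transaction_log_2,
            restored_hive_path=output_path)
        assert recovered_dirty_pages_count == 315

        found_differences = compare_hives(transaction_system, restored_hive_path)
        # Each difference's first element is its kind; counts are pinned to the
        # checked-in sample data, so a change here means the replay (or fixture) changed.
        kinds = [difference[0] for difference in found_differences]
        assert len(found_differences) == 2486
        assert kinds.count('new_subkey') == 2472
        assert kinds.count('new_value') == 13
    finally:
        # Best-effort cleanup: a cleanup error must never mask a real test failure.
        shutil.rmtree(temp_dir, ignore_errors=True)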
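def test_system_apply_transaction_logs_2(transaction_usrclass, usrclass_tr_log_1, usrclass_tr_log_2):
    """Replay two transaction logs onto the UsrClass sample hive and pin the recovered deltas.

    NOTE: despite the "system" in the name, this test exercises the UsrClass
    fixtures; the name is kept so existing test selection keeps working.

    Args:
        transaction_usrclass: pytest fixture, the primary hive to recover (presumably a file path).
        usrclass_tr_log_1: pytest fixture, passed as primary_log_path.
        usrclass_tr_log_2: pytest fixture, passed as secondary_log_path.

    The restored hive goes into a fresh mkdtemp() directory that is removed once
    the test finishes, including on assertion failure.
    """
    import shutil

    temp_dir = mkdtemp()
    try:
        output_path = os.path.join(temp_dir, 'recovered_hive.dat')
        restored_hive_path, recovered_dirty_pages_count = apply_transaction_logs(
            transaction_usrclass,
            primary_log_path=usrclass_tr_log_1,
            secondary_log_path=usrclass_tr_log_2,
            restored_hive_path=output_path)
        assert recovered_dirty_pages_count == 158

        found_differences = compare_hives(transaction_usrclass, restored_hive_path)
        # Each difference's first element is its kind; counts are pinned to the
        # checked-in sample data, so a change here means the replay (or fixture) changed.
        kinds = [difference[0] for difference in found_differences]
        assert len(found_differences) == 73
        assert kinds.count('new_subkey') == 33
        assert kinds.count('new_value') == 40
    finally:
        # Best-effort cleanup: a cleanup error must never mask a real test failure.
        shutil.rmtree(temp_dir, ignore_errors=True)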
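def test_ntuser_apply_transaction_logs(transaction_ntuser, transaction_log):
    """Replay one transaction log onto the NTUSER sample hive and pin the recovered deltas.

    Args:
        transaction_ntuser: pytest fixture, the primary hive to recover (presumably a file path).
        transaction_log: pytest fixture, the transaction log to apply to it.

    The restored hive is written into a fresh mkdtemp() directory (owner-only
    permissions) which is removed when the test finishes, including on assertion
    failure, so repeated runs do not leave recovered hives behind on disk.
    """
    import shutil

    temp_dir = mkdtemp()
    try:
        output_path = os.path.join(temp_dir, 'recovered_hive.dat')
        restored_hive_path, recovered_dirty_pages_count = apply_transaction_logs(
            transaction_ntuser, transaction_log, restored_hive_path=output_path)
        assert recovered_dirty_pages_count == 132

        found_differences = compare_hives(transaction_ntuser, restored_hive_path)
        # Each difference's first element is its kind; counts are pinned to the
        # checked-in sample data, so a change here means the replay (or fixture) changed.
        kinds = [difference[0] for difference in found_differences]
        assert len(found_differences) == 587
        assert kinds.count('new_subkey') == 527
        assert kinds.count('new_value') == 59
    finally:
        # Best-effort cleanup: a cleanup error must never mask a real test failure.
        shutil.rmtree(temp_dir, ignore_errors=True)

    # TODO:
    # Have a REG file of a couple of registry hives, and compare with output of regipy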
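def parse_transaction_log(hive_path, primary_log_path, secondary_log_path, output_path, verbose):
    """Replay transaction log(s) onto a hive and report where the restored hive was written.

    Any CLI decorators belong to the caller and are not part of this block.

    Args:
        hive_path: the primary hive to recover.
        primary_log_path: the transaction log applied first.
        secondary_log_path: optional second log; only forwarded (and logged) when truthy.
        output_path: forwarded to apply_transaction_logs as restored_hive_path.
        verbose: controls the log handlers installed here and is forwarded to
            apply_transaction_logs.

    A summary is printed only when at least one dirty page was recovered; a zero
    count produces no console output.
    """
    with logbook.NestedSetup(_get_log_handlers(verbose=verbose)).applicationbound():
        logger.info(f'Processing hive {hive_path} with transaction log {primary_log_path}')
        if secondary_log_path:
            # Report the secondary log's own path; the old message repeated the primary one,
            # which made the log misleading when the two files differ.
            logger.info(f'Processing hive {hive_path} with secondary transaction log {secondary_log_path}')

        restored_hive_path, recovered_dirty_pages_count = apply_transaction_logs(
            hive_path,
            primary_log_path,
            secondary_log_path=secondary_log_path,
            restored_hive_path=output_path,
            verbose=verbose)

        if recovered_dirty_pages_count:
            click.secho(
                f'Recovered {recovered_dirty_pages_count} dirty pages. Restored hive is at {restored_hive_path}',
                fg='green')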
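def parse_transaction_log(hive_path, primary_log_path, secondary_log_path, output_path, verbose):
    """Replay transaction log(s) onto a hive and report where the restored hive was written.

    Any CLI decorators belong to the caller and are not part of this block.

    Args:
        hive_path: the primary hive to recover.
        primary_log_path: the transaction log applied first.
        secondary_log_path: optional second log; only forwarded (and logged) when truthy.
        output_path: forwarded to apply_transaction_logs as restored_hive_path.
        verbose: passed to _setup_logging and forwarded to apply_transaction_logs.

    A summary is printed only when at least one dirty page was recovered; a zero
    count produces no console output.
    """
    _setup_logging(verbose=verbose)
    logger.info(
        f'Processing hive {hive_path} with transaction log {primary_log_path}')
    if secondary_log_path:
        # Report the secondary log's own path; the old message repeated the primary one,
        # which made the log misleading when the two files differ.
        logger.info(
            f'Processing hive {hive_path} with secondary transaction log {secondary_log_path}'
        )

    restored_hive_path, recovered_dirty_pages_count = apply_transaction_logs(
        hive_path,
        primary_log_path,
        secondary_log_path=secondary_log_path,
        restored_hive_path=output_path,
        verbose=verbose)

    if recovered_dirty_pages_count:
        click.secho(
            f'Recovered {recovered_dirty_pages_count} dirty pages. Restored hive is at {restored_hive_path}',
            fg='green')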