Example #1
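 def init_win_vista_and_above(self):
     """Load every profile's NTUSER.DAT and UsrClass.dat through the shadow copy.

     Walks the subkeys of HKLM ...\\ProfileList, rewrites each
     ProfileImagePath so that the system drive prefix is replaced by the root
     returned by the _VSS instance, and appends a tuple
     (subkey name, NTUSER.DAT root key, UsrClass.dat root key) to
     self.user_hives for each profile whose two hives both open.

     A profile is skipped when either hive raises IOError; the skip is
     logged so the gap is visible in the collection log.
     """
     users = registry_obj.get_registry_key(
         registry_obj.HKEY_LOCAL_MACHINE,
         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList")
     drive = os.path.splitdrive(self.systemroot)[0]
     params = {"logger": self.logger}
     self.vss = _VSS._get_instance(params, drive)
     if users:
         for i in xrange(users.get_number_of_sub_keys()):
             user = users.get_sub_key(i)
             tmp = user.get_value_by_name("ProfileImagePath").get_data()
             vss_root = self.vss._return_root()
             # str.replace is case-sensitive and only matches the system
             # drive: a profile stored on another volume, or written with a
             # differently-cased drive letter, keeps its original path and is
             # then opened outside the snapshot.
             # NOTE(review): confirm that this is acceptable for the evidence.
             profile_dir = tmp.replace(drive, vss_root)
             path = profile_dir + r"\NTUSER.DAT"
             # Single separator before UsrClass.dat: the original raw string
             # ended in "Windows\\UsrClass.dat", i.e. two literal backslashes.
             path_usrclass = (
                 profile_dir + r"\AppData\Local\Microsoft\Windows\UsrClass.dat")
             try:
                 regf_file = registry_obj.RegfFile()
                 regf_file.open(path)
                 regf_file_usrclass = registry_obj.RegfFile()
                 regf_file_usrclass.open(path_usrclass)
                 self.user_hives.append(
                     (user.get_name(), regf_file.get_root_key(),
                      regf_file_usrclass.get_root_key()))
             except IOError as e:
                 # Usually "not a user" (service or system profile), but an
                 # unreadable hive of a real account lands here too, and a
                 # failure on UsrClass.dat also drops the NTUSER.DAT that
                 # already opened. %r keeps the message ASCII-safe for
                 # non-ASCII profile paths.
                 self.logger.warn(
                     "Profile skipped, cannot open %r / %r: %r"
                     % (path, path_usrclass, e))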
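 def __init__(self, params):
     """Initialise the XP file collector and try to obtain a shadow copy.

     self.vss stays None when _VSS._get_instance raises, so any code that
     later uses self.vss has to handle the None case.
     """
     super(WindowsXPFiles, self).__init__(params)
     drive = os.path.splitdrive(self.systemroot)[0]
     self.vss = None
     try:
         self.vss = _VSS._get_instance(params, drive)
     except Exception as e:
         # Best-effort fallback is kept, but the cause is now recorded: the
         # log is the only trace that collection ran without a snapshot.
         # %r keeps the message ASCII-safe whatever the exception carries.
         self.logger.warn("Shadow Copy Erreur: %r" % (e,))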
Example #3
 def csv_registry(self):
     """Record registry hive files into dump_registry.zip under output_dir.

     When the instance has a root_reg attribute, every regular file directly
     inside root_reg is recorded, followed by each NTUSER.DAT matched by
     <userprofile>/*/NTUSER.DAT, re-rooted onto the shadow-copy root for its
     drive. Without root_reg only the archive object is created.

     NOTE(review): if root_reg is a System32\\config directory, the archive
     contains the SAM/SECURITY/SYSTEM hives; treat dump_registry.zip as
     sensitive evidence (access control, encrypted transfer).
     """
     zip_path = os.path.join(self.output_dir, 'dump_registry.zip')
     arch = _Archives(zip_path, self.logger)
     if not hasattr(self, 'root_reg'):
         return

     files_to_zip = []
     for entry in os.listdir(self.root_reg):
         candidate = os.path.join(self.root_reg, entry)
         if os.path.isfile(candidate):
             files_to_zip.append(candidate)

     path_ntuserdat = os.path.join(self.userprofile, '*', 'NTUSER.DAT')
     shadow_hives = []
     for hive in glob.glob(path_ntuserdat):
         if not os.path.isfile(hive):
             continue
         drive, tail = os.path.splitdrive(hive)
         vss_root = _VSS._get_instance(self.params, drive)._return_root()
         # NOTE(review): tail starts with a separator, so os.path.join treats
         # it as rooted; confirm the result keeps the whole shadow-copy root.
         shadow_hives.append(os.path.join(vss_root, tail))
     files_to_zip.extend(shadow_hives)

     # The list is built completely before anything is recorded.
     for f in files_to_zip:
         arch.record(f)
Example #4
 def csv_registry(self):
     """Add the registry hive files to dump_registry.zip in output_dir.

     Nothing is recorded unless the instance defines root_reg. Otherwise the
     regular files found directly in root_reg are recorded first, then every
     NTUSER.DAT matching <userprofile>/*/NTUSER.DAT, each mapped onto the
     root returned by the _VSS instance for its drive.

     NOTE(review): hives taken from a System32\\config directory include
     SAM/SECURITY/SYSTEM; the resulting zip should be handled as sensitive
     evidence.
     """
     arch = _Archives(
         os.path.join(self.output_dir, 'dump_registry.zip'), self.logger)
     if hasattr(self, 'root_reg'):

         def _on_shadow_copy(live_path):
             # Swap the drive part of a live path for the shadow-copy root.
             # NOTE(review): the remainder begins with a separator, which
             # os.path.join treats as rooted; confirm the shadow-copy root
             # survives the join.
             drive, remainder = os.path.splitdrive(live_path)
             root = _VSS._get_instance(self.params, drive)._return_root()
             return os.path.join(root, remainder)

         in_root_reg = [os.path.join(self.root_reg, name)
                        for name in os.listdir(self.root_reg)]
         files_to_zip = [p for p in in_root_reg if os.path.isfile(p)]

         path_ntuserdat = os.path.join(self.userprofile, '*', 'NTUSER.DAT')
         files_to_zip += [_on_shadow_copy(hive)
                          for hive in glob.glob(path_ntuserdat)
                          if os.path.isfile(hive)]

         # Every path is resolved before the first one is recorded.
         for f in files_to_zip:
             arch.record(f)
Example #5
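 def init_win_vista_and_above(self):
     """Open each profile's NTUSER.DAT and UsrClass.dat from the shadow copy.

     Iterates over the subkeys of HKLM ...\\ProfileList. For each one the
     ProfileImagePath value is rewritten so the system drive prefix becomes
     the root returned by the _VSS instance, both hives are opened, and
     (subkey name, NTUSER.DAT root key, UsrClass.dat root key) is appended to
     self.user_hives.

     A profile whose hives raise IOError is skipped and the skip is logged,
     so a missing user is visible in the collection log.
     """
     users = registry_obj.get_registry_key(
         registry_obj.HKEY_LOCAL_MACHINE,
         r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList")
     drive = os.path.splitdrive(self.systemroot)[0]
     params = {"logger": self.logger}
     self.vss = _VSS._get_instance(params, drive)
     if users:
         for i in xrange(users.get_number_of_sub_keys()):
             user = users.get_sub_key(i)
             tmp = user.get_value_by_name("ProfileImagePath").get_data()
             vss_root = self.vss._return_root()
             # Only the system drive string is substituted, case-sensitively;
             # a profile on another volume keeps its original path and is
             # opened outside the snapshot.
             # NOTE(review): confirm that this is intended.
             profile_dir = tmp.replace(drive, vss_root)
             path = profile_dir + r"\NTUSER.DAT"
             # The original raw string ended in "Windows\\UsrClass.dat",
             # which is two literal backslashes; one separator is meant.
             path_usrclass = (
                 profile_dir + r"\AppData\Local\Microsoft\Windows\UsrClass.dat")
             try:
                 regf_file = registry_obj.RegfFile()
                 regf_file.open(path)
                 regf_file_usrclass = registry_obj.RegfFile()
                 regf_file_usrclass.open(path_usrclass)
                 self.user_hives.append(
                     (user.get_name(), regf_file.get_root_key(),
                      regf_file_usrclass.get_root_key()))
             except IOError as e:
                 # Mostly service/system profiles ("not a user"), but a real
                 # account with an unreadable hive ends up here as well, and
                 # a UsrClass.dat failure discards the NTUSER.DAT that did
                 # open. %r avoids encoding errors on non-ASCII paths.
                 self.logger.warn(
                     "Profile skipped, cannot open %r / %r: %r"
                     % (path, path_usrclass, e))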
 def __init__(self, params):
     """Initialise the Server 2008 file collector with a shadow-copy handle.

     The drive is taken from self.systemroot. An exception raised by
     _VSS._get_instance is not caught here and reaches the caller.
     """
     super(Windows2008ServerFiles, self).__init__(params)
     system_drive = os.path.splitdrive(self.systemroot)[0]
     self.vss = _VSS._get_instance(params, system_drive)
 def __init__(self, params):
     """Initialise the Windows 8 file collector with a shadow-copy handle.

     The drive comes from self.systemroot; a failure inside
     _VSS._get_instance propagates to the caller.
     """
     super(Windows8Files, self).__init__(params)
     system_drive = os.path.splitdrive(self.systemroot)[0]
     self.vss = _VSS._get_instance(params, system_drive)
Example #8
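 def __init__(self, params):
     """Initialise the Windows 8 dumper and locate the system hive directory.

     self.root_reg is set to Windows\\System32\\config under the root returned
     by the _VSS instance. That directory holds the SAM, SECURITY, SYSTEM and
     SOFTWARE hives, so whatever is copied from it must be stored and
     transferred as sensitive evidence.
     """
     super(Windows8Dump, self).__init__(params)
     # NOTE(review): no drive argument is passed to _get_instance here, so
     # the volume used depends on its default; confirm it is the system
     # volume.
     vss_root = _VSS._get_instance(params)._return_root()
     # Raw string: same value as before, without relying on "\S" and "\c"
     # being unrecognised escape sequences.
     self.root_reg = os.path.join(vss_root, r'Windows\System32\config')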
Example #9
 def __init__(self, params):
     """Initialise the Windows 8.1 file collector.

     Stores params['USERPROFILE'] as self.userprofile (KeyError if the key is
     absent), then obtains the shadow-copy handle for the drive of
     self.systemroot. Exceptions from _VSS._get_instance are not caught.
     """
     super(Windows8_1Files, self).__init__(params)
     self.userprofile = params['USERPROFILE']
     system_drive = os.path.splitdrive(self.systemroot)[0]
     self.vss = _VSS._get_instance(params, system_drive)