def testCheckKeyPath(self):
"""Tests the _CheckKeyPath function."""
find_spec = registry_searcher.FindSpec(
key_path=u'HKEY_CURRENT_USER\\Software\\Microsoft')
registry_key = fake.FakeWinRegistryKey(
u'Microsoft', key_path=u'HKEY_CURRENT_USER\\Software')
result = find_spec._CheckKeyPath(registry_key, 3)
self.assertTrue(result)
result = find_spec._CheckKeyPath(registry_key, 0)
self.assertTrue(result)
# Test incorrect search depth.
result = find_spec._CheckKeyPath(registry_key, 1)
self.assertFalse(result)
# Test invalid search depth.
result = find_spec._CheckKeyPath(registry_key, -1)
self.assertFalse(result)
result = find_spec._CheckKeyPath(registry_key, 99)
self.assertFalse(result)
# Test find specification with regular expression.
find_spec = registry_searcher.FindSpec(
key_path_regex=[u'HKEY_CURRENT_USER', u'Software', u'Microsoft'])
registry_key = fake.FakeWinRegistryKey(
u'Microsoft', key_path=u'HKEY_CURRENT_USER\\Software')
result = find_spec._CheckKeyPath(registry_key, 3)
self.assertTrue(result)
def testFind(self):
"""Tests the Find function."""
test_path = self._GetTestFilePath(['SYSTEM'])
self._SkipIfPathNotExists(test_path)
win_registry = registry.WinRegistry(
registry_file_reader=test_registry.TestWinRegistryFileReader())
registry_file = win_registry._OpenFile(test_path)
key_path_prefix = win_registry.GetRegistryFileMapping(registry_file)
win_registry.MapFile(key_path_prefix, registry_file)
searcher = registry_searcher.WinRegistrySearcher(win_registry)
find_spec = registry_searcher.FindSpec(
key_path='HKEY_LOCAL_MACHINE\\System\\ControlSet001')
expected_key_paths = ['HKEY_LOCAL_MACHINE\\System\\ControlSet001']
key_paths = list(searcher.Find(find_specs=[find_spec]))
self.assertEqual(key_paths, expected_key_paths)
find_spec = registry_searcher.FindSpec(
key_path_glob='HKEY_LOCAL_MACHINE\\System\\ControlSet001\\*')
expected_key_paths = [
'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Control',
'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Enum',
'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Hardware Profiles',
'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Policies',
'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services'
]
key_paths = list(searcher.Find(find_specs=[find_spec]))
self.assertEqual(key_paths, expected_key_paths)
find_spec = registry_searcher.FindSpec(key_path_regex=[
'HKEY_LOCAL_MACHINE', 'System', 'ControlSet001', '.*'
])
expected_key_paths = [
'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Control',
'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Enum',
'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Hardware Profiles',
'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Policies',
'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services'
]
key_paths = list(searcher.Find(find_specs=[find_spec]))
self.assertEqual(key_paths, expected_key_paths)
# Test without find specifications.
key_paths = list(searcher.Find())
self.assertEqual(len(key_paths), 31351)
def _BuildFindSpecsFromRegistrySourceKey(self, key_path):
"""Build find specifications from a Windows Registry source type.
Args:
key_path (str): Windows Registry key path defined by the source.
Returns:
list[dfwinreg.FindSpec]: find specifications for the Windows Registry
source type.
"""
find_specs = []
for key_path_glob in path_helper.PathHelper.ExpandRecursiveGlobs(
key_path, '\\'):
logger.debug('building find spec from key path glob: {0:s}'.format(
key_path_glob))
key_path_glob_upper = key_path_glob.upper()
if key_path_glob_upper.startswith('HKEY_USERS\\%%USERS.SID%%'):
key_path_glob = 'HKEY_CURRENT_USER{0:s}'.format(
key_path_glob[26:])
find_spec = registry_searcher.FindSpec(key_path_glob=key_path_glob)
find_specs.append(find_spec)
return find_specs
def _BuildFindSpecsFromRegistrySourceKey(self, key_path):
"""Build find specifications from a Windows Registry source type.
Args:
key_path (str): Windows Registry key path defined by the source.
Returns:
list[dfwinreg.FindSpec]: find specifications for the Windows Registry
source type.
"""
find_specs = []
for key_path_glob in path_helper.PathHelper.ExpandGlobStars(
key_path, '\\'):
logger.debug('building find spec from key path glob: {0:s}'.format(
key_path_glob))
key_path_glob_upper = key_path_glob.upper()
if key_path_glob_upper.startswith(
'HKEY_LOCAL_MACHINE\\SYSTEM\\CURRENTCONTROLSET'):
# Rewrite CurrentControlSet to ControlSet* for Windows NT.
key_path_glob = 'HKEY_LOCAL_MACHINE\\System\\ControlSet*{0:s}'.format(
key_path_glob[43:])
elif key_path_glob_upper.startswith('HKEY_USERS\\%%USERS.SID%%'):
key_path_glob = 'HKEY_CURRENT_USER{0:s}'.format(
key_path_glob[26:])
find_spec = registry_searcher.FindSpec(key_path_glob=key_path_glob)
find_specs.append(find_spec)
return find_specs
def testAtMaximumDepth(self):
"""Tests the AtMaximumDepth function."""
find_spec = registry_searcher.FindSpec(
key_path='HKEY_CURRENT_USER\\Software\\Microsoft')
result = find_spec.AtMaximumDepth(1)
self.assertFalse(result)
result = find_spec.AtMaximumDepth(5)
self.assertTrue(result)
def testFind(self):
"""Tests the Find function."""
win_registry = registry.WinRegistry(
registry_file_reader=test_registry.TestWinRegistryFileReader())
test_path = self._GetTestFilePath([u'SYSTEM'])
registry_file = win_registry._OpenFile(test_path)
key_path_prefix = win_registry.GetRegistryFileMapping(registry_file)
win_registry.MapFile(key_path_prefix, registry_file)
searcher = registry_searcher.WinRegistrySearcher(win_registry)
find_spec = registry_searcher.FindSpec(
key_path=u'HKEY_LOCAL_MACHINE\\System\\ControlSet001')
expected_key_paths = [u'HKEY_LOCAL_MACHINE\\System\\ControlSet001']
key_paths = list(searcher.Find(find_specs=[find_spec]))
self.assertEqual(key_paths, expected_key_paths)
find_spec = registry_searcher.FindSpec(
key_path_glob=u'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\*')
expected_key_paths = [
u'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Control',
u'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Enum',
u'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Hardware Profiles',
u'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services']
key_paths = list(searcher.Find(find_specs=[find_spec]))
self.assertEqual(key_paths, expected_key_paths)
find_spec = registry_searcher.FindSpec(
key_path_regex=[
u'HKEY_LOCAL_MACHINE', u'System', u'ControlSet001', u'.*'])
expected_key_paths = [
u'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Control',
u'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Enum',
u'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Hardware Profiles',
u'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services']
key_paths = list(searcher.Find(find_specs=[find_spec]))
self.assertEqual(key_paths, expected_key_paths)
def Collect(self, knowledge_base, artifact_definition, searcher):
"""Collects values using a Windows Registry value artifact definition.
Args:
knowledge_base (KnowledgeBase): to fill with preprocessing information.
artifact_definition (artifacts.ArtifactDefinition): artifact definition.
searcher (dfwinreg.WinRegistrySearcher): Windows Registry searcher to
preprocess the Windows Registry.
Raises:
PreProcessFail: if the Windows Registry key or value cannnot be read.
"""
for source in artifact_definition.sources:
if source.type_indicator not in (
artifact_definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY,
artifact_definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE
):
continue
if source.type_indicator == (
artifact_definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY):
key_value_pairs = [{u'key': key} for key in source.keys]
else:
key_value_pairs = source.key_value_pairs
for key_value_pair in key_value_pairs:
key_path = key_value_pair[u'key']
# The artifact definitions currently incorrectly define
# CurrentControlSet so we correct it here for now.
# Also see: https://github.com/ForensicArtifacts/artifacts/issues/120
key_path_upper = key_path.upper()
if key_path_upper.startswith(u'%%CURRENT_CONTROL_SET%%'):
key_path = u'{0:s}{1:s}'.format(
u'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet',
key_path[23:])
find_spec = registry_searcher.FindSpec(key_path_glob=key_path)
for key_path in searcher.Find(find_specs=[find_spec]):
try:
registry_key = searcher.GetKeyByPath(key_path)
except IOError as exception:
raise errors.PreProcessFail((
u'Unable to retrieve Windows Registry key: {0:s} with error: '
u'{1:s}').format(key_path, exception))
if registry_key:
value_name = key_value_pair.get(u'value', None)
if self._ParseKey(knowledge_base, registry_key,
value_name):
return True
def testMatches(self):
"""Tests the Matches function."""
find_spec = registry_searcher.FindSpec(
key_path=u'HKEY_CURRENT_USER\\Software\\Microsoft')
registry_key = fake.FakeWinRegistryKey(
u'Microsoft', key_path=u'HKEY_CURRENT_USER\\Software')
result = find_spec.Matches(registry_key, 3)
self.assertEqual(result, (True, True))
result = find_spec.Matches(registry_key, 1)
self.assertEqual(result, (False, False))
result = find_spec.Matches(registry_key, 0)
self.assertEqual(result, (False, True))
def _BuildFindSpecsFromRegistrySourceKey(self, key_path):
"""Build find specifications from a Windows Registry source type.
Args:
key_path (str): Windows Registry key path defined by the source.
Returns:
list[dfwinreg.FindSpec]: find specifications for the Windows Registry
source type.
"""
find_specs = []
for key_path_glob in path_helper.PathHelper.ExpandRecursiveGlobs(
key_path, '\\'):
if '%%' in key_path_glob:
logger.error('Unable to expand key path: "{0:s}"'.format(key_path_glob))
continue
find_spec = registry_searcher.FindSpec(key_path_glob=key_path_glob)
find_specs.append(find_spec)
return find_specs
def testMatches(self):
"""Tests the Matches function."""
find_spec = registry_searcher.FindSpec(
key_path='HKEY_CURRENT_USER\\Software\\Microsoft')
registry_key = fake.FakeWinRegistryKey(
'Microsoft', key_path='HKEY_CURRENT_USER\\Software')
result = find_spec.Matches(registry_key, 3)
self.assertEqual(result, (True, True))
result = find_spec.Matches(registry_key, 1)
self.assertEqual(result, (False, False))
result = find_spec.Matches(registry_key, 0)
self.assertEqual(result, (False, True))
# Test find specification without key_path_segments.
find_spec._key_path_segments = None
result = find_spec.Matches(registry_key, 3)
self.assertEqual(result, (True, None))
def testInitialize(self):
"""Tests the __init__ function."""
find_spec = registry_searcher.FindSpec()
self.assertIsNotNone(find_spec)
find_spec = registry_searcher.FindSpec(
key_path='HKEY_CURRENT_USER\\Software\\Microsoft')
self.assertIsNotNone(find_spec)
find_spec = registry_searcher.FindSpec(
key_path=['HKEY_CURRENT_USER', 'Software', 'Microsoft'])
self.assertIsNotNone(find_spec)
find_spec = registry_searcher.FindSpec(
key_path_glob='HKEY_CURRENT_USER\\*\\Microsoft')
self.assertIsNotNone(find_spec)
find_spec = registry_searcher.FindSpec(
key_path_glob=['HKEY_CURRENT_USER', '*', 'Microsoft'])
self.assertIsNotNone(find_spec)
find_spec = registry_searcher.FindSpec(
key_path_regex='HKEY_CURRENT_USER\\.*\\Microsoft')
self.assertIsNotNone(find_spec)
find_spec = registry_searcher.FindSpec(
key_path_regex=['HKEY_CURRENT_USER', '.*', 'Microsoft'])
self.assertIsNotNone(find_spec)
with self.assertRaises(TypeError):
registry_searcher.FindSpec(key_path=('bogus', 0))
with self.assertRaises(TypeError):
registry_searcher.FindSpec(key_path_glob=('bogus', 0))
with self.assertRaises(TypeError):
registry_searcher.FindSpec(key_path_regex=('bogus', 0))
with self.assertRaises(ValueError):
registry_searcher.FindSpec(
key_path='HKEY_CURRENT_USER\\Software\\Microsoft',
key_path_glob='HKEY_CURRENT_USER\\*\\Microsoft')
