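def get_typed_urls(self):
    """
    /!\\ Only urls directly typed

    Read the Internet Explorer ``TypedURLs`` key of every user hive in
    ``self.config.users_hives`` and pair each url with the ``TypedURLsTime``
    value of the same name (``url1`` <-> ``url1``, ...).

    Returns:
        A list with one dict per user whose keys could be read:
        ``{'User': ..., 'Last Write Time': <of the TypedURLs key>,
        'Urls': [{'Url': ..., 'Time': ...}, ...]}``. Urls keep the order of
        the TypedURLs values; a url without a matching time value is left out.
        Users whose keys are missing or unreadable are skipped.
    """
    #TODO: convert time into human readable dates (TypedURLsTime data is
    # left as stored in the hive; presumably a binary FILETIME - confirm)
    typed_urls_list = []
    for (user, hive) in self.config.users_hives:
        try:
            urls = registry.get_registry_subkeys(hive, "Software\\Microsoft\\Internet Explorer\\TypedURLs")
            times = registry.get_registry_subkeys(hive, "Software\\Microsoft\\Internet Explorer\\TypedURLsTime")
            # Index the timestamps by value name once, instead of rescanning
            # every time value for every url (value names are unique in a key).
            time_by_name = {time_value['Name']: time_value['Value'] for time_value in times[0]['Values']}
            urls_list = [
                {'Url': url['Value'], 'Time': time_by_name[url['Name']]}
                for url in urls[0]['Values']
                if url['Name'] in time_by_name
            ]
            typed_urls_list.append({'User': user, 'Last Write Time': urls[0]['Last Write Time'], 'Urls': urls_list})
        except Exception:
            # Best effort: a user without IE history (missing key -> empty
            # result / lookup failure) must not abort the other users.
            # ``Exception`` instead of a bare ``except`` so KeyboardInterrupt
            # and SystemExit are no longer swallowed.
            pass
    return typed_urls_list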
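def get_startup_list(self):
    """
    Collect the autostart (persistence) entries of the SOFTWARE hive.

    Returns:
        A flat list concatenating what ``registry.get_registry_subkeys``
        returns for each of the Run*/Winlogon keys listed below, in that
        order. Keys that are absent or unreadable are skipped.
    """
    startup_list = []
    for key_name in ["Microsoft\\Windows\\CurrentVersion\\Run",
                     "Microsoft\\Windows\\CurrentVersion\\RunOnce",
                     "Microsoft\\Windows\\CurrentVersion\\RunOnceEx",
                     "Microsoft\\Windows\\CurrentVersion\\RunServices",
                     "Microsoft\\Windows\\CurrentVersion\\RunServicesOnce",
                     "Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit",
                     "Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify",
                     "Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell"]:
        try:
            # Extend directly: the intermediate key_list plus the copy loop of
            # the previous version added nothing.
            startup_list += registry.get_registry_subkeys(self.software_hive, key_name)
        except Exception:
            # Missing/unreadable key: skip it and keep the other entries.
            # ``Exception`` rather than a bare ``except`` so interrupts propagate.
            pass
    return startup_list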
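def find_mounteddevices_info(config, serial_number):
    """
    Parse the SYSTEM\\MountedDevices registry key looking for informations
    corresponding to the USB device with the given serial number.

    Every value of MountedDevices is scanned; its data is compared with
    ``serial_number`` after the NUL characters have been stripped (the data
    appears to be wide-char text - TODO confirm on other hives). A matching
    value named ``\\DosDevices\\X:`` gives the drive letter, a matching value
    whose name contains ``Volume`` gives the volume GUID. Values whose data
    does not contain the serial number are ignored: the previous version
    took the GUID from *any* non-matching value, i.e. from an unrelated
    device.

    Arguments:
        config: The Configuration object for the analyzed disk.
        serial_number: The serial number of the device to look for.
    Return:
        A list ``[drive, guid]`` when both were found. Otherwise a list of
        two placeholder strings ("... couldn't be found :(") rather than
        None, so callers can always index the result.
    """
    drive = None
    device_guid = None
    for subkey in registry.get_registry_subkeys(config.system_hive, "MountedDevices")[0]['Values']:
        subkey_value = "".join(c for c in subkey['Value'] if c != '\x00')
        if serial_number not in subkey_value:
            continue
        if "DosDevices" in subkey['Name']:
            drive = subkey['Name'].split("\\")[-1]
        else:
            # Presumably a ``\??\Volume{...}`` name; keep the ``{...}`` part.
            device_guid = subkey['Name'].split("Volume")[-1]
        if drive and device_guid:
            break
    if drive and device_guid:
        return [drive, device_guid]
    return ["Drive couldn't be found :(", "GUID couldn't be found :("]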
def get_registered_applications(self):
    """
    Return the ``RegisteredApplications`` subkeys of the SOFTWARE hive.

    Thin wrapper: the result is exactly what ``registry.get_registry_subkeys``
    yields for ``self.software_hive`` and the key name below.
    """
    registered = registry.get_registry_subkeys(self.software_hive, "RegisteredApplications")
    return registered