def testCheckKeyPath(self): """Tests the _CheckKeyPath function.""" find_spec = registry_searcher.FindSpec( key_path=u'HKEY_CURRENT_USER\\Software\\Microsoft') registry_key = fake.FakeWinRegistryKey( u'Microsoft', key_path=u'HKEY_CURRENT_USER\\Software') result = find_spec._CheckKeyPath(registry_key, 3) self.assertTrue(result) result = find_spec._CheckKeyPath(registry_key, 0) self.assertTrue(result) # Test incorrect search depth. result = find_spec._CheckKeyPath(registry_key, 1) self.assertFalse(result) # Test invalid search depth. result = find_spec._CheckKeyPath(registry_key, -1) self.assertFalse(result) result = find_spec._CheckKeyPath(registry_key, 99) self.assertFalse(result) # Test find specification with regular expression. find_spec = registry_searcher.FindSpec( key_path_regex=[u'HKEY_CURRENT_USER', u'Software', u'Microsoft']) registry_key = fake.FakeWinRegistryKey( u'Microsoft', key_path=u'HKEY_CURRENT_USER\\Software') result = find_spec._CheckKeyPath(registry_key, 3) self.assertTrue(result)
def testFind(self): """Tests the Find function.""" test_path = self._GetTestFilePath(['SYSTEM']) self._SkipIfPathNotExists(test_path) win_registry = registry.WinRegistry( registry_file_reader=test_registry.TestWinRegistryFileReader()) registry_file = win_registry._OpenFile(test_path) key_path_prefix = win_registry.GetRegistryFileMapping(registry_file) win_registry.MapFile(key_path_prefix, registry_file) searcher = registry_searcher.WinRegistrySearcher(win_registry) find_spec = registry_searcher.FindSpec( key_path='HKEY_LOCAL_MACHINE\\System\\ControlSet001') expected_key_paths = ['HKEY_LOCAL_MACHINE\\System\\ControlSet001'] key_paths = list(searcher.Find(find_specs=[find_spec])) self.assertEqual(key_paths, expected_key_paths) find_spec = registry_searcher.FindSpec( key_path_glob='HKEY_LOCAL_MACHINE\\System\\ControlSet001\\*') expected_key_paths = [ 'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Control', 'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Enum', 'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Hardware Profiles', 'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Policies', 'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services' ] key_paths = list(searcher.Find(find_specs=[find_spec])) self.assertEqual(key_paths, expected_key_paths) find_spec = registry_searcher.FindSpec(key_path_regex=[ 'HKEY_LOCAL_MACHINE', 'System', 'ControlSet001', '.*' ]) expected_key_paths = [ 'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Control', 'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Enum', 'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Hardware Profiles', 'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Policies', 'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services' ] key_paths = list(searcher.Find(find_specs=[find_spec])) self.assertEqual(key_paths, expected_key_paths) # Test without find specifications. key_paths = list(searcher.Find()) self.assertEqual(len(key_paths), 31351)
def _BuildFindSpecsFromRegistrySourceKey(self, key_path): """Build find specifications from a Windows Registry source type. Args: key_path (str): Windows Registry key path defined by the source. Returns: list[dfwinreg.FindSpec]: find specifications for the Windows Registry source type. """ find_specs = [] for key_path_glob in path_helper.PathHelper.ExpandRecursiveGlobs( key_path, '\\'): logger.debug('building find spec from key path glob: {0:s}'.format( key_path_glob)) key_path_glob_upper = key_path_glob.upper() if key_path_glob_upper.startswith('HKEY_USERS\\%%USERS.SID%%'): key_path_glob = 'HKEY_CURRENT_USER{0:s}'.format( key_path_glob[26:]) find_spec = registry_searcher.FindSpec(key_path_glob=key_path_glob) find_specs.append(find_spec) return find_specs
def _BuildFindSpecsFromRegistrySourceKey(self, key_path): """Build find specifications from a Windows Registry source type. Args: key_path (str): Windows Registry key path defined by the source. Returns: list[dfwinreg.FindSpec]: find specifications for the Windows Registry source type. """ find_specs = [] for key_path_glob in path_helper.PathHelper.ExpandGlobStars( key_path, '\\'): logger.debug('building find spec from key path glob: {0:s}'.format( key_path_glob)) key_path_glob_upper = key_path_glob.upper() if key_path_glob_upper.startswith( 'HKEY_LOCAL_MACHINE\\SYSTEM\\CURRENTCONTROLSET'): # Rewrite CurrentControlSet to ControlSet* for Windows NT. key_path_glob = 'HKEY_LOCAL_MACHINE\\System\\ControlSet*{0:s}'.format( key_path_glob[43:]) elif key_path_glob_upper.startswith('HKEY_USERS\\%%USERS.SID%%'): key_path_glob = 'HKEY_CURRENT_USER{0:s}'.format( key_path_glob[26:]) find_spec = registry_searcher.FindSpec(key_path_glob=key_path_glob) find_specs.append(find_spec) return find_specs
def testAtMaximumDepth(self): """Tests the AtMaximumDepth function.""" find_spec = registry_searcher.FindSpec( key_path='HKEY_CURRENT_USER\\Software\\Microsoft') result = find_spec.AtMaximumDepth(1) self.assertFalse(result) result = find_spec.AtMaximumDepth(5) self.assertTrue(result)
def testFind(self): """Tests the Find function.""" win_registry = registry.WinRegistry( registry_file_reader=test_registry.TestWinRegistryFileReader()) test_path = self._GetTestFilePath([u'SYSTEM']) registry_file = win_registry._OpenFile(test_path) key_path_prefix = win_registry.GetRegistryFileMapping(registry_file) win_registry.MapFile(key_path_prefix, registry_file) searcher = registry_searcher.WinRegistrySearcher(win_registry) find_spec = registry_searcher.FindSpec( key_path=u'HKEY_LOCAL_MACHINE\\System\\ControlSet001') expected_key_paths = [u'HKEY_LOCAL_MACHINE\\System\\ControlSet001'] key_paths = list(searcher.Find(find_specs=[find_spec])) self.assertEqual(key_paths, expected_key_paths) find_spec = registry_searcher.FindSpec( key_path_glob=u'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\*') expected_key_paths = [ u'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Control', u'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Enum', u'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Hardware Profiles', u'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services'] key_paths = list(searcher.Find(find_specs=[find_spec])) self.assertEqual(key_paths, expected_key_paths) find_spec = registry_searcher.FindSpec( key_path_regex=[ u'HKEY_LOCAL_MACHINE', u'System', u'ControlSet001', u'.*']) expected_key_paths = [ u'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Control', u'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Enum', u'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Hardware Profiles', u'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services'] key_paths = list(searcher.Find(find_specs=[find_spec])) self.assertEqual(key_paths, expected_key_paths)
def Collect(self, knowledge_base, artifact_definition, searcher): """Collects values using a Windows Registry value artifact definition. Args: knowledge_base (KnowledgeBase): to fill with preprocessing information. artifact_definition (artifacts.ArtifactDefinition): artifact definition. searcher (dfwinreg.WinRegistrySearcher): Windows Registry searcher to preprocess the Windows Registry. Raises: PreProcessFail: if the Windows Registry key or value cannnot be read. """ for source in artifact_definition.sources: if source.type_indicator not in ( artifact_definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY, artifact_definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_VALUE ): continue if source.type_indicator == ( artifact_definitions.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY): key_value_pairs = [{u'key': key} for key in source.keys] else: key_value_pairs = source.key_value_pairs for key_value_pair in key_value_pairs: key_path = key_value_pair[u'key'] # The artifact definitions currently incorrectly define # CurrentControlSet so we correct it here for now. # Also see: https://github.com/ForensicArtifacts/artifacts/issues/120 key_path_upper = key_path.upper() if key_path_upper.startswith(u'%%CURRENT_CONTROL_SET%%'): key_path = u'{0:s}{1:s}'.format( u'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet', key_path[23:]) find_spec = registry_searcher.FindSpec(key_path_glob=key_path) for key_path in searcher.Find(find_specs=[find_spec]): try: registry_key = searcher.GetKeyByPath(key_path) except IOError as exception: raise errors.PreProcessFail(( u'Unable to retrieve Windows Registry key: {0:s} with error: ' u'{1:s}').format(key_path, exception)) if registry_key: value_name = key_value_pair.get(u'value', None) if self._ParseKey(knowledge_base, registry_key, value_name): return True
def testMatches(self): """Tests the Matches function.""" find_spec = registry_searcher.FindSpec( key_path=u'HKEY_CURRENT_USER\\Software\\Microsoft') registry_key = fake.FakeWinRegistryKey( u'Microsoft', key_path=u'HKEY_CURRENT_USER\\Software') result = find_spec.Matches(registry_key, 3) self.assertEqual(result, (True, True)) result = find_spec.Matches(registry_key, 1) self.assertEqual(result, (False, False)) result = find_spec.Matches(registry_key, 0) self.assertEqual(result, (False, True))
def _BuildFindSpecsFromRegistrySourceKey(self, key_path): """Build find specifications from a Windows Registry source type. Args: key_path (str): Windows Registry key path defined by the source. Returns: list[dfwinreg.FindSpec]: find specifications for the Windows Registry source type. """ find_specs = [] for key_path_glob in path_helper.PathHelper.ExpandRecursiveGlobs( key_path, '\\'): if '%%' in key_path_glob: logger.error('Unable to expand key path: "{0:s}"'.format(key_path_glob)) continue find_spec = registry_searcher.FindSpec(key_path_glob=key_path_glob) find_specs.append(find_spec) return find_specs
def testMatches(self): """Tests the Matches function.""" find_spec = registry_searcher.FindSpec( key_path='HKEY_CURRENT_USER\\Software\\Microsoft') registry_key = fake.FakeWinRegistryKey( 'Microsoft', key_path='HKEY_CURRENT_USER\\Software') result = find_spec.Matches(registry_key, 3) self.assertEqual(result, (True, True)) result = find_spec.Matches(registry_key, 1) self.assertEqual(result, (False, False)) result = find_spec.Matches(registry_key, 0) self.assertEqual(result, (False, True)) # Test find specification without key_path_segments. find_spec._key_path_segments = None result = find_spec.Matches(registry_key, 3) self.assertEqual(result, (True, None))
def testInitialize(self): """Tests the __init__ function.""" find_spec = registry_searcher.FindSpec() self.assertIsNotNone(find_spec) find_spec = registry_searcher.FindSpec( key_path='HKEY_CURRENT_USER\\Software\\Microsoft') self.assertIsNotNone(find_spec) find_spec = registry_searcher.FindSpec( key_path=['HKEY_CURRENT_USER', 'Software', 'Microsoft']) self.assertIsNotNone(find_spec) find_spec = registry_searcher.FindSpec( key_path_glob='HKEY_CURRENT_USER\\*\\Microsoft') self.assertIsNotNone(find_spec) find_spec = registry_searcher.FindSpec( key_path_glob=['HKEY_CURRENT_USER', '*', 'Microsoft']) self.assertIsNotNone(find_spec) find_spec = registry_searcher.FindSpec( key_path_regex='HKEY_CURRENT_USER\\.*\\Microsoft') self.assertIsNotNone(find_spec) find_spec = registry_searcher.FindSpec( key_path_regex=['HKEY_CURRENT_USER', '.*', 'Microsoft']) self.assertIsNotNone(find_spec) with self.assertRaises(TypeError): registry_searcher.FindSpec(key_path=('bogus', 0)) with self.assertRaises(TypeError): registry_searcher.FindSpec(key_path_glob=('bogus', 0)) with self.assertRaises(TypeError): registry_searcher.FindSpec(key_path_regex=('bogus', 0)) with self.assertRaises(ValueError): registry_searcher.FindSpec( key_path='HKEY_CURRENT_USER\\Software\\Microsoft', key_path_glob='HKEY_CURRENT_USER\\*\\Microsoft')