def Main(): """The main program function. Returns: bool: True if successful or False if not. """ argument_parser = argparse.ArgumentParser(description=( 'Extracts the program cache from a NTUSER.DAT Registry file.')) argument_parser.add_argument( '-d', '--debug', dest='debug', action='store_true', default=False, help='enable debug output.') argument_parser.add_argument( 'source', nargs='?', action='store', metavar='PATH', default=None, help=( 'path of the volume containing C:\\Windows, the filename of ' 'a storage media image containing the C:\\Windows directory, ' 'or the path of a NTUSER.DAT Registry file.')) options = argument_parser.parse_args() if not options.source: print('Source value is missing.') print('') argument_parser.print_help() print('') return False logging.basicConfig( level=logging.INFO, format='[%(levelname)s] %(message)s') output_writer = output_writers.StdoutOutputWriter() if not output_writer.Open(): print('Unable to open output writer.') print('') return False # TODO: add support to select user. volume_scanner_mediator = dfvfs_command_line.CLIVolumeScannerMediator() registry_collector = collector.WindowsRegistryCollector( mediator=volume_scanner_mediator) if not registry_collector.ScanForWindowsVolume(options.source): print('Unable to retrieve the Windows Registry from: {0:s}.'.format( options.source)) print('') return False # TODO: map collector to available Registry keys. collector_object = programscache.ProgramsCacheCollector( debug=options.debug, output_writer=output_writer) result = collector_object.Collect(registry_collector.registry) if not result: print('No Explorer StartPage or StartPage2 keys found.') output_writer.Close() return True
def testOpenClose(self): """Tests the Open and Close functions.""" test_output_writer = output_writers.StdoutOutputWriter() result = test_output_writer.Open() self.assertTrue(result) test_output_writer.Close()
def testFormatDataInHexadecimal(self): """Tests the _FormatDataInHexadecimal function.""" test_output_writer = output_writers.StdoutOutputWriter() data = b'\x00\x01\x02\x03\x04\x05\x06' expected_formatted_data = ( '0x00000000 00 01 02 03 04 05 06 ' '.......\n' '\n') formatted_data = test_output_writer._FormatDataInHexadecimal(data) self.assertEqual(formatted_data, expected_formatted_data) data = b'\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09' expected_formatted_data = ( '0x00000000 00 01 02 03 04 05 06 07 08 09 ' '..........\n' '\n') formatted_data = test_output_writer._FormatDataInHexadecimal(data) self.assertEqual(formatted_data, expected_formatted_data) data = b'\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f' expected_formatted_data = ( '0x00000000 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f ' '................\n' '\n') formatted_data = test_output_writer._FormatDataInHexadecimal(data) self.assertEqual(formatted_data, expected_formatted_data) data = ( b'\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f' b'\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f' b'\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f' ) expected_formatted_data = ( '0x00000000 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f ' '................\n' '...\n' '0x00000020 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f ' '................\n' '\n') formatted_data = test_output_writer._FormatDataInHexadecimal(data) self.assertEqual(formatted_data, expected_formatted_data)
def Main(): """The main program function. Returns: bool: True if successful or False if not. """ argument_parser = argparse.ArgumentParser(description=( 'Extracts the system information from a SOFTWARE Registry file.')) argument_parser.add_argument('-d', '--debug', dest='debug', action='store_true', default=False, help=('enable debug output.')) argument_parser.add_argument( 'source', nargs='?', action='store', metavar='PATH', default=None, help=('path of the volume containing C:\\Windows, the filename of ' 'a storage media image containing the C:\\Windows directory, ' 'or the path of a SOFTWARE Registry file.')) options = argument_parser.parse_args() if not options.source: print('Source value is missing.') print('') argument_parser.print_help() print('') return False logging.basicConfig(level=logging.INFO, format='[%(levelname)s] %(message)s') output_writer = output_writers.StdoutOutputWriter() if not output_writer.Open(): print('Unable to open output writer.') print('') return False volume_scanner_mediator = dfvfs_command_line.CLIVolumeScannerMediator() registry_collector = collector.WindowsRegistryCollector( mediator=volume_scanner_mediator) if not registry_collector.ScanForWindowsVolume(options.source): print('Unable to retrieve the Windows Registry from: {0:s}.'.format( options.source)) print('') return False # TODO: map collector to available Registry keys. collector_object = sysinfo.SystemInfoCollector(debug=options.debug, output_writer=output_writer) result = collector_object.Collect(registry_collector.registry) if not result: print('No Current Version key found.') else: output_writer.WriteValue( 'Product name', collector_object.system_information.product_name) output_writer.WriteValue( 'Product identifier', collector_object.system_information.product_identifier) output_writer.WriteValue( 'Current version', collector_object.system_information.current_version) output_writer.WriteValue( 'Current type', collector_object.system_information.current_type) output_writer.WriteValue( 'Current build number', collector_object.system_information.current_build_number) output_writer.WriteValue( 'CSD version', collector_object.system_information.csd_version) output_writer.WriteValue( 'Registered organization', collector_object.system_information.registered_organization) output_writer.WriteValue( 'Registered owner', collector_object.system_information.registered_owner) date_time_value = collector_object.system_information.installation_date date_time_string = date_time_value.CopyToDateTimeString() output_writer.WriteValue('Installation date', date_time_string) output_writer.WriteValue('Path name', collector_object.system_information.path_name) output_writer.WriteValue( '%SystemRoot%', collector_object.system_information.system_root) output_writer.WriteText('\n') output_writer.Close() return True
def Main(): """The main program function. Returns: bool: True if successful or False if not. """ argument_parser = argparse.ArgumentParser(description=( 'Extracts the UserAssist information from a NTUSER.DAT Registry file.' )) argument_parser.add_argument( '--codepage', dest='codepage', action='store', metavar='CODEPAGE', default='cp1252', help='the codepage of the extended ASCII strings.') argument_parser.add_argument('-d', '--debug', dest='debug', action='store_true', default=False, help='enable debug output.') argument_parser.add_argument( 'source', nargs='?', action='store', metavar='PATH', default=None, help=('path of the volume containing C:\\Windows, the filename of ' 'a storage media image containing the C:\\Windows directory, ' 'or the path of a NTUSER.DAT Registry file.')) options = argument_parser.parse_args() if not options.source: print('Source value is missing.') print('') argument_parser.print_help() print('') return False logging.basicConfig(level=logging.INFO, format='[%(levelname)s] %(message)s') output_writer = output_writers.StdoutOutputWriter() if not output_writer.Open(): print('Unable to open output writer.') print('') return False mediator = volume_scanner.WindowsRegistryVolumeScannerMediator() scanner = volume_scanner.WindowsRegistryVolumeScanner(mediator=mediator) volume_scanner_options = dfvfs_volume_scanner.VolumeScannerOptions() volume_scanner_options.partitions = ['all'] volume_scanner_options.snapshots = ['none'] volume_scanner_options.volumes = ['none'] if not scanner.ScanForWindowsVolume(options.source, options=volume_scanner_options): print( ('Unable to retrieve the volume with the Windows directory from: ' '{0:s}.').format(options.source)) print('') return False # TODO: map collector to available Registry keys. collector_object = userassist.UserAssistCollector( debug=options.debug, output_writer=output_writer) result = collector_object.Collect(scanner.registry) if not result: print('No UserAssist key found.') else: guid = None for user_assist_entry in collector_object.user_assist_entries: if user_assist_entry.guid != guid: print('GUID\t\t: {0:s}'.format(user_assist_entry.guid)) guid = user_assist_entry.guid print('Name\t\t: {0:s}'.format(user_assist_entry.name)) print('Original name\t: {0:s}'.format( user_assist_entry.value_name)) print('') output_writer.Close() return True
def testWriteText(self): """Tests the WriteText function.""" test_output_writer = output_writers.StdoutOutputWriter() test_output_writer.WriteText('Test')
def testWriteValue(self): """Tests the WriteValue function.""" test_output_writer = output_writers.StdoutOutputWriter() test_output_writer.WriteValue('Description', 'Value')
def testWriteDebugData(self): """Tests the WriteDebugData function.""" test_output_writer = output_writers.StdoutOutputWriter() test_output_writer.WriteDebugData('Description', b'DATA')
def Main(): """The main program function. Returns: bool: True if successful or False if not. """ argument_parser = argparse.ArgumentParser(description=( 'Extracts Application Compatibility Cache information from ' 'a SYSTEM Registry file.')) argument_parser.add_argument( '--all', dest='all_control_sets', action='store_true', default=False, help=( 'Process all control sets instead of only the current control set.' )) argument_parser.add_argument('-d', '--debug', dest='debug', action='store_true', default=False, help='enable debug output.') argument_parser.add_argument( 'source', nargs='?', action='store', metavar='PATH', default=None, help=('path of the volume containing C:\\Windows, the filename of ' 'a storage media image containing the C:\\Windows directory, ' 'or the path of a SYSTEM Registry file.')) options = argument_parser.parse_args() if not options.source: print('Source value is missing.') print('') argument_parser.print_help() print('') return False logging.basicConfig(level=logging.INFO, format='[%(levelname)s] %(message)s') mediator = volume_scanner.WindowsRegistryVolumeScannerMediator() scanner = volume_scanner.WindowsRegistryVolumeScanner(mediator=mediator) volume_scanner_options = dfvfs_volume_scanner.VolumeScannerOptions() volume_scanner_options.partitions = ['all'] volume_scanner_options.snapshots = ['none'] volume_scanner_options.volumes = ['none'] if not scanner.ScanForWindowsVolume(options.source, options=volume_scanner_options): print( ('Unable to retrieve the volume with the Windows directory from: ' '{0:s}.').format(options.source)) print('') return False output_writer = output_writers.StdoutOutputWriter() if not output_writer.Open(): print('Unable to open output writer.') print('') return False try: collector_object = appcompatcache.AppCompatCacheCollector( debug=options.debug, output_writer=output_writer) # TODO: change collector to generate AppCompatCacheCachedEntry has_results = collector_object.Collect( scanner.registry, all_control_sets=options.all_control_sets) if has_results: for cached_entry in collector_object.cached_entries: output_writer.WriteFiletimeValue( 'Last modification time', cached_entry.last_modification_time) output_writer.WriteValue('Path', cached_entry.path) output_writer.WriteText('\n') finally: output_writer.Close() if not has_results: print('No application compatibility cache entries found.') return True
def Main(): """The main program function. Returns: bool: True if successful or False if not. """ argument_parser = argparse.ArgumentParser(description=( 'Extracts the cached credentials from a SECURITY Registry file.')) argument_parser.add_argument('-d', '--debug', dest='debug', action='store_true', default=False, help=('enable debug output.')) argument_parser.add_argument( 'source', nargs='?', action='store', metavar='PATH', default=None, help=('path of the volume containing C:\\Windows, the filename of ' 'a storage media image containing the C:\\Windows directory, ' 'or the path of a SECURITY and SYSTEM Registry file.')) options = argument_parser.parse_args() if not options.source: print('Source value is missing.') print('') argument_parser.print_help() print('') return False logging.basicConfig(level=logging.INFO, format='[%(levelname)s] %(message)s') output_writer = output_writers.StdoutOutputWriter() if not output_writer.Open(): print('Unable to open output writer.') print('') return False mediator = volume_scanner.WindowsRegistryVolumeScannerMediator() scanner = volume_scanner.WindowsRegistryVolumeScanner(mediator=mediator) volume_scanner_options = dfvfs_volume_scanner.VolumeScannerOptions() volume_scanner_options.partitions = ['all'] volume_scanner_options.snapshots = ['none'] volume_scanner_options.volumes = ['none'] if not scanner.ScanForWindowsVolume(options.source, options=volume_scanner_options): print( ('Unable to retrieve the volume with the Windows directory from: ' '{0:s}.').format(options.source)) print('') return False if scanner.IsSingleFileRegistry(): print('Both SECURITY and SYSYEM Registry files are required.') print('') return False # TODO: map collector to available Registry keys. collector_object = cached_credentials.CachedCredentialsKeyCollector( debug=options.debug, output_writer=output_writer) result = collector_object.Collect(scanner.registry) if not result: print('No Cache key found.') else: output_writer.WriteText('\n') output_writer.Close() return True
def Main(): """The main program function. Returns: bool: True if successful or False if not. """ argument_parser = argparse.ArgumentParser(description=( 'Extracts Application Compatibility Cache information from ' 'a SYSTEM Registry file.')) argument_parser.add_argument( '--all', dest='all_control_sets', action='store_true', default=False, help=( 'Process all control sets instead of only the current control set.' )) argument_parser.add_argument('-d', '--debug', dest='debug', action='store_true', default=False, help='enable debug output.') argument_parser.add_argument( 'source', nargs='?', action='store', metavar='PATH', default=None, help=('path of the volume containing C:\\Windows, the filename of ' 'a storage media image containing the C:\\Windows directory,' 'or the path of a SYSTEM Registry file.')) options = argument_parser.parse_args() if not options.source: print('Source value is missing.') print('') argument_parser.print_help() print('') return False logging.basicConfig(level=logging.INFO, format='[%(levelname)s] %(message)s') output_writer = output_writers.StdoutOutputWriter() if not output_writer.Open(): print('Unable to open output writer.') print('') return False volume_scanner_mediator = dfvfs_command_line.CLIVolumeScannerMediator() registry_collector = collector.WindowsRegistryCollector( mediator=volume_scanner_mediator) if not registry_collector.ScanForWindowsVolume(options.source): print('Unable to retrieve the Windows Registry from: {0:s}.'.format( options.source)) print('') return False # TODO: map collector to available Registry keys. collector_object = appcompatcache.AppCompatCacheCollector( debug=options.debug, output_writer=output_writer) result = collector_object.Collect( registry_collector.registry, all_control_sets=options.all_control_sets) if not result: output_writer.WriteText( 'No Application Compatibility Cache key found.') output_writer.WriteText('') else: for cached_entry in collector_object.cached_entries: output_writer.WriteFiletimeValue( 'Last modification time', cached_entry.last_modification_time) output_writer.WriteText('\n') output_writer.WriteValue('Path', cached_entry.path) output_writer.WriteText('\n') output_writer.WriteText('') output_writer.WriteText('\n') output_writer.Close() return True
def Main(): """The main program function. Returns: bool: True if successful or False if not. """ argument_parser = argparse.ArgumentParser(description=( 'Extracts Security Account Manager information from a SAM Registry ' 'file.')) argument_parser.add_argument('-d', '--debug', dest='debug', action='store_true', default=False, help='enable debug output.') argument_parser.add_argument( 'source', nargs='?', action='store', metavar='PATH', default=None, help=('path of the volume containing C:\\Windows, the filename of ' 'a storage media image containing the C:\\Windows directory, ' 'or the path of a SAM Registry file.')) options = argument_parser.parse_args() if not options.source: print('Source value is missing.') print('') argument_parser.print_help() print('') return False logging.basicConfig(level=logging.INFO, format='[%(levelname)s] %(message)s') output_writer = output_writers.StdoutOutputWriter() if not output_writer.Open(): print('Unable to open output writer.') print('') return False volume_scanner_mediator = dfvfs_command_line.CLIVolumeScannerMediator() registry_collector = collector.WindowsRegistryCollector( mediator=volume_scanner_mediator) if not registry_collector.ScanForWindowsVolume(options.source): print('Unable to retrieve the Windows Registry from: {0:s}.'.format( options.source)) print('') return False # TODO: map collector to available Registry keys. collector_object = sam.SecurityAccountManagerCollector( debug=options.debug, output_writer=output_writer) result = collector_object.Collect(registry_collector.registry) if not result: output_writer.WriteText('No Security Account Manager key found.') output_writer.WriteText('') else: for user_account in collector_object.user_accounts: output_writer.WriteValue('Username', user_account.username) output_writer.WriteValue('Relative identifier (RID)', user_account.rid) output_writer.WriteValue('Primary group identifier', user_account.primary_gid) if user_account.full_name: output_writer.WriteValue('Full name', user_account.full_name) if user_account.comment: output_writer.WriteValue('Comment', user_account.comment) if user_account.user_comment: output_writer.WriteValue('User comment', user_account.user_comment) output_writer.WriteFiletimeValue('Last log-in time', user_account.last_login_time) output_writer.WriteFiletimeValue( 'Last password set time', user_account.last_password_set_time) output_writer.WriteFiletimeValue( 'Account expiration time', user_account.account_expiration_time) output_writer.WriteFiletimeValue( 'Last password failure time', user_account.last_password_failure_time) output_writer.WriteValue('Number of log-ons', user_account.number_of_logons) output_writer.WriteValue('Number of password failures', user_account.number_of_password_failures) if user_account.codepage: output_writer.WriteValue('Codepage', user_account.codepage) output_writer.WriteText('') output_writer.Close() return True
def Main(): """The main program function. Returns: bool: True if successful or False if not. """ argument_parser = argparse.ArgumentParser(description=( 'Extracts the program cache from a NTUSER.DAT Registry file.')) argument_parser.add_argument('-d', '--debug', dest='debug', action='store_true', default=False, help='enable debug output.') argument_parser.add_argument( 'source', nargs='?', action='store', metavar='PATH', default=None, help=('path of the volume containing C:\\Windows, the filename of ' 'a storage media image containing the C:\\Windows directory, ' 'or the path of a NTUSER.DAT Registry file.')) options = argument_parser.parse_args() if not options.source: print('Source value is missing.') print('') argument_parser.print_help() print('') return False logging.basicConfig(level=logging.INFO, format='[%(levelname)s] %(message)s') # TODO: add support to select user. mediator = volume_scanner.WindowsRegistryVolumeScannerMediator() scanner = volume_scanner.WindowsRegistryVolumeScanner(mediator=mediator) volume_scanner_options = dfvfs_volume_scanner.VolumeScannerOptions() volume_scanner_options.partitions = ['all'] volume_scanner_options.snapshots = ['none'] volume_scanner_options.volumes = ['none'] if not scanner.ScanForWindowsVolume(options.source, options=volume_scanner_options): print( ('Unable to retrieve the volume with the Windows directory from: ' '{0:s}.').format(options.source)) print('') return False output_writer = output_writers.StdoutOutputWriter() if not output_writer.Open(): print('Unable to open output writer.') print('') return False try: collector_object = programscache.ProgramsCacheCollector( debug=options.debug, output_writer=output_writer) # TODO: change collector to generate ProgramCacheEntry has_results = collector_object.Collect(scanner.registry) finally: output_writer.Close() if not has_results: print('No program cache entries found.') return True
def Main(): """The main program function. Returns: bool: True if successful or False if not. """ argument_parser = argparse.ArgumentParser( description=('Extracts the type libraries from the Windows Registry.')) argument_parser.add_argument('-d', '--debug', dest='debug', action='store_true', default=False, help='enable debug output.') argument_parser.add_argument( 'source', nargs='?', action='store', metavar='PATH', default=None, help=('path of the volume containing C:\\Windows, the filename of ' 'a storage media image containing the C:\\Windows directory, ' 'or the path of a SOFTWARE Registry file.')) options = argument_parser.parse_args() if not options.source: print('Source value is missing.') print('') argument_parser.print_help() print('') return False logging.basicConfig(level=logging.INFO, format='[%(levelname)s] %(message)s') output_writer = output_writers.StdoutOutputWriter() if not output_writer.Open(): print('Unable to open output writer.') print('') return False mediator = volume_scanner.WindowsRegistryVolumeScannerMediator() scanner = volume_scanner.WindowsRegistryVolumeScanner(mediator=mediator) volume_scanner_options = dfvfs_volume_scanner.VolumeScannerOptions() volume_scanner_options.partitions = ['all'] volume_scanner_options.snapshots = ['none'] volume_scanner_options.volumes = ['none'] if not scanner.ScanForWindowsVolume(options.source, options=volume_scanner_options): print( ('Unable to retrieve the volume with the Windows directory from: ' '{0:s}.').format(options.source)) print('') return False # TODO: map collector to available Registry keys. collector_object = type_libraries.TypeLibrariesCollector( debug=options.debug, output_writer=output_writer) result = collector_object.Collect(scanner.registry) if not result: print('No TypeLib key found.') else: for type_library in collector_object.type_libraries: print('{0:s}\t{1:s}\t{2:s}\t{3:s}'.format( type_library.guid, type_library.version, type_library.description, type_library.typelib_filename)) output_writer.Close() return True