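def find_usbstor_info(config):
    r"""
    Find all usb information present in the SYSTEM\CurrentControlSet\Enum\USBSTOR
    registry key.

    Arguments:
        config: The Configuration object for the analyzed disk; its system_hive
            and current_control_set attributes are read.

    Return:
        A list with one entry per distinct serial number. Each entry is a list
        [last write time, serial number, usb type, vendor, product id, revision,
        friendly name], built from the FriendlyName value of the device key.
        The function is best effort: if the hive cannot be read, whatever was
        collected before the failure is returned, so an empty list does not
        prove that no USBSTOR device was ever plugged in.
    """
    usbstor_info_list = []
    seen_serials = set()
    try:
        keys = registry.find_key_start_with(
            config.system_hive, config.current_control_set + "\\Enum\\USBSTOR")
        for usb_info in keys:
            if "FriendlyName" not in usb_info['Name']:
                continue
            parts = usb_info['Name'].split("\\")
            try:
                serial_number = str(parts[4])
                # parts[3] is expected to look like "Disk&Ven_X&Prod_Y&Rev_Z".
                # A key with another layout is skipped instead of aborting the
                # whole listing (the old "finally: return" did exactly that).
                usb_type, usb_vendor, usb_product_id, usb_revision = \
                    parts[3].split("&")
            except (IndexError, ValueError):
                continue
            if serial_number in seen_serials:
                continue
            seen_serials.add(serial_number)
            usbstor_info_list.append([usb_info['Last Write Time'],
                                      serial_number,
                                      usb_type,
                                      usb_vendor,
                                      usb_product_id,
                                      usb_revision,
                                      str(usb_info['Value'])])
    except Exception:
        # Deliberate best effort, kept from the original: an unreadable hive
        # yields the partial list rather than an exception.
        pass
    return usbstor_info_list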
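def get_sid_and_folder_from_username(config, username):
    """
    Find the SID and the profile folder of a user from the ProfileList registry
    key of the SOFTWARE hive.

    Arguments:
        config: The Configuration object for the analyzed disk; its
            software_hive attribute is read.
        username: The account name to look for. It is compared (case
            sensitively) with the last path component of every
            ProfileImagePath value.

    Return:
        A list [sid, profile folder] for the first matching profile, or
        ['Unknown', 'Unknown'] when no profile matches or the hive can't be read.
    """
    try:
        profile_keys = registry.find_key_start_with(
            config.software_hive,
            "Microsoft\\Windows NT\\CurrentVersion\\ProfileList")
        for key in profile_keys:
            if "ProfileImagePath" not in key['Name']:
                continue
            if key['Value'].split("\\")[-1] != username:
                continue
            # The 5th component of the key name (index 4) is taken as the SID,
            # i.e. the subkey of ProfileList holding this ProfileImagePath.
            sid = str(key['Name'].split("\\")[4])
            return [sid, str(key['Value'])]
    except Exception:
        # Narrowed from a bare "except:" so KeyboardInterrupt / SystemExit are
        # no longer swallowed; any hive/parsing error still maps to Unknown.
        pass
    return ['Unknown', 'Unknown']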
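def get_users_hives(self, users_hives):
    """
    Resolve the NTUSER.DAT hive of every user of the analyzed disk.

    Arguments:
        users_hives: An explicit list of (username, hive path) tuples, or a
            falsy value to discover them from the SAM and SOFTWARE hives
            (self.sam_hive, self.software_hive) under the mount point
            self.folder.

    Return:
        The given list when one was provided (after checking that each hive
        exists), otherwise the discovered list of (username, hive path) tuples.

    Raises:
        FileNotFoundError: when a given hive path is not an existing file.
            It subclasses Exception, so callers catching Exception still work.
    """
    if users_hives:
        for (_username, hive) in users_hives:
            if not os.path.isfile(hive):
                raise FileNotFoundError("Given user hive " + hive + " not found !")
        return users_hives

    sam_info = registry.samparse(self.sam_hive)
    # Read the ProfileList once instead of re-walking the hive for every user.
    profile_keys = [
        k for k in registry.find_key_start_with(
            self.software_hive,
            "Microsoft\\Windows NT\\CurrentVersion\\ProfileList")
        if "ProfileImagePath" in k['Name']]
    root = os.path.realpath(self.folder)
    found = []
    for username in sam_info['users']:
        for key in profile_keys:
            if key['Value'].split("\\")[-1] != username:
                continue
            profile_path = str(key['Value'])
            # ProfileImagePath is either "C:\Users\name" or
            # "%SystemDrive%\Users\name"; drop the drive part in both cases
            # (the old "[3:]" only handled the drive-letter form).
            if profile_path.upper().startswith("%SYSTEMDRIVE%"):
                relative = profile_path[len("%SystemDrive%"):]
            else:
                relative = profile_path[3:]
            user_folder = relative.lstrip("\\").replace("\\", "/")
            hive = self.folder + user_folder + "/NTUSER.DAT"
            # The path comes from the analyzed image itself, so refuse anything
            # that resolves outside the mount point before reading it.
            try:
                inside = os.path.commonpath([root, os.path.realpath(hive)]) == root
            except ValueError:
                inside = False
            if inside and os.path.isfile(hive):
                found.append((username, hive))
    return found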
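def find_usb_user(config, guid):
    r"""
    Find the user (if any) that used the specific usb device. This information
    is contained in the NTUSER.DAT\SOFTWARE\Microsoft\Windows\CurrentVersion\
    Explorer\MountPoints2 registry key.

    Arguments:
        config: The Configuration object for the analyzed disk; its users_hives
            attribute (pairs of username and NTUSER.DAT path) is read.
        guid: The guid of the device, matched as a substring of the MountPoints2
            subkey names.

    Return:
        The username of the first user whose MountPoints2 key mentions the guid,
        or the string "User couldn't be found :(" when no user matches or a
        hive can't be read.
    """
    try:
        for user, user_hive in config.users_hives:
            mount_points = registry.find_key_start_with(
                user_hive,
                "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2")
            if any(guid in key['Name'] for key in mount_points):
                return user
    except Exception:
        # Narrowed from a bare "except:" so Ctrl-C is not reported as a
        # "not found" result; hive errors still fall through to the sentinel.
        pass
    return "User couldn't be found :("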
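def find_usb_info(config):
    r"""
    Find all usb information present in the SYSTEM\CurrentControlSet\Enum\USB
    registry key.

    Arguments:
        config: The Configuration object for the analyzed disk; its system_hive
            and current_control_set attributes are read.

    Return:
        A list with one entry per distinct serial number. Each entry is a list
        [last write time, serial number, device id], where the device id is the
        key component holding the vendor id (VID), the product id (PID) and
        possibly an MI number.
    """
    usb_info_list = []
    seen_serials = set()
    keys = registry.find_key_start_with(
        config.system_hive, config.current_control_set + "\\Enum\\USB")
    for usb_info in keys:
        parts = usb_info['Name'].split("\\")
        # Expected layout: <control set>\Enum\USB\<device id>\<serial>[\...].
        # Keys without a serial component are skipped instead of raising
        # IndexError and losing the whole listing.
        if len(parts) < 5:
            continue
        serial_number = str(parts[4])
        if serial_number in seen_serials:
            continue
        seen_serials.add(serial_number)
        usb_info_list.append([usb_info['Last Write Time'], serial_number, parts[3]])
    return usb_info_list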