예제 #1
def csv_user_assist_value_decode_before_win7(str_value_datatmp, count_offset):
    """
    Decode one pre-Windows-7 UserAssist ``Count`` registry value.

    The 16-byte value holds, in order, a 4-byte session id, a 4-byte run
    counter and an 8-byte Windows timestamp of the last execution.  Every
    field is stored in the byte order that get_int_from_reversed_string
    undoes; the run counter is rebased by ``count_offset + 1`` before being
    stringified.
    :return: [session, count, last_exec_date] where the date slot is "" when
             convert_windate rejects the timestamp
    """
    session_raw = str_value_datatmp[0:4]
    count_raw = str_value_datatmp[4:8]
    stamp_raw = str_value_datatmp[8:16]

    session = unicode(get_int_from_reversed_string(session_raw))
    count = unicode(get_int_from_reversed_string(count_raw) + count_offset + 1)
    try:
        last_exec = convert_windate(get_int_from_reversed_string(stamp_raw))
    except ValueError:
        # Unconvertible timestamp: report an empty date rather than fail.
        last_exec = None
    return [session, count, last_exec if last_exec else ""]
예제 #2
 def __decode_section_a(self, format_version, content, section_a):
     """Decode the fixed-size section A header starting at ``section_a``.

     Reads consecutive 4-byte fields through get_int_from_reversed_string.
     Format version 17 has no ``average_duration`` field, so that key is set
     to '' and the filename fields follow ``duration`` directly; every other
     version carries all five fields in order.
     Returns a dict keyed start_time, duration, average_duration,
     filename_offset and filename_nb_char.
     """
     def field_at(offset):
         start = section_a + offset
         return get_int_from_reversed_string(content[start:start + 4])

     if format_version == 17:
         layout = [('start_time', 0), ('duration', 4),
                   ('filename_offset', 8), ('filename_nb_char', 12)]
     else:
         layout = [('start_time', 0), ('duration', 4), ('average_duration', 8),
                   ('filename_offset', 12), ('filename_nb_char', 16)]

     hash_table = {}
     for key, offset in layout:
         hash_table[key] = field_at(offset)
     if format_version == 17:
         # v17 carries no average duration; keep the key for a uniform schema.
         hash_table['average_duration'] = ''
     return hash_table
예제 #3
def csv_user_assist_value_decode_win7_and_after(str_value_datatmp, count_offset):
    """Decode one Windows 7+ UserAssist ``Count`` registry value.

    The layout changed with Win7: the session id (bytes 0:4) and run counter
    (4:8) are followed by a focus value at 12:16, and the last-execution
    timestamp moved to bytes 60:68.  Each field is read through
    get_int_from_reversed_string; the run counter is rebased by
    ``count_offset + 1``.
    :return: [session, count, focus, last_exec_date]; the date slot holds ""
             when convert_windate rejects the timestamp
    """
    def field(start, end):
        return get_int_from_reversed_string(str_value_datatmp[start:end])

    session = unicode(field(0, 4))
    count = unicode(field(4, 8) + count_offset + 1)
    focus = unicode(field(12, 16))
    try:
        last_exec = convert_windate(field(60, 68))
    except ValueError:
        # Unconvertible timestamp: report an empty date rather than fail.
        last_exec = None
    return [session, count, focus, last_exec or ""]
예제 #4
 def __decode_section_a(self, format_version, content, section_a):
     """Decode the fixed-size section A header starting at ``section_a``.

     Walks the five fields in order, consuming 4 bytes each via
     get_int_from_reversed_string.  Format version 17 does not store
     ``average_duration``: that key is set to '' without consuming bytes, so
     the filename fields sit 4 bytes earlier than in later versions.
     Returns a dict keyed start_time, duration, average_duration,
     filename_offset and filename_nb_char.
     """
     hash_table = {}
     cursor = section_a
     for key in ('start_time', 'duration', 'average_duration',
                 'filename_offset', 'filename_nb_char'):
         if key == 'average_duration' and format_version == 17:
             # Field absent in v17: keep the key, advance nothing.
             hash_table[key] = ''
             continue
         hash_table[key] = get_int_from_reversed_string(content[cursor:cursor + 4])
         cursor += 4
     return hash_table
예제 #5
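    def _list_windows_prefetch(self):
        """Yield one parsed record per Windows prefetch file.

        Globs ``<systemroot>\\Prefetch\\*.pf`` and yields, for each file,
        ``(path, format_version, file_size, exec_name, created, modified,
        exec_count, section_a, section_c_strings)``.  A file that is
        truncated or otherwise unparsable is logged with its traceback and
        skipped, so one bad file never aborts the whole collection.

        Header layout (see
        http://www.forensicswiki.org/wiki/Windows_Prefetch_File_Format):
        version at 0x00, file size at 0x0c, UTF-16-LE executable name at
        0x10 (60 bytes, NUL-terminated), section A-D offsets/sizes at
        0x54-0x77, then a version-specific block holding the run count
        (0x90 for v17, 0x98 for v23, 0xd0 otherwise).  The last-run
        timestamps that follow the section table are not reported.

        Fixes relative to the previous version: the glob is a raw string
        (``'\\P'``/``'\\*'`` were relying on invalid-escape fallback), the
        name scan stops at the first terminator and no longer keeps the NUL
        in the name, truncated files are rejected explicitly, and only
        ``Exception`` is caught so GeneratorExit/KeyboardInterrupt propagate.
        """
        prefetch_path = self.systemroot + r'\Prefetch\*.pf'
        list_prefetch_files = look_for_files(prefetch_path)

        for prefetch_file in list_prefetch_files:
            with open(prefetch_file, 'rb') as file_input:
                content = file_input.read()
            try:
                # The section table ends at 0x78; anything shorter cannot be
                # parsed and would previously have produced garbage values.
                if len(content) < 0x0078:
                    raise ValueError('prefetch header truncated: %d bytes' % len(content))
                format_version = get_int_from_reversed_string(content[:4])
                # scca_sig = content[0x4:][:4]
                file_size = get_int_from_reversed_string(content[0x000c:0x000c + 4])

                # Executable name: UTF-16-LE, ended by the first aligned 00 00
                # pair.  The terminator is excluded from the decoded name.
                exec_name = content[0x0010:0x0010 + 60]
                for i in range(0, len(exec_name) - 1, 2):
                    if exec_name[i:i + 2] == b'\x00\x00':
                        exec_name = exec_name[:i].decode('utf-16-le')
                        break

                # NOTE(review): naive local-time datetimes; collections that
                # are correlated across hosts usually want UTC instead.
                tc = os.path.getctime(prefetch_file)
                tm = os.path.getmtime(prefetch_file)

                # Section table.  Only A (0x54) and C (0x64/0x68) feed the
                # report; B (0x5c/0x60) and D (0x6c/0x70/0x74) are unused.
                section_a = get_int_from_reversed_string(content[0x0054:0x0054 + 4])
                section_c = get_int_from_reversed_string(content[0x0064:0x0064 + 4])
                length_c = get_int_from_reversed_string(content[0x0068:0x0068 + 4])

                # Run count offset depends on the version; any value other
                # than 17 or 23 is read with the version-26 layout, as before.
                if format_version == 17:
                    exec_count_offset = 0x0090
                elif format_version == 23:
                    exec_count_offset = 0x0098
                else:
                    exec_count_offset = 0x00D0
                if len(content) < exec_count_offset + 4:
                    raise ValueError('prefetch file truncated before run count '
                                     '(version %d, %d bytes)' % (format_version, len(content)))
                exec_count = get_int_from_reversed_string(
                    content[exec_count_offset:exec_count_offset + 4])

                hash_table_a = self.__decode_section_a(format_version, content, section_a)
                list_str_c = self.__decode_section_c(content, section_c, length_c)
                yield (prefetch_file, format_version, file_size, exec_name,
                       datetime.datetime.fromtimestamp(tc), datetime.datetime.fromtimestamp(tm),
                       exec_count, hash_table_a, list_str_c)
            except Exception:
                # A bare ``except:`` here also swallowed the GeneratorExit
                # raised at ``yield`` when the consumer closes the generator.
                logging.error(traceback.format_exc())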
예제 #6
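    def _list_windows_prefetch(self, is_compressed=False):
        """Yield one parsed record per Windows prefetch file.

        Globs ``<systemroot>\\Prefetch\\*.pf`` and yields, for each file,
        ``(path, format_version, file_size, exec_name, created, modified,
        exec_count, section_a, section_c_strings)``.  With ``is_compressed``
        the file is first inflated through ntdll's RtlDecompressBufferEx
        (Windows only).  A file that is truncated, fails to decompress or is
        otherwise unparsable is logged with its traceback and skipped.

        Header layout (see
        http://www.forensicswiki.org/wiki/Windows_Prefetch_File_Format):
        version at 0x00, file size at 0x0c, UTF-16-LE executable name at
        0x10 (60 bytes, NUL-terminated), section A-D offsets/sizes at
        0x54-0x77, then a version-specific block holding the run count
        (0x90 for v17, 0x98 for v23, 0xd0 otherwise).  The last-run
        timestamps that follow the section table are not reported.

        Fixes relative to the previous version: the NTSTATUS of both ntdll
        calls is checked (a failed decompression used to be parsed silently
        as an all-zero buffer), the output is sliced to the size ntdll
        actually wrote, the glob is a raw string, the name scan stops at the
        first terminator and drops the NUL, truncated files are rejected
        explicitly, and only ``Exception`` is caught so GeneratorExit and
        KeyboardInterrupt propagate.
        """
        prefetch_path = self.systemroot + r'\Prefetch\*.pf'
        list_prefetch_files = look_for_files(prefetch_path)

        for prefetch_file in list_prefetch_files:
            with open(prefetch_file, 'rb') as file_input:
                content = file_input.read()
            try:
                if is_compressed:
                    # 8-byte header: 4-byte signature whose high byte carries
                    # the compression format, then the uncompressed size.
                    if len(content) < 8:
                        raise ValueError('compressed prefetch header truncated: %d bytes'
                                         % len(content))
                    signature, uncompressed_size = struct.unpack('<LL', content[:8])
                    compressed = content[8:]
                    algo = (signature & 0x0F000000) >> 24

                    ntdll = ctypes.windll.ntdll
                    buffer_ws = ctypes.c_uint32()
                    fragment_ws = ctypes.c_uint32()
                    status = ntdll.RtlGetCompressionWorkSpaceSize(
                        algo, ctypes.byref(buffer_ws), ctypes.byref(fragment_ws))
                    if status != 0:
                        raise ValueError('RtlGetCompressionWorkSpaceSize failed: NTSTATUS 0x%08x'
                                         % (status & 0xFFFFFFFF))

                    # NOTE(review): uncompressed_size comes straight from the
                    # file header and sizes this allocation; a corrupt or
                    # hostile file can request an arbitrarily large buffer.
                    src = (ctypes.c_ubyte * len(compressed)).from_buffer_copy(compressed)
                    dst = (ctypes.c_ubyte * uncompressed_size)()
                    final_size = ctypes.c_uint32()
                    workspace = (ctypes.c_ubyte * fragment_ws.value)()
                    ntstatus = ntdll.RtlDecompressBufferEx(
                        ctypes.c_uint16(algo), ctypes.byref(dst),
                        ctypes.c_uint32(uncompressed_size), ctypes.byref(src),
                        ctypes.c_uint32(len(compressed)), ctypes.byref(final_size),
                        ctypes.byref(workspace))
                    # STATUS_SUCCESS is 0; on failure dst holds nothing useful.
                    if ntstatus != 0:
                        raise ValueError('RtlDecompressBufferEx failed: NTSTATUS 0x%08x'
                                         % (ntstatus & 0xFFFFFFFF))
                    content = ctypes.string_at(ctypes.addressof(dst), final_size.value)

                # The section table ends at 0x78; anything shorter cannot be
                # parsed and would previously have produced garbage values.
                if len(content) < 0x0078:
                    raise ValueError('prefetch header truncated: %d bytes' % len(content))
                format_version = get_int_from_reversed_string(content[:4])
                # scca_sig = content[0x4:][:4]
                file_size = get_int_from_reversed_string(content[0x000c:0x000c + 4])

                # Executable name: UTF-16-LE, ended by the first aligned 00 00
                # pair.  The terminator is excluded from the decoded name.
                exec_name = content[0x0010:0x0010 + 60]
                for i in range(0, len(exec_name) - 1, 2):
                    if exec_name[i:i + 2] == b'\x00\x00':
                        exec_name = exec_name[:i].decode('utf-16-le')
                        break

                # NOTE(review): naive local-time datetimes; collections that
                # are correlated across hosts usually want UTC instead.
                tc = os.path.getctime(prefetch_file)
                tm = os.path.getmtime(prefetch_file)

                # Section table.  Only A (0x54) and C (0x64/0x68) feed the
                # report; B (0x5c/0x60) and D (0x6c/0x70/0x74) are unused.
                section_a = get_int_from_reversed_string(content[0x0054:0x0054 + 4])
                section_c = get_int_from_reversed_string(content[0x0064:0x0064 + 4])
                length_c = get_int_from_reversed_string(content[0x0068:0x0068 + 4])

                # Run count offset depends on the version; any value other
                # than 17 or 23 is read with the version-26 layout, as before.
                if format_version == 17:
                    exec_count_offset = 0x0090
                elif format_version == 23:
                    exec_count_offset = 0x0098
                else:
                    exec_count_offset = 0x00D0
                if len(content) < exec_count_offset + 4:
                    raise ValueError('prefetch file truncated before run count '
                                     '(version %d, %d bytes)' % (format_version, len(content)))
                exec_count = get_int_from_reversed_string(
                    content[exec_count_offset:exec_count_offset + 4])

                hash_table_a = self.__decode_section_a(format_version, content, section_a)
                list_str_c = self.__decode_section_c(content, section_c, length_c)
                yield (prefetch_file, format_version, file_size, exec_name,
                       datetime.datetime.fromtimestamp(tc), datetime.datetime.fromtimestamp(tm),
                       exec_count, hash_table_a, list_str_c)
            except Exception:
                # A bare ``except:`` here also swallowed the GeneratorExit
                # raised at ``yield`` when the consumer closes the generator.
                logging.error(traceback.format_exc())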
예제 #7
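    def _list_windows_prefetch(self):
        """Yield one parsed record per Windows prefetch file.

        Globs ``<systemroot>\\Prefetch\\*.pf`` and yields, for each file,
        ``(path, format_version, file_size, exec_name, created, modified,
        exec_count, section_a, section_c_strings)``.  A file that is
        truncated or otherwise unparsable is logged with its traceback and
        skipped, so one bad file never aborts the whole collection.

        Header layout (see
        http://www.forensicswiki.org/wiki/Windows_Prefetch_File_Format):
        version at 0x00, file size at 0x0c, UTF-16-LE executable name at
        0x10 (60 bytes, NUL-terminated), section A-D offsets/sizes at
        0x54-0x77, then a version-specific block holding the run count
        (0x90 for v17, 0x98 for v23, 0xd0 otherwise).  The last-run
        timestamps that follow the section table are not reported.

        Fixes relative to the previous version: the glob is a raw string
        (``'\\P'``/``'\\*'`` were relying on invalid-escape fallback), the
        name scan stops at the first terminator and no longer keeps the NUL
        in the name, truncated files are rejected explicitly, and only
        ``Exception`` is caught so GeneratorExit/KeyboardInterrupt propagate.
        """
        prefetch_path = self.systemroot + r'\Prefetch\*.pf'
        list_prefetch_files = look_for_files(prefetch_path)

        for prefetch_file in list_prefetch_files:
            with open(prefetch_file, 'rb') as file_input:
                content = file_input.read()
            try:
                # The section table ends at 0x78; anything shorter cannot be
                # parsed and would previously have produced garbage values.
                if len(content) < 0x0078:
                    raise ValueError('prefetch header truncated: %d bytes' % len(content))
                format_version = get_int_from_reversed_string(content[:4])
                # scca_sig = content[0x4:][:4]
                file_size = get_int_from_reversed_string(content[0x000c:0x000c + 4])

                # Executable name: UTF-16-LE, ended by the first aligned 00 00
                # pair.  The terminator is excluded from the decoded name.
                exec_name = content[0x0010:0x0010 + 60]
                for i in range(0, len(exec_name) - 1, 2):
                    if exec_name[i:i + 2] == b'\x00\x00':
                        exec_name = exec_name[:i].decode('utf-16-le')
                        break

                # NOTE(review): naive local-time datetimes; collections that
                # are correlated across hosts usually want UTC instead.
                tc = os.path.getctime(prefetch_file)
                tm = os.path.getmtime(prefetch_file)

                # Section table.  Only A (0x54) and C (0x64/0x68) feed the
                # report; B (0x5c/0x60) and D (0x6c/0x70/0x74) are unused.
                section_a = get_int_from_reversed_string(content[0x0054:0x0054 + 4])
                section_c = get_int_from_reversed_string(content[0x0064:0x0064 + 4])
                length_c = get_int_from_reversed_string(content[0x0068:0x0068 + 4])

                # Run count offset depends on the version; any value other
                # than 17 or 23 is read with the version-26 layout, as before.
                if format_version == 17:
                    exec_count_offset = 0x0090
                elif format_version == 23:
                    exec_count_offset = 0x0098
                else:
                    exec_count_offset = 0x00D0
                if len(content) < exec_count_offset + 4:
                    raise ValueError('prefetch file truncated before run count '
                                     '(version %d, %d bytes)' % (format_version, len(content)))
                exec_count = get_int_from_reversed_string(
                    content[exec_count_offset:exec_count_offset + 4])

                hash_table_a = self.__decode_section_a(format_version, content, section_a)
                list_str_c = self.__decode_section_c(content, section_c, length_c)
                yield (prefetch_file, format_version, file_size, exec_name,
                       datetime.datetime.fromtimestamp(tc), datetime.datetime.fromtimestamp(tm),
                       exec_count, hash_table_a, list_str_c)
            except Exception:
                # A bare ``except:`` here also swallowed the GeneratorExit
                # raised at ``yield`` when the consumer closes the generator.
                logging.error(traceback.format_exc())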
예제 #8
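    def _list_windows_prefetch(self, is_compressed=False):
        """Yield one parsed record per Windows prefetch file.

        Globs ``<systemroot>\\Prefetch\\*.pf`` and yields, for each file,
        ``(path, format_version, file_size, exec_name, created, modified,
        exec_count, section_a, section_c_strings)``.  With ``is_compressed``
        the file is first inflated through ntdll's RtlDecompressBufferEx
        (Windows only).  A file that is truncated, fails to decompress or is
        otherwise unparsable is logged with its traceback and skipped.

        Header layout (see
        http://www.forensicswiki.org/wiki/Windows_Prefetch_File_Format):
        version at 0x00, file size at 0x0c, UTF-16-LE executable name at
        0x10 (60 bytes, NUL-terminated), section A-D offsets/sizes at
        0x54-0x77, then a version-specific block holding the run count
        (0x90 for v17, 0x98 for v23, 0xd0 otherwise).  The last-run
        timestamps that follow the section table are not reported.

        Fixes relative to the previous version: the NTSTATUS of both ntdll
        calls is checked (a failed decompression used to be parsed silently
        as an all-zero buffer), the output is sliced to the size ntdll
        actually wrote, the glob is a raw string, the name scan stops at the
        first terminator and drops the NUL, truncated files are rejected
        explicitly, and only ``Exception`` is caught so GeneratorExit and
        KeyboardInterrupt propagate.
        """
        prefetch_path = self.systemroot + r'\Prefetch\*.pf'
        list_prefetch_files = look_for_files(prefetch_path)

        for prefetch_file in list_prefetch_files:
            with open(prefetch_file, 'rb') as file_input:
                content = file_input.read()
            try:
                if is_compressed:
                    # 8-byte header: 4-byte signature whose high byte carries
                    # the compression format, then the uncompressed size.
                    if len(content) < 8:
                        raise ValueError('compressed prefetch header truncated: %d bytes'
                                         % len(content))
                    signature, uncompressed_size = struct.unpack('<LL', content[:8])
                    compressed = content[8:]
                    algo = (signature & 0x0F000000) >> 24

                    ntdll = ctypes.windll.ntdll
                    buffer_ws = ctypes.c_uint32()
                    fragment_ws = ctypes.c_uint32()
                    status = ntdll.RtlGetCompressionWorkSpaceSize(
                        algo, ctypes.byref(buffer_ws), ctypes.byref(fragment_ws))
                    if status != 0:
                        raise ValueError('RtlGetCompressionWorkSpaceSize failed: NTSTATUS 0x%08x'
                                         % (status & 0xFFFFFFFF))

                    # NOTE(review): uncompressed_size comes straight from the
                    # file header and sizes this allocation; a corrupt or
                    # hostile file can request an arbitrarily large buffer.
                    src = (ctypes.c_ubyte * len(compressed)).from_buffer_copy(compressed)
                    dst = (ctypes.c_ubyte * uncompressed_size)()
                    final_size = ctypes.c_uint32()
                    workspace = (ctypes.c_ubyte * fragment_ws.value)()
                    ntstatus = ntdll.RtlDecompressBufferEx(
                        ctypes.c_uint16(algo), ctypes.byref(dst),
                        ctypes.c_uint32(uncompressed_size), ctypes.byref(src),
                        ctypes.c_uint32(len(compressed)), ctypes.byref(final_size),
                        ctypes.byref(workspace))
                    # STATUS_SUCCESS is 0; on failure dst holds nothing useful.
                    if ntstatus != 0:
                        raise ValueError('RtlDecompressBufferEx failed: NTSTATUS 0x%08x'
                                         % (ntstatus & 0xFFFFFFFF))
                    content = ctypes.string_at(ctypes.addressof(dst), final_size.value)

                # The section table ends at 0x78; anything shorter cannot be
                # parsed and would previously have produced garbage values.
                if len(content) < 0x0078:
                    raise ValueError('prefetch header truncated: %d bytes' % len(content))
                format_version = get_int_from_reversed_string(content[:4])
                # scca_sig = content[0x4:][:4]
                file_size = get_int_from_reversed_string(content[0x000c:0x000c + 4])

                # Executable name: UTF-16-LE, ended by the first aligned 00 00
                # pair.  The terminator is excluded from the decoded name.
                exec_name = content[0x0010:0x0010 + 60]
                for i in range(0, len(exec_name) - 1, 2):
                    if exec_name[i:i + 2] == b'\x00\x00':
                        exec_name = exec_name[:i].decode('utf-16-le')
                        break

                # NOTE(review): naive local-time datetimes; collections that
                # are correlated across hosts usually want UTC instead.
                tc = os.path.getctime(prefetch_file)
                tm = os.path.getmtime(prefetch_file)

                # Section table.  Only A (0x54) and C (0x64/0x68) feed the
                # report; B (0x5c/0x60) and D (0x6c/0x70/0x74) are unused.
                section_a = get_int_from_reversed_string(content[0x0054:0x0054 + 4])
                section_c = get_int_from_reversed_string(content[0x0064:0x0064 + 4])
                length_c = get_int_from_reversed_string(content[0x0068:0x0068 + 4])

                # Run count offset depends on the version; any value other
                # than 17 or 23 is read with the version-26 layout, as before.
                if format_version == 17:
                    exec_count_offset = 0x0090
                elif format_version == 23:
                    exec_count_offset = 0x0098
                else:
                    exec_count_offset = 0x00D0
                if len(content) < exec_count_offset + 4:
                    raise ValueError('prefetch file truncated before run count '
                                     '(version %d, %d bytes)' % (format_version, len(content)))
                exec_count = get_int_from_reversed_string(
                    content[exec_count_offset:exec_count_offset + 4])

                hash_table_a = self.__decode_section_a(format_version, content, section_a)
                list_str_c = self.__decode_section_c(content, section_c, length_c)
                yield (prefetch_file, format_version, file_size, exec_name,
                       datetime.datetime.fromtimestamp(tc), datetime.datetime.fromtimestamp(tm),
                       exec_count, hash_table_a, list_str_c)
            except Exception:
                # A bare ``except:`` here also swallowed the GeneratorExit
                # raised at ``yield`` when the consumer closes the generator.
                logging.error(traceback.format_exc())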