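def init_win_vista_and_above(self):
    """Collect the per-user registry hives (NTUSER.DAT and UsrClass.dat) on Vista and later.

    Enumerates the ProfileList key under HKLM, maps each ``ProfileImagePath`` onto
    the Volume Shadow Copy root (the live hives are locked by the OS) and appends
    ``(profile_key_name, ntuser_root_key, usrclass_root_key)`` to ``self.user_hives``.
    Profiles whose hives cannot be opened -- service/system profiles with an
    unexpanded ``%systemroot%``, profiles on another volume, stale entries -- are
    skipped, as in the original.

    Side effects: sets ``self.vss``; extends ``self.user_hives``.
    """
    users = registry_obj.get_registry_key(
        registry_obj.HKEY_LOCAL_MACHINE,
        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList")
    drive = os.path.splitdrive(self.systemroot)[0]
    params = {"logger": self.logger}
    self.vss = _VSS._get_instance(params, drive)
    if not users:
        return
    vss_root = self.vss._return_root()
    for i in range(users.get_number_of_sub_keys()):
        user = users.get_sub_key(i)
        value = user.get_value_by_name("ProfileImagePath")
        if value is None:
            # NOTE(review): assumes a missing value comes back as None -- skip the
            # subkey instead of aborting the whole enumeration.
            continue
        profile_dir = value.get_data()
        # Rewrite only the leading drive spec. The original str.replace() rewrote
        # every occurrence of e.g. "C:" in the path. A profile on another volume
        # keeps pointing at the live (locked) hive and is dropped by the IOError below.
        if profile_dir.startswith(drive):
            profile_dir = vss_root + profile_dir[len(drive):]
        ntuser_path = profile_dir + r"\NTUSER.DAT"
        # Single separator before UsrClass.dat: the original raw string produced
        # "Windows\\UsrClass.dat" (a doubled backslash).
        usrclass_path = profile_dir + r"\AppData\Local\Microsoft\Windows\UsrClass.dat"
        try:
            ntuser = registry_obj.RegfFile()
            ntuser.open(ntuser_path)
            usrclass = registry_obj.RegfFile()
            usrclass.open(usrclass_path)
        except IOError:
            # Not a user profile, or the hive is not reachable through the snapshot.
            # NOTE(review): if UsrClass.dat fails after NTUSER.DAT opened, the first
            # RegfFile is dropped without an explicit close -- confirm RegfFile
            # releases its handle on garbage collection.
            continue
        self.user_hives.append(
            (user.get_name(), ntuser.get_root_key(), usrclass.get_root_key()))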
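def __init__(self, params):
    """Initialise Windows XP file collection; the shadow copy is best-effort.

    ``self.vss`` stays None when a Volume Shadow Copy instance cannot be obtained
    (the original gives no reason for this leniency on XP; presumably shadow copies
    are not always available there), so callers must check it before use. The
    failure is now logged with the exception text instead of being discarded.

    Args:
        params: configuration dict forwarded to the base class and to ``_VSS``.
    """
    super(WindowsXPFiles, self).__init__(params)
    drive = os.path.splitdrive(self.systemroot)[0]
    self.vss = None
    try:
        self.vss = _VSS._get_instance(params, drive)
    except Exception as e:
        # Best-effort: keep running without shadow copies, but record why it failed
        # (the original bound ``e`` and never used it).
        self.logger.warn("Shadow Copy Erreur: %s" % e)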
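def csv_registry(self):
    """Archive the raw registry hives into ``dump_registry.zip`` under ``output_dir``.

    Collects every file directly under ``self.root_reg`` (system hives; only when
    that attribute exists) plus each ``<userprofile>/*/NTUSER.DAT``, read through
    the Volume Shadow Copy root of the file's drive because the live hives are
    locked by the OS. Each file is handed to ``_Archives.record``.
    """
    arch = _Archives(os.path.join(self.output_dir, 'dump_registry.zip'), self.logger)
    if not hasattr(self, 'root_reg'):
        return
    files_to_zip = [
        os.path.join(self.root_reg, f)
        for f in os.listdir(self.root_reg)
        if os.path.isfile(os.path.join(self.root_reg, f))
    ]
    path_ntuserdat = os.path.join(self.userprofile, '*', 'NTUSER.DAT')
    vss_roots = {}  # drive spec -> shadow-copy root, resolved once per drive
    for f in glob.glob(path_ntuserdat):
        if not os.path.isfile(f):
            continue
        drive, rel = os.path.splitdrive(f)
        if drive not in vss_roots:
            vss_roots[drive] = _VSS._get_instance(self.params, drive)._return_root()
        # Plain concatenation, not os.path.join(): ``rel`` starts with a separator
        # and ntpath.join() keeps only the drive of its first argument when the
        # second is rooted, so the original resolved to <drive>\Users\...\NTUSER.DAT,
        # i.e. the live locked hive, not the snapshot copy. This matches how the
        # Vista+ hive loader builds its paths (root + path-without-drive).
        files_to_zip.append(vss_roots[drive] + rel)
    for f in files_to_zip:
        arch.record(f)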
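def csv_registry(self):
    """Archive the raw registry hives into ``dump_registry.zip`` under ``output_dir``.

    Collects every file directly under ``self.root_reg`` (system hives; only when
    that attribute exists) plus each ``<userprofile>/*/NTUSER.DAT``, read through
    the Volume Shadow Copy root of the file's drive because the live hives are
    locked by the OS. Each file is handed to ``_Archives.record``.
    """
    arch = _Archives(os.path.join(self.output_dir, 'dump_registry.zip'), self.logger)
    if not hasattr(self, 'root_reg'):
        return
    files_to_zip = [
        os.path.join(self.root_reg, f)
        for f in os.listdir(self.root_reg)
        if os.path.isfile(os.path.join(self.root_reg, f))
    ]
    path_ntuserdat = os.path.join(self.userprofile, '*', 'NTUSER.DAT')
    vss_roots = {}  # drive spec -> shadow-copy root, resolved once per drive
    for f in glob.glob(path_ntuserdat):
        if not os.path.isfile(f):
            continue
        drive, rel = os.path.splitdrive(f)
        if drive not in vss_roots:
            vss_roots[drive] = _VSS._get_instance(self.params, drive)._return_root()
        # Plain concatenation, not os.path.join(): ``rel`` starts with a separator
        # and ntpath.join() keeps only the drive of its first argument when the
        # second is rooted, so the original resolved to <drive>\Users\...\NTUSER.DAT,
        # i.e. the live locked hive, not the snapshot copy. This matches how the
        # Vista+ hive loader builds its paths (root + path-without-drive).
        files_to_zip.append(vss_roots[drive] + rel)
    for f in files_to_zip:
        arch.record(f)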
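def init_win_vista_and_above(self):
    """Collect the per-user registry hives (NTUSER.DAT and UsrClass.dat) on Vista and later.

    Enumerates the ProfileList key under HKLM, maps each ``ProfileImagePath`` onto
    the Volume Shadow Copy root (the live hives are locked by the OS) and appends
    ``(profile_key_name, ntuser_root_key, usrclass_root_key)`` to ``self.user_hives``.
    Profiles whose hives cannot be opened -- service/system profiles with an
    unexpanded ``%systemroot%``, profiles on another volume, stale entries -- are
    skipped, as in the original.

    Side effects: sets ``self.vss``; extends ``self.user_hives``.
    """
    users = registry_obj.get_registry_key(
        registry_obj.HKEY_LOCAL_MACHINE,
        r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList")
    drive = os.path.splitdrive(self.systemroot)[0]
    params = {"logger": self.logger}
    self.vss = _VSS._get_instance(params, drive)
    if not users:
        return
    vss_root = self.vss._return_root()
    for i in range(users.get_number_of_sub_keys()):
        user = users.get_sub_key(i)
        value = user.get_value_by_name("ProfileImagePath")
        if value is None:
            # NOTE(review): assumes a missing value comes back as None -- skip the
            # subkey instead of aborting the whole enumeration.
            continue
        profile_dir = value.get_data()
        # Rewrite only the leading drive spec. The original str.replace() rewrote
        # every occurrence of e.g. "C:" in the path. A profile on another volume
        # keeps pointing at the live (locked) hive and is dropped by the IOError below.
        if profile_dir.startswith(drive):
            profile_dir = vss_root + profile_dir[len(drive):]
        ntuser_path = profile_dir + r"\NTUSER.DAT"
        # Single separator before UsrClass.dat: the original raw string produced
        # "Windows\\UsrClass.dat" (a doubled backslash).
        usrclass_path = profile_dir + r"\AppData\Local\Microsoft\Windows\UsrClass.dat"
        try:
            ntuser = registry_obj.RegfFile()
            ntuser.open(ntuser_path)
            usrclass = registry_obj.RegfFile()
            usrclass.open(usrclass_path)
        except IOError:
            # Not a user profile, or the hive is not reachable through the snapshot.
            # NOTE(review): if UsrClass.dat fails after NTUSER.DAT opened, the first
            # RegfFile is dropped without an explicit close -- confirm RegfFile
            # releases its handle on garbage collection.
            continue
        self.user_hives.append(
            (user.get_name(), ntuser.get_root_key(), usrclass.get_root_key()))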
def __init__(self, params):
    """Set up Windows Server 2008 file collection on top of the base class.

    Obtains the Volume Shadow Copy instance for the drive holding
    ``self.systemroot`` (expected to be set by the base ``__init__``) and stores
    it as ``self.vss``.

    Args:
        params: configuration dict forwarded to the base class and to ``_VSS``.
    """
    super(Windows2008ServerFiles, self).__init__(params)
    system_drive = os.path.splitdrive(self.systemroot)[0]
    self.vss = _VSS._get_instance(params, system_drive)
def __init__(self, params):
    """Set up Windows 8 file collection on top of the base class.

    Obtains the Volume Shadow Copy instance for the drive holding
    ``self.systemroot`` (expected to be set by the base ``__init__``) and stores
    it as ``self.vss``.

    Args:
        params: configuration dict forwarded to the base class and to ``_VSS``.
    """
    super(Windows8Files, self).__init__(params)
    system_drive = os.path.splitdrive(self.systemroot)[0]
    self.vss = _VSS._get_instance(params, system_drive)
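def __init__(self, params):
    """Set up the Windows 8 registry dump: point ``root_reg`` at the snapshot's hive directory.

    ``self.root_reg`` becomes ``<vss root>/Windows/System32/config`` -- the live
    hives under %SystemRoot% are locked, so they are read through the Volume
    Shadow Copy root instead. Unlike the *Files classes, no drive is passed to
    ``_VSS._get_instance`` here; presumably its default applies -- confirm.

    Args:
        params: configuration dict forwarded to the base class and to ``_VSS``.
    """
    super(Windows8Dump, self).__init__(params)
    vss_root = _VSS._get_instance(params)._return_root()
    # Build the path from components rather than the original non-raw literal
    # 'Windows\System32\config': its "\S" and "\c" are invalid escape sequences
    # (kept literally by Python 2, a warning/error risk on newer interpreters).
    self.root_reg = os.path.join(vss_root, 'Windows', 'System32', 'config')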
def __init__(self, params):
    """Set up Windows 8.1 file collection on top of the base class.

    Records the user-profile directory from ``params['USERPROFILE']`` (a missing
    key raises KeyError, as in the original) and obtains the Volume Shadow Copy
    instance for the drive holding ``self.systemroot``, stored as ``self.vss``.

    Args:
        params: configuration dict; must contain ``'USERPROFILE'``.
    """
    super(Windows8_1Files, self).__init__(params)
    self.userprofile = params['USERPROFILE']
    system_drive = os.path.splitdrive(self.systemroot)[0]
    self.vss = _VSS._get_instance(params, system_drive)