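def find_usbstor_info(config):
    """
    Find all usb informations present in the
        SYSTEM\\CurrentControlSet\\Enum\\USBSTOR registry key.

    Arguments: The Configuration object for the analyzed disk (its
               system_hive and current_control_set attributes are read).

    Return: A list of all the present informations, one list per device
            serial number (the first entry seen for a serial number wins):
            [last write time, serial number, usb type, vendor, product id,
             revision, friendly name].

    Raises: Whatever registry.find_key_start_with raises when the hive can't
            be read. Previously a `return` inside `finally` masked every
            exception, so a hive that failed to parse looked like a disk with
            no (or fewer) USB devices. Entries whose key name doesn't have the
            expected "<type>&<vendor>&<product>&<revision>\\<serial>" shape
            are skipped instead of aborting the whole scan.
    """
    usbstor_info_list = []
    seen_serial_numbers = set()
    usbstor_path = config.current_control_set + "\\Enum\\USBSTOR"
    for usb_info in registry.find_key_start_with(config.system_hive, usbstor_path):
        if "FriendlyName" not in usb_info['Name']:
            continue
        try:
            name_parts = usb_info['Name'].split("\\")
            serial_number = str(name_parts[4])
            # The device key is expected to hold exactly four '&'-separated
            # fields (type, vendor, product id, revision); anything else is
            # treated as malformed and skipped below.
            usb_type, usb_vendor, usb_product_id, usb_revision = \
                name_parts[3].split("&")
            last_write = usb_info['Last Write Time']
            friendly_name = str(usb_info['Value'])
        except (KeyError, IndexError, ValueError):
            # Unexpected entry shape: skip it rather than lose the rest.
            continue
        if serial_number in seen_serial_numbers:
            continue
        seen_serial_numbers.add(serial_number)
        usbstor_info_list.append([last_write, serial_number, usb_type,
                                  usb_vendor, usb_product_id, usb_revision,
                                  friendly_name])
    return usbstor_info_list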
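def get_sid_and_folder_from_username(config, username):
    """
    Find the SID and profile folder of a user from its username.
    The information is taken from the ProfileImagePath values under the
    SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\ProfileList registry key.

    Arguments:  The Configuration object for the analyzed disk (its
                software_hive attribute is read).
                The username to look for; it is compared, case-sensitively,
                with the last path component of each ProfileImagePath.

    Return: A list [sid, profile folder] for the first matching profile, or
            ['Unknown', 'Unknown'] when no profile matches.

    Raises: Whatever registry.find_key_start_with raises when the hive can't
            be read. The former bare `except:` turned any failure (including
            KeyboardInterrupt) into ['Unknown', 'Unknown'], which hid parsing
            problems behind a plausible-looking result. Entries without the
            expected shape are skipped individually.
    """
    profile_list_path = "Microsoft\\Windows NT\\CurrentVersion\\ProfileList"
    for key in registry.find_key_start_with(config.software_hive, profile_list_path):
        if "ProfileImagePath" not in key['Name']:
            continue
        try:
            profile_path = key['Value']
            if profile_path.split("\\")[-1] != username:
                continue
            # Key name is "...\ProfileList\<SID>\ProfileImagePath", so the SID
            # is the fifth backslash-separated component (index 4).
            sid = str(key['Name'].split("\\")[4])
        except (KeyError, IndexError, AttributeError):
            # Entry without the expected shape: skip it rather than give up.
            continue
        return [sid, str(profile_path)]
    return ['Unknown', 'Unknown']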
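 def get_users_hives(self, users_hives):
     """
     Return the list of (username, NTUSER.DAT path) pairs to analyze.

     Arguments: users_hives, an optional list of (username, hive path) pairs
                given by the caller. When it is non-empty every path is
                checked to exist and the list is returned unchanged;
                otherwise a new list is built from the SAM users
                (self.sam_hive) and the ProfileList of the SOFTWARE hive
                (self.software_hive), relative to the mounted disk root
                (self.folder).

     Return: The validated users_hives list, or a new list of
             (username, path) pairs for every SAM user whose profile folder
             contains an NTUSER.DAT file under self.folder.

     Raises: FileNotFoundError (still an Exception subclass, so existing
             `except Exception` callers keep working) when a given hive
             path doesn't exist.
     """
     if users_hives:
         for (username, hive) in users_hives:
             if not os.path.isfile(hive):
                 raise FileNotFoundError("Given user hive " + hive + " not found !")
         return users_hives

     # Read the ProfileList once instead of once per SAM user; keep the
     # (last path component, full ProfileImagePath) pairs in registry order
     # so the matching below behaves exactly as the per-user scan did.
     profile_paths = [
         (k['Value'].split("\\")[-1], k['Value'])
         for k in registry.find_key_start_with(
             self.software_hive,
             "Microsoft\\Windows NT\\CurrentVersion\\ProfileList")
         if "ProfileImagePath" in k['Name']
     ]
     found_hives = []
     sam_info = registry.samparse(self.sam_hive)
     for username in sam_info['users']:
         for folder_name, profile_path in profile_paths:
             if folder_name != username:
                 continue
             # Drop the leading "X:\" and switch to forward slashes so the
             # profile path can be appended to the mounted disk folder.
             # NOTE(review): this assumes a drive-letter path; a value such
             # as "%SystemDrive%\..." would not be handled — confirm.
             user_folder = str(profile_path[3:].replace("\\", "/"))
             hive_path = self.folder + user_folder + "/NTUSER.DAT"
             if os.path.isfile(hive_path):
                 found_hives.append((username, hive_path))
     return found_hives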
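def find_usb_user(config, guid):
    """
    Find the user (if any) that used the specific usb device.
    This information is contained in the NTUSER.DAT\\SOFTWARE\\Microsoft\\Windows\\
        CurrentVersion\\Explorer\\MountPoints2 registry key.

    Arguments:  The Configuration object for the analyzed disk (its
                users_hives list of (username, NTUSER.DAT path) pairs is read).
                The guid of the device.

    Return: The username of the first user whose MountPoints2 key name
            contains the guid.
            The string "User couldn't be found :(" when no hive mentions the
            guid, or when none of the hives could be read.
    """
    not_found = "User couldn't be found :("
    mountpoints2_path = ("Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\"
                         "MountPoints2")
    for user, user_hive in config.users_hives:
        try:
            for key in registry.find_key_start_with(user_hive, mountpoints2_path):
                if guid in key['Name']:
                    return user
        except Exception:
            # One unreadable or corrupt NTUSER.DAT must not stop the lookup in
            # the remaining users' hives; the former bare `except:` around the
            # whole loop gave up on the first failure.
            continue
    return not_found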
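def find_usb_info(config):
    """
    Find all usb informations present in the SYSTEM\\CurrentControlSet\\Enum\\USB
        registry key.

    Arguments: The Configuration object for the analyzed disk (its
               system_hive and current_control_set attributes are read).

    Return: A list of all the present informations, one list per device
            serial number (the first entry seen for a serial number wins):
            [last write time, serial number, device identifier]. The device
            identifier is the key component made of a vendor id (VID), a
            product id (PID) and possibly an MI number.

    Raises: Whatever registry.find_key_start_with raises when the hive can't
            be read. Entries whose key name has no serial number component
            are skipped instead of raising IndexError.
    """
    usb_info_list = []
    seen_serial_numbers = set()
    usb_path = config.current_control_set + "\\Enum\\USB"
    for usb_info in registry.find_key_start_with(config.system_hive, usb_path):
        name_parts = usb_info['Name'].split("\\")
        if len(name_parts) < 5:
            # Entry above the serial-number level (e.g. directly under the
            # VID/PID key): nothing to report for it.
            continue
        pid_vid = name_parts[3]
        serial_number = str(name_parts[4])
        if serial_number in seen_serial_numbers:
            continue
        seen_serial_numbers.add(serial_number)
        usb_info_list.append([usb_info['Last Write Time'], serial_number, pid_vid])
    return usb_info_list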