def find_usbstor_info(config):
"""
Find all usb informations present in the
SYSTEM\CurrentControlSet\Enum\USBSTOR registry key.
Arguments: The Configuration object for the analyzed disk.
Return: A list of all the present informations by tuple.
For Windows XP, a tuple contains the usb type, vendor, product,
version, serial number and parent prefix id.
For other Windows versions, a tuple contains the same informations
with the exception of the parent prefix id which doesn't exist
anymore.
"""
usbstor_info_list = []
serial_number_list = []
try:
for usb_info in registry.find_key_start_with(config.system_hive,
config.current_control_set + "\\Enum\\USBSTOR"):
if "FriendlyName" in usb_info['Name']:
last_write = usb_info['Last Write Time']
serial_number = str(usb_info['Name'].split("\\")[4])
usb_type, usb_vendor, usb_product_id, usb_revision = \
usb_info['Name'].split("\\")[3].split("&")
friendly_name = str(usb_info['Value'])
if serial_number not in serial_number_list:
usbstor_info_list.append([last_write, serial_number,
usb_type, usb_vendor, usb_product_id, usb_revision,
friendly_name])
serial_number_list.append(serial_number)
finally:
return usbstor_info_list
def get_sid_and_folder_from_username(config, username):
try:
for key in (k for k in registry.find_key_start_with(
config.software_hive,
"Microsoft\\Windows NT\\CurrentVersion\\ProfileList")
if "ProfileImagePath" in k['Name']):
if key['Value'].split("\\")[-1] == username:
sid = str(key['Name'].split("\\")[4])
user_folder = str(key['Value'])
return [sid, user_folder]
return ['Unknown', 'Unknown']
except:
return ['Unknown', 'Unknown']
def get_users_hives(self, users_hives):
if users_hives:
for (username, hive) in users_hives:
if not os.path.isfile(hive):
raise Exception("Given user hive " + hive + " not found !")
return users_hives
else:
users_hives=[]
sam_info = registry.samparse(self.sam_hive)
for user in sam_info['users']:
username = user
for key in (k for k in registry.find_key_start_with(
self.software_hive,
"Microsoft\\Windows NT\\CurrentVersion\\ProfileList")
if "ProfileImagePath" in k['Name']):
if key['Value'].split("\\")[-1] == username:
user_folder = str(key['Value'][3:].replace("\\", "/"))
if os.path.isfile(self.folder + user_folder +
"/NTUSER.DAT"):
users_hives.append((username,
self.folder + user_folder + "/NTUSER.DAT"))
return users_hives
def find_usb_user(config, guid):
"""
Find the user (if any) that used the specific usb device.
This information is contained in the NTUSER.DAT\SOFTWARE\Microsoft\Windows\
CurrentVersion\Explorer\MountPoints2 registry key.
Arguments: The Configuration object for the analyzed disk.
The guid of the device.
Return: The username of the user who used the device.
A None object if the information can't be retrieved.
"""
try:
for user, user_hive in config.users_hives:
for key in registry.find_key_start_with(user_hive,
"Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\" +
"MountPoints2"):
if guid in key['Name']:
return user
return "User couldn't be found :("
except:
return "User couldn't be found :("
def find_usb_info(config):
"""
Find all usb informations present in the SYSTEM\CurrentControlSet\Enum\USB
registry key.
Arguments: The Configuration object for the analyzed disk.
Return: A list of all the present informations by tuple.
A tuple contains the serial number of the device and the
identifiant of the device composed by a vendor id (VID), a product
id (PID) and eventually a MI number.
"""
usb_info_list = []
serial_number_list = []
for usb_info in registry.find_key_start_with(config.system_hive,
config.current_control_set + "\\Enum\\USB"):
last_write = usb_info['Last Write Time']
pid_vid = usb_info['Name'].split("\\")[3]
serial_number = str(usb_info['Name'].split("\\")[4])
if serial_number not in serial_number_list:
usb_info_list.append([last_write, serial_number, pid_vid])
serial_number_list.append(serial_number)
return usb_info_list
