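def get_USB(self):
    """Return one record per USB storage device instance found under USBSTOR.

    Walks ``ControlSet00N\\Enum\\USBSTOR\\<device>\\<instance>`` in the SYSTEM
    hive (N comes from ``__control_set_check``) and flattens every value of
    each instance key into one dict together with that key's last-written
    time.

    Returns:
        list[dict]: one dict per instance key with ``TimeZone``,
        ``Last Written Time``, ``Device Name`` (the USBSTOR subkey name) and
        one ``<value name> -> <value data>`` entry per registry value; -1
        when the USBSTOR key cannot be opened.
    """
    try:
        path = "ControlSet00%s\\Enum\\USBSTOR" % self.__control_set_check(
            self.__reg)
        recent = self.__reg.open(path)
    except Exception:
        print("Plz Check the file. This file is ", self.__reg.hive_type())
        return -1

    ret_list = []
    for device in recent.subkeys():
        # The subkey objects are the instance keys themselves; there is no
        # need to re-open them by rebuilding the path.
        for instance in device.subkeys():
            written = r_time(instance.timestamp())
            usb_obj = {
                "TimeZone": written.strftime("%Z"),
                "Last Written Time": written.strftime("%Y-%m-%d %H:%M:%S"),
                "Device Name": device.name(),
            }
            # Value names are taken verbatim, so a registry value named like
            # one of the three keys above would overwrite it.
            for k in instance.values():
                usb_obj[k.name()] = k.value()
            # One record per instance key, even when it holds no values.
            ret_list.append(usb_obj)
    return ret_list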
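def find_value(self, key):
    """Dump every value of the registry key *key* into a single dict.

    Values whose name contains ``"Time"`` and whose type is REG_BINARY are
    treated as binary timestamps: converted through ``__bin_to_int`` and
    ``c_time`` and rendered as ``%Y-%m-%d %H:%M:%S``.  Every other value is
    stored as-is.  The dict always carries the key's ``TimeZone``,
    ``Key Path`` and ``Last Written Time`` (previously these were only set
    when a non-timestamp value happened to be present).

    Args:
        key: registry key path relative to the hive root.

    Returns:
        list[dict]: a one-element list holding the dict, or -1 when the key
        cannot be opened.
    """
    try:
        key_path = self.__reg.open(key)
    except Exception:
        print("[-] Plz Check the path or file")
        return -1

    written = r_time(key_path.timestamp())
    all_value = {
        "TimeZone": written.strftime("%Z"),
        "Key Path": key,
        "Last Written Time": written.strftime("%Y-%m-%d %H:%M:%S"),
    }
    for i in key_path.values():
        # Case-sensitive substring match, same as the original regex.
        if "Time" in i.name() and i.value_type() == Registry.RegBin:
            all_value[i.name()] = c_time(
                self.__bin_to_int(i.value())).strftime("%Y-%m-%d %H:%M:%S")
        else:
            # A value named like one of the metadata keys above overwrites it.
            all_value[i.name()] = i.value()
    return [all_value]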
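def get_recent_docs(self):
    """Return the Explorer RecentDocs entries of the user hive.

    Each value's data is UTF-16 text in which the document name ends at the
    first NUL; only that part is kept.  The first value yielded by the
    library is skipped (presumably the MRU ordering value rather than a
    document entry — confirm against a hive).

    Returns:
        list[dict]: entries with ``TimeZone``, ``Last Written time``,
        ``name`` and ``data``; -1 when the key cannot be opened.
    """
    try:
        # Raw string: the original literal relied on "\M", "\W", ... being
        # invalid escapes that Python keeps verbatim (a SyntaxWarning on 3.12+).
        recent = self.__reg.open(
            r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs")
    except Exception:
        print("Plz Check the file. This file is ", self.__reg.hive_type())
        return -1

    written = r_time(recent.timestamp())
    ret_list = []
    for i, v in enumerate(recent.values()):
        if i == 0:
            continue
        ret_list.append({
            "TimeZone": written.strftime('%Z'),
            "Last Written time": written.strftime('%Y-%m-%d %H:%M:%S'),
            "name": v.name(),
            # Odd-length or otherwise malformed data would abort the whole
            # dump; replacement keeps the remaining entries readable.
            "data": v.value().decode('utf-16', errors='replace').split('\x00')[0],
        })
    return ret_list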
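def get_os_info(self):
    """Return basic OS identification from the SOFTWARE hive.

    Reads ``Microsoft\\Windows NT\\CurrentVersion`` and reports
    CurrentVersion, CurrentBuild, InstallDate (plus its TimeZone),
    RegisteredOwner, EditionID and ProductName.  Fields that are absent or
    equal to the empty string are reported as ``"N/A"``; any other value is
    passed through unchanged.

    Returns:
        list[dict]: a one-element list with the seven fields above, or -1
        when the key cannot be opened.
    """
    try:
        os_info = self.__reg.open("Microsoft\\Windows NT\\CurrentVersion")
    except Exception:
        print("Plz Check the file. This file is ", self.__reg.hive_type())
        return -1

    copied = ("CurrentVersion", "CurrentBuild", "RegisteredOwner",
              "EditionID", "ProductName")
    os_dict = {}
    for v in os_info.values():
        name = v.name()
        if name in copied:
            os_dict[name] = v.value()
        elif name == "InstallDate":
            # InstallDate is a Unix epoch.  It is expanded with gmtime and
            # folded back with mktime before r_time is applied, exactly as
            # before.  NOTE(review): mktime interprets the gmtime struct as
            # local time, so value_time is shifted by the local UTC offset
            # unless r_time compensates — confirm against a known hive.
            value_time = datetime.fromtimestamp(
                mktime(time.gmtime(v.value())))
            os_dict['TimeZone'] = r_time(value_time).strftime("%Z")
            os_dict['InstallDate'] = r_time(value_time).strftime(
                "%Y-%m-%d %H:%M:%S")

    fields = ("CurrentVersion", "CurrentBuild", "TimeZone", "InstallDate",
              "RegisteredOwner", "EditionID", "ProductName")
    os_obj = {
        name: "N/A" if name not in os_dict or os_dict[name] == '' else os_dict[name]
        for name in fields
    }
    return [os_obj]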
def __print_path(self, find_val, reg_key, ktime):
    """Append a search-hit record for *reg_key* to the shared result list.

    Args:
        find_val: the keyword that matched.
        reg_key: full key path; its first component is reported as the root
            key and the remainder as the search key path.
        ktime: the key's timestamp, rendered through r_time.

    Returns:
        the accumulated ``self.__ret_list`` (the same list object).
    """
    root, *rest = reg_key.split("\\")
    written = r_time(ktime)
    self.__ret_list.append({
        "TimeZone": written.strftime("%Z"),
        "Last Written Time": written.strftime("%Y-%m-%d %H:%M:%S"),
        "Search Keyword": find_val,
        "Root Key": root,
        "Search Key Path": "\\".join(rest),
    })
    return self.__ret_list
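def __print_ms(self, recent, version):
    """Turn an Office recent-file / File MRU key into path records.

    Each value's raw data is decoded as UTF-16; the text after the first
    ``*`` is the file path and its last character is dropped (presumably a
    trailing NUL — confirm against a hive).  Values without a ``*`` are
    skipped instead of aborting the whole list with an IndexError.

    Args:
        recent: the opened registry key.
        version: Office version string recorded in every entry.

    Returns:
        list[dict]: entries with ``Version``, ``TimeZone``,
        ``MS Key Last Written time`` and ``path``.
    """
    written = r_time(recent.timestamp())
    ms_list = []
    for v in recent.values():
        text = v.raw_data().decode('utf-16')
        if "*" not in text:
            continue
        file_name = text.split("*")[1]
        ms_list.append({
            "Version": version,
            "TimeZone": written.strftime('%Z'),
            "MS Key Last Written time": written.strftime('%Y-%m-%d %H:%M:%S'),
            "path": file_name[:-1],
        })
    return ms_list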
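def get_IE_visit(self):
    """Return the Internet Explorer TypedURLs entries of the user hive.

    Every value under ``Software\\Microsoft\\Internet Explorer\\TypedURLs``
    is one typed URL; the key's last-written time is attached to each entry.

    Returns:
        list[dict]: entries with ``time``, ``TimeZone`` and ``data``; -1 when
        the key cannot be opened.
    """
    try:
        # Raw string: the original relied on "\M", "\I", "\T" being invalid
        # escapes that Python keeps verbatim (a SyntaxWarning on 3.12+).
        recent = self.__reg.open(
            r"Software\Microsoft\Internet Explorer\TypedURLs")
    except Exception:
        print("Plz Check the file. This file is ", self.__reg.hive_type())
        return -1

    written = r_time(recent.timestamp())
    return [
        {
            "time": written.strftime("%Y-%m-%d %H:%M:%S"),
            "TimeZone": written.strftime("%Z"),
            "data": v.value(),
        }
        for v in recent.values()
    ]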
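def user_name(self):
    """Return the local account names from the SAM hive.

    Each subkey of ``SAM\\Domains\\Account\\Users\\Names`` is one account;
    the record carries the account name and that key's last-written time.

    Returns:
        list[dict]: entries with ``UserName``, ``TimeZone`` and
        ``Last Written Time``; -1 when the key cannot be opened.
    """
    try:
        user = self.__reg.open("SAM\\Domains\\Account\\Users\\Names")
    except Exception:
        print("Plz Check the file. This file is ", self.__reg.hive_type())
        return -1

    ret_list = []
    for items in user.subkeys():
        written = r_time(items.timestamp())
        ret_list.append({
            'UserName': items.name(),
            'TimeZone': written.strftime("%Z"),
            'Last Written Time': written.strftime("%Y-%m-%d %H:%M:%S"),
        })
    return ret_list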
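def get_recent_MRU(self):
    """Return the Explorer RunMRU entries (Start > Run history) of the user hive.

    Every value under ``...\\Explorer\\RunMRU`` is one entry; the key's
    last-written time is attached to each.

    Returns:
        list[dict]: entries with ``TimeZone``, ``Last Written time``, ``name``
        and ``data``; -1 when the key cannot be opened.
    """
    try:
        # Raw string: the original relied on "\M", "\W", ... being invalid
        # escapes that Python keeps verbatim (a SyntaxWarning on 3.12+).
        recent = self.__reg.open(
            r"Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU")
    except Exception:
        print("Plz Check the file. This file is ", self.__reg.hive_type())
        return -1

    written = r_time(recent.timestamp())
    return [
        {
            "TimeZone": written.strftime('%Z'),
            "Last Written time": written.strftime('%Y-%m-%d %H:%M:%S'),
            "name": v.name(),
            "data": v.value(),
        }
        for v in recent.values()
    ]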
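def __processing(self, reg_list, keyList):
    """Convert tab-separated text rows into dicts keyed by *keyList*.

    The first two rows of *reg_list* are skipped (presumably a header and a
    separator line — confirm against the producer).  Cells whose key contains
    ``"Date"`` or ``"Time"`` are parsed as ``%Y-%m-%d %H:%M:%S.%f`` after
    their last character is dropped, re-rendered through r_time, and a
    ``TimeZone`` field is added to the row; the literal ``"N/A"`` is kept
    verbatim.

    Args:
        reg_list: text rows, each a tab-separated line (a trailing newline is
            removed).
        keyList: column names indexed by column position; a row with more
            cells than names raises IndexError, as before.

    Returns:
        list[dict]: one dict per data row.
    """
    ret_list = []
    for row in reg_list[2:]:
        ret_obj = {}
        for idx, cell in enumerate(row.replace('\n', '').split('\t')):
            key = keyList[idx]
            if ("Date" in key or "Time" in key) and cell != "N/A":
                # The last character is stripped before parsing; the producer
                # presumably appends a marker after the fraction — confirm.
                parsed = datetime.strptime(cell[:-1], "%Y-%m-%d %H:%M:%S.%f")
                ret_obj["TimeZone"] = r_time(parsed).strftime("%Z")
                ret_obj[key] = r_time(parsed).strftime("%Y-%m-%d %H:%M:%S")
            else:
                ret_obj[key] = cell
        ret_list.append(ret_obj)
    return ret_list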
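def __print_hwp(self, recent, version):
    """Turn an HWP recent-file key into path records.

    Only REG_BINARY values are used; each is decoded as UTF-16 and cut at
    the first NUL.  Values of any other type are ignored.

    Args:
        recent: the opened registry key.
        version: version string recorded in every entry.

    Returns:
        list[dict]: entries with ``Version``, ``TimeZone``,
        ``MS Key Last Written time``, ``Name`` and ``Path``.
    """
    written = r_time(recent.timestamp())
    hwp_list = []
    for v in recent.values():
        if v.value_type() != Registry.RegBin:
            continue
        hwp_list.append({
            "Version": version,
            "TimeZone": written.strftime('%Z'),
            # Key name kept for output compatibility with __print_ms.
            "MS Key Last Written time": written.strftime('%Y-%m-%d %H:%M:%S'),
            "Name": v.name(),
            "Path": v.value().decode("utf-16").split("\x00")[0],
        })
    return hwp_list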
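def get_path(self, path, length):
    """List the directory *path* on the filesystem opened at sector *length*.

    Every partition start sector of the volume is appended to
    ``self.__partition_list`` and the list is printed so the caller can pick
    one.  NOTE(review): the list is appended on every call and never
    de-duplicated, so repeated calls print a growing list.

    Args:
        path: directory path inside the filesystem.
        length: start sector handed to ``open_fs``.

    Returns:
        list[dict]: one record per directory entry.  Entries without
        metadata are reported as ``"Delete"`` with ``"None"`` placeholders;
        the others as ``"Exist"`` with the size and the four timestamps
        (``TimeZone`` is taken from the creation time).  -1 when the
        filesystem or the directory cannot be opened or read.
    """
    for partition in self.__vol:
        self.__partition_list.append(partition.start)
    print("please input argument partition start sector : ",
          self.__partition_list)

    try:
        fs = self.open_fs(length)
    except Exception:
        # Previously execution carried on with `fs` unbound and the resulting
        # NameError surfaced as the misleading "not included" message below.
        print("[-] Plz Check Disk Area")
        return -1

    type_names = {"TSK_FS_NAME_TYPE_REG": "FILE", "TSK_FS_NAME_TYPE_DIR": "DIR"}
    ret_list = []
    try:
        for entry in fs.open_dir(path):
            raw_type = str(entry.info.name.type)
            file_type = type_names.get(raw_type, raw_type)
            file_name = entry.info.name.name.decode()
            meta = entry.info.meta
            if meta is None:
                ret_list.append({
                    "file_name": file_name,
                    "file_type": file_type,
                    "Type": "Delete",
                    "size": "None",
                    "TimeZone": "None",
                    "ctime": "None",
                    "mtime": "None",
                    "atime": "None",
                    "change time": "None",
                })
                continue
            crtime = r_time(self.__cal_time(meta.crtime))
            ret_list.append({
                "file_name": file_name,
                "file_type": file_type,
                "Type": "Exist",
                "size": str(meta.size),
                "TimeZone": crtime.strftime("%Z"),
                "ctime": crtime.strftime("%Y-%m-%d %H:%M:%S"),
                "mtime": r_time(self.__cal_time(
                    meta.mtime)).strftime("%Y-%m-%d %H:%M:%S"),
                "atime": r_time(self.__cal_time(
                    meta.atime)).strftime("%Y-%m-%d %H:%M:%S"),
                "change time": r_time(self.__cal_time(
                    meta.ctime)).strftime("%Y-%m-%d %H:%M:%S"),
            })
        return ret_list
    except Exception as exc:
        # Kept as a best-effort boundary (callers test for -1); the exception
        # is shown so the real cause is no longer hidden.
        print("[-] This is not included this path or Not data", exc)
        return -1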
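def get_ms_office(self):
    """Collect MS Office recent-document (MRU) entries from the user hive.

    Enumerates ``Software\\Microsoft\\Office`` for numeric version subkeys
    and, per version, reads the Excel/PowerPoint/Word recent-file keys plus
    the Outlook key where that layout has one:

    * ``11.0``: ``Excel\\Recent Files``, ``<App>\\Recent File List``.
    * ``12.0`` / ``15.0``: ``<App>\\File MRU`` and ``Outlook\\PST``.
    * ``16.0``: ``<App>\\User MRU\\<LiveId>\\File MRU`` for every LiveId
      subkey of each app, and ``Outlook\\Search``.

    A version with none of these layouts contributes nothing (the previous
    implementation re-emitted the preceding version's entries for it), and
    the version recorded in Outlook entries is the Office version rather
    than a loop index.

    Returns:
        list[dict]: entries with ``Version``, ``TimeZone``,
        ``MS Key Last Written time`` and ``path``; -1 when the Office key
        cannot be opened.
    """
    try:
        path = "Software\\Microsoft\\Office"
        version = self.__reg.open(path)
    except Exception:
        print("Plz Check the file. This file is ", self.__reg.hive_type())
        return -1

    ret_list = []
    for items in version.subkeys():
        # Only numeric subkey names are product versions; names such as
        # "Common" are skipped.
        try:
            float(items.name())
        except ValueError:
            continue
        ret_list += self.__ms_office_version(path, items.name())
    return ret_list

def __ms_office_version(self, path, ver):
    """Return every recent-file entry of one Office version, choosing the key layout by *ver*."""
    base = path + "\\" + ver
    if ver == '11.0':
        return (self.__ms_recent(base + "\\Excel\\Recent Files", ver)
                + self.__ms_recent(base + "\\PowerPoint\\Recent File List", ver)
                + self.__ms_recent(base + "\\Word\\Recent File List", ver))
    if ver in ('12.0', '15.0'):
        return (self.__ms_outlook(base + "\\Outlook\\PST", ver, from_data=True)
                + self.__ms_recent(base + "\\Excel\\File MRU", ver)
                + self.__ms_recent(base + "\\PowerPoint\\File MRU", ver)
                + self.__ms_recent(base + "\\Word\\File MRU", ver))
    if ver == '16.0':
        entries = self.__ms_outlook(base + "\\Outlook\\Search", ver,
                                    from_data=False)
        for app in ("Excel", "PowerPoint", "Word"):
            # Office 2016 keeps one File MRU per signed-in account under
            # User MRU\<LiveId>; every account is read, not only the first.
            for live_id in self.__ms_subkey_names(base + "\\%s\\User MRU" % app):
                entries += self.__ms_recent(
                    base + "\\%s\\User MRU\\%s\\File MRU" % (app, live_id), ver)
        return entries
    return []

def __ms_subkey_names(self, key_path):
    """Return the subkey names of *key_path*, or [] when it cannot be opened."""
    try:
        return [k.name() for k in self.__reg.open(key_path).subkeys()]
    except Exception:
        return []

def __ms_recent(self, key_path, ver):
    """Parse one recent-file key with __print_ms; [] when the key is missing or unreadable."""
    try:
        return self.__print_ms(self.__reg.open(key_path), ver)
    except Exception:
        return []

def __ms_outlook(self, key_path, ver, *, from_data):
    """Build Outlook entries from *key_path*.

    With ``from_data`` the path is the value's UTF-16 data minus its last
    character (the PST list); otherwise it is the value's name (the Search
    list).  Returns [] when the key is missing or any value cannot be read,
    matching the original all-or-nothing handling.
    """
    try:
        key = self.__reg.open(key_path)
        written = r_time(key.timestamp())
        entries = []
        for v in key.values():
            if from_data:
                file_name = v.raw_data().decode('utf-16')[:-1]
            else:
                file_name = v.name()
            entries.append({
                "Version": ver,
                "TimeZone": written.strftime('%Z'),
                "MS Key Last Written time": written.strftime(
                    '%Y-%m-%d %H:%M:%S'),
                "path": file_name,
            })
        return entries
    except Exception:
        return []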