def csv_user_assist_value_decode_before_win7(str_value_datatmp, count_offset):
    """Decode one pre-Windows 7 UserAssist ``Count`` value.

    The 16-byte value is read as fixed-position fields, each one going
    through ``get_int_from_reversed_string`` (the bytes are stored in the
    reverse order of the integer they encode):

        bytes 0-3   session id
        bytes 4-7   run count (``count_offset + 1`` is added to it)
        bytes 8-15  FILETIME of the last execution

    :param str_value_datatmp: raw registry value data; a blob shorter than
        16 bytes is not rejected here and simply gives truncated fields
    :param count_offset: offset added to the stored run counter
    :return: ``[session, count, last_exec]`` as text, ``last_exec`` being
        the empty string when ``convert_windate`` raises ``ValueError``
    """
    session_raw = str_value_datatmp[0:4]
    count_raw = str_value_datatmp[4:8]
    timestamp_raw = str_value_datatmp[8:16]

    session = unicode(get_int_from_reversed_string(session_raw))
    run_count = unicode(get_int_from_reversed_string(count_raw) + count_offset + 1)

    # Only the timestamp conversion is expected to fail; a FILETIME that
    # convert_windate rejects is reported as an empty column rather than
    # aborting the whole value.
    try:
        last_exec = convert_windate(get_int_from_reversed_string(timestamp_raw))
    except ValueError:
        last_exec = None

    return [session, run_count, last_exec if last_exec else ""]
def __decode_section_a(self, format_version, content, section_a):
    """Decode the first file-metrics entry of section A of a prefetch file.

    Only the entry that starts at ``section_a`` is read; the entry count
    from the header is not consulted here.  Format version 17 has no
    average-duration field, so its filename offset/length sit 4 bytes
    earlier than in the newer layout.

    :param format_version: prefetch format version from the file header
    :param content: whole file content as a byte string
    :param section_a: absolute offset of section A inside ``content``
    :return: dict with ``start_time``, ``duration``, ``average_duration``
        (``''`` for version 17), ``filename_offset`` and ``filename_nb_char``
    """
    def field_at(offset):
        # Every field is a 4-byte slice handed to the reversing helper.  A
        # truncated ``content`` gives a short slice, not an IndexError.
        return get_int_from_reversed_string(content[offset:offset + 4])

    if format_version == 17:
        layout = ('start_time', 'duration', 'filename_offset', 'filename_nb_char')
        decoded = {name: field_at(section_a + 4 * i) for i, name in enumerate(layout)}
        decoded['average_duration'] = ''
    else:
        layout = ('start_time', 'duration', 'average_duration',
                  'filename_offset', 'filename_nb_char')
        decoded = {name: field_at(section_a + 4 * i) for i, name in enumerate(layout)}
    return decoded
def csv_user_assist_value_decode_win7_and_after(str_value_datatmp, count_offset):
    """Decode one UserAssist ``Count`` value in the Windows 7 and later layout.

    Fields read from the value, each through ``get_int_from_reversed_string``:

        bytes 0-3    session id
        bytes 4-7    run count (``count_offset + 1`` is added to it)
        bytes 12-15  focus count
        bytes 60-67  FILETIME of the last execution

    :param str_value_datatmp: raw registry value data; the layout needs at
        least 68 bytes, a shorter blob is not rejected and gives truncated
        fields
    :param count_offset: offset added to the stored run counter
    :return: ``[session, count, focus, last_exec]`` as text, ``last_exec``
        being the empty string when ``convert_windate`` raises ``ValueError``
    """
    fields = [
        unicode(get_int_from_reversed_string(str_value_datatmp[0:4])),
        unicode(get_int_from_reversed_string(str_value_datatmp[4:8]) + count_offset + 1),
        unicode(get_int_from_reversed_string(str_value_datatmp[12:16])),
    ]

    # The timestamp is the only field whose conversion may fail; report it
    # as an empty column instead of dropping the whole value.
    try:
        last_exec = convert_windate(get_int_from_reversed_string(str_value_datatmp[60:68]))
    except ValueError:
        last_exec = None
    fields.append(last_exec or "")
    return fields
def __decode_section_a(self, format_version, content, section_a):
    """Decode the first file-metrics entry of section A of a prefetch file.

    Reads a single entry at ``section_a``; the number of entries is not
    used here.  Version 17 lacks the average-duration field, which shifts
    the two filename fields 4 bytes earlier compared with newer versions.

    :param format_version: prefetch format version from the file header
    :param content: whole file content as a byte string
    :param section_a: absolute offset of section A inside ``content``
    :return: dict with ``start_time``, ``duration``, ``average_duration``
        (``''`` for version 17), ``filename_offset`` and ``filename_nb_char``
    """
    def dword(offset):
        # 4-byte slice through the reversing helper; a short ``content``
        # produces a short slice rather than raising here.
        return get_int_from_reversed_string(content[offset:offset + 4])

    entry = dict()
    entry['start_time'] = dword(section_a)
    entry['duration'] = dword(section_a + 4)
    if format_version == 17:
        entry['average_duration'] = ''
        next_offset = section_a + 8
    else:
        entry['average_duration'] = dword(section_a + 8)
        next_offset = section_a + 12
    entry['filename_offset'] = dword(next_offset)
    entry['filename_nb_char'] = dword(next_offset + 4)
    return entry
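def _list_windows_prefetch(self):
    """Yield one parsed record per ``%SystemRoot%\\Prefetch\\*.pf`` file.

    Layout reference:
    http://www.forensicswiki.org/wiki/Windows_Prefetch_File_Format
    Format versions 17 and 23 have their own run-count offset; any other
    version is read with the version-26 offsets, so an unexpected version
    is not rejected, only parsed on the assumption that it shares that
    layout.

    Each record is the tuple ``(path, format_version, file_size,
    exec_name, ctime, mtime, exec_count, section_a, section_c)`` where
    ``section_a`` comes from ``__decode_section_a`` and ``section_c`` from
    ``__decode_section_c``.  A file that cannot be read or parsed is logged
    with its traceback and skipped; the walk continues with the next file.

    The files come from the examined host, so every header offset is
    treated as untrusted: an offset past the end of ``content`` yields a
    short slice rather than an index error, and whatever the helpers raise
    on such input is caught per file.
    """
    def decode_exec_name(raw):
        # UTF-16-LE, NUL-terminated, at most 60 bytes.  Walk in 2-byte code
        # units so 0x0000 is only matched on a code-unit boundary, and keep
        # the terminator out of the name (it used to be included).  Bytes
        # that do not decode are replaced instead of failing the record.
        for pos in range(0, len(raw) - 1, 2):
            if raw[pos:pos + 2] == b'\x00\x00':
                return raw[:pos].decode('utf-16-le', 'replace')
        return raw.decode('utf-16-le', 'replace')

    def dword_at(content, offset):
        return get_int_from_reversed_string(content[offset:offset + 4])

    def parse(content):
        format_version = dword_at(content, 0x0000)
        # 0x0004 holds the "SCCA" signature, 0x0008 an unknown dword and
        # 0x004C the prefetch hash; none of them is emitted.  Section B
        # and D offsets (0x5C-0x60, 0x6C-0x74) are not consumed either.
        file_size = dword_at(content, 0x000c)
        exec_name = decode_exec_name(content[0x0010:0x0010 + 60])
        section_a = dword_at(content, 0x0054)
        section_c = dword_at(content, 0x0064)
        length_c = dword_at(content, 0x0068)
        # The last-run FILETIME(s) sit at 0x78 (v17), 0x80 (v23) or 0x88
        # times 8 (v26) but are not part of the yielded tuple; only the run
        # counter that follows them is.
        if format_version == 17:
            exec_count = dword_at(content, 0x0090)
        elif format_version == 23:
            exec_count = dword_at(content, 0x0098)
        else:
            exec_count = dword_at(content, 0x00D0)
        section_a_entry = self.__decode_section_a(format_version, content, section_a)
        section_c_strings = self.__decode_section_c(content, section_c, length_c)
        return format_version, file_size, exec_name, exec_count, section_a_entry, section_c_strings

    # Raw string: '\P' and '\*' were never escapes, so the path is unchanged.
    prefetch_path = self.systemroot + r'\Prefetch\*.pf'
    for prefetch_file in look_for_files(prefetch_path):
        try:
            # The read sits inside the try too: a locked or vanished file
            # used to abort the whole walk instead of being skipped.
            with open(prefetch_file, 'rb') as file_input:
                content = file_input.read()
            parsed = parse(content)
            ctime = datetime.datetime.fromtimestamp(os.path.getctime(prefetch_file))
            mtime = datetime.datetime.fromtimestamp(os.path.getmtime(prefetch_file))
        except Exception:
            # Not a bare except: the yield used to sit inside this try, so
            # closing the generator early raised GeneratorExit into it and
            # the handler swallowed it.  Log and move on to the next file.
            logging.error("prefetch %s: %s", prefetch_file, traceback.format_exc())
            continue
        format_version, file_size, exec_name, exec_count, section_a_entry, section_c_strings = parsed
        yield (prefetch_file, format_version, file_size, exec_name, ctime, mtime,
               exec_count, section_a_entry, section_c_strings)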
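def _list_windows_prefetch(self, is_compressed=False):
    """Yield one parsed record per ``%SystemRoot%\\Prefetch\\*.pf`` file.

    Layout reference:
    http://www.forensicswiki.org/wiki/Windows_Prefetch_File_Format
    Format versions 17 and 23 have their own run-count offset; any other
    version is read with the version-26 offsets, so an unexpected version
    is not rejected, only parsed on the assumption that it shares that
    layout.

    With ``is_compressed`` the files are expected to carry an 8-byte
    ``MAM`` header (magic, compression format code, uncompressed size) in
    front of an ntdll-compressed payload; they are inflated through
    ``RtlDecompressBufferEx`` via ctypes, so that path only works on
    Windows.  The header comes from the examined host and is validated
    before it drives an allocation.

    Each record is the tuple ``(path, format_version, file_size,
    exec_name, ctime, mtime, exec_count, section_a, section_c)`` where
    ``section_a`` comes from ``__decode_section_a`` and ``section_c`` from
    ``__decode_section_c``.  A file that cannot be read, inflated or
    parsed is logged with its traceback and skipped; the walk continues.
    """
    # Sanity bound on the size a crafted MAM header may ask us to
    # allocate.  This is not a format limit, only a cap far above any
    # real prefetch file.
    max_uncompressed_size = 64 * 1024 * 1024

    def decompress_mam(blob):
        # Inflate a MAM-compressed prefetch blob with ntdll.
        if len(blob) < 8:
            raise ValueError('compressed prefetch shorter than its 8-byte header')
        signature, uncompressed_size = struct.unpack('<LL', blob[:8])
        payload = blob[8:]
        if blob[:3] != b'MAM':
            raise ValueError('missing MAM magic in compressed prefetch header')
        # Byte 3 of the header carries the RtlCompressBuffer format code
        # (low nibble), 0x04 being XPRESS Huffman.
        algo = (signature & 0x0F000000) >> 24
        if not 0 < uncompressed_size <= max_uncompressed_size:
            raise ValueError('implausible uncompressed size %d' % uncompressed_size)
        ntdll = ctypes.windll.ntdll
        buffer_ws = ctypes.c_uint32()
        fragment_ws = ctypes.c_uint32()
        status = ntdll.RtlGetCompressionWorkSpaceSize(
            ctypes.c_uint16(algo), ctypes.byref(buffer_ws), ctypes.byref(fragment_ws))
        if status != 0:
            raise ValueError('RtlGetCompressionWorkSpaceSize failed: 0x%08x' % (status & 0xFFFFFFFF))
        compressed = (ctypes.c_ubyte * len(payload)).from_buffer_copy(payload)
        uncompressed = (ctypes.c_ubyte * uncompressed_size)()
        final_size = ctypes.c_uint32()
        workspace = (ctypes.c_ubyte * fragment_ws.value)()
        status = ntdll.RtlDecompressBufferEx(
            ctypes.c_uint16(algo),
            ctypes.byref(uncompressed), ctypes.c_uint32(uncompressed_size),
            ctypes.byref(compressed), ctypes.c_uint32(len(payload)),
            ctypes.byref(final_size), ctypes.byref(workspace))
        # The status used to be ignored, so a failed inflate parsed a
        # zero-filled buffer as if it were a prefetch file.
        if status != 0:
            raise ValueError('RtlDecompressBufferEx failed: 0x%08x' % (status & 0xFFFFFFFF))
        # Copy exactly the bytes produced, instead of the declared size
        # joined byte by byte through chr().
        return ctypes.string_at(uncompressed, final_size.value)

    def decode_exec_name(raw):
        # UTF-16-LE, NUL-terminated, at most 60 bytes.  Walk in 2-byte code
        # units so 0x0000 is only matched on a code-unit boundary, and keep
        # the terminator out of the name (it used to be included).  Bytes
        # that do not decode are replaced instead of failing the record.
        for pos in range(0, len(raw) - 1, 2):
            if raw[pos:pos + 2] == b'\x00\x00':
                return raw[:pos].decode('utf-16-le', 'replace')
        return raw.decode('utf-16-le', 'replace')

    def dword_at(content, offset):
        return get_int_from_reversed_string(content[offset:offset + 4])

    def parse(content):
        format_version = dword_at(content, 0x0000)
        # 0x0004 holds the "SCCA" signature, 0x0008 an unknown dword and
        # 0x004C the prefetch hash; none of them is emitted.  Section B
        # and D offsets (0x5C-0x60, 0x6C-0x74) are not consumed either.
        file_size = dword_at(content, 0x000c)
        exec_name = decode_exec_name(content[0x0010:0x0010 + 60])
        section_a = dword_at(content, 0x0054)
        section_c = dword_at(content, 0x0064)
        length_c = dword_at(content, 0x0068)
        # The last-run FILETIME(s) sit at 0x78 (v17), 0x80 (v23) or 0x88
        # times 8 (v26) but are not part of the yielded tuple; only the run
        # counter that follows them is.
        if format_version == 17:
            exec_count = dword_at(content, 0x0090)
        elif format_version == 23:
            exec_count = dword_at(content, 0x0098)
        else:
            exec_count = dword_at(content, 0x00D0)
        section_a_entry = self.__decode_section_a(format_version, content, section_a)
        section_c_strings = self.__decode_section_c(content, section_c, length_c)
        return format_version, file_size, exec_name, exec_count, section_a_entry, section_c_strings

    # Raw string: '\P' and '\*' were never escapes, so the path is unchanged.
    prefetch_path = self.systemroot + r'\Prefetch\*.pf'
    for prefetch_file in look_for_files(prefetch_path):
        try:
            # The read sits inside the try too: a locked or vanished file
            # used to abort the whole walk instead of being skipped.
            with open(prefetch_file, 'rb') as file_input:
                content = file_input.read()
            if is_compressed:
                content = decompress_mam(content)
            parsed = parse(content)
            ctime = datetime.datetime.fromtimestamp(os.path.getctime(prefetch_file))
            mtime = datetime.datetime.fromtimestamp(os.path.getmtime(prefetch_file))
        except Exception:
            # Not a bare except: the yield used to sit inside this try, so
            # closing the generator early raised GeneratorExit into it and
            # the handler swallowed it.  Log and move on to the next file.
            logging.error("prefetch %s: %s", prefetch_file, traceback.format_exc())
            continue
        format_version, file_size, exec_name, exec_count, section_a_entry, section_c_strings = parsed
        yield (prefetch_file, format_version, file_size, exec_name, ctime, mtime,
               exec_count, section_a_entry, section_c_strings)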
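def _list_windows_prefetch(self):
    """Yield one parsed record per ``%SystemRoot%\\Prefetch\\*.pf`` file.

    Layout reference:
    http://www.forensicswiki.org/wiki/Windows_Prefetch_File_Format
    Format versions 17 and 23 have their own run-count offset; any other
    version is read with the version-26 offsets, so an unexpected version
    is not rejected, only parsed on the assumption that it shares that
    layout.

    Each record is the tuple ``(path, format_version, file_size,
    exec_name, ctime, mtime, exec_count, section_a, section_c)`` where
    ``section_a`` comes from ``__decode_section_a`` and ``section_c`` from
    ``__decode_section_c``.  A file that cannot be read or parsed is logged
    with its traceback and skipped; the walk continues with the next file.

    The files come from the examined host, so every header offset is
    treated as untrusted: an offset past the end of ``content`` yields a
    short slice rather than an index error, and whatever the helpers raise
    on such input is caught per file.
    """
    def decode_exec_name(raw):
        # UTF-16-LE, NUL-terminated, at most 60 bytes.  Walk in 2-byte code
        # units so 0x0000 is only matched on a code-unit boundary, and keep
        # the terminator out of the name (it used to be included).  Bytes
        # that do not decode are replaced instead of failing the record.
        for pos in range(0, len(raw) - 1, 2):
            if raw[pos:pos + 2] == b'\x00\x00':
                return raw[:pos].decode('utf-16-le', 'replace')
        return raw.decode('utf-16-le', 'replace')

    def dword_at(content, offset):
        return get_int_from_reversed_string(content[offset:offset + 4])

    def parse(content):
        format_version = dword_at(content, 0x0000)
        # 0x0004 holds the "SCCA" signature, 0x0008 an unknown dword and
        # 0x004C the prefetch hash; none of them is emitted.  Section B
        # and D offsets (0x5C-0x60, 0x6C-0x74) are not consumed either.
        file_size = dword_at(content, 0x000c)
        exec_name = decode_exec_name(content[0x0010:0x0010 + 60])
        section_a = dword_at(content, 0x0054)
        section_c = dword_at(content, 0x0064)
        length_c = dword_at(content, 0x0068)
        # The last-run FILETIME(s) sit at 0x78 (v17), 0x80 (v23) or 0x88
        # times 8 (v26) but are not part of the yielded tuple; only the run
        # counter that follows them is.
        if format_version == 17:
            exec_count = dword_at(content, 0x0090)
        elif format_version == 23:
            exec_count = dword_at(content, 0x0098)
        else:
            exec_count = dword_at(content, 0x00D0)
        section_a_entry = self.__decode_section_a(format_version, content, section_a)
        section_c_strings = self.__decode_section_c(content, section_c, length_c)
        return format_version, file_size, exec_name, exec_count, section_a_entry, section_c_strings

    # Raw string: '\P' and '\*' were never escapes, so the path is unchanged.
    prefetch_path = self.systemroot + r'\Prefetch\*.pf'
    for prefetch_file in look_for_files(prefetch_path):
        try:
            # The read sits inside the try too: a locked or vanished file
            # used to abort the whole walk instead of being skipped.
            with open(prefetch_file, 'rb') as file_input:
                content = file_input.read()
            parsed = parse(content)
            ctime = datetime.datetime.fromtimestamp(os.path.getctime(prefetch_file))
            mtime = datetime.datetime.fromtimestamp(os.path.getmtime(prefetch_file))
        except Exception:
            # Not a bare except: the yield used to sit inside this try, so
            # closing the generator early raised GeneratorExit into it and
            # the handler swallowed it.  Log and move on to the next file.
            logging.error("prefetch %s: %s", prefetch_file, traceback.format_exc())
            continue
        format_version, file_size, exec_name, exec_count, section_a_entry, section_c_strings = parsed
        yield (prefetch_file, format_version, file_size, exec_name, ctime, mtime,
               exec_count, section_a_entry, section_c_strings)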
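def _list_windows_prefetch(self, is_compressed=False):
    """Yield one parsed record per ``%SystemRoot%\\Prefetch\\*.pf`` file.

    Layout reference:
    http://www.forensicswiki.org/wiki/Windows_Prefetch_File_Format
    Format versions 17 and 23 have their own run-count offset; any other
    version is read with the version-26 offsets, so an unexpected version
    is not rejected, only parsed on the assumption that it shares that
    layout.

    With ``is_compressed`` the files are expected to carry an 8-byte
    ``MAM`` header (magic, compression format code, uncompressed size) in
    front of an ntdll-compressed payload; they are inflated through
    ``RtlDecompressBufferEx`` via ctypes, so that path only works on
    Windows.  The header comes from the examined host and is validated
    before it drives an allocation.

    Each record is the tuple ``(path, format_version, file_size,
    exec_name, ctime, mtime, exec_count, section_a, section_c)`` where
    ``section_a`` comes from ``__decode_section_a`` and ``section_c`` from
    ``__decode_section_c``.  A file that cannot be read, inflated or
    parsed is logged with its traceback and skipped; the walk continues.
    """
    # Sanity bound on the size a crafted MAM header may ask us to
    # allocate.  This is not a format limit, only a cap far above any
    # real prefetch file.
    max_uncompressed_size = 64 * 1024 * 1024

    def decompress_mam(blob):
        # Inflate a MAM-compressed prefetch blob with ntdll.
        if len(blob) < 8:
            raise ValueError('compressed prefetch shorter than its 8-byte header')
        signature, uncompressed_size = struct.unpack('<LL', blob[:8])
        payload = blob[8:]
        if blob[:3] != b'MAM':
            raise ValueError('missing MAM magic in compressed prefetch header')
        # Byte 3 of the header carries the RtlCompressBuffer format code
        # (low nibble), 0x04 being XPRESS Huffman.
        algo = (signature & 0x0F000000) >> 24
        if not 0 < uncompressed_size <= max_uncompressed_size:
            raise ValueError('implausible uncompressed size %d' % uncompressed_size)
        ntdll = ctypes.windll.ntdll
        buffer_ws = ctypes.c_uint32()
        fragment_ws = ctypes.c_uint32()
        status = ntdll.RtlGetCompressionWorkSpaceSize(
            ctypes.c_uint16(algo), ctypes.byref(buffer_ws), ctypes.byref(fragment_ws))
        if status != 0:
            raise ValueError('RtlGetCompressionWorkSpaceSize failed: 0x%08x' % (status & 0xFFFFFFFF))
        compressed = (ctypes.c_ubyte * len(payload)).from_buffer_copy(payload)
        uncompressed = (ctypes.c_ubyte * uncompressed_size)()
        final_size = ctypes.c_uint32()
        workspace = (ctypes.c_ubyte * fragment_ws.value)()
        status = ntdll.RtlDecompressBufferEx(
            ctypes.c_uint16(algo),
            ctypes.byref(uncompressed), ctypes.c_uint32(uncompressed_size),
            ctypes.byref(compressed), ctypes.c_uint32(len(payload)),
            ctypes.byref(final_size), ctypes.byref(workspace))
        # The status used to be ignored, so a failed inflate parsed a
        # zero-filled buffer as if it were a prefetch file.
        if status != 0:
            raise ValueError('RtlDecompressBufferEx failed: 0x%08x' % (status & 0xFFFFFFFF))
        # Copy exactly the bytes produced, instead of the declared size
        # joined byte by byte through chr().
        return ctypes.string_at(uncompressed, final_size.value)

    def decode_exec_name(raw):
        # UTF-16-LE, NUL-terminated, at most 60 bytes.  Walk in 2-byte code
        # units so 0x0000 is only matched on a code-unit boundary, and keep
        # the terminator out of the name (it used to be included).  Bytes
        # that do not decode are replaced instead of failing the record.
        for pos in range(0, len(raw) - 1, 2):
            if raw[pos:pos + 2] == b'\x00\x00':
                return raw[:pos].decode('utf-16-le', 'replace')
        return raw.decode('utf-16-le', 'replace')

    def dword_at(content, offset):
        return get_int_from_reversed_string(content[offset:offset + 4])

    def parse(content):
        format_version = dword_at(content, 0x0000)
        # 0x0004 holds the "SCCA" signature, 0x0008 an unknown dword and
        # 0x004C the prefetch hash; none of them is emitted.  Section B
        # and D offsets (0x5C-0x60, 0x6C-0x74) are not consumed either.
        file_size = dword_at(content, 0x000c)
        exec_name = decode_exec_name(content[0x0010:0x0010 + 60])
        section_a = dword_at(content, 0x0054)
        section_c = dword_at(content, 0x0064)
        length_c = dword_at(content, 0x0068)
        # The last-run FILETIME(s) sit at 0x78 (v17), 0x80 (v23) or 0x88
        # times 8 (v26) but are not part of the yielded tuple; only the run
        # counter that follows them is.
        if format_version == 17:
            exec_count = dword_at(content, 0x0090)
        elif format_version == 23:
            exec_count = dword_at(content, 0x0098)
        else:
            exec_count = dword_at(content, 0x00D0)
        section_a_entry = self.__decode_section_a(format_version, content, section_a)
        section_c_strings = self.__decode_section_c(content, section_c, length_c)
        return format_version, file_size, exec_name, exec_count, section_a_entry, section_c_strings

    # Raw string: '\P' and '\*' were never escapes, so the path is unchanged.
    prefetch_path = self.systemroot + r'\Prefetch\*.pf'
    for prefetch_file in look_for_files(prefetch_path):
        try:
            # The read sits inside the try too: a locked or vanished file
            # used to abort the whole walk instead of being skipped.
            with open(prefetch_file, 'rb') as file_input:
                content = file_input.read()
            if is_compressed:
                content = decompress_mam(content)
            parsed = parse(content)
            ctime = datetime.datetime.fromtimestamp(os.path.getctime(prefetch_file))
            mtime = datetime.datetime.fromtimestamp(os.path.getmtime(prefetch_file))
        except Exception:
            # Not a bare except: the yield used to sit inside this try, so
            # closing the generator early raised GeneratorExit into it and
            # the handler swallowed it.  Log and move on to the next file.
            logging.error("prefetch %s: %s", prefetch_file, traceback.format_exc())
            continue
        format_version, file_size, exec_name, exec_count, section_a_entry, section_c_strings = parsed
        yield (prefetch_file, format_version, file_size, exec_name, ctime, mtime,
               exec_count, section_a_entry, section_c_strings)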