def Main():
"""The main program function.
Returns:
bool: True if successful or False if not.
"""
argument_parser = argparse.ArgumentParser(description=(
'Extracts the program cache from a NTUSER.DAT Registry file.'))
argument_parser.add_argument(
'-d', '--debug', dest='debug', action='store_true', default=False,
help='enable debug output.')
argument_parser.add_argument(
'source', nargs='?', action='store', metavar='PATH', default=None,
help=(
'path of the volume containing C:\\Windows, the filename of '
'a storage media image containing the C:\\Windows directory, '
'or the path of a NTUSER.DAT Registry file.'))
options = argument_parser.parse_args()
if not options.source:
print('Source value is missing.')
print('')
argument_parser.print_help()
print('')
return False
logging.basicConfig(
level=logging.INFO, format='[%(levelname)s] %(message)s')
output_writer = output_writers.StdoutOutputWriter()
if not output_writer.Open():
print('Unable to open output writer.')
print('')
return False
# TODO: add support to select user.
volume_scanner_mediator = dfvfs_command_line.CLIVolumeScannerMediator()
registry_collector = collector.WindowsRegistryCollector(
mediator=volume_scanner_mediator)
if not registry_collector.ScanForWindowsVolume(options.source):
print('Unable to retrieve the Windows Registry from: {0:s}.'.format(
options.source))
print('')
return False
# TODO: map collector to available Registry keys.
collector_object = programscache.ProgramsCacheCollector(
debug=options.debug, output_writer=output_writer)
result = collector_object.Collect(registry_collector.registry)
if not result:
print('No Explorer StartPage or StartPage2 keys found.')
output_writer.Close()
return True
def testOpenClose(self):
"""Tests the Open and Close functions."""
test_output_writer = output_writers.StdoutOutputWriter()
result = test_output_writer.Open()
self.assertTrue(result)
test_output_writer.Close()
def testFormatDataInHexadecimal(self):
"""Tests the _FormatDataInHexadecimal function."""
test_output_writer = output_writers.StdoutOutputWriter()
data = b'\x00\x01\x02\x03\x04\x05\x06'
expected_formatted_data = (
'0x00000000 00 01 02 03 04 05 06 '
'.......\n'
'\n')
formatted_data = test_output_writer._FormatDataInHexadecimal(data)
self.assertEqual(formatted_data, expected_formatted_data)
data = b'\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09'
expected_formatted_data = (
'0x00000000 00 01 02 03 04 05 06 07 08 09 '
'..........\n'
'\n')
formatted_data = test_output_writer._FormatDataInHexadecimal(data)
self.assertEqual(formatted_data, expected_formatted_data)
data = b'\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f'
expected_formatted_data = (
'0x00000000 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f '
'................\n'
'\n')
formatted_data = test_output_writer._FormatDataInHexadecimal(data)
self.assertEqual(formatted_data, expected_formatted_data)
data = (
b'\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f'
b'\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f'
b'\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f'
)
expected_formatted_data = (
'0x00000000 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f '
'................\n'
'...\n'
'0x00000020 00 01 02 03 04 05 06 07 08 09 0a 0b 0c 0d 0e 0f '
'................\n'
'\n')
formatted_data = test_output_writer._FormatDataInHexadecimal(data)
self.assertEqual(formatted_data, expected_formatted_data)
def Main():
"""The main program function.
Returns:
bool: True if successful or False if not.
"""
argument_parser = argparse.ArgumentParser(description=(
'Extracts the system information from a SOFTWARE Registry file.'))
argument_parser.add_argument('-d',
'--debug',
dest='debug',
action='store_true',
default=False,
help=('enable debug output.'))
argument_parser.add_argument(
'source',
nargs='?',
action='store',
metavar='PATH',
default=None,
help=('path of the volume containing C:\\Windows, the filename of '
'a storage media image containing the C:\\Windows directory, '
'or the path of a SOFTWARE Registry file.'))
options = argument_parser.parse_args()
if not options.source:
print('Source value is missing.')
print('')
argument_parser.print_help()
print('')
return False
logging.basicConfig(level=logging.INFO,
format='[%(levelname)s] %(message)s')
output_writer = output_writers.StdoutOutputWriter()
if not output_writer.Open():
print('Unable to open output writer.')
print('')
return False
volume_scanner_mediator = dfvfs_command_line.CLIVolumeScannerMediator()
registry_collector = collector.WindowsRegistryCollector(
mediator=volume_scanner_mediator)
if not registry_collector.ScanForWindowsVolume(options.source):
print('Unable to retrieve the Windows Registry from: {0:s}.'.format(
options.source))
print('')
return False
# TODO: map collector to available Registry keys.
collector_object = sysinfo.SystemInfoCollector(debug=options.debug,
output_writer=output_writer)
result = collector_object.Collect(registry_collector.registry)
if not result:
print('No Current Version key found.')
else:
output_writer.WriteValue(
'Product name', collector_object.system_information.product_name)
output_writer.WriteValue(
'Product identifier',
collector_object.system_information.product_identifier)
output_writer.WriteValue(
'Current version',
collector_object.system_information.current_version)
output_writer.WriteValue(
'Current type', collector_object.system_information.current_type)
output_writer.WriteValue(
'Current build number',
collector_object.system_information.current_build_number)
output_writer.WriteValue(
'CSD version', collector_object.system_information.csd_version)
output_writer.WriteValue(
'Registered organization',
collector_object.system_information.registered_organization)
output_writer.WriteValue(
'Registered owner',
collector_object.system_information.registered_owner)
date_time_value = collector_object.system_information.installation_date
date_time_string = date_time_value.CopyToDateTimeString()
output_writer.WriteValue('Installation date', date_time_string)
output_writer.WriteValue('Path name',
collector_object.system_information.path_name)
output_writer.WriteValue(
'%SystemRoot%', collector_object.system_information.system_root)
output_writer.WriteText('\n')
output_writer.Close()
return True
def Main():
"""The main program function.
Returns:
bool: True if successful or False if not.
"""
argument_parser = argparse.ArgumentParser(description=(
'Extracts the UserAssist information from a NTUSER.DAT Registry file.'
))
argument_parser.add_argument(
'--codepage',
dest='codepage',
action='store',
metavar='CODEPAGE',
default='cp1252',
help='the codepage of the extended ASCII strings.')
argument_parser.add_argument('-d',
'--debug',
dest='debug',
action='store_true',
default=False,
help='enable debug output.')
argument_parser.add_argument(
'source',
nargs='?',
action='store',
metavar='PATH',
default=None,
help=('path of the volume containing C:\\Windows, the filename of '
'a storage media image containing the C:\\Windows directory, '
'or the path of a NTUSER.DAT Registry file.'))
options = argument_parser.parse_args()
if not options.source:
print('Source value is missing.')
print('')
argument_parser.print_help()
print('')
return False
logging.basicConfig(level=logging.INFO,
format='[%(levelname)s] %(message)s')
output_writer = output_writers.StdoutOutputWriter()
if not output_writer.Open():
print('Unable to open output writer.')
print('')
return False
mediator = volume_scanner.WindowsRegistryVolumeScannerMediator()
scanner = volume_scanner.WindowsRegistryVolumeScanner(mediator=mediator)
volume_scanner_options = dfvfs_volume_scanner.VolumeScannerOptions()
volume_scanner_options.partitions = ['all']
volume_scanner_options.snapshots = ['none']
volume_scanner_options.volumes = ['none']
if not scanner.ScanForWindowsVolume(options.source,
options=volume_scanner_options):
print(
('Unable to retrieve the volume with the Windows directory from: '
'{0:s}.').format(options.source))
print('')
return False
# TODO: map collector to available Registry keys.
collector_object = userassist.UserAssistCollector(
debug=options.debug, output_writer=output_writer)
result = collector_object.Collect(scanner.registry)
if not result:
print('No UserAssist key found.')
else:
guid = None
for user_assist_entry in collector_object.user_assist_entries:
if user_assist_entry.guid != guid:
print('GUID\t\t: {0:s}'.format(user_assist_entry.guid))
guid = user_assist_entry.guid
print('Name\t\t: {0:s}'.format(user_assist_entry.name))
print('Original name\t: {0:s}'.format(
user_assist_entry.value_name))
print('')
output_writer.Close()
return True
def testWriteText(self):
"""Tests the WriteText function."""
test_output_writer = output_writers.StdoutOutputWriter()
test_output_writer.WriteText('Test')
def testWriteValue(self):
"""Tests the WriteValue function."""
test_output_writer = output_writers.StdoutOutputWriter()
test_output_writer.WriteValue('Description', 'Value')
def testWriteDebugData(self):
"""Tests the WriteDebugData function."""
test_output_writer = output_writers.StdoutOutputWriter()
test_output_writer.WriteDebugData('Description', b'DATA')
def Main():
"""The main program function.
Returns:
bool: True if successful or False if not.
"""
argument_parser = argparse.ArgumentParser(description=(
'Extracts Application Compatibility Cache information from '
'a SYSTEM Registry file.'))
argument_parser.add_argument(
'--all',
dest='all_control_sets',
action='store_true',
default=False,
help=(
'Process all control sets instead of only the current control set.'
))
argument_parser.add_argument('-d',
'--debug',
dest='debug',
action='store_true',
default=False,
help='enable debug output.')
argument_parser.add_argument(
'source',
nargs='?',
action='store',
metavar='PATH',
default=None,
help=('path of the volume containing C:\\Windows, the filename of '
'a storage media image containing the C:\\Windows directory, '
'or the path of a SYSTEM Registry file.'))
options = argument_parser.parse_args()
if not options.source:
print('Source value is missing.')
print('')
argument_parser.print_help()
print('')
return False
logging.basicConfig(level=logging.INFO,
format='[%(levelname)s] %(message)s')
mediator = volume_scanner.WindowsRegistryVolumeScannerMediator()
scanner = volume_scanner.WindowsRegistryVolumeScanner(mediator=mediator)
volume_scanner_options = dfvfs_volume_scanner.VolumeScannerOptions()
volume_scanner_options.partitions = ['all']
volume_scanner_options.snapshots = ['none']
volume_scanner_options.volumes = ['none']
if not scanner.ScanForWindowsVolume(options.source,
options=volume_scanner_options):
print(
('Unable to retrieve the volume with the Windows directory from: '
'{0:s}.').format(options.source))
print('')
return False
output_writer = output_writers.StdoutOutputWriter()
if not output_writer.Open():
print('Unable to open output writer.')
print('')
return False
try:
collector_object = appcompatcache.AppCompatCacheCollector(
debug=options.debug, output_writer=output_writer)
# TODO: change collector to generate AppCompatCacheCachedEntry
has_results = collector_object.Collect(
scanner.registry, all_control_sets=options.all_control_sets)
if has_results:
for cached_entry in collector_object.cached_entries:
output_writer.WriteFiletimeValue(
'Last modification time',
cached_entry.last_modification_time)
output_writer.WriteValue('Path', cached_entry.path)
output_writer.WriteText('\n')
finally:
output_writer.Close()
if not has_results:
print('No application compatibility cache entries found.')
return True
def Main():
"""The main program function.
Returns:
bool: True if successful or False if not.
"""
argument_parser = argparse.ArgumentParser(description=(
'Extracts the cached credentials from a SECURITY Registry file.'))
argument_parser.add_argument('-d',
'--debug',
dest='debug',
action='store_true',
default=False,
help=('enable debug output.'))
argument_parser.add_argument(
'source',
nargs='?',
action='store',
metavar='PATH',
default=None,
help=('path of the volume containing C:\\Windows, the filename of '
'a storage media image containing the C:\\Windows directory, '
'or the path of a SECURITY and SYSTEM Registry file.'))
options = argument_parser.parse_args()
if not options.source:
print('Source value is missing.')
print('')
argument_parser.print_help()
print('')
return False
logging.basicConfig(level=logging.INFO,
format='[%(levelname)s] %(message)s')
output_writer = output_writers.StdoutOutputWriter()
if not output_writer.Open():
print('Unable to open output writer.')
print('')
return False
mediator = volume_scanner.WindowsRegistryVolumeScannerMediator()
scanner = volume_scanner.WindowsRegistryVolumeScanner(mediator=mediator)
volume_scanner_options = dfvfs_volume_scanner.VolumeScannerOptions()
volume_scanner_options.partitions = ['all']
volume_scanner_options.snapshots = ['none']
volume_scanner_options.volumes = ['none']
if not scanner.ScanForWindowsVolume(options.source,
options=volume_scanner_options):
print(
('Unable to retrieve the volume with the Windows directory from: '
'{0:s}.').format(options.source))
print('')
return False
if scanner.IsSingleFileRegistry():
print('Both SECURITY and SYSYEM Registry files are required.')
print('')
return False
# TODO: map collector to available Registry keys.
collector_object = cached_credentials.CachedCredentialsKeyCollector(
debug=options.debug, output_writer=output_writer)
result = collector_object.Collect(scanner.registry)
if not result:
print('No Cache key found.')
else:
output_writer.WriteText('\n')
output_writer.Close()
return True
def Main():
"""The main program function.
Returns:
bool: True if successful or False if not.
"""
argument_parser = argparse.ArgumentParser(description=(
'Extracts Application Compatibility Cache information from '
'a SYSTEM Registry file.'))
argument_parser.add_argument(
'--all',
dest='all_control_sets',
action='store_true',
default=False,
help=(
'Process all control sets instead of only the current control set.'
))
argument_parser.add_argument('-d',
'--debug',
dest='debug',
action='store_true',
default=False,
help='enable debug output.')
argument_parser.add_argument(
'source',
nargs='?',
action='store',
metavar='PATH',
default=None,
help=('path of the volume containing C:\\Windows, the filename of '
'a storage media image containing the C:\\Windows directory,'
'or the path of a SYSTEM Registry file.'))
options = argument_parser.parse_args()
if not options.source:
print('Source value is missing.')
print('')
argument_parser.print_help()
print('')
return False
logging.basicConfig(level=logging.INFO,
format='[%(levelname)s] %(message)s')
output_writer = output_writers.StdoutOutputWriter()
if not output_writer.Open():
print('Unable to open output writer.')
print('')
return False
volume_scanner_mediator = dfvfs_command_line.CLIVolumeScannerMediator()
registry_collector = collector.WindowsRegistryCollector(
mediator=volume_scanner_mediator)
if not registry_collector.ScanForWindowsVolume(options.source):
print('Unable to retrieve the Windows Registry from: {0:s}.'.format(
options.source))
print('')
return False
# TODO: map collector to available Registry keys.
collector_object = appcompatcache.AppCompatCacheCollector(
debug=options.debug, output_writer=output_writer)
result = collector_object.Collect(
registry_collector.registry, all_control_sets=options.all_control_sets)
if not result:
output_writer.WriteText(
'No Application Compatibility Cache key found.')
output_writer.WriteText('')
else:
for cached_entry in collector_object.cached_entries:
output_writer.WriteFiletimeValue(
'Last modification time', cached_entry.last_modification_time)
output_writer.WriteText('\n')
output_writer.WriteValue('Path', cached_entry.path)
output_writer.WriteText('\n')
output_writer.WriteText('')
output_writer.WriteText('\n')
output_writer.Close()
return True
def Main():
"""The main program function.
Returns:
bool: True if successful or False if not.
"""
argument_parser = argparse.ArgumentParser(description=(
'Extracts Security Account Manager information from a SAM Registry '
'file.'))
argument_parser.add_argument('-d',
'--debug',
dest='debug',
action='store_true',
default=False,
help='enable debug output.')
argument_parser.add_argument(
'source',
nargs='?',
action='store',
metavar='PATH',
default=None,
help=('path of the volume containing C:\\Windows, the filename of '
'a storage media image containing the C:\\Windows directory, '
'or the path of a SAM Registry file.'))
options = argument_parser.parse_args()
if not options.source:
print('Source value is missing.')
print('')
argument_parser.print_help()
print('')
return False
logging.basicConfig(level=logging.INFO,
format='[%(levelname)s] %(message)s')
output_writer = output_writers.StdoutOutputWriter()
if not output_writer.Open():
print('Unable to open output writer.')
print('')
return False
volume_scanner_mediator = dfvfs_command_line.CLIVolumeScannerMediator()
registry_collector = collector.WindowsRegistryCollector(
mediator=volume_scanner_mediator)
if not registry_collector.ScanForWindowsVolume(options.source):
print('Unable to retrieve the Windows Registry from: {0:s}.'.format(
options.source))
print('')
return False
# TODO: map collector to available Registry keys.
collector_object = sam.SecurityAccountManagerCollector(
debug=options.debug, output_writer=output_writer)
result = collector_object.Collect(registry_collector.registry)
if not result:
output_writer.WriteText('No Security Account Manager key found.')
output_writer.WriteText('')
else:
for user_account in collector_object.user_accounts:
output_writer.WriteValue('Username', user_account.username)
output_writer.WriteValue('Relative identifier (RID)',
user_account.rid)
output_writer.WriteValue('Primary group identifier',
user_account.primary_gid)
if user_account.full_name:
output_writer.WriteValue('Full name', user_account.full_name)
if user_account.comment:
output_writer.WriteValue('Comment', user_account.comment)
if user_account.user_comment:
output_writer.WriteValue('User comment',
user_account.user_comment)
output_writer.WriteFiletimeValue('Last log-in time',
user_account.last_login_time)
output_writer.WriteFiletimeValue(
'Last password set time', user_account.last_password_set_time)
output_writer.WriteFiletimeValue(
'Account expiration time',
user_account.account_expiration_time)
output_writer.WriteFiletimeValue(
'Last password failure time',
user_account.last_password_failure_time)
output_writer.WriteValue('Number of log-ons',
user_account.number_of_logons)
output_writer.WriteValue('Number of password failures',
user_account.number_of_password_failures)
if user_account.codepage:
output_writer.WriteValue('Codepage', user_account.codepage)
output_writer.WriteText('')
output_writer.Close()
return True
def Main():
"""The main program function.
Returns:
bool: True if successful or False if not.
"""
argument_parser = argparse.ArgumentParser(description=(
'Extracts the program cache from a NTUSER.DAT Registry file.'))
argument_parser.add_argument('-d',
'--debug',
dest='debug',
action='store_true',
default=False,
help='enable debug output.')
argument_parser.add_argument(
'source',
nargs='?',
action='store',
metavar='PATH',
default=None,
help=('path of the volume containing C:\\Windows, the filename of '
'a storage media image containing the C:\\Windows directory, '
'or the path of a NTUSER.DAT Registry file.'))
options = argument_parser.parse_args()
if not options.source:
print('Source value is missing.')
print('')
argument_parser.print_help()
print('')
return False
logging.basicConfig(level=logging.INFO,
format='[%(levelname)s] %(message)s')
# TODO: add support to select user.
mediator = volume_scanner.WindowsRegistryVolumeScannerMediator()
scanner = volume_scanner.WindowsRegistryVolumeScanner(mediator=mediator)
volume_scanner_options = dfvfs_volume_scanner.VolumeScannerOptions()
volume_scanner_options.partitions = ['all']
volume_scanner_options.snapshots = ['none']
volume_scanner_options.volumes = ['none']
if not scanner.ScanForWindowsVolume(options.source,
options=volume_scanner_options):
print(
('Unable to retrieve the volume with the Windows directory from: '
'{0:s}.').format(options.source))
print('')
return False
output_writer = output_writers.StdoutOutputWriter()
if not output_writer.Open():
print('Unable to open output writer.')
print('')
return False
try:
collector_object = programscache.ProgramsCacheCollector(
debug=options.debug, output_writer=output_writer)
# TODO: change collector to generate ProgramCacheEntry
has_results = collector_object.Collect(scanner.registry)
finally:
output_writer.Close()
if not has_results:
print('No program cache entries found.')
return True
def Main():
"""The main program function.
Returns:
bool: True if successful or False if not.
"""
argument_parser = argparse.ArgumentParser(
description=('Extracts the type libraries from the Windows Registry.'))
argument_parser.add_argument('-d',
'--debug',
dest='debug',
action='store_true',
default=False,
help='enable debug output.')
argument_parser.add_argument(
'source',
nargs='?',
action='store',
metavar='PATH',
default=None,
help=('path of the volume containing C:\\Windows, the filename of '
'a storage media image containing the C:\\Windows directory, '
'or the path of a SOFTWARE Registry file.'))
options = argument_parser.parse_args()
if not options.source:
print('Source value is missing.')
print('')
argument_parser.print_help()
print('')
return False
logging.basicConfig(level=logging.INFO,
format='[%(levelname)s] %(message)s')
output_writer = output_writers.StdoutOutputWriter()
if not output_writer.Open():
print('Unable to open output writer.')
print('')
return False
mediator = volume_scanner.WindowsRegistryVolumeScannerMediator()
scanner = volume_scanner.WindowsRegistryVolumeScanner(mediator=mediator)
volume_scanner_options = dfvfs_volume_scanner.VolumeScannerOptions()
volume_scanner_options.partitions = ['all']
volume_scanner_options.snapshots = ['none']
volume_scanner_options.volumes = ['none']
if not scanner.ScanForWindowsVolume(options.source,
options=volume_scanner_options):
print(
('Unable to retrieve the volume with the Windows directory from: '
'{0:s}.').format(options.source))
print('')
return False
# TODO: map collector to available Registry keys.
collector_object = type_libraries.TypeLibrariesCollector(
debug=options.debug, output_writer=output_writer)
result = collector_object.Collect(scanner.registry)
if not result:
print('No TypeLib key found.')
else:
for type_library in collector_object.type_libraries:
print('{0:s}\t{1:s}\t{2:s}\t{3:s}'.format(
type_library.guid, type_library.version,
type_library.description, type_library.typelib_filename))
output_writer.Close()
return True
