Fix Undefined Value in Autopsy Regripper Plugins

Check for undefined values in the Autopsy regripper plugins. This applies to the Autopsy version of regripper, not the full version of regripper.
Mark McKinnon 2020-06-19 14:34:32 -04:00
parent fbcb565b3a
commit 01494b3fb2
7 changed files with 485 additions and 471 deletions


@ -36,6 +36,7 @@ sub pluginmain {
my $class = shift; my $class = shift;
my $ntuser = shift; my $ntuser = shift;
#::logMsg("autospyrunmru"); #::logMsg("autospyrunmru");
if (defined(Parse::Win32Registry->new($ntuser))) {
my $reg = Parse::Win32Registry->new($ntuser); my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key; my $root_key = $reg->get_root_key;
@ -72,7 +73,7 @@ sub pluginmain {
#::rptMsg($key_path." not found."); #::rptMsg($key_path." not found.");
#::logMsg($key_path." not found."); #::logMsg($key_path." not found.");
} }
}
} }
1; 1;
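Review bot: The new guard `if (defined(Parse::Win32Registry->new($ntuser))) {` parses the hive once for the test, and the next line parses it a second time to populate `$reg`. Assigning first and testing the result does the work once: `my $reg = Parse::Win32Registry->new($ntuser);` followed by `if (defined $reg) {`. The same pattern is added in the six other plugin sections on this page (with `$hive` in the shellfolders one). When the constructor returns undef the plugin now produces no output at all, so an examiner cannot tell an unreadable or corrupt hive from one with no artifacts; an `else` branch that records the skip, for example through the `::logMsg` call these plugins have commented out, would keep that distinction if log output is safe in the Autopsy report stream. pluginmain starts and ends outside the hunks shown.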


@ -35,6 +35,7 @@ sub pluginmain {
my $class = shift; my $class = shift;
my $ntuser = shift; my $ntuser = shift;
#::logMsg("||logonusername||"); #::logMsg("||logonusername||");
if (defined(Parse::Win32Registry->new($ntuser))) {
my $reg = Parse::Win32Registry->new($ntuser); my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key; my $root_key = $reg->get_root_key;
@ -65,6 +66,7 @@ sub pluginmain {
#::rptMsg($key_path." not found."); #::rptMsg($key_path." not found.");
#::logMsg($key_path." not found."); #::logMsg($key_path." not found.");
} }
}
} }
1; 1;


@ -31,6 +31,8 @@ sub pluginmain {
#::logMsg("Launching ntusernetwork v.".$VERSION); #::logMsg("Launching ntusernetwork v.".$VERSION);
#::rptMsg("ntusernetwork v.".$VERSION); # banner #::rptMsg("ntusernetwork v.".$VERSION); # banner
#::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner #::rptMsg("(".$config{hive}.") ".getShortDescr()."\n"); # banner
if (defined(Parse::Win32Registry->new($ntuser))) {
my $reg = Parse::Win32Registry->new($ntuser); my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key; my $root_key = $reg->get_root_key;
@ -89,5 +91,6 @@ sub pluginmain {
#::rptMsg($key_path." key not found."); #::rptMsg($key_path." key not found.");
} }
::rptMsg("</artifacts></NtuserNetwork>"); ::rptMsg("</artifacts></NtuserNetwork>");
}
} }
1; 1;
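Review bot: The closing `::rptMsg("</artifacts></NtuserNetwork>");` now sits inside the new guard, so it is emitted only when the hive parses. The matching opening tag is not visible in these hunks; if it is written before the guard, a hive that fails to parse leaves an unclosed element in the report. The opening and closing calls should be on the same side of the `if`, as the officedocs section on this page does by keeping `<office>` and `</office>` both outside it.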


@ -41,6 +41,7 @@ sub pluginmain {
my $class = shift; my $class = shift;
my $ntuser = shift; my $ntuser = shift;
#::logMsg("||recentdocs||"); #::logMsg("||recentdocs||");
if (defined(Parse::Win32Registry->new($ntuser))) {
my $reg = Parse::Win32Registry->new($ntuser); my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key; my $root_key = $reg->get_root_key;
my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs"; my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs";
@ -50,7 +51,7 @@ sub pluginmain {
#::rptMsg("**All values printed in MRUList\\MRUListEx order."); #::rptMsg("**All values printed in MRUList\\MRUListEx order.");
#::rptMsg($key_path); #::rptMsg($key_path);
::rptMsg("<recentdocs><mtime>".gmtime($key->get_timestamp())."</mtime><artifacts>"); ::rptMsg("<recentdocs><mtime>".gmtime($key->get_timestamp())."</mtime><artifacts>");
# Get RecentDocs values # Get RecentDocs values
my %rdvals = getRDValues($key); my %rdvals = getRDValues($key);
if (%rdvals) { if (%rdvals) {
my $tag; my $tag;
@ -75,7 +76,7 @@ sub pluginmain {
#::logMsg("Error: ".$key_path." has no values."); #::logMsg("Error: ".$key_path." has no values.");
} }
::rptMsg("</artifacts></recentdocs>"); ::rptMsg("</artifacts></recentdocs>");
# Get RecentDocs subkeys' values # Get RecentDocs subkeys' values
my @subkeys = $key->get_list_of_subkeys(); my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) { if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) { foreach my $s (@subkeys) {
@ -115,6 +116,7 @@ sub pluginmain {
else { else {
#::rptMsg($key_path." not found."); #::rptMsg($key_path." not found.");
} }
}
} }


@ -41,7 +41,9 @@ sub pluginmain {
my $class = shift; my $class = shift;
my $hive = shift; my $hive = shift;
#::logMsg("Launching shellfolders v.".$VERSION); #::logMsg("Launching shellfolders v.".$VERSION);
if (defined(Parse::Win32Registry->new($hive))) {
my $reg = Parse::Win32Registry->new($hive); my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key; my $root_key = $reg->get_root_key;
my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders"; my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders";
@ -68,5 +70,6 @@ sub pluginmain {
#::rptMsg($key_path." not found."); #::rptMsg($key_path." not found.");
#::logMsg($key_path." not found."); #::logMsg($key_path." not found.");
} }
}
} }
1; 1;


@ -37,10 +37,11 @@ sub pluginmain {
# ::rptMsg("officedocs v.".$VERSION); # 20110830 [fpi] + banner # ::rptMsg("officedocs v.".$VERSION); # 20110830 [fpi] + banner
# ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner # ::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner
::rptMsg("<office>"); ::rptMsg("<office>");
if (defined(Parse::Win32Registry->new($ntuser))) {
my $reg = Parse::Win32Registry->new($ntuser); my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key; my $root_key = $reg->get_root_key;
#::rptMsg("officedocs v.".$VERSION); #::rptMsg("officedocs v.".$VERSION);
# First, let's find out which version of Office is installed # First, let's find out which version of Office is installed
my $version; my $version;
my $tag = 0; my $tag = 0;
my @versions = ("7\.0","8\.0", "9\.0", "10\.0", "11\.0","12\.0"); my @versions = ("7\.0","8\.0", "9\.0", "10\.0", "11\.0","12\.0");
@ -59,7 +60,7 @@ sub pluginmain {
::rptMsg("<mtime> ".gmtime($of_key->get_timestamp())."</mtime>"); ::rptMsg("<mtime> ".gmtime($of_key->get_timestamp())."</mtime>");
::rptMsg("<artifacts>"); ::rptMsg("<artifacts>");
if ($of_key) { if ($of_key) {
# Attempt to retrieve Word docs # Attempt to retrieve Word docs
my @funcs = ("Open","Save As","File Save"); my @funcs = ("Open","Save As","File Save");
foreach my $func (@funcs) { foreach my $func (@funcs) {
my $word = "Common\\Open Find\\Microsoft Office Word\\Settings\\".$func."\\File Name MRU"; my $word = "Common\\Open Find\\Microsoft Office Word\\Settings\\".$func."\\File Name MRU";
@ -74,11 +75,11 @@ sub pluginmain {
#map{::rptMsg("$_");}@data; #map{::rptMsg("$_");}@data;
} }
else { else {
# ::rptMsg("Could not access ".$word); # ::rptMsg("Could not access ".$word);
} }
#::rptMsg(""); #::rptMsg("");
} }
# Attempt to retrieve Excel docs # Attempt to retrieve Excel docs
my $excel = 'Excel\\Recent Files'; my $excel = 'Excel\\Recent Files';
if (my $excel_key = $of_key->get_subkey($excel)) { if (my $excel_key = $of_key->get_subkey($excel)) {
#::rptMsg($key_path."\\".$excel); #::rptMsg($key_path."\\".$excel);
@ -86,14 +87,14 @@ sub pluginmain {
my @vals = $excel_key->get_list_of_values(); my @vals = $excel_key->get_list_of_values();
if (scalar(@vals) > 0) { if (scalar(@vals) > 0) {
my %files; my %files;
# Retrieve values and load into a hash for sorting # Retrieve values and load into a hash for sorting
foreach my $v (@vals) { foreach my $v (@vals) {
my $val = $v->get_name(); my $val = $v->get_name();
my $data = $v->get_data(); my $data = $v->get_data();
my $tag = (split(/File/,$val))[1]; my $tag = (split(/File/,$val))[1];
$files{$tag} = $val.":".$data; $files{$tag} = $val.":".$data;
} }
# Print sorted content to report file # Print sorted content to report file
foreach my $u (sort {$a <=> $b} keys %files) { foreach my $u (sort {$a <=> $b} keys %files) {
my ($val,$data) = split(/:/,$files{$u},2); my ($val,$data) = split(/:/,$files{$u},2);
::rptMsg("<Excel name=\"".$val."\">".$data . "</Excel>"); ::rptMsg("<Excel name=\"".$val."\">".$data . "</Excel>");
@ -107,7 +108,7 @@ sub pluginmain {
#::rptMsg($key_path.$excel." not found."); #::rptMsg($key_path.$excel." not found.");
} }
#::rptMsg(""); #::rptMsg("");
# Attempt to retrieve PowerPoint docs # Attempt to retrieve PowerPoint docs
my $ppt = 'PowerPoint\\Recent File List'; my $ppt = 'PowerPoint\\Recent File List';
if (my $ppt_key = $of_key->get_subkey($ppt)) { if (my $ppt_key = $of_key->get_subkey($ppt)) {
#::rptMsg($key_path."\\".$ppt); #::rptMsg($key_path."\\".$ppt);
@ -115,14 +116,14 @@ sub pluginmain {
my @vals = $ppt_key->get_list_of_values(); my @vals = $ppt_key->get_list_of_values();
if (scalar(@vals) > 0) { if (scalar(@vals) > 0) {
my %files; my %files;
# Retrieve values and load into a hash for sorting # Retrieve values and load into a hash for sorting
foreach my $v (@vals) { foreach my $v (@vals) {
my $val = $v->get_name(); my $val = $v->get_name();
my $data = $v->get_data(); my $data = $v->get_data();
my $tag = (split(/File/,$val))[1]; my $tag = (split(/File/,$val))[1];
$files{$tag} = $val.":".$data; $files{$tag} = $val.":".$data;
} }
# Print sorted content to report file # Print sorted content to report file
foreach my $u (sort {$a <=> $b} keys %files) { foreach my $u (sort {$a <=> $b} keys %files) {
my ($val,$data) = split(/:/,$files{$u},2); my ($val,$data) = split(/:/,$files{$u},2);
::rptMsg("<PowerPoint name=\"".$val."\">".$data . "</PowerPoint>"); ::rptMsg("<PowerPoint name=\"".$val."\">".$data . "</PowerPoint>");
@ -146,6 +147,7 @@ sub pluginmain {
#::logMsg("MSOffice version not found."); #::logMsg("MSOffice version not found.");
#::rptMsg("MSOffice version not found."); #::rptMsg("MSOffice version not found.");
} }
}
::rptMsg("</office>"); ::rptMsg("</office>");
} }
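Review bot: Value names and data read from the hive are concatenated into the report markup unescaped, as in `::rptMsg("<Excel name=\"".$val."\">".$data . "</Excel>");` and the PowerPoint line further down. These strings come from the evidence under examination, so a document path containing `&`, `<` or `"` produces malformed XML or extra elements for whatever consumes the report. Passing both through a small escaping helper before output (applying `s/&/&amp;/g; s/</&lt;/g; s/>/&gt;/g; s/"/&quot;/g;`) would keep the report well-formed. The Word, Excel, Access and PowerPoint lines in the officedocs2010 section have the same form. These are context lines the commit leaves unchanged, and the enclosing pluginmain extends beyond the hunks.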


@ -72,7 +72,7 @@ sub pluginmain {
#::logMsg("Launching officedocs2010 v.".$VERSION); #::logMsg("Launching officedocs2010 v.".$VERSION);
#::rptMsg("officedocs2010 v.".$VERSION); # 20110830 [fpi] + banner #::rptMsg("officedocs2010 v.".$VERSION); # 20110830 [fpi] + banner
#::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner #::rptMsg("(".getHive().") ".getShortDescr()."\n"); # 20110830 [fpi] + banner
if (defined(Parse::Win32Registry->new($ntuser))) {
my $reg = Parse::Win32Registry->new($ntuser); my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key; my $root_key = $reg->get_root_key;
# ::rptMsg("officedocs v.".$VERSION); # 20110830 [fpi] - redundant # ::rptMsg("officedocs v.".$VERSION); # 20110830 [fpi] - redundant
@ -87,7 +87,7 @@ sub pluginmain {
my $key_path = "Software\\Microsoft\\Office\\14.0"; my $key_path = "Software\\Microsoft\\Office\\14.0";
my $of_key = $root_key->get_subkey($key_path); my $of_key = $root_key->get_subkey($key_path);
if ($of_key) { if ($of_key) {
# Attempt to retrieve Word docs # Attempt to retrieve Word docs
my $word = 'Word\\File MRU'; my $word = 'Word\\File MRU';
if (my $word_key = $of_key->get_subkey($word)) { if (my $word_key = $of_key->get_subkey($word)) {
#::rptMsg($key_path."\\".$word); #::rptMsg($key_path."\\".$word);
@ -95,7 +95,7 @@ sub pluginmain {
my @vals = $word_key->get_list_of_values(); my @vals = $word_key->get_list_of_values();
if (scalar(@vals) > 0) { if (scalar(@vals) > 0) {
my %files; my %files;
# Retrieve values and load into a hash for sorting # Retrieve values and load into a hash for sorting
foreach my $v (@vals) { foreach my $v (@vals) {
my $val = $v->get_name(); my $val = $v->get_name();
if ($val eq "Max Display") { next; } if ($val eq "Max Display") { next; }
@ -103,7 +103,7 @@ sub pluginmain {
my $tag = (split(/Item/,$val))[1]; my $tag = (split(/Item/,$val))[1];
$files{$tag} = $val.":".$data; $files{$tag} = $val.":".$data;
} }
# Print sorted content to report file # Print sorted content to report file
foreach my $u (sort {$a <=> $b} keys %files) { foreach my $u (sort {$a <=> $b} keys %files) {
my ($val,$data) = split(/:/,$files{$u},2); my ($val,$data) = split(/:/,$files{$u},2);
::rptMsg("<Word name=\"".$val."\">".$data . "</Word>"); ::rptMsg("<Word name=\"".$val."\">".$data . "</Word>");
@ -117,7 +117,7 @@ sub pluginmain {
#::rptMsg($key_path.$word." not found."); #::rptMsg($key_path.$word." not found.");
} }
#::rptMsg(""); #::rptMsg("");
# Attempt to retrieve Excel docs # Attempt to retrieve Excel docs
my $excel = 'Excel\\File MRU'; my $excel = 'Excel\\File MRU';
if (my $excel_key = $of_key->get_subkey($excel)) { if (my $excel_key = $of_key->get_subkey($excel)) {
#::rptMsg($key_path."\\".$excel); #::rptMsg($key_path."\\".$excel);
@ -125,7 +125,7 @@ sub pluginmain {
my @vals = $excel_key->get_list_of_values(); my @vals = $excel_key->get_list_of_values();
if (scalar(@vals) > 0) { if (scalar(@vals) > 0) {
my %files; my %files;
# Retrieve values and load into a hash for sorting # Retrieve values and load into a hash for sorting
foreach my $v (@vals) { foreach my $v (@vals) {
my $val = $v->get_name(); my $val = $v->get_name();
if ($val eq "Max Display") { next; } if ($val eq "Max Display") { next; }
@ -133,7 +133,7 @@ sub pluginmain {
my $tag = (split(/Item/,$val))[1]; my $tag = (split(/Item/,$val))[1];
$files{$tag} = $val.":".$data; $files{$tag} = $val.":".$data;
} }
# Print sorted content to report file # Print sorted content to report file
foreach my $u (sort {$a <=> $b} keys %files) { foreach my $u (sort {$a <=> $b} keys %files) {
my ($val,$data) = split(/:/,$files{$u},2); my ($val,$data) = split(/:/,$files{$u},2);
::rptMsg("<Excel name=\"".$val."\">".$data . "</Excel>"); ::rptMsg("<Excel name=\"".$val."\">".$data . "</Excel>");
@ -147,7 +147,7 @@ sub pluginmain {
#::rptMsg($key_path.$excel." not found."); #::rptMsg($key_path.$excel." not found.");
} }
#::rptMsg(""); #::rptMsg("");
# Attempt to retrieve Access docs # Attempt to retrieve Access docs
my $access = 'Access\\File MRU'; my $access = 'Access\\File MRU';
if (my $access_key = $of_key->get_subkey($access)) { if (my $access_key = $of_key->get_subkey($access)) {
#::rptMsg($key_path."\\".$access); #::rptMsg($key_path."\\".$access);
@ -155,7 +155,7 @@ sub pluginmain {
my @vals = $access_key->get_list_of_values(); my @vals = $access_key->get_list_of_values();
if (scalar(@vals) > 0) { if (scalar(@vals) > 0) {
my %files; my %files;
# Retrieve values and load into a hash for sorting # Retrieve values and load into a hash for sorting
foreach my $v (@vals) { foreach my $v (@vals) {
my $val = $v->get_name(); my $val = $v->get_name();
if ($val eq "Max Display") { next; } if ($val eq "Max Display") { next; }
@ -163,7 +163,7 @@ sub pluginmain {
my $tag = (split(/Item/,$val))[1]; my $tag = (split(/Item/,$val))[1];
$files{$tag} = $val.":".$data; $files{$tag} = $val.":".$data;
} }
# Print sorted content to report file # Print sorted content to report file
foreach my $u (sort {$a <=> $b} keys %files) { foreach my $u (sort {$a <=> $b} keys %files) {
my ($val,$data) = split(/:/,$files{$u},2); my ($val,$data) = split(/:/,$files{$u},2);
::rptMsg("<Access name=\"".$val."\">".$data . "</Access>"); ::rptMsg("<Access name=\"".$val."\">".$data . "</Access>");
@ -177,7 +177,7 @@ sub pluginmain {
# ::rptMsg($key_path.$access." not found."); # ::rptMsg($key_path.$access." not found.");
} }
#::rptMsg(""); #::rptMsg("");
# Attempt to retrieve PowerPoint docs # Attempt to retrieve PowerPoint docs
my $ppt = 'PowerPoint\\File MRU'; my $ppt = 'PowerPoint\\File MRU';
if (my $ppt_key = $of_key->get_subkey($ppt)) { if (my $ppt_key = $of_key->get_subkey($ppt)) {
#::rptMsg($key_path."\\".$ppt); #::rptMsg($key_path."\\".$ppt);
@ -185,7 +185,7 @@ sub pluginmain {
my @vals = $ppt_key->get_list_of_values(); my @vals = $ppt_key->get_list_of_values();
if (scalar(@vals) > 0) { if (scalar(@vals) > 0) {
my %files; my %files;
# Retrieve values and load into a hash for sorting # Retrieve values and load into a hash for sorting
foreach my $v (@vals) { foreach my $v (@vals) {
my $val = $v->get_name(); my $val = $v->get_name();
if ($val eq "Max Display") { next; } if ($val eq "Max Display") { next; }
@ -193,7 +193,7 @@ sub pluginmain {
my $tag = (split(/Item/,$val))[1]; my $tag = (split(/Item/,$val))[1];
$files{$tag} = $val.":".$data; $files{$tag} = $val.":".$data;
} }
# Print sorted content to report file # Print sorted content to report file
foreach my $u (sort {$a <=> $b} keys %files) { foreach my $u (sort {$a <=> $b} keys %files) {
my ($val,$data) = split(/:/,$files{$u},2); my ($val,$data) = split(/:/,$files{$u},2);
::rptMsg("<PowerPoint name=\"".$val."\">".$data . "</PowerPoint>"); ::rptMsg("<PowerPoint name=\"".$val."\">".$data . "</PowerPoint>");
@ -216,6 +216,7 @@ sub pluginmain {
# ::logMsg("MSOffice version not found."); # ::logMsg("MSOffice version not found.");
# ::rptMsg("MSOffice version not found."); # ::rptMsg("MSOffice version not found.");
} }
}
} }
1; 1;
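Review bot: `my $tag = (split(/Item/,$val))[1];` yields undef when a value name does not contain `Item`, and that undef is then used as the `%files` key and compared in `sort {$a <=> $b}`, which is the kind of undefined value this commit sets out to remove. As far as these hunks show, only `Max Display` is skipped before the split (one line between the `next` and the split falls outside them), so any other unexpected value name under the MRU key reaches it, and several such names would overwrite each other under the same key. Adding `next unless defined $tag;` right after the split in each of the four loops would drop those entries cleanly. The `split(/File/,$val)` loops in the officedocs section have the same gap.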