diff --git a/.gitignore b/.gitignore index a9e5de6768..804b0e96ed 100644 --- a/.gitignore +++ b/.gitignore @@ -15,4 +15,5 @@ /KeywordSearch/release/solr/start.jar /KeywordSearch/release/solr/webapps/solr.war -/DataModel/release/modules/ext/sqlite-jdbc-3.7.2.jar \ No newline at end of file +/DataModel/release/modules/ext/sqlite-jdbc-3.7.2.jar +/DataModel/release/modules/lib/zlib.dll \ No newline at end of file diff --git a/BUILDING.txt b/BUILDING.txt index ea4ef9b7ab..68a7e43249 100644 --- a/BUILDING.txt +++ b/BUILDING.txt @@ -13,7 +13,7 @@ needed even if you have a 64-bit system). 3) Download and install Netbeans IDE 7.0.1 (http://netbeans.org/) -4) Download and build the release version of Libewf2 (20120304 or later). All you need is the dll file. +4) Download and build the release version of Libewf2 (20120304 or later). All you need is the dll file. Note that you will get a launching error if you use libewf 1. - http://sourceforge.net/projects/libewf/ 5) Set LIBEWF_HOME environment variable to root directory of LIBEWF diff --git a/CoreComponentInterfaces/src/org/sleuthkit/autopsy/images/usb_devices.png b/CoreComponentInterfaces/src/org/sleuthkit/autopsy/images/usb_devices.png new file mode 100644 index 0000000000..e49540dccc Binary files /dev/null and b/CoreComponentInterfaces/src/org/sleuthkit/autopsy/images/usb_devices.png differ diff --git a/CoreComponents/src/org/sleuthkit/autopsy/corecomponents/Bundle.properties b/CoreComponents/src/org/sleuthkit/autopsy/corecomponents/Bundle.properties index 135af4fab0..232db96621 100644 --- a/CoreComponents/src/org/sleuthkit/autopsy/corecomponents/Bundle.properties +++ b/CoreComponents/src/org/sleuthkit/autopsy/corecomponents/Bundle.properties 
@@ -70,13 +70,13 @@ DataContentViewerString.selectAllMenuItem.text=Select All DataContentViewerHex.selectAllMenuItem.text=Select All DataContentViewerArtifact.totalPageLabel.text=100 DataContentViewerArtifact.prevPageButton.text= -DataContentViewerArtifact.pageLabel2.text=Artifact +DataContentViewerArtifact.pageLabel2.text=Result DataContentViewerArtifact.nextPageButton.text= DataContentViewerArtifact.currentPageLabel.text=1 DataContentViewerArtifact.ofLabel.text=of DataContentViewerArtifact.copyMenuItem.text=Copy DataContentViewerArtifact.selectAllMenuItem.text=Select All -DataContentViewerArtifact.pageLabel.text=Artifact: +DataContentViewerArtifact.pageLabel.text=Result: AdvancedConfigurationDialog.applyButton.text=OK DataContentViewerMedia.pauseButton.text=\u25ba diff --git a/CoreComponents/src/org/sleuthkit/autopsy/corecomponents/DataContentViewerArtifact.java b/CoreComponents/src/org/sleuthkit/autopsy/corecomponents/DataContentViewerArtifact.java index f283e18987..b49113ca7c 100644 --- a/CoreComponents/src/org/sleuthkit/autopsy/corecomponents/DataContentViewerArtifact.java +++ b/CoreComponents/src/org/sleuthkit/autopsy/corecomponents/DataContentViewerArtifact.java @@ -94,7 +94,7 @@ public class DataContentViewerArtifact extends javax.swing.JPanel implements Dat jPanel1.setPreferredSize(new java.awt.Dimension(622, 424)); outputViewPane.setEditable(false); - outputViewPane.setFont(new java.awt.Font("Courier New", 0, 11)); + outputViewPane.setFont(new java.awt.Font("Courier New", 0, 11)); // NOI18N outputViewPane.setPreferredSize(new java.awt.Dimension(700, 400)); jScrollPane1.setViewportView(outputViewPane); 
@@ -244,12 +244,12 @@ public class DataContentViewerArtifact extends javax.swing.JPanel implements Dat @Override public String getTitle() { - return "Artifact View"; + return "Result View"; } @Override public String getToolTip() { - return "Displays Blackboard Artifacts associated with the file"; + return "Displays Results associated with the file"; } @Override @@ -307,7 +307,7 @@ public class DataContentViewerArtifact extends javax.swing.JPanel implements Dat int size = content.getAllArtifacts().size(); return size > 0; } catch (TskException ex) { - logger.log(Level.WARNING, "Couldn't get All blackboard Artifacts", ex); + logger.log(Level.WARNING, "Couldn't get All Blackboard Artifacts", ex); } } return false; diff --git a/DataModel/src/org/sleuthkit/autopsy/datamodel/ArtifactStringContent.java b/DataModel/src/org/sleuthkit/autopsy/datamodel/ArtifactStringContent.java index cb7ac4c564..623abff65d 100644 --- a/DataModel/src/org/sleuthkit/autopsy/datamodel/ArtifactStringContent.java +++ b/DataModel/src/org/sleuthkit/autopsy/datamodel/ArtifactStringContent.java @@ -52,11 +52,11 @@ public class ArtifactStringContent implements StringContent { buffer.append("p {font-family:Arial;font-size:10pt;}"); buffer.append(""); buffer.append(""); + buffer.append("

"); + buffer.append(wrapped.getDisplayName()); + buffer.append("

"); buffer.append(""); buffer.append(""); - buffer.append(""); - buffer.append(""); - buffer.append(""); buffer.append(""); for (BlackboardAttribute attr : wrapped.getAttributes()) { buffer.append(""); - buffer.append(""); buffer.append(""); diff --git a/DataModel/src/org/sleuthkit/autopsy/datamodel/ArtifactTypeNode.java b/DataModel/src/org/sleuthkit/autopsy/datamodel/ArtifactTypeNode.java index 1775c5fe3b..a78a5f892e 100644 --- a/DataModel/src/org/sleuthkit/autopsy/datamodel/ArtifactTypeNode.java +++ b/DataModel/src/org/sleuthkit/autopsy/datamodel/ArtifactTypeNode.java @@ -96,6 +96,8 @@ public class ArtifactTypeNode extends AbstractNode implements DisplayableItemNod return "programs.png"; case TSK_RECENT_OBJECT: return "recent_docs.png"; + case TSK_DEVICE_ATTACHED: + return "usb_devices.png"; } return "artifact-icon.png"; } diff --git a/DataModel/src/org/sleuthkit/autopsy/datamodel/ExtractedContentChildren.java b/DataModel/src/org/sleuthkit/autopsy/datamodel/ExtractedContentChildren.java index 6b1e7c29b0..61e20b1e66 100644 --- a/DataModel/src/org/sleuthkit/autopsy/datamodel/ExtractedContentChildren.java +++ b/DataModel/src/org/sleuthkit/autopsy/datamodel/ExtractedContentChildren.java 
@@ -46,6 +46,7 @@ public class ExtractedContentChildren extends ChildFactory visit(DirectoryNode dir) { List actions = new ArrayList(); + if(!dir.getDirectoryBrowseMode()) { + actions.add(new ViewContextAction("View File in Directory", dir)); + actions.add(null); // creates a menu separator + } actions.add(new NewWindowViewAction("View in New Window", dir)); - actions.add(new ChangeViewAction("View", 0, dir)); + actions.add(null); // creates a menu separator actions.add(new ExtractAction("Extract Directory", dir)); - if(!dir.getDirectoryBrowseMode()) - actions.add(new ViewContextAction("View in Parent Directory", dir)); return actions; } @Override public List visit(FileNode f) { List actions = new ArrayList(); + if(!f.getDirectoryBrowseMode()) { + actions.add(new ViewContextAction("View File in Directory", f)); + actions.add(null); // creates a menu separator + } actions.add(new NewWindowViewAction("View in New Window", f)); actions.add(new ExternalViewerAction("Open in External Viewer", f)); + actions.add(null); // creates a menu separator actions.add(new ExtractAction("Extract File", f)); - if(!f.getDirectoryBrowseMode()) - actions.add(new ViewContextAction("View in Parent Directory", f)); return actions; } @Override - public List visit(BlackboardArtifactNode ba) { + public List visit(BlackboardArtifactNode ban) { List actions = new ArrayList(); - //actions.add(new ViewAssociatedContentAction("View Associated Content", ba)); - actions.add(new ViewContextAction("View Source in Directory", ba)); - Content c = findLinked(ba); - if(c != null) - actions.add(new ViewContextAction("View Linked in Directory", c)); + BlackboardArtifact ba = ban.getLookup().lookup(BlackboardArtifact.class); + if(ba.getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT.getTypeID() + || ba.getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID()) { + actions.add(new ViewContextAction("View File in Directory", ban)); + } else { + Content c = 
findLinked(ban); + if (c != null) { + actions.add(new ViewContextAction("View File in Directory", c)); + } + actions.add(new ViewContextAction("View Source File in Directory", ban)); + } + File f = ban.getLookup().lookup(File.class); + if(f != null) { + actions.add(null); // creates a menu separator + actions.add(new NewWindowViewAction("View in New Window", new FileNode(f))); + actions.add(new ExternalViewerAction("Open in External Viewer", new FileNode(f))); + actions.add(null); // creates a menu separator + actions.add(new ExtractAction("Extract File", new FileNode(f))); + } return actions; } @@ -201,16 +221,20 @@ public class DataResultFilterNode extends FilterNode{ if(attr.getAttributeTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID()) { switch(attr.getValueType()) { case INTEGER: - c = art.getSleuthkitCase().getContentById(attr.getValueInt()); + int i = attr.getValueInt(); + if(i != -1) + c = art.getSleuthkitCase().getContentById(i); break; case LONG: - c = art.getSleuthkitCase().getContentById(attr.getValueLong()); + long l = attr.getValueLong(); + if(l != -1) + c = art.getSleuthkitCase().getContentById(l); break; } } } } catch(TskException ex) { - Logger.getLogger(this.getClass().getName()).log(Level.WARNING, "Error getting linked file"); + Logger.getLogger(this.getClass().getName()).log(Level.WARNING, "Error getting linked file", ex); } return c; } diff --git a/FileSearch/src/org/sleuthkit/autopsy/filesearch/layer.xml b/FileSearch/src/org/sleuthkit/autopsy/filesearch/layer.xml index 9af0b1419e..c5fa2b2bdf 100644 --- a/FileSearch/src/org/sleuthkit/autopsy/filesearch/layer.xml +++ b/FileSearch/src/org/sleuthkit/autopsy/filesearch/layer.xml @@ -16,10 +16,18 @@ + + + + + + + + diff --git a/HashDatabase/src/org/sleuthkit/autopsy/hashdatabase/HashDbMgmtAction.java b/HashDatabase/src/org/sleuthkit/autopsy/hashdatabase/HashDbMgmtAction.java index 7a5692330c..cf8c3cec38 100644 
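Review bot: `BlackboardArtifact ba = ban.getLookup().lookup(BlackboardArtifact.class);` is dereferenced on the next line (`ba.getArtifactTypeID()`) without a null check, while the `File` taken from the same lookup a few lines later is guarded with `if(f != null)`; a node whose lookup does not carry the artifact would throw a NullPointerException while the context menu is being built. Guard it the same way, e.g. `if (ba == null) { return actions; }` directly after the lookup, or log and fall through to the file actions. The three `new FileNode(f)` calls could also share one instance, e.g. `FileNode fileNode = new FileNode(f);` at the top of the `if(f != null)` block. The hunk's header is swallowed in this rendering before `visit(DirectoryNode dir)`, so its exact start is not visible.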
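Review bot: The added `if(i != -1)` / `if(l != -1)` checks rely on a bare `-1` literal to mean "no linked content", duplicated in both switch arms; a named constant such as `private static final long NO_PATH_ID = -1;` would record that convention at the point where `TSK_PATH_ID` is read. Both new `if` statements are unbraced single-statement bodies, whereas the other new code in this file uses braces (`if (c != null) { ... }`). Whether values other than -1 (for instance 0) can also denote a missing link is not visible here and worth confirming against whatever writes `TSK_PATH_ID`. findLinked's signature and the code around the switch lie outside the hunk.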
--- a/HashDatabase/src/org/sleuthkit/autopsy/hashdatabase/HashDbMgmtAction.java +++ b/HashDatabase/src/org/sleuthkit/autopsy/hashdatabase/HashDbMgmtAction.java @@ -36,7 +36,7 @@ import org.sleuthkit.autopsy.coreutils.Log; */ class HashDbMgmtAction extends CallableSystemAction { - private static final String ACTION_NAME = "Hash Database Management"; + private static final String ACTION_NAME = "Hash Database Configuration"; @Override public void performAction() { diff --git a/HashDatabase/src/org/sleuthkit/autopsy/hashdatabase/HashDbPanel.java b/HashDatabase/src/org/sleuthkit/autopsy/hashdatabase/HashDbPanel.java index 1ab3b213ae..0aa92ca3e1 100644 --- a/HashDatabase/src/org/sleuthkit/autopsy/hashdatabase/HashDbPanel.java +++ b/HashDatabase/src/org/sleuthkit/autopsy/hashdatabase/HashDbPanel.java @@ -30,6 +30,8 @@ import java.io.IOException; import java.util.logging.Level; import java.util.logging.Logger; import javax.swing.JFileChooser; +import javax.swing.filechooser.FileFilter; +import javax.swing.filechooser.FileNameExtensionFilter; import org.sleuthkit.autopsy.coreutils.Log; import org.sleuthkit.datamodel.TskException; @@ -66,6 +68,10 @@ class HashDbPanel extends javax.swing.JPanel { fc.setDragEnabled(false); fc.setFileSelectionMode(JFileChooser.FILES_ONLY); + String[] EXTENSION = new String[] { "txt", "idx", "hash", "Hash" }; + FileNameExtensionFilter filter = new FileNameExtensionFilter( + "Hash Database File", EXTENSION); + fc.setFileFilter(filter); fc.setMultiSelectionEnabled(false); this.initComponents(); diff --git a/HashDatabase/src/org/sleuthkit/autopsy/hashdatabase/layer.xml b/HashDatabase/src/org/sleuthkit/autopsy/hashdatabase/layer.xml index 0216f3a70d..e84dcb7f23 100644 --- a/HashDatabase/src/org/sleuthkit/autopsy/hashdatabase/layer.xml +++ b/HashDatabase/src/org/sleuthkit/autopsy/hashdatabase/layer.xml @@ -14,10 +14,6 @@ - - - - 
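Review bot: `FileNameExtensionFilter` compares extensions case-insensitively, so the `"Hash"` entry in `String[] EXTENSION = new String[] { "txt", "idx", "hash", "Hash" };` is redundant and suggests otherwise to the next reader; `String[] extensions = { "txt", "idx", "hash" };` is sufficient, and a lower-camel name fits a local variable better than constant case. The `javax.swing.filechooser.FileFilter` import added in the hunk above appears unused in the visible code, since only `FileNameExtensionFilter` is referenced. Note that this filter is a UI convenience rather than validation: `JFileChooser` still offers its accept-all filter unless `fc.setAcceptAllFileFilterUsed(false)` is called, and the path the user picks must still be checked where the hash database is actually opened. The constructor continues outside the hunk.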
diff --git a/Ingest/src/org/sleuthkit/autopsy/ingest/Bundle.properties b/Ingest/src/org/sleuthkit/autopsy/ingest/Bundle.properties index 3c858798ba..c6a88df93a 100644 --- a/Ingest/src/org/sleuthkit/autopsy/ingest/Bundle.properties +++ b/Ingest/src/org/sleuthkit/autopsy/ingest/Bundle.properties @@ -20,8 +20,8 @@ IngestDialogPanel.freqSliderLabel.text=Refresh interval (minutes) IngestDialogPanel.freqSliderLabel.toolTipText=null IngestDialogPanel.freqSlider.toolTipText=Maximum time in minutes for ingest modules to refresh and report data to user.
Lower value presents data more frequently but may impact performance and lenghten the overall ingest run.
Higher value is improves performance, but data will be refreshed less frequently (recommended for an unattended run).
The value can be adjusted only when no ingest module is currently running IngestMessageDetailsPanel.backButton.text= -IngestMessageDetailsPanel.viewArtifactButton.text=View Artifact -IngestMessageDetailsPanel.viewContentButton.text=View Content +IngestMessageDetailsPanel.viewArtifactButton.text=Go to Result +IngestMessageDetailsPanel.viewContentButton.text=Go to Directory IngestMessagePanel.sortByLabel.text=Sort by: IngestMessagePanel.sortByComboBox.toolTipText=Sort messages by time (chronological order) or message priority IngestDialogPanel.advancedButton.text=Advanced @@ -30,3 +30,4 @@ IngestMessageDetailsPanel.messageDetailsPane.toolTipText= IngestMessagesToolbar.toolTipText= IngestMessageDetailsPanel.copyMenuItem.text=Copy IngestMessageDetailsPanel.selectAllMenuItem.text=Select All +IngestMessageTopComponent.displayName=Ingest Inbox diff --git a/Ingest/src/org/sleuthkit/autopsy/ingest/IngestManager.java b/Ingest/src/org/sleuthkit/autopsy/ingest/IngestManager.java index 3703798513..ccfb959c7e 100755 --- a/Ingest/src/org/sleuthkit/autopsy/ingest/IngestManager.java +++ b/Ingest/src/org/sleuthkit/autopsy/ingest/IngestManager.java @@ -46,6 +46,7 @@ import org.openide.util.Lookup; import org.sleuthkit.autopsy.ingest.IngestMessage.MessageType; import org.sleuthkit.datamodel.FsContent; import org.sleuthkit.datamodel.Image; +import org.sleuthkit.datamodel.TskData; /** * IngestManager sets up and manages ingest services @@ -553,8 +554,6 @@ public class IngestManager { return ret; } - - //image worker to remove itself when complete or interrupted void removeImageIngestWorker(IngestImageThread worker) { //remove worker @@ -642,7 +641,7 @@ public class IngestManager { void enqueue(FsContent fsContent, IngestServiceFsContent service) { //fsContentUnits.put(fsContent, Collections.singletonList(service)); List services = fsContentUnits.get(fsContent); - if(services == null) { + if (services == null) { services = new ArrayList(); fsContentUnits.put(fsContent, services); } 
@@ -652,7 +651,7 @@ public class IngestManager { void enqueue(FsContent fsContent, List services) { List oldServices = fsContentUnits.get(fsContent); - if(oldServices == null) { + if (oldServices == null) { oldServices = new ArrayList(); fsContentUnits.put(fsContent, oldServices); } @@ -690,9 +689,10 @@ public class IngestManager { * @return true if the service is enqueued to do work */ boolean hasServiceEnqueued(IngestServiceFsContent service) { - for(List list : fsContentUnits.values()) { - if(list.contains(service)) + for (List list : fsContentUnits.values()) { + if (list.contains(service)) { return true; + } } return false; } @@ -705,8 +705,8 @@ public class IngestManager { public String printQueue() { StringBuilder sb = new StringBuilder(); /*for (QueueUnit u : fsContentUnits) { - sb.append(u.toString()); - sb.append("\n"); + sb.append(u.toString()); + sb.append("\n"); }*/ return sb.toString(); } @@ -731,7 +731,7 @@ public class IngestManager { void enqueue(Image image, IngestServiceImage service) { List services = imageUnits.get(image); - if(services == null) { + if (services == null) { services = new ArrayList(); imageUnits.put(image, services); } @@ -740,7 +740,7 @@ public class IngestManager { void enqueue(Image image, List services) { List oldServices = imageUnits.get(image); - if(oldServices == null) { + if (oldServices == null) { oldServices = new ArrayList(); imageUnits.put(image, oldServices); } @@ -817,19 +817,19 @@ public class IngestManager { public String toHtmlString() { StringBuilder sb = new StringBuilder(); sb.append(""); - + sb.append("Ingest time: ").append(getTotalTimeString()).append("
"); sb.append("Total errors: ").append(errorsTotal).append("
"); /* if (errorsTotal > 0) { - sb.append("Errors per service:"); - for (IngestServiceAbstract service : errors.keySet()) { - final int errorsService = errors.get(service); - sb.append("\t").append(service.getName()).append(": ").append(errorsService).append("
"); - } + sb.append("Errors per service:"); + for (IngestServiceAbstract service : errors.keySet()) { + final int errorsService = errors.get(service); + sb.append("\t").append(service.getName()).append(": ").append(errorsService).append("
"); + } } * */ - + sb.append(""); return sb.toString(); } @@ -926,13 +926,18 @@ public class IngestManager { fsContentServiceResults.clear(); } + final FsContent fileToProcess = unit.getKey(); + + progress.progress(fileToProcess.getName(), processedFiles); + for (IngestServiceFsContent service : unit.getValue()) { if (isCancelled()) { return null; } + try { - IngestServiceFsContent.ProcessResult result = service.process(unit.getKey()); + IngestServiceFsContent.ProcessResult result = service.process(fileToProcess); //handle unconditional stop if (result == IngestServiceFsContent.ProcessResult.STOP) { break; @@ -956,7 +961,7 @@ public class IngestManager { progress.switchToIndeterminate(); progress.switchToDeterminate(numFsContents); } - progress.progress(unit.getKey().getName(), ++processedFiles); + ++processedFiles; --numFsContents; } //end of this fsContent logger.log(Level.INFO, "Done background processing"); @@ -1001,7 +1006,6 @@ public class IngestManager { } - private void handleInterruption() { for (IngestServiceFsContent s : fsContentServices) { s.stop(); @@ -1099,10 +1103,10 @@ public class IngestManager { //addImage((IngestServiceImage) service, image); break; case FsContent: - if(fsContents == null) { + if (fsContents == null) { long start = System.currentTimeMillis(); fsContents = new GetAllFilesContentVisitor().visit(image); - logger.info("Get all files took " + (System.currentTimeMillis()-start) + "ms"); + logger.info("Get all files took " + (System.currentTimeMillis() - start) + "ms"); } //enqueue the same singleton fscontent service logger.log(Level.INFO, "Adding image " + image.getName() + " with " + fsContents.size() + " number of fsContent to service " + service.getName()); @@ -1113,8 +1117,9 @@ public class IngestManager { } progress.progress(serviceName + " " + imageName, ++processed); } - if(fsContents != null) + if (fsContents != null) { fsContents.clear(); + } } //logger.log(Level.INFO, fsContentQueue.printQueue()); 
diff --git a/Ingest/src/org/sleuthkit/autopsy/ingest/IngestMessageDetailsPanel.form b/Ingest/src/org/sleuthkit/autopsy/ingest/IngestMessageDetailsPanel.form index be1bc1e202..e6a0f06036 100644 --- a/Ingest/src/org/sleuthkit/autopsy/ingest/IngestMessageDetailsPanel.form +++ b/Ingest/src/org/sleuthkit/autopsy/ingest/IngestMessageDetailsPanel.form @@ -42,7 +42,7 @@ - + @@ -70,7 +70,7 @@ - + diff --git a/Ingest/src/org/sleuthkit/autopsy/ingest/IngestMessageDetailsPanel.java b/Ingest/src/org/sleuthkit/autopsy/ingest/IngestMessageDetailsPanel.java index 6dcfdea207..ed2fca3f79 100644 --- a/Ingest/src/org/sleuthkit/autopsy/ingest/IngestMessageDetailsPanel.java +++ b/Ingest/src/org/sleuthkit/autopsy/ingest/IngestMessageDetailsPanel.java @@ -107,7 +107,7 @@ class IngestMessageDetailsPanel extends javax.swing.JPanel { selectAllMenuItem.setText(org.openide.util.NbBundle.getMessage(IngestMessageDetailsPanel.class, "IngestMessageDetailsPanel.selectAllMenuItem.text")); // NOI18N rightClickMenu.add(selectAllMenuItem); - backButton.setIcon(new javax.swing.ImageIcon(getClass().getResource("/org/sleuthkit/autopsy/ingest/arrow_left.gif"))); // NOI18N + backButton.setIcon(new javax.swing.ImageIcon(getClass().getResource("/org/sleuthkit/autopsy/ingest/btn_step_back.png"))); // NOI18N backButton.setText(org.openide.util.NbBundle.getMessage(IngestMessageDetailsPanel.class, "IngestMessageDetailsPanel.backButton.text")); // NOI18N backButton.setAlignmentY(0.0F); backButton.setHorizontalTextPosition(javax.swing.SwingConstants.CENTER); 
@@ -152,7 +152,7 @@ class IngestMessageDetailsPanel extends javax.swing.JPanel { layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING) .addGroup(layout.createSequentialGroup() .addComponent(backButton, javax.swing.GroupLayout.PREFERRED_SIZE, 23, javax.swing.GroupLayout.PREFERRED_SIZE) - .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED, 153, Short.MAX_VALUE) + .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED, 147, Short.MAX_VALUE) .addComponent(viewArtifactButton) .addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.UNRELATED) .addComponent(viewContentButton)) diff --git a/Ingest/src/org/sleuthkit/autopsy/ingest/IngestMessageTopComponent.form b/Ingest/src/org/sleuthkit/autopsy/ingest/IngestMessageTopComponent.form index 37e264e504..d5baf08ac5 100644 --- a/Ingest/src/org/sleuthkit/autopsy/ingest/IngestMessageTopComponent.form +++ b/Ingest/src/org/sleuthkit/autopsy/ingest/IngestMessageTopComponent.form @@ -1,6 +1,12 @@
+ + + + + + diff --git a/Ingest/src/org/sleuthkit/autopsy/ingest/IngestMessageTopComponent.java b/Ingest/src/org/sleuthkit/autopsy/ingest/IngestMessageTopComponent.java index 026b954c46..da91895b05 100644 --- a/Ingest/src/org/sleuthkit/autopsy/ingest/IngestMessageTopComponent.java +++ b/Ingest/src/org/sleuthkit/autopsy/ingest/IngestMessageTopComponent.java @@ -90,6 +90,9 @@ public final class IngestMessageTopComponent extends TopComponent implements Ing // //GEN-BEGIN:initComponents private void initComponents() { + setDisplayName(org.openide.util.NbBundle.getMessage(IngestMessageTopComponent.class, "IngestMessageTopComponent.displayName")); // NOI18N + setName("Ingest Inbox"); // NOI18N + javax.swing.GroupLayout layout = new javax.swing.GroupLayout(this); this.setLayout(layout); layout.setHorizontalGroup( diff --git a/Ingest/src/org/sleuthkit/autopsy/ingest/arrow_left.gif b/Ingest/src/org/sleuthkit/autopsy/ingest/arrow_left.gif deleted file mode 100644 index d0d85dba4b..0000000000 Binary files a/Ingest/src/org/sleuthkit/autopsy/ingest/arrow_left.gif and /dev/null differ diff --git a/Ingest/src/org/sleuthkit/autopsy/ingest/back-button.png b/Ingest/src/org/sleuthkit/autopsy/ingest/back-button.png deleted file mode 100644 index b6c02aa3dd..0000000000 Binary files a/Ingest/src/org/sleuthkit/autopsy/ingest/back-button.png and /dev/null differ diff --git a/Ingest/src/org/sleuthkit/autopsy/ingest/btn_step_back.png b/Ingest/src/org/sleuthkit/autopsy/ingest/btn_step_back.png new file mode 100644 index 0000000000..b9d9ffe622 Binary files /dev/null and b/Ingest/src/org/sleuthkit/autopsy/ingest/btn_step_back.png differ diff --git a/KNOWN_ISSUES.txt b/KNOWN_ISSUES.txt index a7f2d71804..ef59e5fe5c 100644 --- a/KNOWN_ISSUES.txt +++ b/KNOWN_ISSUES.txt 
@@ -2,10 +2,19 @@ Known issues and limitations We plan to address the following issues in future releases. +General: +- Only a single instance of the application can be started at once. +There is no check if another instance is already running. Running a second instance will cause issues. + +Case: +- Closing a case in certain situations (when ingest is running or processing is being done in the background) may cause stability issues. +If case cannot be cleanly closed, try closing the application. + Ingest: -- Ingest can fail and cause unexpected behavior if "Add image" action is performed while ingest is running. +- Ingest may fail and cause unexpected behavior if "Add image" action is performed while ingest is running on a previously added image. + Keyword search module: - Keyword search module does not currently search unallocated space, -- Keyword search maximum size of files to be indexed and searched is 200MB, -- Keyword search maximum size of unknown files to be searched is 10MB. +- Keyword search maximum size of files to be indexed and searched is 100MB, +- Keyword search maximum size of unknown types of files to be indexed and searched (using string extraction) is 1MB. diff --git a/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/KeywordSearchIngestService.java b/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/KeywordSearchIngestService.java index f06beb1c4d..be71fbdb26 100644 --- a/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/KeywordSearchIngestService.java +++ b/KeywordSearch/src/org/sleuthkit/autopsy/keywordsearch/KeywordSearchIngestService.java @@ -18,8 +18,6 @@ */ package org.sleuthkit.autopsy.keywordsearch; -import java.beans.PropertyChangeListener; -import java.beans.PropertyChangeSupport; import java.util.ArrayList; import java.util.Collection; import java.util.HashMap; 
@@ -476,7 +474,7 @@ public final class KeywordSearchIngestService implements IngestServiceFsContent boolean ingestible = false; final String fileName = fsContent.getName(); for (String ext : ingestibleExtensions) { - if (fileName.endsWith(ext)) { + if (fileName.toLowerCase().endsWith(ext)) { ingestible = true; break; } diff --git a/MenuActions/src/org/sleuthkit/autopsy/menuactions/layer.xml b/MenuActions/src/org/sleuthkit/autopsy/menuactions/layer.xml index 32809373ab..402308b497 100644 --- a/MenuActions/src/org/sleuthkit/autopsy/menuactions/layer.xml +++ b/MenuActions/src/org/sleuthkit/autopsy/menuactions/layer.xml @@ -16,6 +16,7 @@ + diff --git a/RecentActivity/nbproject/genfiles.properties b/RecentActivity/nbproject/genfiles.properties index edf146affb..9e5bb239dc 100644 --- a/RecentActivity/nbproject/genfiles.properties +++ b/RecentActivity/nbproject/genfiles.properties @@ -1,8 +1,8 @@ -build.xml.data.CRC32=9b8a08d3 +build.xml.data.CRC32=dacaa05a build.xml.script.CRC32=d323407a build.xml.stylesheet.CRC32=a56c6a5b@1.46.1 # This file is used by a NetBeans-based IDE to track changes in generated files such as build-impl.xml. # Do not edit this file. You may delete it but then the IDE will never regenerate such files for you. -nbproject/build-impl.xml.data.CRC32=9b8a08d3 +nbproject/build-impl.xml.data.CRC32=dacaa05a nbproject/build-impl.xml.script.CRC32=aef16a21 nbproject/build-impl.xml.stylesheet.CRC32=238281d1@1.46.1 diff --git a/RecentActivity/nbproject/project.properties b/RecentActivity/nbproject/project.properties index b9c82fbb81..c2587f0f66 100644 --- a/RecentActivity/nbproject/project.properties +++ b/RecentActivity/nbproject/project.properties 
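Review bot: `fileName.toLowerCase()` in the new condition uses the JVM default locale, so the extension match depends on where Autopsy runs (under a Turkish locale an upper-case `I` lowers to dotless `ı`, and a name ending in `.GIF` no longer matches `.gif`); use `fileName.toLowerCase(Locale.ROOT).endsWith(ext)` with `java.util.Locale` imported for a locale-independent comparison. This also presumes every entry in `ingestibleExtensions` is stored in lower case, which is not visible here and worth confirming. The enclosing method starts and ends outside the hunk.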
@@ -1,4 +1,4 @@ -file.reference.jcalendarbutton-1.4.5.jar=release/modules/ext/jcalendarbutton-1.4.5.jar +file.reference.gson-2.1.jar=release/modules/ext/gson-2.1.jar file.reference.jdom-1.1.2.jar=release/modules/ext/jdom-1.1.2.jar file.reference.sqlite-jdbc-3.7.6.3-20110609.081603-3.jar=release/modules/ext/sqlite-jdbc-3.7.6.3-20110609.081603-3.jar javac.source=1.6 diff --git a/RecentActivity/nbproject/project.xml b/RecentActivity/nbproject/project.xml index 1184a96e43..c6387afb84 100644 --- a/RecentActivity/nbproject/project.xml +++ b/RecentActivity/nbproject/project.xml @@ -195,12 +195,12 @@ release/modules/ext/gson-2.1.jar - ext/jdom-1.1.2.jar - release/modules/ext/jdom-1.1.2.jar + ext/commons-lang3-3.1.jar + release/modules/ext/commons-lang3-3.1.jar - ext/jcalendarbutton-1.4.5.jar - release/modules/ext/jcalendarbutton-1.4.5.jar + ext/jdom-1.1.2.jar + release/modules/ext/jdom-1.1.2.jar diff --git a/RecentActivity/release/modules/ext/commons-lang3-3.1.jar b/RecentActivity/release/modules/ext/commons-lang3-3.1.jar new file mode 100644 index 0000000000..a85e539b17 Binary files /dev/null and b/RecentActivity/release/modules/ext/commons-lang3-3.1.jar differ diff --git a/RecentActivity/release/rr/plugins/acmru.pl b/RecentActivity/release/rr/plugins/acmru.pl deleted file mode 100644 index 55efea5f5d..0000000000 --- a/RecentActivity/release/rr/plugins/acmru.pl +++ /dev/null 
@@ -1,72 +0,0 @@ -#----------------------------------------------------------- -# acmru.pl -# Plugin for Registry Ripper, NTUSER.DAT edition - gets the -# ACMru values -# -# Change history -# -# -# References -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package acmru; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of user's ACMru key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching acmru v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Search Assistant\\ACMru'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("ACMru - Search Assistant"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - ::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())." (UTC)]"); - my @vals = $s->get_list_of_values(); - my %ac_vals; - foreach my $v (@vals) { - $ac_vals{$v->get_name()} = $v->get_data(); - } - foreach my $a (sort {$a <=> $b} keys %ac_vals) { - ::rptMsg("\t".$a." -> ".$ac_vals{$a}); - } - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/adoberdr.pl b/RecentActivity/release/rr/plugins/adoberdr.pl deleted file mode 100644 index f46e5ebd67..0000000000 --- a/RecentActivity/release/rr/plugins/adoberdr.pl +++ /dev/null 
@@ -1,93 +0,0 @@ -#----------------------------------------------------------- -# adoberdr.pl -# Plugin for Registry Ripper -# Parse Adobe Reader MRU keys -# -# Change history -# 20100218 - added checks for versions 4.0, 5.0, 9.0 -# 20091125 - modified output to make a bit more clear -# -# References -# -# Note: LastWrite times on c subkeys will all be the same, -# as each subkey is modified as when a new entry is added -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package adoberdr; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100218); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets user's Adobe Reader cRecentFiles values"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching adoberdr v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - ::rptMsg("Adoberdr v.".$VERSION); -# First, let's find out which version of Adobe Acrobat Reader is installed - my $version; - my $tag = 0; - my @versions = ("4\.0","5\.0","6\.0","7\.0","8\.0","9\.0"); - foreach my $ver (@versions) { - my $key_path = "Software\\Adobe\\Acrobat Reader\\".$ver."\\AVGeneral\\cRecentFiles"; - if (defined($root_key->get_subkey($key_path))) { - $version = $ver; - $tag = 1; - } - } - - if ($tag) { - ::rptMsg("Adobe Acrobat Reader version ".$version." located."); - my $key_path = "Software\\Adobe\\Acrobat Reader\\".$version."\\AVGeneral\\cRecentFiles"; - my $key = $root_key->get_subkey($key_path); - if ($key) { - ::rptMsg($key_path); - ::rptMsg(""); -# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); - my %arkeys; - my @subkeys = $key->get_list_of_subkeys(); - if (scalar @subkeys > 0) { - foreach my $s (@subkeys) { - my $num = $s->get_name(); - my $data = $s->get_value('sDI')->get_data(); - $num =~ s/^c//; - $arkeys{$num}{lastwrite} = $s->get_timestamp(); - $arkeys{$num}{data} = $data; - } - ::rptMsg("Most recent PDF opened: ".gmtime($arkeys{1}{lastwrite})." (UTC)"); - foreach my $k (sort keys %arkeys) { - ::rptMsg(" c".$k." ".$arkeys{$k}{data}); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg("Could not access ".$key_path); - } - } - else { - ::rptMsg("Adobe Acrobat Reader version not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/aim.pl b/RecentActivity/release/rr/plugins/aim.pl deleted file mode 100644 index 32eeeae713..0000000000 --- a/RecentActivity/release/rr/plugins/aim.pl +++ /dev/null 
@@ -1,95 +0,0 @@ -#----------------------------------------------------------- -# aim -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package aim; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080325); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets info from the AOL Instant Messenger (not AIM) install"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching aim plugin v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = 'Software\\America Online\\AOL Instant Messenger (TM)\\CurrentVersion\\Users'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("AIM"); - ::rptMsg($key_path); - ::rptMsg(""); - - my @subkeys = $key->get_list_of_subkeys(); - - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $user = $s->get_name(); - ::rptMsg("User: $user [".gmtime($s->get_timestamp())."]"); - - my $login = "Login"; - my $recent = "recent IM ScreenNames"; - my $recent2 = "recent ScreenNames"; - - my @userkeys = $s->get_list_of_subkeys(); - foreach my $u (@userkeys) { - my $us = $u->get_name(); -# See if we can get the encrypted password - if ($us =~ m/^$login/) { - my $pwd = ""; - eval { - $pwd = $u->get_value("Password1")->get_data(); - }; - ::rptMsg("Pwd: ".$pwd) if ($pwd ne ""); - } -# See if we can get recent folks they've chatted with... - if ($us eq $recent || $us eq $recent2) { - - my @vals = $u->get_list_of_values(); - if (scalar(@vals) > 0) { - ::rptMsg($user."\\".$us); - my %sns; - foreach my $v (@vals) { - $sns{$v->get_name()} = $v->get_data(); - } - - foreach my $i (sort {$a <=> $b} keys %sns) { - ::rptMsg("\t\t".$i." 
-> ".$sns{$i}); - } - } - else { -# No values - } - } - } - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/all b/RecentActivity/release/rr/plugins/all deleted file mode 100644 index 5f28a06eb6..0000000000 --- a/RecentActivity/release/rr/plugins/all +++ /dev/null @@ -1,3 +0,0 @@ -#------------------------------------- -# All -regtime \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/appinitdlls.pl b/RecentActivity/release/rr/plugins/appinitdlls.pl deleted file mode 100644 index 29c75915b1..0000000000 --- a/RecentActivity/release/rr/plugins/appinitdlls.pl +++ /dev/null 
@@ -1,61 +0,0 @@ -#----------------------------------------------------------- -# appinitdlls -# -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package appinitdlls; -use strict; - -my %config = (hive => "Software", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 1, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of AppInit_DLLs value"; -} -sub getDescr{} -sub getRefs { - my %refs = ("Working with the AppInit_DLLs Reg Value" => - "http://support.microsoft.com/kb/q197571"); - return %refs; -} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching appinitdlls v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = 'Microsoft\\Windows NT\\CurrentVersion\\Windows'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("AppInit_DLLs"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my @vals = $key->get_list_of_values(); - foreach my $v (@vals) { - my $name = $v->get_name(); - if ($name eq "AppInit_DLLs") { - my $data = $v->get_data(); - $data = "{blank}" if ($data eq ""); - ::rptMsg($name." -> ".$data); - } - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/applets.pl b/RecentActivity/release/rr/plugins/applets.pl deleted file mode 100644 index e29fffa083..0000000000 --- a/RecentActivity/release/rr/plugins/applets.pl +++ /dev/null 
@@ -1,96 +0,0 @@ -#----------------------------------------------------------- -# applets.pl -# Plugin for Registry Ripper -# Windows\CurrentVersion\Applets Recent File List values -# -# Change history -# -# -# References -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package applets; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of user's Applets key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching applets v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Applets'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("Applets"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); -# Locate files opened in MS Paint - my $paint_key = 'Paint\\Recent File List'; - my $paint = $key->get_subkey($paint_key); - if (defined $paint) { - ::rptMsg($key_path."\\".$paint_key); - ::rptMsg("LastWrite Time ".gmtime($paint->get_timestamp())." (UTC)"); - - my @vals = $paint->get_list_of_values(); - if (scalar(@vals) > 0) { - my %files; -# Retrieve values and load into a hash for sorting - foreach my $v (@vals) { - my $val = $v->get_name(); - my $data = $v->get_data(); - my $tag = (split(/File/,$val))[1]; - $files{$tag} = $val.":".$data; - } -# Print sorted content to report file - foreach my $u (sort {$a <=> $b} keys %files) { - my ($val,$data) = split(/:/,$files{$u},2); - ::rptMsg(" ".$val." -> ".$data); - } - } - else { - ::rptMsg($key_path."\\".$paint_key." 
has no values."); - } - } - else { - ::rptMsg($key_path."\\".$paint_key." not found."); - } -# Get Last Registry key opened in RegEdit - my $reg_key = "Regedit"; - my $reg = $key->get_subkey($reg_key); - if (defined $reg) { - ::rptMsg(""); - ::rptMsg($key_path."\\".$reg_key); - ::rptMsg("LastWrite Time ".gmtime($reg->get_timestamp())." (UTC)"); - my $lastkey = $reg->get_value("LastKey")->get_data(); - ::rptMsg("RegEdit LastKey value -> ".$lastkey); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/apppaths.pl b/RecentActivity/release/rr/plugins/apppaths.pl deleted file mode 100644 index 85e00aab25..0000000000 --- a/RecentActivity/release/rr/plugins/apppaths.pl +++ /dev/null 
@@ -1,83 +0,0 @@ -#----------------------------------------------------------- -# apppaths -# Gets contents of App Paths subkeys from the Software hive, -# diplaying the EXE name and path; all entries are sorted by -# LastWrite time -# -# References -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package apppaths; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 1, - version => 20080404); - -sub getConfig{return %config} - -sub getShortDescr { - return "Gets content of App Paths key"; -} -sub getDescr{} -sub getRefs { - my %refs = ("You cannot open Help and Support Center in Windows XP" => - "http://support.microsoft.com/kb/888018", - "Another installation program starts..." => - "http://support.microsoft.com/kb/888470"); - return %refs; -} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching apppaths v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\Windows\\CurrentVersion\\App Paths"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("App Paths"); - ::rptMsg($key_path); - ::rptMsg(""); - my %apps; - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - - my $name = $s->get_name(); - my $lastwrite = $s->get_timestamp(); - my $path; - eval { - $path = $s->get_value("")->get_data(); - }; - push(@{$apps{$lastwrite}},$name." [".$path."]"); - } - - foreach my $t (reverse sort {$a <=> $b} keys %apps) { - ::rptMsg(gmtime($t)." (UTC)"); - foreach my $item (@{$apps{$t}}) { - ::rptMsg(" $item"); - } - } - } - else { - ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." 
not found."); - ::logMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/arpcache.pl b/RecentActivity/release/rr/plugins/arpcache.pl deleted file mode 100644 index b8ed74f88f..0000000000 --- a/RecentActivity/release/rr/plugins/arpcache.pl +++ /dev/null 
@@ -1,133 +0,0 @@ -#----------------------------------------------------------- -# arpcache.pl -# Retrieves CurrentVersion\App Management\ARPCache entries; subkeys appear -# to maintain information about paths to installed applications in the -# SlowInfoCache value(0x10 - FILETIME object, null term. string with path -# starts at 0x1c) -# -# Change history -# 20090413 - Created -# -# References -# No references, but the subkeys appear to hold information about -# installed applications; some SlowInfoCache values appear to contain -# timestamp data (FILETIME object) and/or path information. Posts on -# the Internet indicate the existence of Kazaa beneath the APRCache key, -# as well as possibly an "Outerinfo" subkey indicating that spyware is -# installed. -# -# copyright 2009 H. Carvey -#----------------------------------------------------------- -package arpcache; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20090413); - -sub getConfig{return %config} -sub getShortDescr { - return "Retrieves CurrentVersion\\App Management\\ARPCache entries"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -my %arpcache; - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching arpcache v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\App Management\\ARPCache'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); - ::rptMsg(""); - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $lw = $s->get_timestamp(); - my $name = $s->get_name(); - - my $path; - eval { - my $i = $s->get_value("SlowInfoCache")->get_data(); - $path = parsePath($i); - }; - ($@) ? ($name .= "|") : ($name .= "|".$path); - - my $date; - eval { - my $i = $s->get_value("SlowInfoCache")->get_data(); - $date = parseDate($i); - }; - ($@) ? ($name .= "|") : ($name .= "|".$date); - push(@{$arpcache{$lw}},$name); - } - - - foreach my $t (reverse sort {$a <=> $b} keys %arpcache) { - ::rptMsg(gmtime($t)." (UTC)"); - foreach my $item (@{$arpcache{$t}}) { - my ($name,$path,$date) = split(/\|/,$item,3); - ::rptMsg(" ".$name); - my $str = $path unless ($path eq ""); - $str .= " [".gmtime($date)."]" unless ($date == 0); - ::rptMsg(" -> ".$str) unless ($str eq ""); - } - } - } - else { - ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - -1; - -sub parseDate { - my $data = shift; - my ($t1,$t2) = unpack("VV",substr($data,0x10,8)); - return ::getTime($t1,$t2); -} - -sub parsePath { - my $data = shift; - my $ofs = 0x1c; - my $tag = 1; - - my $str = substr($data,$ofs,2); - if (unpack("v",$str) == 0) { - return ""; - } - else { - while($tag) { - $ofs += 2; - my $i = substr($data,$ofs,2); - if (unpack("v",$i) == 0) { - $tag = 0; - } - else { - $str .= $i; - } - } - } - $str =~ s/\00//g; - return $str; -} \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/assoc.pl b/RecentActivity/release/rr/plugins/assoc.pl deleted file mode 100644 index a2587da110..0000000000 --- a/RecentActivity/release/rr/plugins/assoc.pl +++ /dev/null 
@@ -1,87 +0,0 @@ -#----------------------------------------------------------- -# assoc.pl -# Plugin to extract file association data from the Software hive file -# Can take considerable time to run; recommend running it via rip.exe -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package assoc; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20080815); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get list of file ext associations"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching assoc v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Classes"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("assoc"); - ::rptMsg($key_path); -# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); - ::rptMsg(""); -# First step will be to get a list of all of the file extensions - my %ext; - my @sk = $key->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $s (@sk) { - my $name = $s->get_name(); - next unless ($name =~ m/^\.\w+$/); - my $data; - eval { - $data = $s->get_value("")->get_data(); - }; - if ($@) { -# Error generated, as "(Default)" value was not found - } - else { - $ext{$name} = $data if ($data ne ""); - } - } -# Once a list of all file ext subkeys has been compiled, access the file type -# to determine the command line used to launch files with that extension - foreach my $e (keys %ext) { - my $cmd; - eval { - $cmd = $key->get_subkey($ext{$e}."\\shell\\open\\command")->get_value("")->get_data(); - }; - if ($@) { -# error generated attempting to locate .\shell\open\command\(Default) value - } - else { - ::rptMsg($e." : ".$cmd); - } - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/auditfail.pl b/RecentActivity/release/rr/plugins/auditfail.pl deleted file mode 100644 index 019ec15eda..0000000000 --- a/RecentActivity/release/rr/plugins/auditfail.pl +++ /dev/null 
@@ -1,66 +0,0 @@ -#----------------------------------------------------------- -# auditfail.pl -# -# Ref: -# http://support.microsoft.com/kb/140058 -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package auditfail; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20081212); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get CrashOnAuditFail value"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); -my %val = (0 => "Feature is off; the system will not halt", - 1 => "Feature is on; the system will halt when events cannot be written to the ". - "Security Event Log", - 2 => "Feature is on and has been triggered; only Administrators can log in"); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching auditfail v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - - my $lsa_path = "ControlSet00".$current."\\Control\\Lsa"; - my $lsa; - if ($lsa = $root_key->get_subkey($lsa_path)) { - - eval { - my $crash = $lsa->get_value("crashonauditfail")->get_data(); - ::rptMsg("CrashOnAuditFail = ".$crash); - ::rptMsg($val{$crash}); - }; - ::rptMsg($@) if ($@); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; diff --git a/RecentActivity/release/rr/plugins/auditpol.pl b/RecentActivity/release/rr/plugins/auditpol.pl deleted file mode 100644 index 11ea9a1096..0000000000 --- a/RecentActivity/release/rr/plugins/auditpol.pl +++ /dev/null 
@@ -1,88 +0,0 @@ -#----------------------------------------------------------- -# auditpol -# Get the audit policy from the Security hive file -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package auditpol; -use strict; - -my %config = (hive => "Security", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 1, - osmask => 22, - version => 20080327); - -sub getConfig{return %config} -sub getShortDescr { - return "Get audit policy from the Security hive file"; -} -sub getDescr{} -sub getRefs { - my %refs = ("How To Determine Audit Policies from the Registry" => - "http://support.microsoft.com/default.aspx?scid=kb;EN-US;q246120"); - return %refs; -} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -my %audit = (0 => "N", - 1 => "S", - 2 => "F", - 3 => "S/F"); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching auditpol v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Policy\\PolAdtEv"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("auditpol"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); - ::rptMsg(""); - - my $data; - eval { - $data = $key->get_value("")->get_data(); - }; - if ($@) { - ::rptMsg("Error occurred getting data from ".$key_path); - ::rptMsg(" - ".$@); - } - else { -# Check to see if auditing is enabled - my $enabled = unpack("C",substr($data,0,1)); - if ($enabled) { - ::rptMsg("Auditing is enabled."); -# Get audit configuration settings - my @vals = unpack("V*",$data); - ::rptMsg("\tAudit System Events = ".$audit{$vals[1]}); - ::rptMsg("\tAudit Logon Events = ".$audit{$vals[2]}); - ::rptMsg("\tAudit Object Access = ".$audit{$vals[3]}); - ::rptMsg("\tAudit Privilege Use = ".$audit{$vals[4]}); - ::rptMsg("\tAudit Process Tracking = ".$audit{$vals[5]}); - ::rptMsg("\tAudit Policy Change = ".$audit{$vals[6]}); - ::rptMsg("\tAudit Account Management = ".$audit{$vals[7]}); - ::rptMsg("\tAudit Dir Service Access = ".$audit{$vals[8]}); - ::rptMsg("\tAudit Account Logon Events = ".$audit{$vals[9]}); - } - else { - ::rptMsg("**Auditing is NOT enabled."); - } - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/autoendtasks.pl b/RecentActivity/release/rr/plugins/autoendtasks.pl deleted file mode 100644 index 29b89d20ae..0000000000 --- a/RecentActivity/release/rr/plugins/autoendtasks.pl +++ /dev/null 
@@ -1,66 +0,0 @@ -#----------------------------------------------------------- -# autoendtasks.pl -# -# History -# 20081128 - created -# -# Ref: -# http://support.microsoft.com/kb/555619 -# This Registry setting tells XP (and Vista) to automatically -# end non-responsive tasks; value may not exist on Vista. -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package autoendtasks; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20081128); - -sub getConfig{return %config} - -sub getShortDescr { - return "Automatically end a non-responsive task"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching autoendtasks v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = 'Control Panel\\Desktop'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { -# ::rptMsg("autoendtasks"); - ::rptMsg($key_path); -# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my $autoend; - eval { - $autoend = $key->get_value("AutoEndTasks")->get_data(); - }; - if ($@) { - ::rptMsg("AutoEndTasks value not found."); - } - else { - ::rptMsg("AutoEndTasks = ".$autoend); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/autopsysystem b/RecentActivity/release/rr/plugins/autopsysystem new file mode 100644 index 0000000000..eebd89d7e9 --- /dev/null +++ b/RecentActivity/release/rr/plugins/autopsysystem 
@@ -0,0 +1,6 @@ +# List of plugins for the Registry Ripper + +#------------------------------------- +# system +autopsyusb +#autopsyusbdevices \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/usb.pl b/RecentActivity/release/rr/plugins/autopsyusb.pl similarity index 86% rename from RecentActivity/release/rr/plugins/usb.pl rename to RecentActivity/release/rr/plugins/autopsyusb.pl index 2a4c438c7c..9f5b97fdbd 100644 --- a/RecentActivity/release/rr/plugins/usb.pl +++ b/RecentActivity/release/rr/plugins/autopsyusb.pl @@ -6,7 +6,7 @@ # # copyright 2008 H. Carvey, keydet89@yahoo.com #----------------------------------------------------------- -package usb; +package autopsyusb; use strict; my %config = (hive => "System", @@ -45,7 +45,7 @@ sub pluginmain { $ccs = "ControlSet00".$current; } else { - ::rptMsg($key_path." not found."); + #::rptMsg($key_path." not found."); return; } @@ -58,7 +58,8 @@ sub pluginmain { my $key_path = $ccs."\\Enum\\USB"; my $key; - if ($key = $root_key->get_subkey($key_path)) { + if ($key = $root_key->get_subkey($key_path)) { + ::rptMsg(""); my @subkeys = $key->get_list_of_subkeys(); if (scalar(@subkeys) > 0) { @@ -93,19 +94,20 @@ sub pluginmain { }; - ::rptMsg($str); + ::rptMsg("" . $serial . ""); } } } } else { ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys."); + #::logMsg($key_path." has no subkeys."); } + ::rptMsg(""); } else { ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); + #::logMsg($key_path." not found."); } } 1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/usbdevices.pl b/RecentActivity/release/rr/plugins/autopsyusbdevices.pl similarity index 95% rename from RecentActivity/release/rr/plugins/usbdevices.pl rename to RecentActivity/release/rr/plugins/autopsyusbdevices.pl index 27f7ef8a29..b853d80c66 100644 --- a/RecentActivity/release/rr/plugins/usbdevices.pl +++ b/RecentActivity/release/rr/plugins/autopsyusbdevices.pl 
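Review bot: `#autopsyusbdevices` is added to the plugin list commented out with no reason recorded, so a later maintainer cannot tell whether it is disabled because it is broken, redundant with `autopsyusb`, or simply not wired up yet. Record the reason on the line itself, e.g. `#autopsyusbdevices   # disabled: <reason>; see autopsyusbdevices.pl`, since this list is the only place the decision is visible.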
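Review bot: Commenting out `::rptMsg($key_path." not found.");` ahead of the `return;` means a hive that lacks this key (presumably the `Select`/`Current` lookup, given the `$ccs = "ControlSet00".$current;` context line) now produces no output at all, which a consumer cannot distinguish from a plugin that ran and found nothing. If the plain-text message was removed to keep the report machine-parseable, keep a diagnostic on the log channel instead, e.g. `::logMsg($key_path." not found.");`, so the silent early return is still traceable. The enclosing `pluginmain` starts and ends outside this hunk.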
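Review bot: `::rptMsg("" . $serial . "");` writes `$serial` into the report unescaped, and the bracketing `::rptMsg("")` calls added in this and the previous hunk suggest the output is now wrapped in structured markup for the Autopsy side to parse (the tags themselves may have been lost in this rendering, so this is inferred). Whatever `$serial` is read from above the hunk comes out of an evidence-image registry and is attacker-controlled, so a value containing `<`, `&` or a quote can break or inject into that parser; escape it before concatenating, e.g. `(my $esc = $serial) =~ s/([<>&"'])/sprintf('&#%d;', ord($1))/ge;` and then `::rptMsg("" . $esc . "");`. The `$str` the old line printed no longer appears on the new side, so if it is still assembled above the hunk (out of view) that work is now dead. The body of `pluginmain` begins outside this hunk.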
@@ -7,7 +7,7 @@ # # copyright 2010 Quantum Analytics Research, LLC #----------------------------------------------------------- -package usbdevices; +package autopsyusbdevices; use strict; my %config = (hive => "System", @@ -98,11 +98,11 @@ sub pluginmain { } } else { - ::rptMsg($key_path." has no subkeys."); + #::rptMsg($key_path." has no subkeys."); } } else { - ::rptMsg($key_path." not found."); + #::rptMsg($key_path." not found."); } } 1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/autorun.pl b/RecentActivity/release/rr/plugins/autorun.pl deleted file mode 100644 index 50604cf4dd..0000000000 --- a/RecentActivity/release/rr/plugins/autorun.pl +++ /dev/null 
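Review bot: With both `::rptMsg($key_path." has no subkeys.");` and `::rptMsg($key_path." not found.");` commented out, `autopsyusbdevices` emits nothing when the key is absent or empty, which downstream cannot tell apart from a successful run that found no devices. If the plain-text lines were removed to keep the report parseable, emit an explicit empty marker or at least keep a log-channel line in each branch, e.g. `::logMsg($key_path." not found.");`. Note that the `autopsysystem` list added earlier in this diff has this plugin commented out, so this path may not be exercised yet. `pluginmain` begins outside the hunk.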
@@ -1,74 +0,0 @@ -#----------------------------------------------------------- -# autorun.pl -# Get autorun settings -# -# Change history -# -# -# References -# http://support.microsoft.com/kb/953252 -# http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit -# /regentry/91525.mspx?mfr=true -# -# copyright 2008-2009 H. Carvey -#----------------------------------------------------------- -package autorun; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20081212); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets autorun settings"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching autorun v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { -# ::rptMsg($key_path); -# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - - eval { - my $nodrive = $key->get_value("NoDriveTypeAutoRun")->get_data(); - my $str = sprintf "%-20s 0x%x","NoDriveTypeAutoRun",$nodrive; - ::rptMsg($str); - }; - ::rptMsg("Error: ".$@) if ($@); - -# http://support.microsoft.com/kb/953252 - eval { - my $honor = $key->get_value("HonorAutorunSetting")->get_data(); - my $str = sprintf "%-20s 0x%x","HonorAutorunSetting",$honor; - ::rptMsg($str); - }; - ::rptMsg("HonorAutorunSetting not found.") if ($@); - ::rptMsg(""); - ::rptMsg("Autorun settings in the HKLM hive take precedence over those in"); - ::rptMsg("the HKCU hive."); - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - -} - -1; \ No newline at end of file 
diff --git a/RecentActivity/release/rr/plugins/bagtest.pl b/RecentActivity/release/rr/plugins/bagtest.pl deleted file mode 100644 index cdc5600d5c..0000000000 --- a/RecentActivity/release/rr/plugins/bagtest.pl +++ /dev/null 
@@ -1,170 +0,0 @@ -#----------------------------------------------------------- -# bagtest.pl -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package bagtest; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090828); - -sub getConfig{return %config} - -sub getShortDescr { - return "Test -- BagMRU"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching bagtest v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\Shell\\BagMRU"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); -# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my $subtree_iter = $key->get_subtree_iterator; - while (my ($k, $val) = $subtree_iter->get_next) { - if (defined $val) { - next unless ($val->get_name() =~ m/^\d+/); - - my $path; - my $data = $val->get_data(); - my $size = unpack("v",substr($data,0,20)); - my $type = unpack("C",substr($data,2,1)); - my $name = (split(/BagMRU/,$k->get_path()))[1]; - - if ($type == 0x47 || $type == 0x46 || $type == 0x42 || $type == 0x41 || - $type == 0xc3) { - - my $str1 = getStrings1($data); - $path = $str1; - - } - elsif ($type == 0x31 || $type == 0x32) { - my($ascii,$uni) = getStrings2($data); - $path = $uni; - } - elsif ($type == 0x2f) { -# bytes 3-5 of $data contain a drive letter - $path = substr($data,0x03,3); - } - else { -# Nothing - } -# my $str = sprintf "%-30s %-3s %-4s 0x%x",$name."\\".$val->get_name(),$size,length($data),$type; - my $str = sprintf "%-25s ".$path,$name."\\".$val->get_name(); - ::rptMsg($str); - - } - else { - - } - } - } - else { - 
::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - -#sub getStrings1 { -# my $data = shift; -# my $str; -# my $cursor = 0x05; -# my $tag = 1; -# -# while($tag) { -# my $byte = substr($data,$cursor,1); -# if (unpack("C",$byte) == 0x00) { -# $tag = 0; -# } -# else { -# $str .= $byte; -# $cursor += 1; -# } -# } -# return $str; -#} - -sub getStrings1 { - my $data = shift; - my $d = substr($data,0x05,length($data) - 1); - $d =~ s/\00/-/g; - $d =~ s/[[:cntrl:]]//g; - - my @t = split(/-/,$d); - - my @s; - for my $i (1..scalar(@t) - 1) { - push(@s,$t[$i]) if (length($t[$i]) > 2); - } - - return $t[0]." (".join(',',@s).")"; -} - -sub getStrings2 { -# ASCII short name starts at 0x0E, and is \00 terminated; 0x14 bytes -# after that is the null-term Unicode name - my $data = shift; - my ($ascii,$uni); - my $cursor = 0x0e; - my $tag = 1; - - while($tag) { - my $byte = substr($data,$cursor,1); - if (unpack("C",$byte) == 0x00) { - $tag = 0; - } - else { - $ascii .= $byte; - $cursor += 1; - } - } - - $cursor += 0x14; - - $uni = substr($data,$cursor,length($data) - 1); - $uni =~ s/\00//g; - $uni =~ s/[[:cntrl:]]//g; - return ($ascii,$uni); -} - -1; - - - - - -# Original code to traverse through values and subkeys -# Retain for legacy code purposes -#sub traverse { -# my $key = shift; -# -# foreach my $val ($key->get_list_of_values()) { -# next unless ($val->get_name() =~ m/\d+/); -# -# ::rptMsg($val->get_name()); -# -# } -# -# foreach my $subkey ($key->get_list_of_subkeys()) { -# traverse($subkey); -# } -#} \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/bagtest2.pl b/RecentActivity/release/rr/plugins/bagtest2.pl deleted file mode 100644 index 59716d2fd8..0000000000 --- a/RecentActivity/release/rr/plugins/bagtest2.pl +++ /dev/null 
@@ -1,161 +0,0 @@ -#----------------------------------------------------------- -# bagtest2.pl -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package bagtest2; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090828); - -sub getConfig{return %config} - -sub getShortDescr { - return "Test -- BagMRU"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -my %bagmru; -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching bagtest v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\Shell\\BagMRU"; - my $key; - - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); -# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - traverse($key); - - foreach my $i (sort keys %bagmru) { - my $str = sprintf "%-30s ".$bagmru{$i},$i; - ::rptMsg($str); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } -} - -sub traverse { - my $key = shift; - my $name = (split(/BagMRU/,$key->get_path()))[1]; - - my @bags; - - foreach my $val ($key->get_list_of_values()) { - next unless ($val->get_name() =~ m/\d+/); - - my $path; - my $data = $val->get_data(); - my $size = unpack("v",substr($data,0,20)); - my $type = unpack("C",substr($data,2,1)); - - - if ($type == 0x47 || $type == 0x46 || $type == 0x42 || $type == 0x41 || - $type == 0xc3) { - - my $str1 = getStrings1($data); - $path = $str1; - - } - elsif ($type == 0x31 || $type == 0x32 || $type == 0xb1) { - my($ascii,$uni) = getStrings2($data); - $path = $uni; - } - elsif ($type == 0x2f) { -# bytes 3-5 of $data contain a drive letter - $path = substr($data,0x03,3); - } - else { -# Nothing - } - $bagmru{$name."\\".$val->get_name()} = $path; - } - - foreach my $subkey ($key->get_list_of_subkeys()) { - traverse($subkey); - } -} - - -sub getStrings1 { - my $data = shift; - my $d = substr($data,0x05,length($data) - 1); - $d =~ s/\00/-/g; - $d =~ s/[[:cntrl:]]//g; - - my @t = split(/-/,$d); - - my @s; - for my $i (1..scalar(@t) - 1) { - push(@s,$t[$i]) if (length($t[$i]) > 2); - } - - return $t[0]." 
(".join(',',@s).")"; -} - -sub getStrings2 { -# ASCII short name starts at 0x0E, and is \00 terminated; 0x14 bytes -# after that is the null-term Unicode name - my $data = shift; - my ($ascii,$uni); - my $cursor = 0x0e; - my $tag = 1; - - while($tag) { - my $byte = substr($data,$cursor,1); - if (unpack("C",$byte) == 0x00) { - $tag = 0; - } - else { - $ascii .= $byte; - $cursor += 1; - } - } - - $cursor += 0x14; - - if ($ascii eq "RECENT") { - $uni = substr($data,$cursor,length($data) - 1); - $uni =~ s/\00//g; - $uni =~ s/[[:cntrl:]]//g; - } - else { - my $tag = 1; - my $count = 0; - while($tag) { - my $byte = substr($data,$cursor,2); - if ($count > 2 && unpack("v",$byte) == 0x00) { - $tag = 0; - } - else { - $uni .= $byte; - $count++; - $cursor += 2; - } - } - $uni =~ s/\00//g; - $uni =~ s/[[:cntrl:]]//g; - } - return ($ascii,$uni); -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/banner.pl b/RecentActivity/release/rr/plugins/banner.pl deleted file mode 100644 index 44ae62a274..0000000000 --- a/RecentActivity/release/rr/plugins/banner.pl +++ /dev/null 
@@ -1,127 +0,0 @@ -#----------------------------------------------------------- -# banner -# Get banner information from the SOFTWARE hive file (if any) -# -# Written By: -# Special Agent Brook William Minnick -# Brook_Minnick@doioig.gov -# U.S. Department of the Interior - Office of Inspector General -# Computer Crimes Unit -# 12030 Sunrise Valley Drive Suite 250 -# Reston, VA 20191 -#----------------------------------------------------------- -package banner; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20081119); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get HKLM\\SOFTWARE.. Logon Banner Values"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching banner v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\Windows\\CurrentVersion\\policies\\system"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("Logon Banner Information"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - -# GET LEGALNOTICECAPTION -- - - my $caption; - eval { - $caption = $key->get_value("Legalnoticecaption")->get_data(); - }; - if ($@) { - ::rptMsg("Legalnoticecaption value not found."); - } - else { - ::rptMsg("Legalnoticecaption value = ".$caption); - } - ::rptMsg(""); - -# GET LEGALNOTICETEXT -- - - my $banner; - eval { - $banner = $key->get_value("Legalnoticetext")->get_data(); - }; - if ($@) { - ::rptMsg("Legalnoticetext value not found."); - } - else { - ::rptMsg("Legalnoticetext value = ".$banner); - } - ::rptMsg(""); - - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } - -my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - -# GET LEGALNOTICECAPTION -- - - my $caption2; - eval { - $caption2 = $key->get_value("Legalnoticecaption")->get_data(); - }; - if ($@) { - ::rptMsg("Legalnoticecaption value not found."); - } - else { - ::rptMsg("Legalnoticecaption value = ".$caption2); - } - ::rptMsg(""); - -# GET LEGALNOTICETEXT -- - - my $banner2; - eval { - $banner2 = $key->get_value("Legalnoticetext")->get_data(); - }; - if ($@) { - ::rptMsg("Legalnoticetext value not found."); - } - else { - ::rptMsg("Legalnoticetext value = ".$banner2); - } - ::rptMsg(""); - - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/bho.pl b/RecentActivity/release/rr/plugins/bho.pl deleted file mode 100644 index be3b8f6c85..0000000000 --- a/RecentActivity/release/rr/plugins/bho.pl +++ /dev/null 
@@ -1,107 +0,0 @@ -#----------------------------------------------------------- -# bho -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package bho; -use strict; - -my %config = (hive => "Software", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 1, - osmask => 22, - version => 20080418); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets Browser Helper Objects from Software hive"; -} -sub getDescr{} -sub getRefs { - my %refs = ("Browser Helper Objects" => - "http://msdn2.microsoft.com/en-us/library/bb250436.aspx"); - return %refs; -} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - my %bhos; - ::logMsg("Launching bho v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects";; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("Browser Helper Objects"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); - ::rptMsg(""); - my @subkeys = $key->get_list_of_subkeys(); - if (scalar (@subkeys) > 0) { - foreach my $s (@subkeys) { - my $name = $s->get_name(); - next if ($name =~ m/^-/); - my $clsid_path = "Classes\\CLSID\\".$name; - my $clsid; - if ($clsid = $root_key->get_subkey($clsid_path)) { - my $class; - my $mod; - my $lastwrite; - - eval { - $class = $clsid->get_value("")->get_data(); - $bhos{$name}{class} = $class; - }; - if ($@) { - ::logMsg("\tError getting Class name for CLSID\\".$name); - ::logMsg("\t".$@); - } - eval { - $mod = $clsid->get_subkey("InProcServer32")->get_value("")->get_data(); - $bhos{$name}{module} = $mod; - }; - if ($@) { - ::logMsg("\tError getting Module name for CLSID\\".$name); - ::logMsg("\t".$@); - } - eval{ - $lastwrite = $clsid->get_subkey("InProcServer32")->get_timestamp(); - $bhos{$name}{lastwrite} = $lastwrite; - }; - if ($@) { - ::logMsg("\tError getting LastWrite time for CLSID\\".$name); - ::logMsg("\t".$@); - } - - foreach my $b (keys %bhos) { - ::rptMsg($b); - ::rptMsg("\tClass => ".$bhos{$b}{class}); - ::rptMsg("\tModule => ".$bhos{$b}{module}); - ::rptMsg("\tLastWrite => ".gmtime($bhos{$b}{lastwrite})); - ::rptMsg(""); - } - } - else { - ::rptMsg($clsid_path." not found."); - ::rptMsg(""); - ::logMsg($clsid_path." not found."); - } - } - } - else { - ::rptMsg($key_path." has no subkeys. No BHOs installed."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/bitbucket.pl b/RecentActivity/release/rr/plugins/bitbucket.pl deleted file mode 100644 index 16e61480e9..0000000000 --- a/RecentActivity/release/rr/plugins/bitbucket.pl +++ /dev/null 
@@ -1,81 +0,0 @@ -#----------------------------------------------------------- -# bitbucket -# Get HKLM\..\BitBucket keys\values (if any) -# -# Change history -# 20091020 - Updated; collected additional values -# -# References -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package bitbucket; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20080418); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get HKLM\\..\\BitBucket keys\\values"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching bitbucket v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\Windows\\CurrentVersion\\Explorer\\BitBucket"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - eval { - my $global = $key->get_value("UseGlobalSettings")->get_data(); - ::rptMsg("UseGlobalSettings = ".$global); - }; - - eval { - my $nuke = $key->get_value("NukeOnDelete")->get_data(); - ::rptMsg("NukeOnDelete = ".$nuke); - }; - ::rptMsg(""); - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - ::rptMsg($key_path."\\".$s->get_name()); - ::rptMsg("LastWrite Time = ".gmtime($s->get_timestamp())." (UTC)"); - eval { - my $vol = $s->get_value("VolumeSerialNumber")->get_data(); - ::rptMsg("VolumeSerialNumber = 0x".uc(sprintf "%1x",$vol)); - }; - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/bitbucket_user.pl b/RecentActivity/release/rr/plugins/bitbucket_user.pl deleted file mode 100644 index e3374fd193..0000000000 --- a/RecentActivity/release/rr/plugins/bitbucket_user.pl +++ /dev/null 
@@ -1,71 +0,0 @@ -#----------------------------------------------------------- -# bitbucket_user -# Get HKLM\..\BitBucket keys\values (if any) -# -# Change history -# -# References -# -# NOTE: In limited testing, the volume letter subkeys beneath the -# BitBucket key appear to be volatile. -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package bitbucket_user; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20091020); - -sub getConfig{return %config} - -sub getShortDescr { - return "TEST - Get user BitBucket values"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching bitbucket_user v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\BitBucket"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - ::rptMsg($key_path."\\".$s->get_name()); - ::rptMsg("LastWrite Time = ".gmtime($s->get_timestamp())." (UTC)"); - eval { - my $purge = $s->get_value("NeedToPurge")->get_data(); - ::rptMsg(" NeedToPurge = ".$purge); - }; - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/brisv.pl b/RecentActivity/release/rr/plugins/brisv.pl deleted file mode 100644 index c79aa3e651..0000000000 --- a/RecentActivity/release/rr/plugins/brisv.pl +++ /dev/null 
@@ -1,63 +0,0 @@ -#----------------------------------------------------------- -# brisv.pl -# Plugin to detect the presence of Trojan.Brisv.A -# Symantec write-up: http://www.symantec.com/security_response/writeup.jsp -# ?docid=2008-071823-1655-99 -# -# Change History: -# 20090210: Created -# -# Info on URLAndExitCommandsEnabled value: -# http://support.microsoft.com/kb/828026 -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package brisv; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090210); - -sub getConfig{return %config} - -sub getShortDescr { - return "Detect artifacts of a Troj\.Brisv\.A infection"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching brisv v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\PIMSRV"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my $mp_path = "Software\\Microsoft\\MediaPlayer\\Preferences"; - my $url; - eval { - $url = $key->get_subkey($mp_path)->get_value("URLAndExitCommandsEnabled")->get_data(); - ::rptMsg($mp_path."\\URLAndExitCommandsEnabled value set to ".$url); - }; -# if an error occurs within the eval{} statement, do nothing - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/clampi.pl b/RecentActivity/release/rr/plugins/clampi.pl deleted file mode 100644 index abf0ae537a..0000000000 --- a/RecentActivity/release/rr/plugins/clampi.pl +++ /dev/null 
@@ -1,120 +0,0 @@ -#----------------------------------------------------------- -# clampi.pl -# Checks keys/values set by new version of Trojan.Clampi -# -# Change history -# 20091019 - created -# -# NOTE: This is purely a test plugin, and based solely on the below -# reference. It has not been tested on any systems that were -# known to be infected. -# -# References -# http://www.symantec.com/connect/blogs/inside-trojanclampi-stealing-your-information -# -# copyright 2009 H. Carvey -#----------------------------------------------------------- -package clampi; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20091019); - -sub getConfig{return %config} -sub getShortDescr { - return "TEST - Checks for keys set by Trojan\.Clampi PROT module"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching clampi v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $count = 0; - - my $key_path = 'Software\\Microsoft\\Internet Explorer\\Main'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my ($form1, $form2, $form3); - - eval { - $form1 = $key->get_value("Use FormSuggest")->get_data(); - ::rptMsg("\tUse FormSuggest = ".$form1); - $count++ if ($form1 eq "true"); - }; - - eval { - $form2 = $key->get_value("FormSuggest_Passwords")->get_data(); - ::rptMsg("\tFormSuggest_Passwords = ".$form2); - $count++ if ($form2 eq "true"); - }; - - eval { - $form3 = $key->get_value("FormSuggest_PW_Ask")->get_data(); - ::rptMsg("\tUse FormSuggest = ".$form3); - $count++ if ($form3 eq "no"); - }; - } - else { - ::rptMsg($key_path." 
not found."); - } - ::rptMsg(""); - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my $auto; - eval { - $auto = $key->get_value("AutoSuggest")->get_data(); - ::rptMsg("\tAutoSuggest = ".$auto); - $count++ if ($auto eq "true"); - }; - } - else { - ::rptMsg($key_path." not found."); - } - ::rptMsg(""); - my $key_path = "Software\\Microsoft\\Internet Account Manager\\Accounts"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my $prompt; - eval { - $prompt = $key->get_value("POP3 Prompt for Password")->get_data(); - ::rptMsg("\tPOP3 Prompt for Password = ".$prompt); - $count++ if ($prompt eq "true"); - }; - } - else { - ::rptMsg($key_path." not found."); - } - ::rptMsg(""); - if ($count == 5) { - ::rptMsg("The system may have been infected with the Trojan.Clampi PROT module."); - } - else { - ::rptMsg("The system does not appear to have been infected with the Trojan.Clampi"); - ::rptMsg("PROT module."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/clampitm.pl b/RecentActivity/release/rr/plugins/clampitm.pl deleted file mode 100644 index 60f21738c6..0000000000 --- a/RecentActivity/release/rr/plugins/clampitm.pl +++ /dev/null 
@@ -1,78 +0,0 @@ -#----------------------------------------------------------- -# clampitm.pl -# Checks keys/values set by new version of Trojan.Clampi -# -# Change history -# 20100624 - created -# -# NOTE: This is purely a test plugin, and based solely on the below -# reference. It has not been tested on any systems that were -# known to be infected. -# -# References -# http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/ilomo_external.pdf -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package clampitm; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100624); - -sub getConfig{return %config} -sub getShortDescr { - return "Checks for IOCs for Clampi (per Trend Micro)"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching clampitm v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $count = 0; - - my $key_path = 'Software\\Microsoft\\Internet Explorer\\Settings'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("ClampiTM plugin"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my $tag = 1; - my @list = qw/GatesList GID KeyE KeyM PID/; - my @vals = $key->get_list_of_values(); - if (scalar (@vals) > 0) { - foreach my $v (@vals) { - my $name = $v->get_name(); - if (grep(/$name/,@list)) { - ::rptMsg(sprintf "%-10s %-30s",$name,$v->get_data()); - $tag = 0; - } - } - if ($tag) { - ::rptMsg("No Clampi values found."); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file 
diff --git a/RecentActivity/release/rr/plugins/clsid.pl b/RecentActivity/release/rr/plugins/clsid.pl deleted file mode 100644 index 1823600295..0000000000 --- a/RecentActivity/release/rr/plugins/clsid.pl +++ /dev/null 
@@ -1,80 +0,0 @@ -#----------------------------------------------------------- -# clsid.pl -# Plugin to extract file association data from the Software hive file -# Can take considerable time to run; recommend running it via rip.exe -# -# History -# 20100227 - created -# -# References -# http://msdn.microsoft.com/en-us/library/ms724475%28VS.85%29.aspx -# -# copyright 2010, Quantum Analytics Research, LLC -#----------------------------------------------------------- -package clsid; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20100227); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get list of CLSID/registered classes"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - my %clsid; - ::logMsg("Launching clsid v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Classes\\CLSID"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); -# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); -# First step will be to get a list of all of the file extensions - my %ext; - my @sk = $key->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $s (@sk) { - - my $name = $s->get_name(); - eval { - my $n = $s->get_value("")->get_data(); - $name .= " ".$n unless ($n eq ""); - }; - - push(@{$clsid{$s->get_timestamp()}},$name); - } - - foreach my $t (reverse sort {$a <=> $b} keys %clsid) { - ::rptMsg(gmtime($t)." Z"); - foreach my $item (@{$clsid{$t}}) { - ::rptMsg(" ".$item); - } - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file 
diff --git a/RecentActivity/release/rr/plugins/cmd_shell.pl b/RecentActivity/release/rr/plugins/cmd_shell.pl deleted file mode 100644 index 84e40a7735..0000000000 --- a/RecentActivity/release/rr/plugins/cmd_shell.pl +++ /dev/null 
@@ -1,75 +0,0 @@ -#----------------------------------------------------------- -# cmd_shell -# -# -# Change History -# 20100830 - added "cs" shell command to the path -# 20080328 - created -# -# References -# http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx? -# Name=TrojanClicker%3AWin32%2FVB.GE -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package cmd_shell; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 1, - version => 20100830); - -sub getConfig{return %config} - -sub getShortDescr { - return "Gets shell open cmds for various file types"; -} -sub getDescr{} -sub getRefs { - my %refs = ("You Are Unable to Start a Program with an .exe File Extension" => - "http://support.microsoft.com/kb/310585"); - return %refs; -} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching cmd_shell v.".$VERSION); - - my @shells = ("exe","cmd","bat","cs","hta","pif"); - - foreach my $sh (@shells) { - - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Classes\\".$sh."file\\shell\\open\\command"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("cmd_shell"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my $val; - eval { - $val = $key->get_value("")->get_data(); - ::rptMsg("\tCmd: ".$val); - }; - ::rptMsg("Error: ".$@) if ($@); - - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - } - ::rptMsg(""); -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/codeid.pl b/RecentActivity/release/rr/plugins/codeid.pl deleted file mode 100644 index f3eec03151..0000000000 
--- a/RecentActivity/release/rr/plugins/codeid.pl +++ /dev/null @@ -1,75 +0,0 @@ -#----------------------------------------------------------- -# codeid -# Get DefaultLevel value from CodeIdentifiers key -# -# -# Change History -# 20100608 - created -# -# References -# SANS ISC blog - http://isc.sans.edu/diary.html?storyid=8917 -# CodeIdentifiers key -# - http://technet.microsoft.com/en-us/library/bb457006.aspx -# SAFER_LEVELID_FULLYTRUSTED value -# - http://msdn.microsoft.com/en-us/library/ms722424%28VS.85%29.aspx -# (262144 == Unrestricted) -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package codeid; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20100608); - -sub getConfig{return %config} - -sub getShortDescr { - return "Gets CodeIdentifier DefaultLevel value"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching codeid v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("CodeID"); - ::rptMsg($key_path); - my $lastwrite = $key->get_timestamp(); - ::rptMsg(" LastWrite time: ".gmtime($lastwrite)." Z"); - ::rptMsg(""); - - my $level; - eval { - $level = $key->get_value("DefaultLevel")->get_data(); - ::rptMsg(sprintf "DefaultLevel = 0x%08x",$level); - }; - - my $exe; - eval { - $exe = $key->get_value("ExecutableTypes")->get_data(); - $exe =~ s/\s/,/g; - ::rptMsg("ExecutableTypes = ".$exe); - - }; - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file 
diff --git a/RecentActivity/release/rr/plugins/comdlg32.pl b/RecentActivity/release/rr/plugins/comdlg32.pl deleted file mode 100644 index 61cda3c1e6..0000000000 --- a/RecentActivity/release/rr/plugins/comdlg32.pl +++ /dev/null 
@@ -1,145 +0,0 @@ -#----------------------------------------------------------- -# comdlg32.pl -# Plugin for Registry Ripper -# -# Change history -# 20100402 - updated IAW Chad Tilbury's post to SANS -# Forensic Blog -# 20080324 - created -# -# References -# Win2000 - http://support.microsoft.com/kb/319958 -# XP - http://support.microsoft.com/kb/322948/EN-US/ -# -# copyright 20100402 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package comdlg32; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100402); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of user's ComDlg32 key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching comdlg32 v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - ::rptMsg("comdlg32 v.".$VERSION); - -# LastVistedMRU - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\LastVisitedMRU"; - my $key; - my @vals; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("ComDlg32\\LastVisitedMRU"); - ::rptMsg("**All values printed in MRUList order."); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); - - my %lvmru; - my @mrulist; - @vals = $key->get_list_of_values(); - - if (scalar(@vals) > 0) { -# First, read in all of the values and the data - foreach my $v (@vals) { - $lvmru{$v->get_name()} = $v->get_data(); - } -# Then, remove the MRUList value - if (exists $lvmru{MRUList}) { - ::rptMsg(" MRUList = ".$lvmru{MRUList}); - @mrulist = split(//,$lvmru{MRUList}); - delete($lvmru{MRUList}); - foreach my $m (@mrulist) { - my ($file,$dir) = split(/\00\00/,$lvmru{$m},2); - $file =~ s/\00//g; - $dir =~ s/\00//g; - ::rptMsg(" ".$m." -> EXE: ".$file); - ::rptMsg(" -> Last Dir: ".$dir); - } - } - else { - ::rptMsg($key_path." does not have an MRUList value."); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - } - ::rptMsg(""); - -# OpenSaveMRU - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\OpenSaveMRU"; - my $key; - my @vals; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("ComDlg32\\OpenSaveMRU"); - ::rptMsg("**All values printed in MRUList order."); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); -# First, process OpenSaveMRU key values - parseOpenSaveValues($key); - ::rptMsg(""); -# Now, let's get the subkeys - my @sk = $key->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $s (@sk) { - parseOpenSaveValues($s); - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} - -sub parseOpenSaveValues { - my $key = shift; - ::rptMsg("OpenSaveMRU\\".$key->get_name()); - ::rptMsg("LastWrite Time: ".gmtime($key->get_timestamp())." 
Z"); - my %osmru; - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - map{$osmru{$_->get_name()} = $_->get_data()}(@vals); - if (exists $osmru{MRUList}) { - ::rptMsg(" MRUList = ".$osmru{MRUList}); - my @mrulist = split(//,$osmru{MRUList}); - delete($osmru{MRUList}); - foreach my $m (@mrulist) { - ::rptMsg(" ".$m." -> ".$osmru{$m}); - } - } - else { - ::rptMsg($key->get_name()." does not have an MRUList value."); - } - } - else { - ::rptMsg($key->get_name()." has no values."); - } -} - - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/comdlg32a.pl b/RecentActivity/release/rr/plugins/comdlg32a.pl deleted file mode 100644 index 0187b945d5..0000000000 --- a/RecentActivity/release/rr/plugins/comdlg32a.pl +++ /dev/null 
@@ -1,225 +0,0 @@ -#----------------------------------------------------------- -# comdlg32a.pl -# Plugin for Registry Ripper -# -# Change history -# 20100409 - updated to include Vista and above -# 20100402 - updated IAW Chad Tilbury's post to SANS -# Forensic Blog -# 20080324 - created -# -# References -# Win2000 - http://support.microsoft.com/kb/319958 -# XP - http://support.microsoft.com/kb/322948/EN-US/ -# -# copyright 20100402 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package comdlg32a; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100409); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of user's ComDlg32 key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching comdlg32a v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - ::rptMsg("comdlg32 v.".$VERSION); - -# LastVistedMRU - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32"; - my $key; - my @vals; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - - my @subkeys = $key->get_list_of_subkeys(); - - if (scalar @subkeys > 0) { - foreach my $s (@subkeys) { - parseLastVisitedMRU($s) if ($s->get_name() eq "LastVisitedMRU"); - parseOpenSaveMRU($s) if ($s->get_name() eq "OpenSaveMRU"); - } - } - else { - ::rptMsg($key_path." 
has no subkeys."); - } - } -} - -sub parseLastVisitedMRU { - my $key = shift; - my %lvmru; - my @mrulist; - my @vals = $key->get_list_of_values(); - - if (scalar(@vals) > 0) { -# First, read in all of the values and the data - foreach my $v (@vals) { - $lvmru{$v->get_name()} = $v->get_data(); - } -# Then, remove the MRUList value - if (exists $lvmru{MRUList}) { - ::rptMsg(" MRUList = ".$lvmru{MRUList}); - @mrulist = split(//,$lvmru{MRUList}); - delete($lvmru{MRUList}); - foreach my $m (@mrulist) { - my ($file,$dir) = split(/\00\00/,$lvmru{$m},2); - $file =~ s/\00//g; - $dir =~ s/\00//g; - ::rptMsg(" ".$m." -> EXE: ".$file); - ::rptMsg(" -> Last Dir: ".$dir); - } - } - else { - ::rptMsg("LastVisitedMRU key does not have an MRUList value."); - } - } - else { - ::rptMsg("LastVisitedMRU key has no values."); - } - ::rptMsg(""); -} - -sub parseOpenSaveMRU { - my $key = shift; - - parseOpenSaveValues($key); - ::rptMsg(""); -# Now, let's get the subkeys - my @sk = $key->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $s (@sk) { - parseOpenSaveValues($s); - ::rptMsg(""); - } - } - else { - ::rptMsg("OpenSaveMRU key has no subkeys."); - } - ::rptMsg(""); -} - -sub parseOpenSaveValues { - my $key = shift; - ::rptMsg("OpenSaveMRU\\".$key->get_name()); - ::rptMsg("LastWrite Time: ".gmtime($key->get_timestamp())." Z"); - my %osmru; - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - map{$osmru{$_->get_name()} = $_->get_data()}(@vals); - if (exists $osmru{MRUList}) { - ::rptMsg(" MRUList = ".$osmru{MRUList}); - my @mrulist = split(//,$osmru{MRUList}); - delete($osmru{MRUList}); - foreach my $m (@mrulist) { - ::rptMsg(" ".$m." -> ".$osmru{$m}); - } - } - else { - ::rptMsg($key->get_name()." does not have an MRUList value."); - } - } - else { - ::rptMsg($key->get_name()." 
has no values."); - } -} - -sub parseCIDSizeMRU { - my $key = shift; - my %lvmru; - my @mrulist; - my @vals = $key->get_list_of_values(); - - if (scalar(@vals) > 0) { -# First, read in all of the values and the data - foreach my $v (@vals) { - $lvmru{$v->get_name()} = $v->get_data(); - } -# Then, remove the MRUList value - if (exists $lvmru{MRUListEx}) { - delete($lvmru{MRUListEx}); - foreach my $m (keys %lvmru) { - my $file = parseStr($lvmru{$m}); - my $str = sprintf "%-4s ".$file,$m; - ::rptMsg(" ".$str); - } - } - else { - ::rptMsg($key_path." does not have an MRUList value."); - } - } - else { - ::rptMsg($key_path." has no values."); - } -} - - -sub parseLastVisitedPidlMRU { - my $key = shift; - my %lvmru; - my @mrulist; - @vals = $key->get_list_of_values(); - - if (scalar(@vals) > 0) { -# First, read in all of the values and the data - foreach my $v (@vals) { - $lvmru{$v->get_name()} = $v->get_data(); - } -# Then, remove the MRUList value - if (exists $lvmru{MRUListEx}) { - delete($lvmru{MRUListEx}); - foreach my $m (keys %lvmru) { - my $file = parseStr($lvmru{$m}); - my $str = sprintf "%-4s ".$file,$m; - ::rptMsg(" ".$str); - } - } - else { - ::rptMsg("LastVisitedPidlMRU key does not have an MRUList value."); - } - } - else { - ::rptMsg("LastVisitedPidlMRU key has no values."); - } -} - -sub parseStr { - my $data = $_[0]; - my $temp; - my $tag = 1; - my $ofs = 0; - - while ($tag) { - my $t = substr($data,$ofs,2); - if (unpack("v",$t) == 0x00) { - $tag = 0; - } - else { - $temp .= $t; - $ofs += 2; - } - } - $temp =~ s/\00//g; - return $temp; -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/compdesc.pl b/RecentActivity/release/rr/plugins/compdesc.pl deleted file mode 100644 index fc1f292089..0000000000 --- a/RecentActivity/release/rr/plugins/compdesc.pl +++ /dev/null 
@@ -1,65 +0,0 @@ -#----------------------------------------------------------- -# compdesc.pl -# Plugin for Registry Ripper, -# ComputerDescriptions key parser -# -# Change history -# -# -# References -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package compdesc; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of user's ComputerDescriptions key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching compdesc v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComputerDescriptions'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("ComputerDescriptions"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - ::rptMsg(" ".$v->get_name()." ".$v->get_data()); - } - } - else { - ::rptMsg($key_path." has no values."); - ::logMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/compname.pl b/RecentActivity/release/rr/plugins/compname.pl deleted file mode 100644 index b07c44183c..0000000000 --- a/RecentActivity/release/rr/plugins/compname.pl +++ /dev/null 
@@ -1,75 +0,0 @@ -#----------------------------------------------------------- -# compname.pl -# Plugin for Registry Ripper; Access System hive file to get the -# computername -# -# Change history -# 20090727 - added Hostname -# -# References -# http://support.microsoft.com/kb/314053/ -# -# copyright 2009 H. Carvey -#----------------------------------------------------------- -package compname; -use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20090727); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets ComputerName and Hostname values from System hive"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching compname v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my ($current,$ccs); - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - my $cn_path = $ccs."\\Control\\ComputerName\\ComputerName"; - my $cn; - if ($cn = $root_key->get_subkey($cn_path)) { - my $name = $cn->get_value("ComputerName")->get_data(); - ::rptMsg("ComputerName = ".$name); - } - else { - ::rptMsg($cn_path." not found."); - ::logMsg($cn_path." not found."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - - my $hostname; - eval { - my $host_path = $ccs."\\Services\\Tcpip\\Parameters"; - $hostname = $root_key->get_subkey($host_path)->get_value("Hostname")->get_data(); - ::rptMsg("TCP/IP Hostname = ".$hostname); - }; - -} - -1; \ No newline at end of file 
diff --git a/RecentActivity/release/rr/plugins/controlpanel.pl b/RecentActivity/release/rr/plugins/controlpanel.pl deleted file mode 100644 index 67e06a906a..0000000000 --- a/RecentActivity/release/rr/plugins/controlpanel.pl +++ /dev/null 
@@ -1,64 +0,0 @@ -#----------------------------------------------------------- -# controlpanel.pl -# Vista ControlPanel key seems to contain some interesting info about the -# user's activities... -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package controlpanel; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 64, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20080428); - -sub getConfig{return %config} - -sub getShortDescr { - return "Look for RecentTask* values in ControlPanel key (Vista)"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching controlpanel v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - ::rptMsg("Analysis Tip: The RecentTask* entries appear to only be populated through the"); - ::rptMsg("choices in the Control Panel Home view (in Vista). As each new choice is"); - ::rptMsg("selected, the most recent choice is added as RecentTask1, and each "); - ::rptMsg("RecentTask* entry is incremented and pushed down in the stack."); - ::rptMsg(""); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $str = sprintf "%-15s %-45s",$v->get_name(),$v->get_data(); - ::rptMsg($str); - } - ::rptMsg(""); - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file 
diff --git a/RecentActivity/release/rr/plugins/cpldontload.pl b/RecentActivity/release/rr/plugins/cpldontload.pl deleted file mode 100644 index 620419ef9b..0000000000 --- a/RecentActivity/release/rr/plugins/cpldontload.pl +++ /dev/null 
@@ -1,72 +0,0 @@ -#----------------------------------------------------------- -# cpldontload.pl -# Check contents of user's Control Panel\don't load key -# -# Change history -# 20100116 - created -# -# References -# W32.Nekat - http://www.symantec.com/security_response/ -# writeup.jsp?docid=2008-011419-0705-99&tabid=2 -# http://www.2-viruses.com/remove-antispywarexp2009 -# -# Notes: Some malware appears to hide various Control Panel applets -# using this means. If some sort of malware/spyware is thought -# to be on the system, check the settings and note the key -# LastWrite time. -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package cpldontload; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100116); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of user's Control Panel don't load key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching cpldontload v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = "Control Panel\\don\'t load"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my @vals = $key->get_list_of_values(); - if (scalar @vals > 0) { - foreach my $v (@vals) { - my $str = sprintf "%-20s %-5s",$v->get_name(),$v->get_data(); - ::rptMsg($str); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} - -1; \ No newline at end of file 
diff --git a/RecentActivity/release/rr/plugins/crashcontrol.pl b/RecentActivity/release/rr/plugins/crashcontrol.pl deleted file mode 100644 index 61cc30b815..0000000000 --- a/RecentActivity/release/rr/plugins/crashcontrol.pl +++ /dev/null 
@@ -1,93 +0,0 @@ -#----------------------------------------------------------- -# crashcontrol.pl -# -# Ref: -# http://support.microsoft.com/kb/254649 -# http://support.microsoft.com/kb/274598 -# -# copyright 2008-2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package crashcontrol; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20081212); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get crash control information"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); -my %dumpenabled = (0 => "None", - 1 => "Complete memory dump", - 2 => "Kernel memory dump", - 3 => "Small (64kb) memory dump"); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching crashcontrol v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - - my $cc_path = "ControlSet00".$current."\\Control\\CrashControl"; - my $cc; - - if ($cc = $root_key->get_subkey($cc_path)) { - - eval { - my $cde = $cc->get_value("CrashDumpEnabled")->get_data(); - ::rptMsg("CrashDumpEnabled = ".$cde." 
[".$dumpenabled{$cde}."]"); - }; - - eval { - my $df = $cc->get_value("DumpFile")->get_data(); - ::rptMsg("DumpFile = ".$df); - }; - - eval { - my $mini = $cc->get_value("MinidumpDir")->get_data(); - ::rptMsg("MinidumpDir = ".$mini); - }; - - eval { - my $logevt = $cc->get_value("LogEvent")->get_data(); - ::rptMsg("LogEvent = ".$logevt); - ::rptMsg(" Logs an event to the System Event Log (event ID = 1001, source = Save Dump)") if ($logevt == 1); - }; - - eval { - my $sendalert = $cc->get_value("SendAlert")->get_data(); - ::rptMsg("SendAlert = ".$sendalert); - ::rptMsg(" Sends a \'net send\' pop-up if a crash occurs") if ($sendalert == 1); - }; - - - } - else { - ::rptMsg($cc_path." not found."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; diff --git a/RecentActivity/release/rr/plugins/crashdump.pl b/RecentActivity/release/rr/plugins/crashdump.pl deleted file mode 100644 index eea639e827..0000000000 --- a/RecentActivity/release/rr/plugins/crashdump.pl +++ /dev/null 
@@ -1,115 +0,0 @@ -#----------------------------------------------------------- -# crashdump.pl -# Author: Don C. Weber -# Plugin for Registry Ripper; Access System hive file to get the -# crashdump settings from System hive -# -# Change history -# -# -# References -# Overview of memory dump file options for Windows Server 2003, Windows XP, and Windows 2000: http://support.microsoft.com/kb/254649/ -# -# Author: Don C. Weber, http://www.cutawaysecurity.com/blog/cutaway-security -#----------------------------------------------------------- -package crashdump; -use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20081219); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets crashdump settings from System hive"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching crashdump v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - my $ccs = "ControlSet00".$current; - my $win_path = $ccs."\\Control\\CrashControl"; - my $win; - if ($win = $root_key->get_subkey($win_path)) { - ::rptMsg("CrashControl Configuration"); - ::rptMsg($win_path); - ::rptMsg("LastWrite Time ".gmtime($win->get_timestamp())." (UTC)"); - } - else { - ::rptMsg($win_path." not found."); - } - - my %vals = getKeyValues($win); - if (scalar(keys %vals) > 0) { - foreach my $v (keys %vals) { - if ($v eq "CrashDumpEnabled"){ - if ($vals{$v} == 0x00){ - ::rptMsg("\t".$v." 
-> None"); - } elsif ($vals{$v} == 0x01){ - ::rptMsg("\t".$v." -> Complete memory dump"); - } elsif ($vals{$v} == 0x02){ - ::rptMsg("\t".$v." -> Kernel memory dump"); - } elsif ($vals{$v} == 0x03){ - ::rptMsg("\t".$v." -> Small memory dump (64KB)"); - } else{ - ::rptMsg($v." has no value."); - } - }else{ - if (($v eq "MinidumpDir") || ($v eq "DumpFile")){ - ::rptMsg("\t".$v." location ".$vals{$v}); - } else{ - ($vals{$v}) ? ::rptMsg("\t".$v." is Enabled") : ::rptMsg("\t".$v." is Disabled"); - } - } - } - } - else { -# ::rptMsg($key_path." has no values."); - } - ::rptMsg(""); - ::rptMsg("Analysis Tips: For crash dump information and tools check http://support.microsoft.com/kb/254649/"); - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - -sub getKeyValues { - my $key = shift; - my %vals; - - my @vk = $key->get_list_of_values(); - if (scalar(@vk) > 0) { - foreach my $v (@vk) { - next if ($v->get_name() eq "" && $v->get_data() eq ""); - $vals{$v->get_name()} = $v->get_data(); - } - } - else { - - } - return %vals; -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/ctrlpnl.pl b/RecentActivity/release/rr/plugins/ctrlpnl.pl deleted file mode 100644 index 13ce7bf906..0000000000 --- a/RecentActivity/release/rr/plugins/ctrlpnl.pl +++ /dev/null 
@@ -1,143 +0,0 @@ -#----------------------------------------------------------- -# ctrlpnl.pl -# Get Control Panel info from the Software hive -# -# Change history: -# 20100116 - created -# -# References: -# http://support.microsoft.com/kb/292463 -# http://learning.infocollections.com/ebook%202/Computer/ -# Operating%20Systems/Windows/Windows.XP.Hacks/ -# 0596005113_winxphks-chp-2-sect-3.html -# http://msdn.microsoft.com/en-us/library/cc144195%28VS.85%29.aspx -# -# Notes: -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package ctrlpnl; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20100116); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get Control Panel info from Software hive"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -my %comp; - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching ctrlpnl v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\Windows\\CurrentVersion\\Control Panel"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg(""); - ::rptMsg($key_path); - ::rptMsg(""); - -# Cpls section - if (my $cpl = $key->get_subkey("Cpls")) { - my @vals = $cpl->get_list_of_values(); - if (scalar @vals > 0) { - ::rptMsg("Cpls key"); - foreach my $v (@vals) { - my $str = sprintf "%-10s %-50s",$v->get_name(),$v->get_data(); - ::rptMsg($str); - } - ::rptMsg(""); - } - else { - ::rptMsg("Cpls key has no values."); - } - } - else { - ::rptMsg("Cpls key not found."); - } - -# don't load section -# The 'don't load' key prevents applets from being loaded -# Be sure to check the user's don't load key, as well - if (my $cpl = $key->get_subkey("don't load")) { - my @vals = 
$cpl->get_list_of_values(); - if (scalar @vals > 0) { - ::rptMsg("don't load key"); - foreach my $v (@vals) { - ::rptMsg($v->get_name()); - } - ::rptMsg(""); - } - else { - ::rptMsg("don't load key has no values."); - } - } - else { - ::rptMsg("don't load key not found."); - } - -# Extended Properties section - if (my $ext = $key->get_subkey("Extended Properties")) { - my @sk = $ext->get_list_of_subkeys(); - if (scalar @sk > 0) { - foreach my $s (@sk) { - my @vals = $s->get_list_of_values(); - if (scalar @vals > 0) { - ::rptMsg($s->get_name()." [".gmtime($s->get_timestamp)." UTC]"); - -# Ref: http://support.microsoft.com/kb/292463 - my %cat = (0x00000000 => "Other Control Panel Options", - 0x00000001 => "Appearance and Themes", - 0x00000002 => "Printers and Other Hardware", - 0x00000003 => "Network and Internet Connections", - 0x00000004 => "Sounds, Speech, and Audio Devices", - 0x00000005 => "Performance and Maintenance", - 0x00000006 => "Date, Time, Language, and Regional Options", - 0x00000007 => "Accessibility Options", - 0xFFFFFFFF => "No Category"); - my %prop; - foreach my $v (@vals) { - push(@{$prop{$v->get_data()}},$v->get_name()); - } - - foreach my $t (sort {$a <=> $b} keys %prop) { - (exists $cat{$t}) ? (::rptMsg($cat{$t})) : (::rptMsg("Category ".$t)); - foreach my $i (@{$prop{$t}}) { - ::rptMsg(" ".$i); - } - ::rptMsg(""); - } - } - } - ::rptMsg(""); - } - else { - ::rptMsg("Extended Properties key has no subkeys."); - } - } - else { - ::rptMsg("Extended Properties key not found."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/ddm.pl b/RecentActivity/release/rr/plugins/ddm.pl deleted file mode 100644 index e66fb2697f..0000000000 --- a/RecentActivity/release/rr/plugins/ddm.pl +++ /dev/null 
@@ -1,82 +0,0 @@ -#----------------------------------------------------------- -# ddm.pl -# -# History: -# 20081129 - created -# -# Note - Not really sure what this is for or could be used for, other -# than to show devices that had been connected to the system -# -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package ddm; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20081129); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get DDM data from Control Subkey"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching ddm v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - my $ccs = "ControlSet00".$current; - - my $key_path = $ccs."\\Control\\DDM"; - my $key; - my %dev; - if ($key = $root_key->get_subkey($key_path)) { - my @subkeys = $key->get_list_of_subkeys(); - if (scalar (@subkeys) > 0) { - foreach my $s (@subkeys) { - my $name = $s->get_name(); - my $tag = (split(/\./,$name,2))[1]; - $dev{$tag}{timestamp} = $s->get_timestamp(); - eval { - $dev{$tag}{make} = $s->get_value("MakeName")->get_data(); - $dev{$tag}{model} = $s->get_value("ModelName")->get_data(); - }; - } - foreach my $d (sort keys %dev) { - ::rptMsg(gmtime($dev{$d}{timestamp})."Z Device\.".$d." ".$dev{$d}{make}." ".$dev{$d}{model}); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); -# ::logMsg($key_path." 
not found."); - } - } - else { - ::logMsg("Current value not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/defbrowser.pl b/RecentActivity/release/rr/plugins/defbrowser.pl deleted file mode 100644 index ae7055aba1..0000000000 --- a/RecentActivity/release/rr/plugins/defbrowser.pl +++ /dev/null 
@@ -1,78 +0,0 @@ -#----------------------------------------------------------- -# defbrowser.pl -# Get default browser information - check #1 can apply to HKLM -# as well as to HKCU -# -# Change History: -# 20091116 - Added Check #1 -# 20081105 - created -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package defbrowser; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20091116); - -sub getConfig{return %config} - -sub getShortDescr { - return "Gets default browser setting from HKLM"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching defbrowser v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Clients\\StartMenuInternet"; - if (my $key = $root_key->get_subkey($key_path)) { - ::rptMsg("Default Browser Check #1"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my $browser = $key->get_value("")->get_data(); - ::rptMsg("Default Browser : ".$browser); - } - else { - ::rptMsg($key_path." not found."); - } - - ::rptMsg(""); - - my $key_path = "Classes\\HTTP\\shell\\open\\command"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("Default Browser Check #2"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my $browser; - eval { - $browser = $key->get_value("")->get_data(); - }; - if ($@) { - ::rptMsg("Error locating default browser setting."); - } - else { - ::rptMsg("Default Browser = ".$browser); - } - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file 
diff --git a/RecentActivity/release/rr/plugins/devclass.pl b/RecentActivity/release/rr/plugins/devclass.pl deleted file mode 100644 index b6a57fff2f..0000000000 --- a/RecentActivity/release/rr/plugins/devclass.pl +++ /dev/null 
@@ -1,125 +0,0 @@ -#----------------------------------------------------------- -# devclass -# Get USB device info from the DeviceClasses keys in the System -# hive (Disks and Volumes GUIDs) -# -# Change History: -# 20100901 - spelling error in output corrected -# 20080331 - created -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package devclass; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20100901); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get USB device info from the DeviceClasses keys in the System hive"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching devclass v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $ccs; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - } - else { - ::logMsg("Could not find ".$key_path); - return - } -# Get devices from the Disk GUID - my $key_path = $ccs."\\Control\\DeviceClasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("DevClasses - Disks"); - ::rptMsg($key_path); - ::rptMsg(""); - my %disks; - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $name = $s->get_name(); - next unless (grep(/USBSTOR/,$name)); - my $lastwrite = $s->get_timestamp(); - my ($dev, $serial) = (split(/#/,$name))[4,5]; - push(@{$disks{$lastwrite}},$dev.",".$serial); - } - - foreach my $t (reverse sort {$a <=> $b} keys %disks) { - 
::rptMsg(gmtime($t)." (UTC)"); - foreach my $item (@{$disks{$t}}) { - ::rptMsg("\t$item"); - } - } - - } - else { - ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - ::rptMsg(""); -# Get devices from the Volume GUID - my $key_path = $ccs."\\Control\\DeviceClasses\\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("DevClasses - Volumes"); - ::rptMsg($key_path); - ::rptMsg(""); - my %vols; - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $name = $s->get_name(); - next unless (grep(/RemovableMedia/,$name)); - my $lastwrite = $s->get_timestamp(); - my $ppi = (split(/#/,$name))[5]; - push(@{$vols{$lastwrite}},$ppi); - } - - foreach my $t (reverse sort {$a <=> $b} keys %vols) { - ::rptMsg(gmtime($t)." (UTC)"); - foreach my $item (@{$vols{$t}}) { - ::rptMsg("\tParentIdPrefix: ".$item); - } - } - } - else { - ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/dfrg.pl b/RecentActivity/release/rr/plugins/dfrg.pl deleted file mode 100644 index 29ac3b80ec..0000000000 --- a/RecentActivity/release/rr/plugins/dfrg.pl +++ /dev/null 
@@ -1,63 +0,0 @@
-#-----------------------------------------------------------
-# dfrg.pl
-# Gets contents of Dfrg\BootOptimizeFunction key
-#
-# Change history:
-# 20110321 - created
-#
-# References
-# http://technet.microsoft.com/en-us/library/cc784391%28WS.10%29.aspx
-#
-# copyright 2011 Quantum Analytics Research, LLC (keydet89@yahoo.com)
-#-----------------------------------------------------------
-package dfrg;
-use strict;
-
-my %config = (hive => "Software",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20110321);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Gets content of Dfrg BootOptim. key";
-}
-sub getDescr{}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching dfrg v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "Microsoft\\Dfrg\\BootOptimizeFunction";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("Dfrg");
- ::rptMsg($key_path);
- ::rptMsg("");
-
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- foreach my $v (@vals) {
- ::rptMsg(sprintf "%-20s %-20s",$v->get_name(),$v->get_data());
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/disablelastaccess.pl b/RecentActivity/release/rr/plugins/disablelastaccess.pl
deleted file mode 100644
index e064521726..0000000000
--- a/RecentActivity/release/rr/plugins/disablelastaccess.pl
+++ /dev/null
@@ -1,73 +0,0 @@
-#-----------------------------------------------------------
-# disablelastaccess.pl
-#
-# References:
-# http://support.microsoft.com/kb/555041
-# http://support.microsoft.com/kb/894372
-#
-# copyright 2008 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package disablelastaccess;
-use strict;
-
-my %config = (hive => "System",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20090118);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Get NTFSDisableLastAccessUpdate value";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching disablelastaccess v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
-# Code for System file, getting CurrentControlSet
- my $current;
- my $key_path = 'Select';
- my $key;
- my $ccs;
- if ($key = $root_key->get_subkey($key_path)) {
- $current = $key->get_value("Current")->get_data();
- $ccs = "ControlSet00".$current;
- }
-
- my $key_path = $ccs."\\Control\\FileSystem";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("NtfsDisableLastAccessUpdate");
- ::rptMsg($key_path);
- my @vals = $key->get_list_of_values();
- my $found = 0;
- if (scalar(@vals) > 0) {
- foreach my $v (@vals) {
- if ($v->get_name() eq "NtfsDisableLastAccessUpdate") {
- ::rptMsg("NtfsDisableLastAccessUpdate = ".$v->get_data());
- $found = 1;
- }
- }
- ::rptMsg("NtfsDisableLastAccessUpdate value not found.") if ($found == 0);
- }
- else {
- ::rptMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/dllsearch.pl b/RecentActivity/release/rr/plugins/dllsearch.pl
deleted file mode 100644
index 767042a8ec..0000000000
--- a/RecentActivity/release/rr/plugins/dllsearch.pl
+++ /dev/null
@@ -1,69 +0,0 @@
-#-----------------------------------------------------------
-# dllsearch.pl
-#
-# References:
-# http://support.microsoft.com/kb/2264107
-#
-# Change History:
-# 20100824: created
-#
-# copyright 2010 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package dllsearch;
-use strict;
-
-my %config = (hive => "System",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20100824);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Get crash control information";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching dllsearch v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
-# Code for System file, getting CurrentControlSet
- my $current;
- my $key_path = 'Select';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- $current = $key->get_value("Current")->get_data();
-
- my $cc_path = "ControlSet00".$current."\\Control\\Session Manager";
- my $cc;
- if ($cc = $root_key->get_subkey($cc_path)) {
- ::rptMsg("dllsearch v.".$VERSION);
- ::rptMsg("");
- my $found = 1;
- eval {
- my $cde = $cc->get_value("CWDIllegalInDllSearch")->get_data();
- $found = 0;
- ::rptMsg(sprintf "CWDIllegalInDllSearch = 0x%x",$cde);
- };
- ::rptMsg("CWDIllegalInDllSearch value not found.") if ($found);
- }
- else {
- ::rptMsg($cc_path." not found.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-1;
diff --git a/RecentActivity/release/rr/plugins/domains.pl b/RecentActivity/release/rr/plugins/domains.pl
deleted file mode 100644
index 633ad87cfd..0000000000
--- a/RecentActivity/release/rr/plugins/domains.pl
+++ /dev/null
@@ -1,74 +0,0 @@
-#-----------------------------------------------------------
-# domains.pl
-#
-#
-# Change history
-# 20100116 - Created
-#
-# References
-# http://support.microsoft.com/kb/919748
-# http://support.microsoft.com/kb/922704
-#
-# copyright 2010 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package domains;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20100116);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets contents Internet Settings\\ZoneMap\\Domains key";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $ntuser = shift;
- ::logMsg("Launching domains v.".$VERSION);
- my $reg = Parse::Win32Registry->new($ntuser);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap";
- my $key;
- if ($key = $root_key->get_subkey($key_path."\\Domains")) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
-
- my @subkeys = $key->get_list_of_subkeys();
- if (scalar(@subkeys) > 0) {
- foreach my $s (@subkeys) {
- ::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())." (UTC)]");
-
- my @vals = $s->get_list_of_values();
- if (scalar @vals > 0) {
- foreach my $v (@vals) {
- ::rptMsg(" ".$v->get_name()." -> ".$v->get_data);
- }
- }
- ::rptMsg("");
- }
- }
- else {
- ::rptMsg($key_path." has no subkeys.");
- ::logMsg($key_path." has no subkeys.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/drwatson.pl b/RecentActivity/release/rr/plugins/drwatson.pl
deleted file mode 100644
index 0360c33fb3..0000000000
--- a/RecentActivity/release/rr/plugins/drwatson.pl
+++ /dev/null
@@ -1,77 +0,0 @@
-#-----------------------------------------------------------
-# drwatson.pl
-# Author: Don C. Weber
-# Plugin for Registry Ripper; Access Software hive file to get the
-# Dr. Watson settings from Software hive
-#
-# Change history
-#
-#
-# References
-# Dr Watson: http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/RegistryTips/RegistryTools/DrWatson.html
-#
-# Author: Don C. Weber, http://www.cutawaysecurity.com/blog/cutaway-security
-#-----------------------------------------------------------
-package drwatson;
-use strict;
-
-my %config = (hive => "Software",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20081219);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets Dr. Watson settings from Software hive";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching drwatson v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
- my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\AeDebug";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ($key->get_value('Auto') == 0x0) ? ::rptMsg("Debugging is Disabled") : ::rptMsg("Debugging is Enabled");
- eval {
- ::rptMsg("Debugger: ".$key->get_value('Debugger')->get_data());
- };
-
- } else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-
- ::rptMsg("");
- my $key_path = "Microsoft\\DrWatson";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ($key->get_value('LogFilePath')) ? 
::rptMsg("DrWatson LogFile Path location: ".$key->get_value('LogFilePath')->get_data()) : ::rptMsg("DrWatson LogFile Path location: %SystemRoot%\\Documents and Settings\\All Users\\Documents\\DrWatson");
- ($key->get_value('CreateCrashDump') == 0x0) ? ::rptMsg("CreateCrashDump is Disabled") : ::rptMsg("CreateCrashDump is Enabled");
- ($key->get_value('CrashDumpFile')) ? ::rptMsg("Crash Dump Path and Name: ".$key->get_value('CrashDumpFile')->get_data()) : ::rptMsg("CrashDumpFile is not set");
- ($key->get_value('AppendToLogFile') == 0x0) ? ::rptMsg("AppendToLogFile is set to create a new file each time") : ::rptMsg("AppendToLogFile is set to append");
-
- } else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-
- ::rptMsg("");
- ::rptMsg("Analysis Tips: For Dr. Watson settings information check: http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/RegistryTips/RegistryTools/DrWatson.html");
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/esent.pl b/RecentActivity/release/rr/plugins/esent.pl
deleted file mode 100644
index 4ae7cd21b5..0000000000
--- a/RecentActivity/release/rr/plugins/esent.pl
+++ /dev/null
@@ -1,78 +0,0 @@
-#-----------------------------------------------------------
-# esent
-# Get contents of Esent\Process key from Software hive
-#
-# Note: Not sure why I wrote this one; just thought it might come
-# in handy as info about this key is developed.
-#
-# copyright 2010 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package esent;
-use strict;
-
-my %config = (hive => "Software",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 1,
- version => 20101202);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Get ESENT\\Process key contents";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching esent v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "Microsoft\\ESENT\\Process";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
-# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
-
- my @sk = $key->get_list_of_subkeys();
-
- if (scalar(@sk) > 0) {
- my %esent;
-
- foreach my $s (@sk) {
- my $sk = $s->get_subkey("DEBUG");
-# my $lw = $s->get_timestamp();
- my $lw = $sk->get_timestamp();
-
- my $name = $s->get_name();
-
- push(@{$esent{$lw}},$name);
- }
-
- foreach my $t (reverse sort {$a <=> $b} keys %esent) {
- ::rptMsg(gmtime($t)." (UTC)");
- foreach my $item (@{$esent{$t}}) {
- ::rptMsg(" $item");
- }
- }
-
- }
- else {
- ::rptMsg($key_path." has no subkeys.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/eventlog.pl b/RecentActivity/release/rr/plugins/eventlog.pl
deleted file mode 100644
index a51ca91282..0000000000
--- a/RecentActivity/release/rr/plugins/eventlog.pl
+++ /dev/null
@@ -1,156 +0,0 @@
-#-----------------------------------------------------------
-# eventlog.pl
-#
-# copyright 2008 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package eventlog;
-use strict;
-
-my %config = (hive => "System",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20090112);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Get EventLog configuration info";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching eventlog v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
-# Code for System file, getting CurrentControlSet
- my $current;
- my $key_path = 'Select';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- $current = $key->get_value("Current")->get_data();
-
- my $evt_path = "ControlSet00".$current."\\Services\\Eventlog";
- my $evt;
- if ($evt = $root_key->get_subkey($evt_path)) {
- ::rptMsg("");
- my @subkeys = $evt->get_list_of_subkeys();
- if (scalar (@subkeys) > 0) {
- foreach my $s (@subkeys) {
- my $logname = $s->get_name();
- ::rptMsg($logname." 
\\ ".scalar gmtime($s->get_timestamp())."Z");
- eval {
- my $file = $s->get_value("File")->get_data();
- ::rptMsg(" File = ".$file);
- };
-
- eval {
- my $display = $s->get_value("DisplayNameFile")->get_data();
- ::rptMsg(" DisplayNameFile = ".$display);
- };
-
- eval {
- my $max = $s->get_value("MaxSize")->get_data();
- ::rptMsg(" MaxSize = ".processSize($max));
- };
-
- eval {
- my $ret = $s->get_value("Retention")->get_data();
- ::rptMsg(" Retention = ".processRetention($ret));
- };
-
-# AutoBackupLogFiles; http://support.microsoft.com/kb/312571/
- eval {
- my $auto = $s->get_value("AutoBackupLogFiles")->get_data();
- ::rptMsg(" AutoBackupLogFiles = ".$auto);
- };
-
-# Check WarningLevel value on Security EventLog; http://support.microsoft.com/kb/945463
- eval {
- if ($logname eq "Security") {
- my $wl = $s->get_value("WarningLevel")->get_data();
- ::rptMsg(" WarningLevel = ".$wl);
- }
- };
-
- ::rptMsg("");
- }
-
- }
- else {
- ::rptMsg($evt_path." has no subkeys.");
- }
- }
- else {
- ::rptMsg($evt_path." not found.");
- ::logMsg($evt_path." not found.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." 
not found.");
- }
-}
-1;
-
-sub processSize {
- my $sz = shift;
-
- my $kb = 1024;
- my $mb = $kb * 1024;
- my $gb = $mb * 1024;
-
- if ($sz > $gb) {
- my $d = $sz/$gb;
- my $l = length((split(/\./,$d,2))[0]) + 2;
- return sprintf "%$l.2fGB",$d;
- }
- elsif ($sz > $mb) {
- my $d = $sz/$mb;
- my $l = length((split(/\./,$d,2))[0]) + 2;
- return sprintf "%$l.2fMB",$d;
- }
- elsif ($sz > $kb) {
- my $d = $sz/$kb;
- my $l = length((split(/\./,$d,2))[0]) + 2;
- return sprintf "%$l.2fKB",$d;
- }
- else {return $sz."B"};
-}
-
-sub processRetention {
-# Retention maintained in seconds
-# http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/
-# regentry/30709.mspx?mfr=true
- my $ret = shift;
-
- my $min = 60;
- my $hr = $min * 60;
- my $day = $hr * 24;
-
- if ($ret > $day) {
- my $d = $ret/$day;
- my $l = length((split(/\./,$d,2))[0]) + 2;
- return sprintf "%$l.2f days",$d;
- }
- elsif ($ret > $hr) {
- my $d = $ret/$hr;
- my $l = length((split(/\./,$d,2))[0]) + 2;
- return sprintf "%$l.2f hr",$d;
- }
- elsif ($ret > $min) {
- my $d = $ret/$min;
- my $l = length((split(/\./,$d,2))[0]) + 2;
- return sprintf "%$l.2f min",$d;
- }
- else {return $ret." sec"};
-}
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/eventlogs.pl b/RecentActivity/release/rr/plugins/eventlogs.pl
deleted file mode 100644
index d7557218c2..0000000000
--- a/RecentActivity/release/rr/plugins/eventlogs.pl
+++ /dev/null
@@ -1,98 +0,0 @@
-#-----------------------------------------------------------
-# eventlogs.pl
-# Author: Don C. Weber
-# Plugin for Registry Ripper; Access System hive file to get the
-# Event Log settings from System hive
-#
-# Change history
-#
-#
-# References
-# Eventlog Key: http://msdn.microsoft.com/en-us/library/aa363648(VS.85).aspx
-#
-# Author: Don C. Weber, http://www.cutawaysecurity.com/blog/cutaway-security
-#-----------------------------------------------------------
-package eventlogs;
-use strict;
-
-my %config = (hive => "System",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20081219);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets Event Log settings from System hive";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching eventlogs v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-# First thing to do is get the ControlSet00x marked current...this is
-# going to be used over and over again in plugins that access the system
-# file
- my $current;
- my $key_path = 'Select';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- $current = $key->get_value("Current")->get_data();
- my $ccs = "ControlSet00".$current;
- my $win_path = $ccs."\\Services\\Eventlog";
- my $win;
- if ($win = $root_key->get_subkey($win_path)) {
- ::rptMsg("EventLog Configuration");
- ::rptMsg($win_path);
- ::rptMsg("LastWrite Time ".gmtime($win->get_timestamp())." (UTC)");
- my $cn;
- if ($cn = $win->get_value("ComputerName")->get_data()) {
- ::rptMsg("ComputerName = ".$cn);
- }
- else {
- ::rptMsg("ComputerName value not found.");
- }
- }
- else {
- ::rptMsg($win_path." 
not found.");
- }
-
-# Cycle through each type of log
- my $logname;
- my $evpath;
- my $evlog;
- my @list_logs = $win->get_list_of_subkeys();
- foreach $logname (@list_logs){
- ::rptMsg("");
- $evpath = $win_path."\\".$logname->get_name();
- if ($evlog = $root_key->get_subkey($evpath)) {
- ::rptMsg(" ".$logname->get_name()." EventLog");
- ::rptMsg(" ".$evpath);
- ::rptMsg(" LastWrite Time ".gmtime($evlog->get_timestamp())." (UTC)");
- ::rptMsg(" Configuration Settings");
- ::rptMsg(" Log location: ".$evlog->get_value('File')->get_data());
- ::rptMsg(" Log Size: ".$evlog->get_value('MaxSize')->get_data()." Bytes");
- ($evlog->get_value('AutoBackupLogFiles') == 0x0) ? ::rptMsg(" AutoBackupLogFiles is Disabled") : ::rptMsg(" AutoBackupLogFiles is Enabled")
- }
- else {
- ::rptMsg($logname->get_name()." Event Log not found.");
- }
- }
- ::rptMsg("");
- ::rptMsg("Analysis Tips: For Event Log settings information check: http://msdn.microsoft.com/en-us/library/aa363648(VS.85).aspx");
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/fileexts.pl b/RecentActivity/release/rr/plugins/fileexts.pl
deleted file mode 100644
index 5bd04db825..0000000000
--- a/RecentActivity/release/rr/plugins/fileexts.pl
+++ /dev/null
@@ -1,73 +0,0 @@
-#-----------------------------------------------------------
-# fileexts.pl
-#
-# copyright 2008 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package fileexts;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20080818);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Get user FileExts values";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching fileexts v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("fileexts");
- ::rptMsg($key_path);
- ::rptMsg("");
-
- my @sk = $key->get_list_of_subkeys();
- if (scalar(@sk) > 0) {
- foreach my $s (@sk) {
- my $name = $s->get_name();
- next unless ($name =~ m/^\.\w+/);
-
- eval {
- my $data = $s->get_subkey("OpenWithList")->get_value("MRUList")->get_data();
- if ($data =~ m/^\w/) {
- ::rptMsg("File Extension: ".$name);
- ::rptMsg("LastWrite: ".gmtime($s->get_subkey("OpenWithList")->get_timestamp()));
- ::rptMsg("MRUList: ".$data);
- my @list = split(//,$data);
- foreach my $l (@list) {
- my $valdata = $s->get_subkey("OpenWithList")->get_value($l)->get_data();
- ::rptMsg(" ".$l." => ".$valdata);
- }
- ::rptMsg("");
- }
- };
- }
- }
- else {
- ::rptMsg($key_path." does not have subkeys.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/findexes.pl b/RecentActivity/release/rr/plugins/findexes.pl
deleted file mode 100644
index ee2f027b35..0000000000
--- a/RecentActivity/release/rr/plugins/findexes.pl
+++ /dev/null
@@ -1,95 +0,0 @@
-#! c:\perl\bin\perl.exe
-#-----------------------------------------------------------
-# findexes.pl
-# Plugin for RegRipper; traverses through a Registry hive,
-# looking for values with binary data types, and checks to see
-# if they start with "MZ"; if so, records the value path, key
-# LastWrite time, and length of the data
-#
-# Change history
-# 20090728 - Created
-#
-# copyright 2009 H. Carvey
-#-----------------------------------------------------------
-package findexes;
-use strict;
-
-my %config = (hive => "All",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20090728);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Scans a hive file looking for binary value data that contains MZ";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-my %vals;
-my $bin_count = 0;
-my $exe_count = 0;
-
-sub pluginmain {
- my $class = shift;
- my $file = shift;
- my $reg = Parse::Win32Registry->new($file);
- my $root_key = $reg->get_root_key;
- ::logMsg("Launching findexes v.".$VERSION);
-
- traverse($root_key);
-# Data structure containing findings is a hash of hashes
- foreach my $k (keys %vals) {
- ::rptMsg("Key: ".$k." LastWrite time: ".gmtime($vals{$k}{lastwrite}));
- foreach my $i (keys %{$vals{$k}}) {
- next if ($i eq "lastwrite");
- ::rptMsg(" Value: ".$i." Length: ".$vals{$k}{$i}." 
bytes");
- }
- ::rptMsg("");
- }
- ::rptMsg("Number of values w/ binary data types: ".$bin_count);
- ::rptMsg("Number of values w/ MZ in binary data: ".$exe_count);
-}
-
-sub traverse {
- my $key = shift;
-# my $ts = $key->get_timestamp();
-
- foreach my $val ($key->get_list_of_values()) {
- my $type = $val->get_type();
- if ($type == 0 || $type == 3) {
- $bin_count++;
- my $data = $val->get_data();
-# This code looks for data that starts with MZ
-# my $i = unpack("v",substr($data,0,2));
-# if ($i == 0x5a4d) {
- if (grep(/MZ/,$data)) {
- $exe_count++;
- my $path;
- my @p = split(/\\/,$key->get_path());
- if (scalar(@p) == 1) {
- $path = "root";
- }
- else {
- shift(@p);
- $path = join('\\',@p);
- }
-
- $vals{$path}{lastwrite} = $key->get_timestamp();
- $vals{$path}{$val->get_name()} = length($data);
- }
- }
- }
-
- foreach my $subkey ($key->get_list_of_subkeys()) {
- traverse($subkey);
- }
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/fw_config.pl b/RecentActivity/release/rr/plugins/fw_config.pl
deleted file mode 100644
index e43e245837..0000000000
--- a/RecentActivity/release/rr/plugins/fw_config.pl
+++ /dev/null
@@ -1,116 +0,0 @@
-#-----------------------------------------------------------
-# fw_config
-#
-# References
-# http://technet2.microsoft.com/WindowsServer/en/library/47f25d7d-
-# 882b-4f87-b05f-31e5664fc15e1033.mspx?mfr=true
-#
-#
-# copyright 2008 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package fw_config;
-use strict;
-
-my %config = (hive => "System",
- osmask => 20,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20080328);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Gets the Windows Firewall config from the System hive";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching fw_config v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-# Code for System file, getting CurrentControlSet
- my $current;
- my $ccs;
- my $select_path = 'Select';
- my $sel;
- if ($sel = $root_key->get_subkey($select_path)) {
- $current = $sel->get_value("Current")->get_data();
- $ccs = "ControlSet00".$current;
- }
- else {
- ::rptMsg($select_path." could not be found.");
- ::logMsg($select_path." could not be found.");
- return;
- }
-
- my @profiles = ("DomainProfile","StandardProfile");
- foreach my $profile (@profiles) {
- my $key_path = $ccs."\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\".$profile;
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("Windows Firewall Configuration");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
-
- my %vals = getKeyValues($key);
- if (scalar(keys %vals) > 0) {
- foreach my $v (keys %vals) {
- ::rptMsg("\t".$v." -> ".$vals{$v});
- }
- }
- else {
-# ::rptMsg($key_path." 
has no values.");
- }
-
- my @configs = ("RemoteAdminSettings",
- "IcmpSettings",
- "GloballyOpenPorts\\List",
- "AuthorizedApplications\\List");
-
- foreach my $config (@configs) {
- eval {
- my %vals = getKeyValues($key->get_subkey($config));
- if (scalar(keys %vals) > 0) {
- ::rptMsg("");
- ::rptMsg($key_path."\\".$config);
- ::rptMsg("LastWrite Time ".gmtime($key->get_subkey($config)->get_timestamp())." (UTC)");
- foreach my $v (keys %vals) {
- ::rptMsg("\t".$v." -> ".$vals{$v});
- }
- }
- };
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
- ::rptMsg("");
- } # end foreach
-}
-
-sub getKeyValues {
- my $key = shift;
- my %vals;
-
- my @vk = $key->get_list_of_values();
- if (scalar(@vk) > 0) {
- foreach my $v (@vk) {
- next if ($v->get_name() eq "" && $v->get_data() eq "");
- $vals{$v->get_name()} = $v->get_data();
- }
- }
- else {
-
- }
- return %vals;
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/gthist.pl b/RecentActivity/release/rr/plugins/gthist.pl
deleted file mode 100644
index bc52f909a9..0000000000
--- a/RecentActivity/release/rr/plugins/gthist.pl
+++ /dev/null
@@ -1,71 +0,0 @@
-#-----------------------------------------------------------
-# gthist.pl
-# Google Toolbar Search History plugin
-#
-#
-# Change history
-# 20100218 - created
-#
-# References
-#
-#
-#
-# copyright 2010 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package gthist;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20100218);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets Google Toolbar Search History";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $ntuser = shift;
- my %hist;
- ::logMsg("Launching gthist v.".$VERSION);
-
- my $reg = Parse::Win32Registry->new($ntuser);
- my $root_key = $reg->get_root_key;
-
- my $key_path = 'Software\\Google\\NavClient\\1.1\\History';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- my @vals = $key->get_list_of_values();
- if (scalar @vals > 0) {
- ::rptMsg("");
- foreach my $v (@vals) {
- my $tv = unpack("V",$v->get_data());
- $hist{$tv} = $v->get_name();
- }
-
- foreach my $t (reverse sort {$a <=> $b} keys %hist) {
- my $str = gmtime($t)." ".$hist{$t};
- ::rptMsg($str);
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/gtwhitelist.pl b/RecentActivity/release/rr/plugins/gtwhitelist.pl
deleted file mode 100644
index e8d0695eea..0000000000
--- a/RecentActivity/release/rr/plugins/gtwhitelist.pl
+++ /dev/null
@@ -1,74 +0,0 @@
-#-----------------------------------------------------------
-# gtwhitelist.pl
-# Google Toolbar Search History plugin
-#
-#
-# Change history
-# 20100218 - created
-#
-# References
-#
-#
-#
-# copyright 2010 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package gtwhitelist;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20100218);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets Google Toolbar whitelist values";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $ntuser = shift;
- my %hist;
- ::logMsg("Launching gtwhitelist v.".$VERSION);
-
- my $reg = Parse::Win32Registry->new($ntuser);
- my $root_key = $reg->get_root_key;
-
- my $key_path = 'Software\\Google\\Google Toolbar\\4.0\\whitelist';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- my $allow2;
- eval {
- $allow2 = $key->get_value("allow2")->get_data();
- my @vals = split(/\|/,$allow2);
- ::rptMsg("");
- ::rptMsg("whitelist");
- foreach my $v (@vals) {
- next if ($v eq "");
- ::rptMsg(" ".$v);
- }
- ::rptMsg("");
- };
-
- my $lastmod;
- eval {
- $lastmod = $key->get_value("lastmod")->get_data();
- ::rptMsg("lastmod ".gmtime($lastmod)." (UTC)");
- };
-
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/hibernate.pl b/RecentActivity/release/rr/plugins/hibernate.pl
deleted file mode 100644
index 64c5b3e359..0000000000
--- a/RecentActivity/release/rr/plugins/hibernate.pl
+++ /dev/null
@@ -1,78 +0,0 @@
-#-----------------------------------------------------------
-# hibernate.pl
-#
-# Ref:
-# http://support.microsoft.com/kb/293399 & testing
-#
-# copyright 2008-2009 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package hibernate;
-use strict;
-
-my %config = (hive => "System",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20081216);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Check hibernation status";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching hibernate v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
-# Code for System file, getting CurrentControlSet
- my $current;
- my $key_path = 'Select';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- $current = $key->get_value("Current")->get_data();
- my $ccs = "ControlSet00".$current;
-
- my $power_path = $ccs."\\Control\\Session Manager\\Power";
- my $power;
- if ($power = $root_key->get_subkey($power_path)) {
-
- my $heur;
- eval {
- my $bin_val = $power->get_value("Heuristics")->get_data();
- $heur = (unpack("v*",$bin_val))[3];
- if ($heur == 0) {
- ::rptMsg("Hibernation disabled.");
- }
- elsif ($heur == 1) {
- ::rptMsg("Hibernation enabled.");
- }
- else {
- ::rptMsg("Unknown hibernation value: ".$heur);
- }
-
- };
- ::rptMsg("Error reading Heuristics value.") if ($@);
-
- }
- else {
- ::rptMsg($power_path." not found.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
-# ::logMsg($key_path." not found.");
- }
-
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/ide.pl b/RecentActivity/release/rr/plugins/ide.pl
deleted file mode 100644
index 789cbd1495..0000000000
--- a/RecentActivity/release/rr/plugins/ide.pl
+++ /dev/null
@@ -1,123 +0,0 @@ -#----------------------------------------------------------- -# ide.pl -# Get IDE device info from the System hive file -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package ide; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20080418); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get IDE device info from the System hive file"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching ide v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - ::rptMsg("IDE"); - -# Code for System file, getting CurrentControlSet - my $current; - my $ccs; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - } - else { - ::logMsg("Could not find ".$key_path); - return - } - - my $key_path = $ccs."\\Enum\\IDE"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - ::rptMsg(""); - ::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())."]"); - my @sk = $s->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $s2 (@sk) { - ::rptMsg($s2->get_name()." [".gmtime($s2->get_timestamp())." (UTC)]"); - eval { - ::rptMsg("FriendlyName : ".$s2->get_value("FriendlyName")->get_data()); - }; - ::rptMsg(""); - } - } - - } - } - else { - ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." 
not found."); - ::logMsg($key_path." not found."); - } - - my $key_path = $ccs."\\Control\\DeviceClasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("DevClasses - Disks"); - ::rptMsg($key_path); - my %disks; - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $name = $s->get_name(); - next unless (grep(/IDE/,$name)); - my $lastwrite = $s->get_timestamp(); - my ($dev, $serial) = (split(/#/,$name))[4,5]; - push(@{$disks{$lastwrite}},$dev.",".$serial); - } - - if (scalar(keys %disks) == 0) { - ::rptMsg("No IDE subkeys were found."); - return; - } - ::rptMsg(""); - foreach my $t (reverse sort {$a <=> $b} keys %disks) { - ::rptMsg(gmtime($t)." (UTC)"); - foreach my $item (@{$disks{$t}}) { - ::rptMsg("\t$item"); - } - } - } - else { - ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/ie_main.pl b/RecentActivity/release/rr/plugins/ie_main.pl deleted file mode 100644 index aa48c4d4a3..0000000000 --- a/RecentActivity/release/rr/plugins/ie_main.pl +++ /dev/null 
@@ -1,82 +0,0 @@ -#----------------------------------------------------------- -# ie_main.pl -# Checks keys/values set by new version of Trojan.Clampi -# -# Change history -# 20091019 - created -# -# -# References -# http://support.microsoft.com/kb/895339 -# http://support.microsoft.com/kb/176497 -# -# copyright 2009 H. Carvey -#----------------------------------------------------------- -package ie_main; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20091019); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets values beneath user's Internet Explorer\\Main key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching ie_main v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Internet Explorer\\Main'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my %main; - - my @vals = $key->get_list_of_values(); - - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $name = $v->get_name(); - my $data = $v->get_data(); - next if ($name eq "Window_Placement"); - - $data = unpack("V",$data) if ($name eq "Do404Search"); - - if ($name eq "IE8RunOnceLastShown_TIMESTAMP" || $name eq "IE8TourShownTime") { - my ($t0,$t1) = unpack("VV",$data); - $data = gmtime(::getTime($t0,$t1))." UTC"; - } - $main{$name} = $data; - } - - foreach my $n (keys %main) { - my $str = sprintf "%-35s %-20s",$n,$main{$n}; - ::rptMsg($str); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file 
diff --git a/RecentActivity/release/rr/plugins/ie_settings.pl b/RecentActivity/release/rr/plugins/ie_settings.pl deleted file mode 100644 index fd3ee3857e..0000000000 --- a/RecentActivity/release/rr/plugins/ie_settings.pl +++ /dev/null @@ -1,72 +0,0 @@ -#! c:\perl\bin\perl.exe -#----------------------------------------------------------- -# ie_settings.pl -# Gets IE settings -# -# Change history -# -# -# References -# -# -# -# copyright 2009 H. Carvey -#----------------------------------------------------------- -package ie_settings; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 1, - osmask => 22, - version => 20091016); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets IE settings"; -} -sub getDescr{} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching ie_settings v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); -# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - - my $ua; - eval { - $ua = $key->get_value("User Agent")->get_data(); - ::rptMsg("User Agent = ".$ua); - }; - - my $zonessecupgrade; - eval { - $zonessecupgrade = $key->get_value("ZonesSecurityUpgrade")->get_data(); - my ($z0,$z1) = unpack("VV",$zonessecupgrade); - ::rptMsg("ZonesSecurityUpgrade = ".gmtime(::getTime($z0,$z1))." (UTC)"); - }; - - my $daystokeep; - eval { - $daystokeep = $key->get_subkey("Url History")->get_value("DaysToKeep")->get_data(); - ::rptMsg("DaysToKeep = ".$daystokeep); - }; - - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file 
diff --git a/RecentActivity/release/rr/plugins/ie_version.pl b/RecentActivity/release/rr/plugins/ie_version.pl deleted file mode 100644 index 64ce73b046..0000000000 --- a/RecentActivity/release/rr/plugins/ie_version.pl +++ /dev/null @@ -1,60 +0,0 @@ -#----------------------------------------------------------- -# ie_version -# Get IE version and build -# -# copyright 2009 H. Carvey -#----------------------------------------------------------- -package ie_version; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20091016); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get IE version and build"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching ie_version v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\Internet Explorer"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my $version; - my $build; - eval { - $build = $key->get_value("Build")->get_data(); - ::rptMsg("IE Build = ".$build); - }; - - eval { - $version= $key->get_value("Version")->get_data(); - ::rptMsg("IE Version = ".$version); - }; - } - else { - ::rptMsg($key_path." not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/imagedev.pl b/RecentActivity/release/rr/plugins/imagedev.pl deleted file mode 100644 index 5822ae7a15..0000000000 --- a/RecentActivity/release/rr/plugins/imagedev.pl +++ /dev/null 
@@ -1,85 +0,0 @@ -#----------------------------------------------------------- -# imagedev.pl -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package imagedev; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20080730); - -sub getConfig{return %config} - -sub getShortDescr { - return " -- "; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching imagedev v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $ccs; - eval { - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - } - }; - if ($@) { - ::rptMsg("Problem locating proper controlset: $@"); - return; - } - - my $key_path = $ccs."\\Control\\Class\\{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("imagedev"); - ::rptMsg($key_path); -# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my @sk = $key->get_list_of_subkeys(); - - if (scalar(@sk) > 0) { - ::rptMsg("Still Image Capture Devices"); - foreach my $s (@sk) { - my $name = $s->get_name(); - next unless ($name =~ m/^\d{4}$/); - my $friendly; - eval { - $friendly = $s->get_value("FriendlyName")->get_data(); - ::rptMsg(" ".$friendly); - }; - if ($@) { - ::logMsg("Error getting device FriendlyName in imagedev: ".$@); - } - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; \ No newline at end of file 
diff --git a/RecentActivity/release/rr/plugins/imagefile.pl b/RecentActivity/release/rr/plugins/imagefile.pl
deleted file mode 100644
index 1f31f674b7..0000000000
--- a/RecentActivity/release/rr/plugins/imagefile.pl
+++ /dev/null
@@ -1,99 +0,0 @@ -#----------------------------------------------------------- -# imagefile -# -# References: -# http://msdn2.microsoft.com/en-us/library/a329t4ed(VS\.80)\.aspx -# http://support.microsoft.com/kb/2264107 -# -# Change history: -# 20100824 - added check for "CWDIllegalInDllSearch" value -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package imagefile; -use strict; - -my %config = (hive => "Software", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100824); - -sub getConfig{return %config} -sub getShortDescr { - return "Checks IFEO subkeys for Debugger/CWDIllegalInDllSearch values"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching imagefile v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("Image File Execution Options"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); - ::rptMsg(""); - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - my %debug; - my $i = "Your Image File Name here without a path"; - foreach my $s (@subkeys) { - my $name = $s->get_name(); - next if ($name =~ m/^$i/i); - my $debugger = ""; - eval { - $debugger = $s->get_value("Debugger")->get_data(); - }; -# If the eval{} throws an error, it's b/c the Debugger value isn't -# found within the key, so we don't need to do anything w/ the error - if ($debugger ne "") { - $debug{$name}{debug} = $debugger; - $debug{$name}{lastwrite} = $s->get_timestamp(); - } - - my $dllsearch = ""; - eval { - $dllsearch = $s->get_value("CWDIllegalInDllSearch")->get_data(); - }; -# If the eval{} throws an error, it's b/c the Debugger value isn't -# found within the key, so we don't need to do anything w/ the error - if ($dllsearch ne "") { - $debug{$name}{dllsearch} = $debugger; - $debug{$name}{lastwrite} = $s->get_timestamp(); - } - } - - if (scalar (keys %debug) > 0) { - foreach my $d (keys %debug) { - ::rptMsg($d." LastWrite: ".gmtime($debug{$d}{lastwrite})); - ::rptMsg(" Debugger : ".$debug{$d}{debug}) if (exists $debug{$d}{debug}); - ::rptMsg(" CWDIllegalInDllSearch: ".$debug{$d}{dllsearch}) if (exists $debug{$d}{dllsearch}); - } - } - else { - ::rptMsg("No Debugger/CWDIllegalInDllSearch values found."); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys"); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/init_dlls.pl b/RecentActivity/release/rr/plugins/init_dlls.pl deleted file mode 100644 index d729a6b716..0000000000 --- a/RecentActivity/release/rr/plugins/init_dlls.pl +++ /dev/null 
@@ -1,77 +0,0 @@ -#----------------------------------------------------------- -# init_dlls.pl -# Plugin to assist in the detection of malware per Mark Russinovich's -# blog post (References, below) -# -# Change History: -# 20110309 - created -# -# References -# http://blogs.technet.com/b/markrussinovich/archive/2011/02/27/3390475.aspx -# -# copyright 2011 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package init_dlls; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20110309); - -sub getConfig{return %config} - -sub getShortDescr { - return "Check for odd **pInit_Dlls keys"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); -my @init; - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching init_dlls v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Windows"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("init_dlls"); - ::rptMsg($key_path); - ::rptMsg("LastWrite: ".gmtime($key->get_timestamp())); - ::rptMsg(""); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $name = $v->get_name(); - next if ($name eq "AppInit_DLLs"); - push(@init,$name) if ($name =~ m/Init_DLLs$/); - } - - if (scalar @init > 0) { - foreach my $n (@init) { - ::rptMsg($n); - } - } - else { - ::rptMsg("No additional values named *Init_DLLs located."); - } - - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file 
diff --git a/RecentActivity/release/rr/plugins/installedcomp.pl b/RecentActivity/release/rr/plugins/installedcomp.pl
deleted file mode 100644
index 9fd730301f..0000000000
--- a/RecentActivity/release/rr/plugins/installedcomp.pl
+++ /dev/null
@@ -1,120 +0,0 @@ -#----------------------------------------------------------- -# installedcomp.pl -# Get info about Installed Components -# -# Change history: -# 20100116 - updated for slightly better coverage -# 20100115 - created -# -# References: -# -# Notes: Look for out of place entries, particularly those -# that point to the Recycle Bin or a temp directory -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package installedcomp; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20100116); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get info about Installed Components/StubPath"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -my %comp; - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching installedcomp v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\Active Setup\\Installed Components"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg(""); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); - ::rptMsg(""); - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $lastwrite = $s->get_timestamp(); - - my $str; - eval { - $str = $s->get_value("ComponentID")->get_data(); - }; - - eval { - my $ver = $s->get_value("Version")->get_data(); - $str .= " v.".$ver if ($ver && $s->get_value("Version")->get_type() == 1); - }; - - eval { - my $stub = $s->get_value("StubPath")->get_data(); - $str .= "; ".$stub if ($stub ne ""); - }; - -# If the $str scalar is empty at this point, that means that for -# some reason, we haven't been able to populate the information -# we're looking for; in this case, we'll go looking for some info -# in a different area of the hive; the BHO.pl plugin does this, as -# well. I'd rather that the plugin look for the Classes info than -# leave a blank entry in the output. - if ($str eq "") { - my $name = $s->get_name(); - my $class_path = "Classes\\CLSID\\".$name; - my $proc; - if ($proc = $root_key->get_subkey($class_path)) { -# Try these two eval{} statements because I've seen the different -# spellings for InProcServer32/InprocServer32 in sequential keys - eval { - $str = $proc->get_subkey("InprocServer32")->get_value("")->get_data(); - }; - - eval { - $str = $proc->get_subkey("InProcServer32")->get_value("")->get_data(); - }; - } - else { - $str = $name." class not found."; - } - } - - push(@{$comp{$lastwrite}},$str); - } - - foreach my $t (reverse sort {$a <=> $b} keys %comp) { - ::rptMsg(gmtime($t)." (UTC)"); - foreach my $item (@{$comp{$t}}) { - ::rptMsg(" ".$item); - } - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/javafx.pl b/RecentActivity/release/rr/plugins/javafx.pl deleted file mode 100644 index 118e82cb58..0000000000 --- a/RecentActivity/release/rr/plugins/javafx.pl +++ /dev/null 
@@ -1,67 +0,0 @@ -#----------------------------------------------------------- -# javafx.pl -# Plugin written based on Cory Harrell's Exploit Artifacts posts at -# http://journeyintoir.blogspot.com/ -# -# Change history -# 20110322 - created -# -# References -# http://java.sun.com/j2se/1.4.2/runtime_win32.html -# -# copyright 2011 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package javafx; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20110322); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of user's JavaFX key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching javafx v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\JavaSoft\\Java Update\\Policy\\JavaFX"; - my $key; - my @vals; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("javafx v.".$VERSION); - ::rptMsg($key_path); - ::rptMsg("LastWrite time: ".gmtime($key->get_timestamp())); - ::rptMsg(""); - @vals = $key->get_list_of_values(); - - if (scalar(@vals) > 0) { -# First, read in all of the values and the data - foreach my $v (@vals) { - ::rptMsg(sprintf "%-25s %-20s",$v->get_name(), $v->get_data()); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/kb950582.pl b/RecentActivity/release/rr/plugins/kb950582.pl deleted file mode 100644 index 4e24fe3dd2..0000000000 --- a/RecentActivity/release/rr/plugins/kb950582.pl +++ /dev/null 
@@ -1,90 +0,0 @@ -#----------------------------------------------------------- -# kb950582.pl -# Get autorun settings WRT KB950582 -# -# Change history -# 18 Dec 2008 - Updated to new name; added checks for Registry -# keys -# -# References -# http://support.microsoft.com/kb/953252 -# http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit -# /regentry/91525.mspx?mfr=true -# -# copyright 2008-2009 H. Carvey -#----------------------------------------------------------- -package kb950582; -use strict; - -my %config = (hive => "Software", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20081212); - -sub getConfig{return %config} -sub getShortDescr { - return "KB950582 - Gets autorun settings from HKLM hive"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching kb950582 v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - eval { - my $path = "Microsoft\\Windows\\CurrentVersion\\Uninstall\\KB950582"; - if (my $kbkey = $root_key->get_subkey($path)) { - my $install = $kbkey->get_value("InstallDate")->get_data(); - ::rptMsg("KB950528 Uninstall Key ".gmtime($kbkey->get_timestamp())); - ::rptMsg(" InstallDate = ".$install."\n"); - } - }; - ::rptMsg("Uninstall\\KB950528 does not appear to be installed.\n") if ($@); - - eval { - my $path = "Microsoft\\Updates\\Windows XP\\SP4\\KB950582"; - if (my $kbkey = $root_key->get_subkey($path)) { - my $install = $kbkey->get_value("InstalledDate")->get_data(); - ::rptMsg("KB950528 Update Key ".gmtime($kbkey->get_timestamp())); - ::rptMsg(" InstalledDate = ".$install."\n"); - } - }; - ::rptMsg("KB950528 does not appear to be installed.\n") if ($@); - - my $key_path = "Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer"; - my $key; - if ($key = 
$root_key->get_subkey($key_path)) { - - eval { - my $nodrive = $key->get_value("NoDriveTypeAutoRun")->get_data(); - my $str = sprintf "%-20s 0x%x","NoDriveTypeAutoRun",$nodrive; - ::rptMsg($str); - }; - ::rptMsg("Error: ".$@) if ($@); - -# http://support.microsoft.com/kb/953252 - eval { - my $honor = $key->get_value("HonorAutorunSetting")->get_data(); - my $str = sprintf "%-20s 0x%x","HonorAutorunSetting",$honor; - ::rptMsg($str); - }; - ::rptMsg("HonorAutorunSetting not found.") if ($@); - ::rptMsg(""); - ::rptMsg("Autorun settings in the HKLM hive take precedence over those in"); - ::rptMsg("the HKCU hive."); - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/kbdcrash.pl b/RecentActivity/release/rr/plugins/kbdcrash.pl deleted file mode 100644 index 560aef9785..0000000000 --- a/RecentActivity/release/rr/plugins/kbdcrash.pl +++ /dev/null 
@@ -1,65 +0,0 @@ -#----------------------------------------------------------- -# kbdcrash.pl -# -# Ref: -# http://support.microsoft.com/kb/244139 -# -# copyright 2008-2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package kbdcrash; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20081212); - -sub getConfig{return %config} - -sub getShortDescr { - return "Checks to see if system is config to crash via keyboard"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); -my $enabled = 0; - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching kbdcrash v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - my $svc = "ControlSet00".$current."\\Services"; - - eval { - my $ps2 = $svc->get_subkey("i8042prt\\Parameters")->get_value("CrashOnCtrlScroll")->get_data(); - ::rptMsg("CrashOnCtrlScroll set for PS2 keyboard") if ($ps2 == 1); - $enabled = 1 if ($ps2 == 1); - }; - - eval { - my $usb = $svc->get_subkey("kbdhid\\Parameters")->get_value("CrashOnCtrlScroll")->get_data(); - ::rptMsg("CrashOnCtrlScroll set for USB keyboard") if ($usb == 1); - $enabled = 1 if ($usb == 1); - }; - ::rptMsg("CrashOnCtrlScroll not set"); - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; diff --git a/RecentActivity/release/rr/plugins/landesk.pl b/RecentActivity/release/rr/plugins/landesk.pl deleted file mode 100644 index d3dd8c5320..0000000000 --- a/RecentActivity/release/rr/plugins/landesk.pl +++ /dev/null 
@@ -1,71 +0,0 @@ -#----------------------------------------------------------- -# LANDESK Monitor Logs -# -# -# Change history -# 20090729 - updates, H. Carvey -# -# copyright 2009 Don C. Weber -#----------------------------------------------------------- -package landesk; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090729); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get list of programs monitored by LANDESK from Software hive file"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); -my %ls; - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching LANDESK v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "LANDesk\\ManagementSuite\\WinClient\\SoftwareMonitoring\\MonitorLog"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg(""); - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - eval { - my ($val1,$val2) = unpack("VV",$s->get_value("Last Started")->get_data()); -# Push the data into a hash of arrays - push(@{$ls{::getTime($val1,$val2)}},$s->get_name()); - }; - } - - foreach my $t (reverse sort {$a <=> $b} keys %ls) { - ::rptMsg(gmtime($t)." (UTC)"); - foreach my $item (@{$ls{$t}}) { - ::rptMsg("\t$item"); - } - } - } - else { - ::rptMsg($key_path." does not appear to have any subkeys.") - } - } - else { - ::rptMsg($key_path." not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/legacy.pl b/RecentActivity/release/rr/plugins/legacy.pl deleted file mode 100644 index 3c34a1a26a..0000000000 --- a/RecentActivity/release/rr/plugins/legacy.pl +++ /dev/null 
@@ -1,96 +0,0 @@ -#----------------------------------------------------------- -# legacy.pl -# -# -# Change history -# 20090429 - created -# -# Reference: http://support.microsoft.com/kb/310592 -# -# -# Analysis Tip: -# -# copyright 2009 H. Carvey -#----------------------------------------------------------- -package legacy; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20090429); - -sub getConfig{return %config} -sub getShortDescr { - return "Lists LEGACY_ entries in Enum\\Root key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key(); -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - my $ccs = "ControlSet00".$current; - my $root_path = $ccs."\\Enum\\Root"; - - my %legacy; - if (my $root = $root_key->get_subkey($root_path)) { - my @sk = $root->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $s (@sk) { - my $name = $s->get_name(); - next unless ($name =~ m/^LEGACY_/); - push(@{$legacy{$s->get_timestamp()}},$name); - - eval { - my @s_sk = $s->get_list_of_subkeys(); - if (scalar(@s_sk) > 0) { - foreach my $s_s (@s_sk) { - - my $desc; - eval { - $desc = $s_s->get_value("DeviceDesc")->get_data(); - push(@{$legacy{$s_s->get_timestamp()}},$name."\\".$s_s->get_name()." - ".$desc); - }; - push(@{$legacy{$s_s->get_timestamp()}},$name."\\".$s_s->get_name()) if ($@); - } - } - }; - } - } - else { - ::rptMsg($root_path." 
has no subkeys."); - } - - foreach my $t (reverse sort {$a <=> $b} keys %legacy) { - ::rptMsg(gmtime($t)." (UTC)"); - foreach my $item (@{$legacy{$t}}) { - ::rptMsg("\t$item"); - } - } - } - else { - ::rptMsg($root_path." not found."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/listsoft.pl b/RecentActivity/release/rr/plugins/listsoft.pl deleted file mode 100644 index ae1c50a540..0000000000 --- a/RecentActivity/release/rr/plugins/listsoft.pl +++ /dev/null 
@@ -1,69 +0,0 @@ -#! c:\perl\bin\perl.exe -#----------------------------------------------------------- -# listsoft.pl -# Plugin for Registry Ripper; traverses thru the Software -# key of an NTUSER.DAT file, extracting all of the subkeys -# and listing them in order by LastWrite time. -# -# Change history -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package listsoft; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Lists contents of user's Software key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $file = shift; - my $reg = Parse::Win32Registry->new($file); - my $root_key = $reg->get_root_key; - ::logMsg("Launching listsoft v.".$VERSION); - my %soft; - my $key_path = 'Software'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("listsoft v.".$VERSION); - ::rptMsg("List the contents of the Software key in the NTUSER\.DAT hive"); - ::rptMsg("file, in order by LastWrite time."); - ::rptMsg(""); - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - push(@{$soft{$s->get_timestamp()}},$s->get_name()); - } - - foreach my $t (reverse sort {$a <=> $b} keys %soft) { - foreach my $item (@{$soft{$t}}) { - ::rptMsg(gmtime($t)."Z \t".$item); - } - } - } - else { - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::logMsg("Could not access ".$key_path); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/load.pl b/RecentActivity/release/rr/plugins/load.pl deleted file mode 100644 index 3ce6ca655e..0000000000 --- a/RecentActivity/release/rr/plugins/load.pl +++ /dev/null 
@@ -1,81 +0,0 @@
-#-----------------------------------------------------------
-# load.pl
-# The load and run values in the Windows NT\CurrentVersion\Windows
-# key are throw-backs to the old win.ini file, and can be/are used
-# by malware.
-#
-# Change history
-# 20100811 - created
-#
-# References
-# http://support.microsoft.com/kb/103865
-# http://security.fnal.gov/cookbook/WinStartup.html
-#
-# copyright 2010 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package load;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20100811);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets load and run values from user hive";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $ntuser = shift;
- ::logMsg("Launching load v.".$VERSION);
- my $reg = Parse::Win32Registry->new($ntuser);
- my $root_key = $reg->get_root_key;
-
- my $key_path = 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("load");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- ::rptMsg("");
- my %win;
- foreach my $v (@vals) {
- $win{$v->get_name()} = $v->get_data();
- }
-
- if (exists $win{"load"}) {
- ::rptMsg("load = ".$win{"load"});
- }
- else {
- ::rptMsg("load value not found.");
- }
-
- if (exists $win{"run"}) {
- ::rptMsg("run = ".$win{"run"});
- }
- else {
- ::rptMsg("run value not found.");
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/logon_xp_run.pl b/RecentActivity/release/rr/plugins/logon_xp_run.pl
deleted file mode 100644
index 831a5cd910..0000000000
--- a/RecentActivity/release/rr/plugins/logon_xp_run.pl
+++ /dev/null
@@ -1,98 +0,0 @@
-#-----------------------------------------------------------
-# logon_xp_run
-# Get contents of Run key from Software hive
-#
-# References:
-# http://support.microsoft.com/kb/314488
-#
-# Note: Needs testing to see if it applies beyond XP/XP-64
-#
-# copyright 2008 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package logon_xp_run;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- osmask => 12,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20080328);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Autostart - Get XP user logon Run key contents from NTUSER\.DAT hive";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching user_xp_run v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer\\Run";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
-
- my %vals = getKeyValues($key);
- if (scalar(keys %vals) > 0) {
- foreach my $v (keys %vals) {
- ::rptMsg("\t".$v." -> ".$vals{$v});
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- }
-
-# my @sk = $key->get_list_of_subkeys();
-# if (scalar(@sk) > 0) {
-# foreach my $s (@sk) {
-# ::rptMsg("");
-# ::rptMsg($key_path."\\".$s->get_name());
-# ::rptMsg("LastWrite Time ".gmtime($s->get_timestamp())." (UTC)");
-# my %vals = getKeyValues($s);
-# foreach my $v (keys %vals) {
-# ::rptMsg("\t".$v." -> ".$vals{$v});
-# }
-# }
-# }
-# else {
-# ::rptMsg("");
-# ::rptMsg($key_path." has no subkeys.");
-# }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." 
not found.");
- }
-
-}
-
-sub getKeyValues {
- my $key = shift;
- my %vals;
-
- my @vk = $key->get_list_of_values();
- if (scalar(@vk) > 0) {
- foreach my $v (@vk) {
- next if ($v->get_name() eq "" && $v->get_data() eq "");
- $vals{$v->get_name()} = $v->get_data();
- }
- }
- else {
-# do nothing
- }
- return %vals;
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/logonusername.pl b/RecentActivity/release/rr/plugins/logonusername.pl
deleted file mode 100644
index 098d89f5e6..0000000000
--- a/RecentActivity/release/rr/plugins/logonusername.pl
+++ /dev/null
@@ -1,68 +0,0 @@
-#! c:\perl\bin\perl.exe
-#-----------------------------------------------------------
-# logonusername.pl
-# Plugin for Registry Ripper, NTUSER.DAT edition - gets the
-# "Logon User Name" value
-#
-# Change history
-#
-#
-#
-# copyright 2008 H. Carvey
-#-----------------------------------------------------------
-package logonusername;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20080324);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Get user's Logon User Name value";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $ntuser = shift;
- ::logMsg("Launching logonusername v.".$VERSION);
- my $reg = Parse::Win32Registry->new($ntuser);
- my $root_key = $reg->get_root_key;
-
- my $logon_name = "Logon User Name";
-
- my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- ::rptMsg("Logon User Name");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time [".gmtime($key->get_timestamp())." (UTC)]");
- foreach my $v (@vals) {
- if ($v->get_name() eq $logon_name) {
- ::rptMsg($logon_name." = ".$v->get_data());
- }
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- ::logMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/lsasecrets.pl b/RecentActivity/release/rr/plugins/lsasecrets.pl
deleted file mode 100644
index 1e0048e973..0000000000
--- a/RecentActivity/release/rr/plugins/lsasecrets.pl
+++ /dev/null
@@ -1,71 +0,0 @@
-#-----------------------------------------------------------
-# lsasecrets.pl
-# Get update times for LSA Secrets from the Security hive file
-#
-# History
-# 20100219 - created
-#
-# References
-# http://moyix.blogspot.com/2008/02/decrypting-lsa-secrets.html
-#
-# copyright 2010 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package lsasecrets;
-use strict;
-
-my %config = (hive => "Security",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20100219);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "TEST - Get update times for LSA Secrets";
-}
-sub getDescr{}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching lsasecrets v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "Policy\\Secrets";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
-
-#
-# http://support.microsoft.com/kb/175468
- eval {
- ::rptMsg("");
- ::rptMsg("Domain secret - \$MACHINE\.ACC");
- my $c = $key->get_subkey("\$MACHINE\.ACC\\CupdTime")->get_value("")->get_data();
- my @v = unpack("VV",$c);
- my $cupd = gmtime(::getTime($v[0],$v[1]));
- ::rptMsg("CupdTime = ".$cupd);
-
- my $o = $key->get_subkey("\$MACHINE\.ACC\\OupdTime")->get_value("")->get_data();
- my @v = unpack("VV",$c);
- my $oupd = gmtime(::getTime($v[0],$v[1]));
- ::rptMsg("OupdTime = ".$oupd);
- };
- ::rptMsg("Error: ".$@) if ($@);
-
-
-
-
-
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/macaddr.pl b/RecentActivity/release/rr/plugins/macaddr.pl
deleted file mode 100644
index 50a034981a..0000000000
--- a/RecentActivity/release/rr/plugins/macaddr.pl
+++ /dev/null
@@ -1,156 +0,0 @@
-#-----------------------------------------------------------
-# macaddr.pl
-# Attempt to locate MAC address in either Software or System hive files;
-# The plugin will determine which one its in and use the appropriate
-# code
-#
-#
-# copyright 2008 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package macaddr;
-use strict;
-
-my %config = (hive => "Software",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20090118);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return " -- ";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching macaddr v.".$VERSION);
-
- my $guess = guessHive($hive);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- if ($guess eq "System") {
-# Code for System file, getting CurrentControlSet
- my $current;
- my $key_path = 'Select';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- $current = $key->get_value("Current")->get_data();
- my $ccs = "ControlSet00".$current;
-
- my $key_path = $ccs."\\Control\\Class\\{4D36E972-E325-11CE-BFC1-08002bE10318}";
- my $key;
- my $found = 0;
- ::rptMsg($key_path);
- if ($key = $root_key->get_subkey($key_path)) {
- my @subkeys = $key->get_list_of_subkeys();
- if (scalar (@subkeys) > 0) {
- foreach my $s (@subkeys) {
- my $name = $s->get_name();
- my $na;
- eval {
- $na = $key->get_subkey($name)->get_value("NetworkAddress")->get_data();
- ::rptMsg(" ".$name.": NetworkAddress = ".$na);
- $found = 1;
- };
- }
- ::rptMsg("No NetworkAddress value found.") if ($found == 0);
- }
- else {
- ::rptMsg($key_path." has no subkeys.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
- }
- else {
- ::rptMsg($key_path." 
not found.");
- }
- }
- elsif ($guess eq "Software") {
- my $key_path = "Microsoft\\Windows Genuine Advantage";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- my $mac;
- my $found = 0;
- eval {
- $mac = $key->get_value("MAC")->get_data();
- ::rptMsg("Mac Address(es) = ".$mac);
- $found = 1;
- };
- ::rptMsg("No MAC address(es) found.") if ($found == 0);
- }
- else {
- ::rptMsg($key_path." not found.");
- }
- }
- else {
- ::rptMsg("Hive file ".$hive." appeared to be neither a Software nor a");
- ::rptMsg("System hive file.");
- }
-}
-
-#-------------------------------------------------------------
-# guessHive() - attempts to determine the hive type; if NTUSER.DAT,
-# attempt to retrieve the SID for the user; this function populates
-# global variables (%config, @sids)
-#-------------------------------------------------------------
-sub guessHive {
- my $hive = shift;
- my $hive_guess;
- my $reg;
- my $root_key;
- eval {
- $reg = Parse::Win32Registry->new($hive);
- $root_key = $reg->get_root_key;
- };
- ::rptMsg($hive." may not be a valid hive.") if ($@);
-
-# Check for SAM
- eval {
- if (my $key = $root_key->get_subkey("SAM\\Domains\\Account\\Users")) {
- $hive_guess = "SAM";
- }
- };
-# Check for Software
- eval {
- if ($root_key->get_subkey("Microsoft\\Windows\\CurrentVersion") &&
- $root_key->get_subkey("Microsoft\\Windows NT\\CurrentVersion")) {
- $hive_guess = "Software";
- }
- };
-
-# Check for System
- eval {
- if ($root_key->get_subkey("MountedDevices") && $root_key->get_subkey("Select")) {
- $hive_guess = "System";
- }
- };
-
-# Check for Security
- eval {
- if ($root_key->get_subkey("Policy\\Accounts") && $root_key->get_subkey("Policy\\PolAdtEv")) {
- $hive_guess = "Security";
- }
- };
-# Check for NTUSER.DAT
- eval {
- if ($root_key->get_subkey("Software\\Microsoft\\Windows\\CurrentVersion")) {
- $hive_guess = "NTUSER\.DAT";
- }
- };
- return $hive_guess;
-}
-
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/mmc.pl b/RecentActivity/release/rr/plugins/mmc.pl
deleted file mode 100644
index d66557c5da..0000000000
--- a/RecentActivity/release/rr/plugins/mmc.pl
+++ /dev/null
@@ -1,75 +0,0 @@
-#-----------------------------------------------------------
-# mmc.pl
-# Plugin for Registry Ripper, NTUSER.DAT edition - gets the
-# Microsoft Management Console Recent File List values
-#
-# Change history
-#
-#
-# References
-#
-#
-# copyright 2008 H. Carvey
-#-----------------------------------------------------------
-package mmc;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20080324);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Get contents of user's MMC\\Recent File List key";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $ntuser = shift;
- ::logMsg("Launching mmc v.".$VERSION);
- my $reg = Parse::Win32Registry->new($ntuser);
- my $root_key = $reg->get_root_key;
-
- my $key_path = 'Software\\Microsoft\\Microsoft Management Console\\Recent File List';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("MMC - Recent File List");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- my %files;
-# Retrieve values and load into a hash for sorting
- foreach my $v (@vals) {
- my $val = $v->get_name();
- my $data = $v->get_data();
- my $tag = (split(/File/,$val))[1];
- $files{$tag} = $val.":".$data;
- }
-# Print sorted content to report file
- foreach my $u (sort {$a <=> $b} keys %files) {
- my ($val,$data) = split(/:/,$files{$u},2);
- ::rptMsg(" ".$val." -> ".$data);
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- ::logMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/mndmru.pl b/RecentActivity/release/rr/plugins/mndmru.pl
deleted file mode 100644
index d223d7f49c..0000000000
--- a/RecentActivity/release/rr/plugins/mndmru.pl
+++ /dev/null
@@ -1,77 +0,0 @@
-#-----------------------------------------------------------
-# mndmru.pl
-# Plugin for Registry Ripper,
-# Map Network Drive MRU parser
-#
-# Change history
-#
-#
-# References
-#
-#
-# copyright 2008 H. Carvey
-#-----------------------------------------------------------
-package mndmru;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20080324);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Get contents of user's Map Network Drive MRU";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $ntuser = shift;
- ::logMsg("Launching mndmru v.".$VERSION);
- my $reg = Parse::Win32Registry->new($ntuser);
- my $root_key = $reg->get_root_key;
-
- my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Map Network Drive MRU';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("Map Network Drive MRU");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- my %mnd;
-# Retrieve values and load into a hash for sorting
- foreach my $v (@vals) {
- my $val = $v->get_name();
- my $data = $v->get_data();
- $mnd{$val} = $data;
- }
-# Print sorted content to report file
- if (exists $mnd{"MRUList"}) {
- ::rptMsg(" MRUList = ".$mnd{"MRUList"});
- delete $mnd{"MRUList"};
- }
- foreach my $m (sort {$a <=> $b} keys %mnd) {
- ::rptMsg(" ".$m." ".$mnd{$m});
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- ::logMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/mountdev.pl b/RecentActivity/release/rr/plugins/mountdev.pl
deleted file mode 100644
index ae0d58b26b..0000000000
--- a/RecentActivity/release/rr/plugins/mountdev.pl
+++ /dev/null
@@ -1,101 +0,0 @@
-#-----------------------------------------------------------
-# mountdev.pl
-# Plugin for Registry Ripper; Access System hive file to get the
-# MountedDevices
-#
-# Change history
-#
-#
-# References
-#
-#
-# copyright 2008 H. Carvey
-#-----------------------------------------------------------
-package mountdev;
-use strict;
-
-my %config = (hive => "System",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20080324);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Return contents of System hive MountedDevices key";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching mountdev v.".$VERSION);
- ::rptMsg("mountdev v.".$VERSION);
- ::rptMsg("Get MountedDevices key information from the System hive file.");
- ::rptMsg("");
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
- my $key_path = 'MountedDevices';
- my $key;
- my %md;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite time = ".gmtime($key->get_timestamp())."Z");
- ::rptMsg("");
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- foreach my $v (@vals) {
- my $data = $v->get_data();
- my $len = length($data);
- if ($len == 12) {
- my $sig = _translateBinary(substr($data,0,4));
- ::rptMsg($v->get_name());
- ::rptMsg("\tDrive Signature = ".$sig);
- }
- elsif ($len > 12) {
- $data =~ s/\00//g;
- push(@{$md{$data}},$v->get_name());
- }
- else {
- ::logMsg("mountdev v.".$VERSION."\tData length = $len");
- }
- }
-
- ::rptMsg("");
- foreach my $m (keys %md) {
- ::rptMsg("Device: ".$m);
- foreach my $item (@{$md{$m}}) {
- ::rptMsg("\t".$item);
- }
- ::rptMsg("");
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- ::logMsg($key_path." 
has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
-
-sub _translateBinary {
- my $str = unpack("H*",$_[0]);
- my $len = length($str);
- my @nstr = split(//,$str,$len);
- my @list = ();
- foreach (0..($len/2)) {
- push(@list,$nstr[$_*2].$nstr[($_*2)+1]);
- }
- return join(' ',@list);
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/mountdev2.pl b/RecentActivity/release/rr/plugins/mountdev2.pl
deleted file mode 100644
index d5b1c3e324..0000000000
--- a/RecentActivity/release/rr/plugins/mountdev2.pl
+++ /dev/null
@@ -1,106 +0,0 @@
-#-----------------------------------------------------------
-# mountdev2.pl
-# Plugin for Registry Ripper; Access System hive file to get the
-# MountedDevices
-#
-# Change history
-# 20091116 - changed output
-#
-# References
-#
-#
-# copyright 2009 H. Carvey
-#-----------------------------------------------------------
-package mountdev2;
-use strict;
-
-my %config = (hive => "System",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20091116);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Return contents of System hive MountedDevices key";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching mountdev2 v.".$VERSION);
- ::rptMsg("");
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
- my $key_path = 'MountedDevices';
- my $key;
- my (%md,%dos,%vol);
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite time = ".gmtime($key->get_timestamp())."Z");
- ::rptMsg("");
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- foreach my $v (@vals) {
- my $data = $v->get_data();
- my $len = length($data);
- if ($len == 12) {
- my $sig = _translateBinary(substr($data,0,4));
-# my $sig = _translateBinary($data);
- $vol{$v->get_name()} = $sig;
- }
- elsif ($len > 12) {
- $data =~ s/\00//g;
- push(@{$md{$data}},$v->get_name());
- }
- else {
- ::logMsg("mountdev2 v.".$VERSION."\tData length = $len");
- }
- }
-
- ::rptMsg(sprintf "%-50s %-20s","Volume","Disk Sig");
- ::rptMsg(sprintf "%-50s %-20s","-------","--------");
- foreach my $v (sort keys %vol) {
- my $str = sprintf "%-50s %-20s",$v,$vol{$v};
- ::rptMsg($str);
- }
-
- ::rptMsg("");
- foreach my $m (sort keys %md) {
- ::rptMsg("Device: ".$m);
- foreach my $item (@{$md{$m}}) {
- 
::rptMsg("\t".$item);
- }
- ::rptMsg("");
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- ::logMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
-
-sub _translateBinary {
- my $str = unpack("H*",$_[0]);
- my $len = length($str);
- my @nstr = split(//,$str,$len);
- my @list = ();
- foreach (0..($len/2)) {
- push(@list,$nstr[$_*2].$nstr[($_*2)+1]);
- }
- return join(' ',@list);
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/mountdev3.pl b/RecentActivity/release/rr/plugins/mountdev3.pl
deleted file mode 100644
index ff4d4cfbf0..0000000000
--- a/RecentActivity/release/rr/plugins/mountdev3.pl
+++ /dev/null
@@ -1,110 +0,0 @@
-#-----------------------------------------------------------
-# mountdev3.pl
-# Plugin for Registry Ripper; Access System hive file to get the
-# MountedDevices
-#
-# Change history
-#
-#
-# References
-#
-#
-# copyright 2009 H. Carvey
-#-----------------------------------------------------------
-package mountdev3;
-use Math::BigInt;
-use strict;
-
-my %config = (hive => "System",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20090909);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Return contents of System hive MountedDevices key";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
-# ::logMsg("Launching mountdev3 v.".$VERSION);
- ::rptMsg("mountdev3 v.".$VERSION);
- ::rptMsg("Get MountedDevices key information from the System hive file.");
- ::rptMsg("");
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
- my $key_path = 'MountedDevices';
- my $key;
- my %md;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite time = ".gmtime($key->get_timestamp())."Z");
- ::rptMsg("");
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- foreach my $v (@vals) {
- my $data = $v->get_data();
- my $len = length($data);
- if ($len == 12) {
- my $sig = _translateBinary(substr($data,0,4));
- my ($low,$high) = unpack("VV",substr($data,4,8));
- my $val64 = Math::BigInt->new($high)->blsft(32)->bxor($low);
- my $driveoffset = ($val64/512);
- ::rptMsg($v->get_name());
- ::rptMsg("\tDrive Signature = ".$sig);
- ::rptMsg("\tPartition offset = ".$driveoffset);
- }
- elsif ($len == 16) {
- ::rptMsg($v->get_name());
- ::rptMsg("\t".$data);
- }
- elsif ($len > 16) {
- $data =~ s/\00//g;
- push(@{$md{$data}},$v->get_name());
- }
- else {
- ::logMsg("mountdev v.".$VERSION."\tData 
length = $len");
- }
- }
-
- ::rptMsg("");
- foreach my $m (keys %md) {
- ::rptMsg("Device: ".$m);
- foreach my $item (@{$md{$m}}) {
- ::rptMsg("\t".$item);
- }
- ::rptMsg("");
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- ::logMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
-
-sub _translateBinary {
- my $str = unpack("H*",$_[0]);
- my $len = length($str);
- my @nstr = split(//,$str,$len);
- my @list = ();
- foreach (0..($len/2)) {
- push(@list,$nstr[$_*2].$nstr[($_*2)+1]);
- }
- return join(' ',@list);
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/mp2.pl b/RecentActivity/release/rr/plugins/mp2.pl
deleted file mode 100644
index b7ef8f76d6..0000000000
--- a/RecentActivity/release/rr/plugins/mp2.pl
+++ /dev/null
@@ -1,114 +0,0 @@
-#-----------------------------------------------------------
-# mp2.pl
-# Plugin for Registry Ripper,
-# MountPoints2 key parser
-#
-# Change history
-# 20091116 - updated output/sorting; added getting
-# _LabelFromReg value
-# 20090115 - Removed printing of "volumes"
-#
-# References
-# http://support.microsoft.com/kb/932463
-#
-# copyright 2009 H. Carvey
-#-----------------------------------------------------------
-package mp2;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20090115);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets user's MountPoints2 key contents";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $ntuser = shift;
- ::logMsg("Launching mp2 v.".$VERSION);
-
- my %drives;
- my %volumes;
- my %remote;
-
- my $reg = Parse::Win32Registry->new($ntuser);
- my $root_key = $reg->get_root_key;
-
- my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("MountPoints2");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- my @subkeys = $key->get_list_of_subkeys();
- if (scalar @subkeys > 0) {
- foreach my $s (@subkeys) {
- my $name = $s->get_name();
- if ($name =~ m/^{/) {
- my $label;
- eval {
- $label = $s->get_value("_LabelFromReg")->get_data();
- };
- $name = $name." 
(".$label.")" unless ($@);
- push(@{$volumes{$s->get_timestamp()}},$name);
- }
- elsif ($name =~ m/^[A-Z]/) {
- push(@{$drives{$s->get_timestamp()}},$name);
- }
- elsif ($name =~ m/^#/) {
- push(@{$remote{$s->get_timestamp()}},$name);
- }
- else {
- ::rptMsg(" Key name = ".$name);
- }
- }
- ::rptMsg("");
- ::rptMsg("Remote Drives:");
- foreach my $t (reverse sort {$a <=> $b} keys %remote) {
- ::rptMsg(gmtime($t)." (UTC)");
- foreach my $item (@{$remote{$t}}) {
- ::rptMsg(" $item");
- }
- }
-
- ::rptMsg("");
- ::rptMsg("Volumes:");
- foreach my $t (reverse sort {$a <=> $b} keys %volumes) {
- ::rptMsg(gmtime($t)." (UTC)");
- foreach my $item (@{$volumes{$t}}) {
- ::rptMsg(" $item");
- }
- }
- ::rptMsg("");
- ::rptMsg("Drives:");
- foreach my $t (reverse sort {$a <=> $b} keys %drives) {
- my $d = join(',',(@{$drives{$t}}));
- ::rptMsg(gmtime($t)." (UTC) - ".$d);
- }
-
- ::rptMsg("");
- ::rptMsg("Analysis Tip: Correlate the Volume entries to those found in the MountedDevices");
- ::rptMsg("entries that begin with \"\\??\\Volume\"\.");
- }
- else {
- ::rptMsg($key_path." has no subkeys.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/mpmru.pl b/RecentActivity/release/rr/plugins/mpmru.pl
deleted file mode 100644
index 701f0a802d..0000000000
--- a/RecentActivity/release/rr/plugins/mpmru.pl
+++ /dev/null
@@ -1,75 +0,0 @@
-#-----------------------------------------------------------
-# mpmru.pl
-# Plugin for Registry Ripper, NTUSER.DAT edition - gets the
-# Media Player RecentFileList values
-#
-# Change history
-#
-#
-# References
-#
-#
-# copyright 2008 H. Carvey
-#-----------------------------------------------------------
-package mpmru;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20080324);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets user's Media Player RecentFileList values";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $ntuser = shift;
- ::logMsg("Launching mpmru v.".$VERSION);
- my $reg = Parse::Win32Registry->new($ntuser);
- my $root_key = $reg->get_root_key;
-
- my $key_path = 'Software\\Microsoft\\MediaPlayer\\Player\\RecentFileList';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("Media Player - RecentFileList");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- my %files;
-# Retrieve values and load into a hash for sorting
- foreach my $v (@vals) {
- my $val = $v->get_name();
- my $data = $v->get_data();
- my $tag = (split(/File/,$val))[1];
- $files{$tag} = $val.":".$data;
- }
-# Print sorted content to report file
- foreach my $u (sort {$a <=> $b} keys %files) {
- my ($val,$data) = split(/:/,$files{$u},2);
- ::rptMsg(" ".$val." -> ".$data);
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- ::logMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/mrt.pl b/RecentActivity/release/rr/plugins/mrt.pl
deleted file mode 100644
index 89e9ebddaf..0000000000
--- a/RecentActivity/release/rr/plugins/mrt.pl
+++ /dev/null
@@ -1,72 +0,0 @@ -#----------------------------------------------------------- -# mrt.pl -# -# Per http://support.microsoft.com/kb/891716/, whenever MRT is run, a new -# GUID is written to the Version value. Check the KB article to compare -# GUIDs against the last time the tool was run. Also be sure to check the -# MRT logs in %WinDir%\Debug (mrt.log) -# -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package mrt; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 1, - version => 20080804); - -sub getConfig{return %config} - -sub getShortDescr { - return "Check to see if Malicious Software Removal Tool has been run"; -} -sub getDescr{} -sub getRefs {"Deployment of the Microsoft Windows Malicious Software Removal Tool" => - "http://support.microsoft.com/kb/891716/", - "The Microsoft Windows Malicious Software Removal Tool" => "http://support.microsoft.com/?kbid=890830"} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching MRT v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - - my $key_path = "Microsoft\\RemovalTools\\MRT"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("Key Path: ".$key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my $version; - eval { - $version = $key->get_value("Version")->get_data(); - }; - if ($@) { - ::rptMsg("Error getting Version information: ".$@); - - } - else { - ::rptMsg("Version: ".$version); - ::rptMsg(""); - ::rptMsg("Analysis Tip: Go to http://support.microsoft.com/kb/891716/ to see when MRT"); - ::rptMsg("was last run. 
According to the KB article, each time MRT is run, a new GUID"); - ::rptMsg("is written to the Version value."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/msis.pl b/RecentActivity/release/rr/plugins/msis.pl deleted file mode 100644 index cda7bc4cdd..0000000000 --- a/RecentActivity/release/rr/plugins/msis.pl +++ /dev/null 
@@ -1,96 +0,0 @@ -#----------------------------------------------------------- -# msis.pl -# Plugin to determine the MSI packages installed on the system -# -# Change history: -# 20090911 - created -# -# References: -# http://support.microsoft.com/kb/290134 -# http://support.microsoft.com/kb/931401 -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package msis; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090911); - -sub getConfig{return %config} - -sub getShortDescr { - return "Determine MSI packages installed on the system"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -my %msi; - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching msis v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Classes\\Installer\\Products"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg(""); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $lastwrite = $s->get_timestamp(); - - my $product; - eval { - $product = $s->get_value("ProductName")->get_data(); - }; - - my $path; - my $pkg; - - eval { - my $p = $s->get_subkey("SourceList")->get_value("LastUsedSource")->get_data(); - $path = (split(/;/,$p,3))[2]; - }; - - eval { - $pkg = $s->get_subkey("SourceList")->get_value("PackageName")->get_data(); - }; - - push(@{$msi{$lastwrite}},$product.";".$path.$pkg); - } - - - foreach my $t (reverse sort {$a <=> $b} keys %msi) { - ::rptMsg(gmtime($t)." 
(UTC)"); - foreach my $item (@{$msi{$t}}) { - ::rptMsg(" ".$item); - } - } - - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/mspaper.pl b/RecentActivity/release/rr/plugins/mspaper.pl deleted file mode 100644 index da25ba65a0..0000000000 --- a/RecentActivity/release/rr/plugins/mspaper.pl +++ /dev/null 
@@ -1,100 +0,0 @@ -#----------------------------------------------------------- -# mspaper.pl -# Plugin for Registry Ripper, NTUSER.DAT edition - gets the -# MSPaper Recent File List values -# -# Change history -# -# -# References -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package mspaper; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets images listed in user's MSPaper key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching mspaper v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $tick = 0; - my $key_path = 'Software\\Microsoft'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - my @subkeys = $key->get_list_of_subkeys(); - - if (scalar @subkeys > 0) { - foreach my $sk (@subkeys) { - if ($sk->get_name() =~ m/^mspaper/i) { - $tick = 1; - my $nkey = $sk->get_name()."\\Recent File List"; - my $msp; - if ($msp = $key->get_subkey($nkey)) { - ::rptMsg("MSPaper - Recent File List"); - ::rptMsg($key_path."\\".$nkey); - ::rptMsg("LastWrite Time ".gmtime($msp->get_timestamp())." (UTC)"); - my @vals = $msp->get_list_of_values(); - if (scalar(@vals) > 0) { - my %files; -# Retrieve values and load into a hash for sorting - foreach my $v (@vals) { - my $val = $v->get_name(); - my $data = $v->get_data(); - my $tag = (split(/File/,$val))[1]; - $files{$tag} = $val.":".$data; - } -# Print sorted content to report file - foreach my $u (sort {$a <=> $b} keys %files) { - my ($val,$data) = split(/:/,$files{$u},2); - ::rptMsg(" ".$val." -> ".$data); - } - } - else { - ::rptMsg($key_path."\\".$nkey." 
has no values."); - } - } - else { - ::rptMsg($key_path."\\".$nkey." not found."); - ::logMsg("Error: ".$key_path."\\".$nkey." not found."); - } - } - } - if ($tick == 0) { - ::rptMsg("SOFTWARE\\Microsoft\\MSPaper* not found."); - ::logMsg("SOFTWARE\\Microsoft\\MSPaper* not found."); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/muicache.pl b/RecentActivity/release/rr/plugins/muicache.pl deleted file mode 100644 index 8a980e3531..0000000000 --- a/RecentActivity/release/rr/plugins/muicache.pl +++ /dev/null 
@@ -1,66 +0,0 @@ -#! c:\perl\bin\perl.exe -#----------------------------------------------------------- -# muicache.pl -# Plugin for Registry Ripper, NTUSER.DAT edition - gets the -# MUICache values -# -# Change history -# -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package muicache; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets EXEs from user's MUICache key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching muicache v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - my $key_path = 'Software\\Microsoft\\Windows\\ShellNoRoam\\MUICache'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("MUICache"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $name = $v->get_name(); - next if ($name =~ m/^@/ || $name eq "LangID"); - my $data = $v->get_data(); - ::rptMsg("\t".$name." (".$data.")"); - } - } - else { - ::rptMsg($key_path." has no values."); - ::logMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/nero.pl b/RecentActivity/release/rr/plugins/nero.pl deleted file mode 100644 index 30b861326a..0000000000 --- a/RecentActivity/release/rr/plugins/nero.pl +++ /dev/null 
@@ -1,75 +0,0 @@ -#----------------------------------------------------------- -# nero.pl -# **Very Beta! Based on one sample hive file only! -# -# Change history -# 20100218 - created -# -# References -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package nero; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100218); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of Ahead\\Nero Recent File List subkeys"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -my @nerosubkeys = ("Cover Designer","FlmgPlg","Nero PhotoSnap", - "NSPluginMgr","PhotoEffects","XlmgPlg"); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - my %hist; - ::logMsg("Launching nero v.".$VERSION); - - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Ahead'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg(""); - foreach my $nsk (@nerosubkeys) { - eval { - my $nk; - if ($nk = $key->get_subkey($nsk."\\Recent File List")) { - my @vals = $nk->get_list_of_values(); - if (scalar @vals > 0) { - ::rptMsg($nsk."\\Recent File List"); - ::rptMsg("LastWrite Time ".gmtime($nk->get_timestamp())." (UTC)"); - foreach my $v (@vals) { - ::rptMsg(" ".$v->get_name()." -> ".$v->get_data()); - } - ::rptMsg(""); - } - else { - ::rptMsg($nsk."\\Recent File List has no values."); - } - } - }; - } - } - else { - ::rptMsg($key_path." not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/network.pl b/RecentActivity/release/rr/plugins/network.pl deleted file mode 100644 index 32853b3110..0000000000 --- a/RecentActivity/release/rr/plugins/network.pl +++ /dev/null 
@@ -1,95 +0,0 @@ -#----------------------------------------------------------- -# network.pl -# Plugin for Registry Ripper; Get information on network -# interfaces from the System hive file - from the -# Control\Network GUID subkeys... -# -# Change history -# -# -# References -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package network; -use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets info from System\\Control\\Network GUIDs"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - my %nics; - my $ccs; - ::logMsg("Launching network v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - my $nw_path = $ccs."\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}"; - my $nw; - if ($nw = $root_key->get_subkey($nw_path)) { - ::rptMsg("Network key"); - ::rptMsg($nw_path); -# Get all of the subkey names - my @sk = $nw->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $s (@sk) { - my $name = $s->get_name(); - next if ($name eq "Descriptions"); - if (my $conn = $nw->get_subkey($name."\\Connection")) { - ::rptMsg("Interface ".$name); - ::rptMsg("LastWrite time ".gmtime($conn->get_timestamp())." 
(UTC)"); - my %conn_vals; - my @vals = $conn->get_list_of_values(); - map{$conn_vals{$_->get_name()} = $_->get_data()}@vals; - ::rptMsg("\tName = ".$conn_vals{Name}); - ::rptMsg("\tPnpInstanceID = ".$conn_vals{PnpInstanceID}); - ::rptMsg("\tMediaSubType = ".$conn_vals{MediaSubType}); - ::rptMsg("\tIpCheckingEnabled = ".$conn_vals{IpCheckingEnabled}) - if (exists $conn_vals{IpCheckingEnabled}); - - } - ::rptMsg(""); - } - - } - else { - ::rptMsg($nw_path." has no subkeys."); - } - } - else { - ::rptMsg($nw_path." could not be found."); - ::logMsg($nw_path." could not be found."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/networkcards.pl b/RecentActivity/release/rr/plugins/networkcards.pl deleted file mode 100644 index c0ce64f41d..0000000000 --- a/RecentActivity/release/rr/plugins/networkcards.pl +++ /dev/null 
@@ -1,62 +0,0 @@ -#----------------------------------------------------------- -# networkcards -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package networkcards; -use strict; - -my %config = (hive => "Software", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080325); - -sub getConfig{return %config} -sub getShortDescr { - return "Get NetworkCards"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching networkcards v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\NetworkCards"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("NetworkCards"); - ::rptMsg($key_path); - ::rptMsg(""); - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - my %nc; - foreach my $s (@subkeys) { - my $service = $s->get_value("ServiceName")->get_data(); - $nc{$service}{descr} = $s->get_value("Description")->get_data(); - $nc{$service}{lastwrite} = $s->get_timestamp(); - } - - foreach my $n (keys %nc) { - ::rptMsg($nc{$n}{descr}." [".gmtime($nc{$n}{lastwrite})."]"); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/networklist.pl b/RecentActivity/release/rr/plugins/networklist.pl deleted file mode 100644 index babf87d7d6..0000000000 --- a/RecentActivity/release/rr/plugins/networklist.pl +++ /dev/null 
@@ -1,142 +0,0 @@ -#----------------------------------------------------------- -# networklist.pl - Plugin to extract information from the -# NetworkList key, including the MAC address of the default -# gateway -# -# -# Change History: -# 20090812 - updated code to parse DateCreated and DateLastConnected -# values; modified output, as well -# 20090811 - created -# -# References -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package networklist; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090811); - -sub getConfig{return %config} - -sub getShortDescr { - return "Collects network info from Vista NetworkList key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching networklist v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $base_path = "Microsoft\\Windows NT\\CurrentVersion\\NetworkList"; - -# First, get profile info - my $key_path = $base_path."\\Profiles"; - my $key; - my %nl; # hash of hashes to hold data - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - - my @sk = $key->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $s (@sk) { - my $name = $s->get_name(); - $nl{$name}{LastWrite} = $s->get_timestamp(); - eval { - $nl{$name}{ProfileName} = $s->get_value("ProfileName")->get_data(); - $nl{$name}{Description} = $s->get_value("Description")->get_data(); - $nl{$name}{Managed} = $s->get_value("Managed")->get_data(); - - my $create = $s->get_value("DateCreated")->get_data(); - $nl{$name}{DateCreated} = parseDate128($create) if (length($create) == 16); - my $conn = $s->get_value("DateLastConnected")->get_data(); - $nl{$name}{DateLastConnected} = 
parseDate128($conn) if (length($conn) == 16); - -# $nl{$name}{NameType} = $s->get_value("ProfileName")->get_data(); - }; - } - -# Get additional information from the Signatures subkey - $key_path = $base_path."\\Signatures\\Managed"; - if ($key = $root_key->get_subkey($key_path)) { - my @sk = $key->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $s (@sk) { - eval { - my $prof = $s->get_value("ProfileGuid")->get_data(); - my $tmp = substr($s->get_value("DefaultGatewayMac")->get_data(),0,6); - my $mac = uc(unpack("H*",$tmp)); - my @t = split(//,$mac); - $nl{$prof}{DefaultGatewayMac} = $t[0].$t[1]."-".$t[2].$t[3]. - "-".$t[4].$t[5]."-".$t[6].$t[7]."-".$t[8].$t[9]."-".$t[10].$t[11]; - }; - } - } - } - - $key_path = $base_path."\\Signatures\\Unmanaged"; - if ($key = $root_key->get_subkey($key_path)) { - my @sk = $key->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $s (@sk) { - eval { - my $prof = $s->get_value("ProfileGuid")->get_data(); - my $tmp = substr($s->get_value("DefaultGatewayMac")->get_data(),0,6); - my $mac = uc(unpack("H*",$tmp)); - my @t = split(//,$mac); - $nl{$prof}{DefaultGatewayMac} = $t[0].$t[1]."-".$t[2].$t[3]. - "-".$t[4].$t[5]."-".$t[6].$t[7]."-".$t[8].$t[9]."-".$t[10].$t[11]; - }; - } - } - } - -# Now, display the information - foreach my $n (keys %nl) { - my $str = sprintf "%-15s Gateway Mac: ".$nl{$n}{DefaultGatewayMac},$nl{$n}{ProfileName}; - ::rptMsg($nl{$n}{ProfileName}); - ::rptMsg(" Key LastWrite : ".gmtime($nl{$n}{LastWrite})." UTC"); - ::rptMsg(" DateLastConnected: ".$nl{$n}{DateLastConnected}); - ::rptMsg(" DateCreated : ".$nl{$n}{DateCreated}); - ::rptMsg(" DefaultGatewayMac: ".$nl{$n}{DefaultGatewayMac}); - ::rptMsg(""); - } - - } - else { - ::rptMsg($key_path." has not subkeys"); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} - - - -sub parseDate128 { - my $date = $_[0]; - my @months = ("Jan","Feb","Mar","Apr","May","Jun","Jul", - "Aug","Sep","Oct","Nov","Dec"); - my @days = ("Sun","Mon","Tue","Wed","Thu","Fri","Sat"); - my ($yr,$mon,$dow,$dom,$hr,$min,$sec,$ms) = unpack("v*",$date); - $hr = "0".$hr if ($hr < 10); - $min = "0".$min if ($min < 10); - $sec = "0".$sec if ($sec < 10); - my $str = $days[$dow]." ".$months[$mon - 1]." ".$dom." ".$hr.":".$min.":".$sec." ".$yr; - return $str; -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/networkuid.pl b/RecentActivity/release/rr/plugins/networkuid.pl deleted file mode 100644 index 7a457e111f..0000000000 --- a/RecentActivity/release/rr/plugins/networkuid.pl +++ /dev/null 
@@ -1,57 +0,0 @@ -#----------------------------------------------------------- -# networkuid.pl -# Gets UID value from Network key -# -# References -# http://blogs.technet.com/mmpc/archive/2010/03/11/got-zbot.aspx -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package networkuid; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20100312); - -sub getConfig{return %config} - -sub getShortDescr { - return "Gets Network key UID value"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching networkuid v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Network"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite time = ".gmtime($key->get_timestamp())); - ::rptMsg(""); - - eval { - my $uid = $key->get_value("UID")->get_data(); - ::rptMsg("UID value = ".$uid); - }; - ::rptMsg("UID value not found.") if ($@); - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/nic.pl b/RecentActivity/release/rr/plugins/nic.pl deleted file mode 100644 index f176150a92..0000000000 --- a/RecentActivity/release/rr/plugins/nic.pl +++ /dev/null 
@@ -1,80 +0,0 @@ -#----------------------------------------------------------- -# nic.pl -# -# -# Change history -# 20100401 - created -# -# References -# LeaseObtainedTime - http://technet.microsoft.com/en-us/library/cc978465.aspx -# T1 - http://technet.microsoft.com/en-us/library/cc978470.aspx -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package nic; -use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100401); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets NIC info from System hive"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - my %nics; - my $ccs; - ::logMsg("Launching nic v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my $current; - eval { - $current = $root_key->get_subkey("Select")->get_value("Current")->get_data(); - }; - my @nics; - my $key_path = "ControlSet00".$current."\\Services"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - my @svcs = $key->get_list_of_subkeys(); - foreach my $s (@svcs) { - push(@nics,$s) if ($s->get_name() =~ m/^{/); - } - foreach my $n (@nics) { - eval { - my @vals = $n->get_subkey("Parameters\\Tcpip")->get_list_of_values(); - ::rptMsg("Adapter: ".$n->get_name()); - ::rptMsg("LastWrite Time: ".gmtime($n->get_timestamp())." Z"); - foreach my $v (@vals) { - my $name = $v->get_name(); - my $data = $v->get_data(); - $data = gmtime($data)." Z" if ($name eq "T1" || $name eq "T2"); - $data = gmtime($data)." 
Z" if ($name =~ m/Time$/); - - ::rptMsg(sprintf " %-20s %-20s",$name,$data); - - } - ::rptMsg(""); - }; - } - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/nic2.pl b/RecentActivity/release/rr/plugins/nic2.pl deleted file mode 100644 index 44d4d8099a..0000000000 --- a/RecentActivity/release/rr/plugins/nic2.pl +++ /dev/null 
@@ -1,80 +0,0 @@ -#----------------------------------------------------------- -# nic2.pl -# -# -# Change history -# 20100401 - created -# -# References -# LeaseObtainedTime - http://technet.microsoft.com/en-us/library/cc978465.aspx -# T1 - http://technet.microsoft.com/en-us/library/cc978470.aspx -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package nic2; -use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100401); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets NIC info from System hive"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - my %nics; - my $ccs; - ::logMsg("Launching nic v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my $current; - eval { - $current = $root_key->get_subkey("Select")->get_value("Current")->get_data(); - }; - my @nics; - my $key_path = "ControlSet00".$current."\\Services\\Tcpip\\Parameters\\Interfaces"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - my @guids = $key->get_list_of_subkeys(); - if (scalar @guids > 0) { - foreach my $g (@guids) { - ::rptMsg("Adapter: ".$g->get_name()); - ::rptMsg("LastWrite Time: ".gmtime($g->get_timestamp())." Z"); - eval { - my @vals = $g->get_list_of_values(); - foreach my $v (@vals) { - my $name = $v->get_name(); - my $data = $v->get_data(); - $data = gmtime($data)." Z" if ($name eq "T1" || $name eq "T2"); - $data = gmtime($data)." 
Z" if ($name =~ m/Time$/); - ::rptMsg(sprintf " %-28s %-20s",$name,$data); - } - ::rptMsg(""); - }; - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/nic_mst2.pl b/RecentActivity/release/rr/plugins/nic_mst2.pl deleted file mode 100644 index 36c98b4270..0000000000 --- a/RecentActivity/release/rr/plugins/nic_mst2.pl +++ /dev/null 
@@ -1,148 +0,0 @@ -#----------------------------------------------------------- -# nic_mst2.pl -# Plugin for Registry Ripper; Get information on network -# interfaces from the System hive file - start with the -# Control\Network GUID subkeys...within the Connection key, -# look for MediaSubType == 2, and maintain a list of GUIDs. -# Then go over to the Services\Tcpip\Parameters\Interfaces -# key and get the IP configurations for each of the interface -# GUIDs -# -# Change history -# -# -# References -# http://support.microsoft.com/kb/555382 -# http://support.microsoft.com/kb/894564 -# http://support.microsoft.com/kb/899868 -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package nic_mst2; -use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets NICs from System hive; looks for MediaType = 2"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - my %nics; - my $ccs; - ::logMsg("Launching nic_mst2 v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - my $nw_path = $ccs."\\Control\\Network\\{4D36E972-E325-11CE-BFC1-08002BE10318}"; - my $nw; - if ($nw = $root_key->get_subkey($nw_path)) { - ::rptMsg("Network key"); - ::rptMsg($nw_path); -# Get all of the subkey names - my @sk = $nw->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach 
my $s (@sk) { - my $name = $s->get_name(); - next if ($name eq "Descriptions"); - if (my $conn = $nw->get_subkey($name."\\Connection")) { - my %conn_vals; - my @vals = $conn->get_list_of_values(); - map{$conn_vals{$_->get_name()} = $_->get_data()}@vals; -# See what the active NICs were on the system; "active" based on PnpInstanceID having -# a string value -# Get the GUID of the interface, the name, and the LastWrite time of the Connection -# key - if (exists $conn_vals{PnpInstanceID} && $conn_vals{PnpInstanceID} ne "") { - $nics{$name}{Name} = $conn_vals{Name}; - $nics{$name}{LastWrite} = $conn->get_timestamp(); - } - } - } - - } - else { - ::rptMsg($nw_path." has no subkeys."); - } - } - else { - ::rptMsg($nw_path." could not be found."); - } - } - else { - ::rptMsg($key_path." not found."); - } - ::rptMsg(""); -# access the Tcpip Services key to get the IP address information - if (scalar(keys %nics) > 0) { - my $key_path = $ccs."\\Services\\Tcpip\\Parameters\\Interfaces"; - if ($key = $root_key->get_subkey($key_path)) { - my %guids; - ::rptMsg($key_path); - ::rptMsg("LastWrite time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); -# Dump the names of the subkeys under Parameters\Interfaces into a hash - my @sk = $key->get_list_of_subkeys(); - map{$guids{$_->get_name()} = 1}(@sk); - - foreach my $n (keys %nics) { - if (exists $guids{$n}) { - my $if = $key->get_subkey($n); - ::rptMsg("Interface ".$n); - ::rptMsg("Name: ".$nics{$n}{Name}); - ::rptMsg("Control\\Network key LastWrite time ".gmtime($nics{$n}{LastWrite})." (UTC)"); - ::rptMsg("Services\\Tcpip key LastWrite time ".gmtime($if->get_timestamp())." 
(UTC)"); - - my @vals = $if->get_list_of_values; - my %ip; - map{$ip{$_->get_name()} = $_->get_data()}@vals; - - if (exists $ip{EnableDHCP} && $ip{EnableDHCP} == 1) { - ::rptMsg("\tDhcpDomain = ".$ip{DhcpDomain}); - ::rptMsg("\tDhcpIPAddress = ".$ip{DhcpIPAddress}); - ::rptMsg("\tDhcpSubnetMask = ".$ip{DhcpSubnetMask}); - ::rptMsg("\tDhcpNameServer = ".$ip{DhcpNameServer}); - ::rptMsg("\tDhcpServer = ".$ip{DhcpServer}); - } - else { - ::rptMsg("\tIPAddress = ".$ip{IPAddress}); - ::rptMsg("\tSubnetMask = ".$ip{SubnetMask}); - ::rptMsg("\tDefaultGateway = ".$ip{DefaultGateway}); - } - - } - else { - ::rptMsg("Interface ".$n." not found in the ".$key_path." key."); - } - ::rptMsg(""); - } - } - } - else { - ::rptMsg("No active network interface cards were found."); - ::logMsg("No active network interface cards were found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/nolmhash.pl b/RecentActivity/release/rr/plugins/nolmhash.pl deleted file mode 100644 index 94f253e63d..0000000000 --- a/RecentActivity/release/rr/plugins/nolmhash.pl +++ /dev/null 
@@ -1,74 +0,0 @@ -#----------------------------------------------------------- -# nolmhash.pl -# Gets NoLMHash value -# -# Change history -# 20100712 - created -# -# References -# http://support.microsoft.com/kb/299656 -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package nolmhash; -use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100712); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets NoLMHash value"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching lsa v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my ($current,$ccs); - my $sel_path = 'Select'; - my $sel; - if ($sel = $root_key->get_subkey($sel_path)) { - $current = $sel->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - my $key_path = $ccs."\\Control\\Lsa"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("nolmhash v.".$VERSION); - ::rptMsg($key_path); - ::rptMsg("LastWrite: ".gmtime($key->get_timestamp())); - ::rptMsg(""); - my $nolmhash; - eval { - $nolmhash = $key->get_value("NoLMHash")->get_data(); - ::rptMsg("NoLMHash value = ".$nolmhash); - ::rptMsg(""); - ::rptMsg("A value of 1 indicates that LMHashes are not stored in the SAM."); - }; - ::rptMsg("Error occurred getting NoLMHash value: $@") if ($@); - } - else { - ::rptMsg($key_path." not found."); - } - } - else { - ::rptMsg($sel_path." not found."); - ::logMsg($sel_path." not found."); - } -} -1; \ No newline at end of file 
diff --git a/RecentActivity/release/rr/plugins/notify.pl b/RecentActivity/release/rr/plugins/notify.pl
deleted file mode 100644
index 8919b6dbd9..0000000000
--- a/RecentActivity/release/rr/plugins/notify.pl
+++ /dev/null
@@ -1,79 +0,0 @@ -#----------------------------------------------------------- -# notify.pl -# -# -# Change History: -# 20110309 - updated output format to sort entries based on -# LastWrite time -# 20110308 - created -# -# References -# http://blogs.technet.com/b/markrussinovich/archive/2011/03/08/3392087.aspx -# -# copyright 2011 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package notify; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20110309); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get Notify subkey entries"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); -my %notify; - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching notify v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("notify"); - ::rptMsg($key_path); - ::rptMsg(""); - my @sk = $key->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $s (@sk) { - my $name = $s->get_name(); - my $lw = $s->get_timestamp(); - my $dll; - eval { - $dll = $s->get_value("DLLName")->get_data(); - push(@{$notify{$lw}},sprintf "%-15s %-25s",$name,$dll); - }; - } - - foreach my $t (reverse sort {$a <=> $b} keys %notify) { - ::rptMsg(gmtime($t)." UTC"); - foreach my $i (@{$notify{$t}}) { - ::rptMsg(" ".$i); - } - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/ntuser b/RecentActivity/release/rr/plugins/ntuser deleted file mode 100644 index f2d6b0a366..0000000000 
--- a/RecentActivity/release/rr/plugins/ntuser
+++ /dev/null
@@ -1,50 +0,0 @@
-# List of plugins for the Registry Ripper
-
-#-------------------------------------
-# NTUSER.DAT
-logonusername
-autoendtasks
-autorun
-acmru
-adoberdr
-aim
-applets
-comdlg32
-compdesc
-# The controlpanel plugin is intended for Vista systems only
-# User hives from systems prior to Vista will show 'not found'
-controlpanel
-listsoft
-logon_xp_run
-load
-mmc
-mndmru
-mp2
-mpmru
-mspaper
-officedocs
-oisc
-recentdocs
-realplayer6
-runmru
-tsclient
-ie_main
-ie_settings
-typedurls
-muicache
-#userassist
-userassist2
-user_run
-userlocsvc
-vncviewer
-winzip
-user_win
-winrar
-winlogon_u
-policies_u
-wallpaper
-vista_bitbucket
-shellfolders
-arpcache
-clampitm
-unreadmail
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/officedocs.pl b/RecentActivity/release/rr/plugins/officedocs.pl
deleted file mode 100644
index 8182a3d177..0000000000
--- a/RecentActivity/release/rr/plugins/officedocs.pl
+++ /dev/null
@@ -1,145 +0,0 @@ -#----------------------------------------------------------- -# officedocs.pl -# Plugin for Registry Ripper -# -# Change history -# -# -# References -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package officedocs; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of user's Office doc MRU keys"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching officedocs v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - ::rptMsg("officedocs v.".$VERSION); -# First, let's find out which version of Office is installed - my $version; - my $tag = 0; - my @versions = ("7\.0","8\.0", "9\.0", "10\.0", "11\.0","12\.0"); - foreach my $ver (@versions) { - my $key_path = "Software\\Microsoft\\Office\\".$ver."\\Common\\Open Find"; - if (defined($root_key->get_subkey($key_path))) { - $version = $ver; - $tag = 1; - } - } - - if ($tag) { - ::rptMsg("MSOffice version ".$version." located."); - my $key_path = "Software\\Microsoft\\Office\\".$version; - my $of_key = $root_key->get_subkey($key_path); - if ($of_key) { -# Attempt to retrieve Word docs - my @funcs = ("Open","Save As","File Save"); - foreach my $func (@funcs) { - my $word = "Common\\Open Find\\Microsoft Office Word\\Settings\\".$func."\\File Name MRU"; - my $word_key = $of_key->get_subkey($word); - if ($word_key) { - ::rptMsg($word); - ::rptMsg("LastWrite Time ".gmtime($word_key->get_timestamp())." 
(UTC)"); - ::rptMsg(""); - my $value = $word_key->get_value("Value")->get_data(); - my @data = split(/\00/,$value); - map{::rptMsg("$_");}@data; - } - else { -# ::rptMsg("Could not access ".$word); - } - ::rptMsg(""); - } -# Attempt to retrieve Excel docs - my $excel = 'Excel\\Recent Files'; - if (my $excel_key = $of_key->get_subkey($excel)) { - ::rptMsg($key_path."\\".$excel); - ::rptMsg("LastWrite Time ".gmtime($excel_key->get_timestamp())." (UTC)"); - my @vals = $excel_key->get_list_of_values(); - if (scalar(@vals) > 0) { - my %files; -# Retrieve values and load into a hash for sorting - foreach my $v (@vals) { - my $val = $v->get_name(); - my $data = $v->get_data(); - my $tag = (split(/File/,$val))[1]; - $files{$tag} = $val.":".$data; - } -# Print sorted content to report file - foreach my $u (sort {$a <=> $b} keys %files) { - my ($val,$data) = split(/:/,$files{$u},2); - ::rptMsg(" ".$val." -> ".$data); - } - } - else { - ::rptMsg($key_path.$excel." has no values."); - } - } - else { - ::rptMsg($key_path.$excel." not found."); - } - ::rptMsg(""); -# Attempt to retrieve PowerPoint docs - my $ppt = 'PowerPoint\\Recent File List'; - if (my $ppt_key = $of_key->get_subkey($ppt)) { - ::rptMsg($key_path."\\".$ppt); - ::rptMsg("LastWrite Time ".gmtime($ppt_key->get_timestamp())." (UTC)"); - my @vals = $ppt_key->get_list_of_values(); - if (scalar(@vals) > 0) { - my %files; -# Retrieve values and load into a hash for sorting - foreach my $v (@vals) { - my $val = $v->get_name(); - my $data = $v->get_data(); - my $tag = (split(/File/,$val))[1]; - $files{$tag} = $val.":".$data; - } -# Print sorted content to report file - foreach my $u (sort {$a <=> $b} keys %files) { - my ($val,$data) = split(/:/,$files{$u},2); - ::rptMsg(" ".$val." -> ".$data); - } - } - else { - ::rptMsg($key_path."\\".$ppt." has no values."); - } - } - else { - ::rptMsg($key_path."\\".$ppt." 
not found."); - } - } - else { - ::rptMsg("Could not access ".$key_path); - ::logMsg("Could not access ".$key_path); - } - } - else { - ::logMsg("MSOffice version not found."); - ::rptMsg("MSOffice version not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/oisc.pl b/RecentActivity/release/rr/plugins/oisc.pl deleted file mode 100644 index 2ddad06973..0000000000 --- a/RecentActivity/release/rr/plugins/oisc.pl +++ /dev/null 
@@ -1,123 +0,0 @@ -#----------------------------------------------------------- -# oisc.pl -# Plugin for Registry Ripper -# -# Change history -# 20091125 - modified by H. Carvey -# 20091110 - created -# -# References -# http://support.microsoft.com/kb/838028 -# http://support.microsoft.com/kb/916658 -# -# Derived from the officeDocs plugin -# copyright 2008-2009 H. Carvey, mangled 2009 M. Tarnawsky -# -# Michael Tarnawsky -# forensics@mialta.com -#----------------------------------------------------------- -package oisc; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20091125); - -my %prot = (0 => "Read-only HTTP", - 1 => "WEC to FPSE-enabled web folder", - 2 => "DAV to DAV-ext. web folder"); - -my %types = (0 => "no collaboration", - 1 => "SharePoint Team Server", - 2 => "Exchange 2000 Server", - 3 => "SharePoint Portal 2001 Server", - 4 => "SharePoint 2001 enhanced folder", - 5 => "Windows SharePoint Server/SharePoint Portal 2003 Server"); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of user's Office Internet Server Cache"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching oisc v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; -# First, let's find out which version of Office is installed - my $version; - my $tag = 0; - my @versions = ("7\.0","8\.0", "9\.0", "10\.0", "11\.0","12\.0"); - foreach my $ver (@versions) { - my $key_path = "Software\\Microsoft\\Office\\".$ver."\\Common\\Internet\\Server Cache"; - if (defined($root_key->get_subkey($key_path))) { - $version = $ver; - $tag = 1; - } - } - - if ($tag) { - - my %isc; - - ::rptMsg("MSOffice version ".$version." 
located."); - my $key_path = "Software\\Microsoft\\Office\\".$version."\\Common\\Internet\\Server Cache"; - my $sc_key; - if ($sc_key = $root_key->get_subkey($key_path)) { -# Attempt to retrieve Servers Cache subkeys - my @sc = ($sc_key->get_list_of_subkeys()); - if (scalar(@sc) > 0) { - foreach my $s (@sc) { - my $name = $s->get_name(); - $isc{$name}{lastwrite} = $s->get_timestamp(); - - eval { - my $t = $s->get_value("Type")->get_data(); - (exists $types{$t}) ? ($isc{$name}{type} = $types{$t}) - : ($isc{$name}{type} = $t); - }; - - eval { - my $p = $s->get_value("Protocol")->get_data(); - (exists $prot{$p}) ? ($isc{$name}{protocol} = $prot{$p}) - : ($isc{$name}{protocol} = $p); - }; - - eval { - my @e = unpack("VV",$s->get_value("Expiration")->get_data()); - $isc{$name}{expiry} = ::getTime($e[0],$e[1]); - }; - } - ::rptMsg(""); - foreach my $i (keys %isc) { - ::rptMsg($i); - ::rptMsg(" LastWrite : ".gmtime($isc{$i}{lastwrite})." UTC"); - ::rptMsg(" Expiry : ".gmtime($isc{$i}{expiry})." UTC"); - ::rptMsg(" Protocol : ".$isc{$i}{protocol}); - ::rptMsg(" Type : ".$isc{$i}{type}); - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } - } - else { - ::rptMsg("MSOffice version not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/outlook.pl b/RecentActivity/release/rr/plugins/outlook.pl deleted file mode 100644 index eafc9b3ade..0000000000 --- a/RecentActivity/release/rr/plugins/outlook.pl +++ /dev/null 
@@ -1,186 +0,0 @@ -#----------------------------------------------------------- -# outlook.pl -# **Very Beta! Based on one sample hive file only! -# -# Change history -# 20100218 - created -# -# References -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package outlook; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100218); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets user's Outlook settings"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - my %hist; - ::logMsg("Launching outlook v.".$VERSION); - - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - my @subkeys = $key->get_list_of_subkeys(); - if (scalar @subkeys > 0) { - ::rptMsg(""); - foreach my $s (@subkeys) { - - my $profile = $s->get_name(); - ::rptMsg($profile." 
Profile"); - -# AutoArchive settings -# http://support.microsoft.com/kb/198479 - eval { - my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001f0324")->get_data(); - $data =~ s/\00//g; - ::rptMsg(" Outlook 2007 AutoArchive path -> ".$data); - }; - - eval { - my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001e0324")->get_data(); - $data =~ s/\00//g; - ::rptMsg(" Outlook 2003 AutoArchive path -> ".$data); - }; - - eval { - my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001e032c")->get_data(); - $data =~ s/\00//g; - ::rptMsg(" Outlook 2003 AutoArchive path (alt) -> ".$data); - }; - -# http://support.microsoft.com/kb/288570 - eval { - my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("101e0384")->get_data(); - $data =~ s/\00//g; - ::rptMsg(" Open Other Users MRU (Outlook 97) -> ".$data); - }; - - eval { - my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("101f0390")->get_data(); - $data =~ s/\00//g; - ::rptMsg(" Open Other Users MRU (Outlook 2003) -> ".$data); - }; - - - - eval { - my $data = unpack("V",$s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("00036601")->get_data()); - my $str; - if ($data == 4) { - $str = " Cached Exchange Mode disabled."; - } - elsif ($data == 4484) { - $str = " Cached Exchange Mode enabled."; - } - else { - $str = sprintf " Cached Exchange Mode: 0x%x",$data; - } - ::rptMsg($str); - }; - - eval { - my $data = $s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("001f6610")->get_data(); - $data =~ s/\00//g; - ::rptMsg(" Path to OST file: ".$data); - }; - - eval { - my $data = $s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("001f6607")->get_data(); - $data =~ s/\00//g; - ::rptMsg(" Email: ".$data); - }; - - eval { - my $data = $s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("001f6620")->get_data(); - $data =~ s/\00//g; - ::rptMsg(" Email: ".$data); - }; - -# 
http://support.microsoft.com/kb/959956 -# eval { -# my $data = $s->get_subkey("13dbb0c8aa05101a9bb000aa002fc45a")->get_value("01026687")->get_data(); -# $data =~ s/\00/\./g; -# $data =~ s/\W//g; -# ::rptMsg(" Non-SMTP Email: ".$data); -# }; - - - - - - - - - - - - - - - eval { - my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001e032c")->get_data(); - $data =~ s/\00//g; - ::rptMsg(" Outlook 2003 AutoArchive path (alt) -> ".$data); - }; - - - - - - - eval { - my $data = $s->get_subkey("0a0d020000000000c000000000000046")->get_value("001f0418")->get_data(); - $data =~ s/\00//g; - ::rptMsg(" 001f0418 -> ".$data); - }; -# ::rptMsg("Error : ".$@) if ($@); - - -# Account Names and signatures -# http://support.microsoft.com/kb/938360 - my @subkeys = $s->get_subkey("9375CFF0413111d3B88A00104B2A6676")->get_list_of_subkeys(); - if (scalar @subkeys > 0) { - - foreach my $s2 (@subkeys) { - eval { - - - }; - } - } - - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/pagefile.pl b/RecentActivity/release/rr/plugins/pagefile.pl deleted file mode 100644 index f0484de431..0000000000 --- a/RecentActivity/release/rr/plugins/pagefile.pl +++ /dev/null 
@@ -1,71 +0,0 @@ -#----------------------------------------------------------- -# pagefile.pl -# -# Ref: -# -# http://support.microsoft.com/kb/314834 - ClearPagefileAtShutdown -# -# copyright 2008-2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package pagefile; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20081212); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get info on pagefile(s)"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching pagefile v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - - my $mm_path = "ControlSet00".$current."\\Control\\Session Manager\\Memory Management"; - my $mm; - if ($mm = $root_key->get_subkey($mm_path)) { - - eval { - my $files = $mm->get_value("PagingFiles")->get_data(); - ::rptMsg("PagingFiles = ".$files); - }; - ::rptMsg($@) if ($@); - - eval { - my $cpf = $mm->get_value("ClearPageFileAtShutdown")->get_data(); - ::rptMsg("ClearPageFileAtShutdown = ".$cpf); - }; - - } - else { - ::rptMsg($mm_path." not found."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; diff --git a/RecentActivity/release/rr/plugins/polacdms.pl b/RecentActivity/release/rr/plugins/polacdms.pl deleted file mode 100644 index 83efc86670..0000000000 --- a/RecentActivity/release/rr/plugins/polacdms.pl +++ /dev/null 
@@ -1,93 +0,0 @@ -#----------------------------------------------------------- -# polacdms -# Get the audit policy from the Security hive file; also, gets -# -# -# Change History: -# 20100531 - Created -# -# References: -# http://en.wikipedia.org/wiki/Security_Identifier -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package polacdms; -use strict; - -my %config = (hive => "Security", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100531); - -sub getConfig{return %config} -sub getShortDescr { - return "Get local machine SID from Security hive"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching polacdms v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Policy\\PolAcDmS"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("PolAcDmS"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my $data; - eval { - $data = $key->get_value("")->get_data(); - }; - if ($@) { - ::rptMsg("Error occurred getting data from ".$key_path); - ::rptMsg(" - ".$@); - } - else { - my @d = unpack("V4",substr($data,8,16)); - ::rptMsg("Machine SID: S-1-5-".(join('-',@d))); - } - } - else { - ::rptMsg($key_path." not found."); - } - ::rptMsg(""); - my $key_path = "Policy\\PolPrDmS"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("PolPrDmS"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); - ::rptMsg(""); - - my $data; - eval { - $data = $key->get_value("")->get_data(); - }; - if ($@) { - ::rptMsg("Error occurred getting data from ".$key_path); - ::rptMsg(" - ".$@); - } - else { - my @d = unpack("V4",substr($data,8,16)); - ::rptMsg("Primary Domain SID: S-1-5-".(join('-',@d))); - } - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/policies_u.pl b/RecentActivity/release/rr/plugins/policies_u.pl deleted file mode 100644 index 9a15c13112..0000000000 --- a/RecentActivity/release/rr/plugins/policies_u.pl +++ /dev/null 
@@ -1,73 +0,0 @@ -#----------------------------------------------------------- -# policies_u -# Get values from user's WinLogon key -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package policies_u; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20091021); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get values from the user's Policies key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching policies_u v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion"; - my $key; - if ($key = $root_key->get_subkey($key_path."\\policies")) { -# ::rptMsg("policies key found."); - - } - elsif ($key = $root_key->get_subkey($key_path."\\Policies")) { -# ::rptMsg("Policies key found."); - - } - else { - ::rptMsg("Neither policies nor Policies key found."); - return; - } - - eval { - my @vals = $key->get_subkey("Explorer")->get_list_of_values(); - if (scalar(@vals) > 0) { - ::rptMsg(""); - ::rptMsg("Explorer subkey values:"); - foreach my $v (@vals) { - my $str = sprintf "%-20s %-20s",$v->get_name(),$v->get_data(); - ::rptMsg(" ".$str); - } - } - }; - ::rptMsg(""); - eval { - my $quota = $key->get_subkey("System")->get_value("EnableProfileQuota")->get_data(); - ::rptMsg("EnableProfileQuota = ".$quota); - ::rptMsg(""); - ::rptMsg("The EnableProfileQuota = 1 setting causes the proquota\.exe to be run"); - ::rptMsg("automatically in order to limit the size of roaming profiles\. 
This"); - ::rptMsg("corresponds to the Limit Profile Size GPO setting\."); - }; - ::rptMsg("System\\EnableProfileQuota value not found\.") if ($@); -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/port_dev.pl b/RecentActivity/release/rr/plugins/port_dev.pl deleted file mode 100644 index 3ceaf1ae73..0000000000 --- a/RecentActivity/release/rr/plugins/port_dev.pl +++ /dev/null 
@@ -1,89 +0,0 @@ -#----------------------------------------------------------- -# port_dev -# Parse Microsoft\Windows Portable Devices\Devices key on Vista -# Get historical information about drive letter assigned to devices -# -# NOTE: Credit for "discovery" goes to Rob Lee -# -# Change History: -# 20090118 - changed the name of the plugin from "removdev" -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package port_dev; -use strict; - -my %config = (hive => "Software", - osmask => 192, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090118); - -sub getConfig{return %config} - -sub getShortDescr { - return "Parses Windows Portable Devices key (Vista)"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching port_dev v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\Windows Portable Devices\\Devices"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("RemovDev"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - - foreach my $s (@subkeys) { - my $name = $s->get_name(); - my $lastwrite = $s->get_timestamp(); - - my $letter; - eval { - $letter = $s->get_value("FriendlyName")->get_data(); - }; - ::rptMsg($name." key error: $@") if ($@); - - my $half; - if (grep(/##/,$name)) { - $half = (split(/##/,$name))[1]; - } - - if (grep(/\?\?/,$name)) { - $half = (split(/\?\?/,$name))[1]; - } - - my ($dev,$sn) = (split(/#/,$half))[1,2]; - - ::rptMsg("Device : ".$dev); - ::rptMsg("LastWrite : ".gmtime($lastwrite)." 
(UTC)"); - ::rptMsg("SN : ".$sn); - ::rptMsg("Drive : ".$letter); - ::rptMsg(""); - - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/printermru.pl b/RecentActivity/release/rr/plugins/printermru.pl deleted file mode 100644 index 531f1f19ad..0000000000 --- a/RecentActivity/release/rr/plugins/printermru.pl +++ /dev/null 
@@ -1,74 +0,0 @@ -#----------------------------------------------------------- -# printermru.pl -# Plugin to get RealVNC MRU listings from NTUSER.DAT -# -# Change history -# 20091125 - created -# -# References -# -# copyright 2009 H. Carvey -#----------------------------------------------------------- -package printermru; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20091125); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets user's Printer Wizard MRU listing"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching printermru v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Printers\\Settings\\Wizard\\ConnectMRU'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - my %mru; - my @list; - foreach my $v (@vals) { - $mru{$v->get_name()} = $v->get_data(); - } - - if (exists $mru{MRUList}) { - @list = split(//,$mru{MRUList}); - } - - ::rptMsg("Printers listed in MRUList order."); - foreach my $i (0..scalar(@list) - 1) { - ::rptMsg(" ".$list[$i]." -> ".$mru{$list[$i]}); - } - - - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/printers.pl b/RecentActivity/release/rr/plugins/printers.pl deleted file mode 100644 index b01c920078..0000000000 --- a/RecentActivity/release/rr/plugins/printers.pl +++ /dev/null 
@@ -1,83 +0,0 @@ -#----------------------------------------------------------- -# printers.pl -# Get information about printers used by a user; System hive -# info is volatile -# -# Ref: -# http://support.microsoft.com/kb/102966 -# http://support.microsoft.com/kb/252388 -# http://support.microsoft.com/kb/102116 -# -# The following references contain information from the System -# hive that is volatile. -# http://www.undocprint.org/winspool/registry -# http://msdn.microsoft.com/en-us/library/aa394363(VS.85).aspx -# -# copyright 2008-2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package printers; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090223); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get user's printers"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching printers v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows NT\\CurrentVersion\\PrinterPorts"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time: ".gmtime($key->get_timestamp())); - ::rptMsg(""); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - ::rptMsg(" ".$v->get_name()." (".$v->get_data().")"); - } - } - else { - ::rptMsg($key_path." 
has no values."); - } - ::rptMsg(""); -# Get default printer - my $def_path = "Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows"; - my $def; - eval { - $def = $root_key->get_subkey($def_path)->get_value("Device")->get_data(); - ::rptMsg("Default Printer (via CurrentVersion\\Windows): ".$def); - }; -# another attempt to get the default printer - my $def_path = "Printers"; - my $def; - eval { - $def = $root_key->get_subkey($def_path)->get_value("DeviceOld")->get_data(); - ::rptMsg("Default Printer (via Printers->DeviceOld): ".$def); - }; - - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/product.pl b/RecentActivity/release/rr/plugins/product.pl deleted file mode 100644 index 6a70d719f4..0000000000 --- a/RecentActivity/release/rr/plugins/product.pl +++ /dev/null 
@@ -1,118 +0,0 @@ -#----------------------------------------------------------- -# product.pl -# Plugin to determine the MSI packages installed on the system -# -# Change history: -# 20100325 - created -# -# References: -# http://support.microsoft.com/kb/236590 -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package product; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20100325); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get installed product info"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -my %msi; - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching product v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\Windows\\CurrentVersion\\Installer\\UserData"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg(""); - ::rptMsg($key_path); -# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { -# Each of these subkeys should be SIDs - foreach my $s (@subkeys) { - next unless ($s->get_name() =~ m/^S/); - ::rptMsg($s->get_name()); - if ($s->get_subkey("Products")) { - processSIDKey($s->get_subkey("Products")); - ::rptMsg(""); - } - else { - ::rptMsg($s->get_name()."\\Products subkey not found."); - } - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} - -sub processSIDKey { - my $key = shift; - my %prod; - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { -# ::rptMsg($key->get_name()); - foreach my $s (@subkeys) { - my ($displayname,$lastwrite); - eval { - $displayname = $s->get_subkey("InstallProperties")->get_value("DisplayName")->get_data(); - $lastwrite = $s->get_subkey("InstallProperties")->get_timestamp(); - }; - - my $displayversion; - eval { - $displayversion = $s->get_subkey("InstallProperties")->get_value("DisplayVersion")->get_data(); - }; - - my $installdate; - eval { - $installdate = $s->get_subkey("InstallProperties")->get_value("InstallDate")->get_data(); - }; - - my $str = $displayname." v.".$displayversion.", ".$installdate; - push(@{$prod{$lastwrite}},$str); - } - - foreach my $t (reverse sort {$a <=> $b} keys %prod) { - ::rptMsg(gmtime($t)." Z"); - foreach my $i (@{$prod{$t}}) { - ::rptMsg(" ".$i); - } - } - - - } - else { - ::rptMsg($key->get_name()." has no subkeys."); - return; - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/productpolicy.pl b/RecentActivity/release/rr/plugins/productpolicy.pl deleted file mode 100644 index 9437b84fbe..0000000000 --- a/RecentActivity/release/rr/plugins/productpolicy.pl +++ /dev/null 
@@ -1,145 +0,0 @@ -#----------------------------------------------------------- -# productpolicy.pl -# Extract/parse the ControlSet00x\Control\ProductOptions\ProductPolicy value -# -# NOTE: For Vista and 2008 ONLY; the value structure changed with Windows 7 -# -# Change History: -# 20091116 - created -# -# Ref: -# http://www.geoffchappell.com/viewer.htm?doc=studies/windows/km/ntoskrnl/ -# api/ex/slmem/productpolicy.htm&tx=19 -# http://www.geoffchappell.com/viewer.htm?doc=notes/windows/license/ -# install.htm&tx=3,5,6;4 -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package productpolicy; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20091116); - -sub getConfig{return %config} - -sub getShortDescr { - return "Parse ProductPolicy value (Vista & Win2008 ONLY)"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); -my %prodinfo = (1 => "Ultimate", - 2 => "Home Basic", - 3 => "Home Premium", - 5 => "Home Basic N", - 6 => "Business", - 7 => "Standard", - 8 => "Data Center", - 10 => "Enterprise", - 11 => "Starter", - 12 => "Data Center Core", - 13 => "Standard Core", - 14 => "Enterprise Core", - 15 => "Business N"); - -sub pluginmain { - my $class = shift; - my $hive = shift; - - ::logMsg("Launching productpolicy v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $curr; - eval { - $curr = $root_key->get_subkey("Select")->get_value("Current")->get_data(); - }; - $curr = 1 if ($@); - - my $key; - my $key_path = "ControlSet00".$curr."\\Control\\ProductOptions"; - if ($key = $root_key->get_subkey($key_path)) { - my $prod; - eval { - $prod = $key->get_value("ProductPolicy")->get_data(); - }; - if ($@) { - ::rptMsg("Error getting ProductPolicy value: $@"); - } - else { - my %pol = 
parseData($prod); - ::rptMsg(""); - ::rptMsg("Note: This plugin applies to Vista and Windows 2008 ONLY."); - ::rptMsg("For a listing of names and values, see:"); - ::rptMsg("http://www.geoffchappell.com/viewer.htm?doc=notes/windows/license/install.htm&tx=3,5,6;4"); - ::rptMsg(""); - foreach my $p (sort keys %pol) { - ::rptMsg($p." - ".$pol{$p}); - } - - if (exists $prodinfo{$pol{"Kernel\-ProductInfo"}}) { - ::rptMsg(""); - ::rptMsg("Kernel\-ProductInfo = ".$prodinfo{$pol{"Kernel\-ProductInfo"}}); - } - } - } - else { - ::rptMsg($key_path." not found."); - } -} - -sub parseHeader { -# Ref: http://www.geoffchappell.com/viewer.htm?doc=studies/windows/km/ntoskrnl/ -# api/ex/slmem/productpolicy.htm&tx=19,21 - my %h; - my @v = unpack("V*",shift); - $h{size} = $v[0]; - $h{array} = $v[1]; - $h{marker} = $v[2]; - $h{version} = $v[4]; - return %h; -} - -sub parseData { - my $pd = shift; - my %policy; - my $h = substr($pd,0,0x14); - my %hdr = parseHeader($h); - my $total_size = $hdr{size}; - my $cursor = 0x14; - - while ($cursor <= $total_size) { - my @vals = unpack("v4V2", substr($pd,$cursor,0x10)); - my $value = substr($pd,$cursor,$vals[0]); - my $name = substr($value,0x10,$vals[1]); - $name =~ s/\00//g; - - my $data = substr($value,0x10 + $vals[1],$vals[3]); - if ($vals[2] == 4) { -# $data = sprintf "0x%x",unpack("V",$data); - $data = unpack("V",$data); - } - elsif ($vals[2] == 1) { - $data =~ s/\00//g; - } - elsif ($vals[2] == 3) { - $data = unpack("H*",$data); - } - else { - - } - $policy{$name} = $data; - $cursor += $vals[0]; - } - delete $policy{""}; - return %policy; -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/producttype.pl b/RecentActivity/release/rr/plugins/producttype.pl deleted file mode 100644 index 41b39677b6..0000000000 --- a/RecentActivity/release/rr/plugins/producttype.pl +++ /dev/null 
@@ -1,88 +0,0 @@ -#----------------------------------------------------------- -# producttype.pl -# Determine Windows product information -# -# History -# 20100713 - updated reference info, formatting -# 20100325 - renamed to producttype.pl -# -# References -# http://support.microsoft.com/kb/181412 -# http://support.microsoft.com/kb/152078 -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package producttype; -use strict; -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100325); - -sub getConfig{return %config} -sub getShortDescr { - return "Queries System hive for Windows Product info"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching producttype v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - my $ccs = "ControlSet00".$current; - my $prod_key_path = $ccs."\\Control\\ProductOptions"; - if (my $prod_key = $root_key->get_subkey($prod_key_path)) { - ::rptMsg($prod_key_path); - ::rptMsg("LastWrite = ".gmtime($prod_key->get_timestamp())); - ::rptMsg(""); - ::rptMsg("Ref: http://support.microsoft.com/kb/152078"); - ::rptMsg(" http://support.microsoft.com/kb/181412"); - ::rptMsg(""); - my $type; - eval { - $type = $prod_key->get_value("ProductType")->get_data(); - ::rptMsg("ProductType = ".$type); - ::rptMsg("Ref: http://technet.microsoft.com/en-us/library/cc782360%28WS.10%29.aspx"); - ::rptMsg("WinNT indicates a workstation."); - ::rptMsg("ServerNT indicates a standalone server."); - ::rptMsg("LanmanNT indicates a domain controller (pri/backup)."); - }; - 
::rptMsg(""); -#----------------------------------------------------------- -# http://technet.microsoft.com/en-us/library/cc784364(WS.10).aspx -# -# http://www.geoffchappell.com/viewer.htm?doc=studies/windows/ -# km/ntoskrnl/api/ex/exinit/productsuite.htm -# -#----------------------------------------------------------- - my $suite; - eval { - $suite = $prod_key->get_value("ProductSuite")->get_data(); - ::rptMsg("ProductSuite = ".$suite); - ::rptMsg("Ref: http://technet.microsoft.com/en-us/library/cc784364%28WS.10%29.aspx"); - }; - } - else { - ::rptMsg($prod_key_path." not found."); - } - } - else { - ::rptMsg("Select key not found."); - } -} -1 \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/profilelist.pl b/RecentActivity/release/rr/plugins/profilelist.pl deleted file mode 100644 index bfeae8a6e7..0000000000 --- a/RecentActivity/release/rr/plugins/profilelist.pl +++ /dev/null 
@@ -1,137 +0,0 @@ -#----------------------------------------------------------- -# profilelist.pl -# Gets ProfileList subkeys and ProfileImagePath value; also -# gets the ProfileLoadTimeHigh and Low values, and translates them -# into a readable time -# -# History: -# 20100219 - updated to gather SpecialAccounts and domain -# user info -# 20080415 - created -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package profilelist; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20100219); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get content of ProfileList key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - - my %profiles; - - ::logMsg("Launching profilelist v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\ProfileList"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $path; - eval { - $path = $s->get_value("ProfileImagePath")->get_data(); - }; - - ::rptMsg("Path : ".$path); - ::rptMsg("SID : ".$s->get_name()); - ::rptMsg("LastWrite : ".gmtime($s->get_timestamp())." 
(UTC)"); - - my $user; - if ($path) { - my @a = split(/\\/,$path); - my $end = scalar @a - 1; - $user = $a[$end]; - $profiles{$s->get_name()} = $user; - } - - my @load; - eval { - $load[0] = $s->get_value("ProfileLoadTimeLow")->get_data(); - $load[1] = $s->get_value("ProfileLoadTimeHigh")->get_data(); - }; - if (@load) { - my $loadtime = ::getTime($load[0],$load[1]); - ::rptMsg("LoadTime : ".gmtime($loadtime)." (UTC)"); - } - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - -# The following was added 20100219 - my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon"; - if ($key = $root_key->get_subkey($key_path)) { - my @subkeys = $key->get_list_of_subkeys(); - if (scalar @subkeys > 0) { - ::rptMsg("Domain Accounts"); - foreach my $s (@subkeys) { - my $name = $s->get_name(); - next unless ($name =~ m/^S\-1/); - - (exists $profiles{$name}) ? (::rptMsg($name." [".$profiles{$name}."]")) - : (::rptMsg($name)); -# ::rptMsg("LastWrite time: ".gmtime($s->get_timestamp())); -# ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - -# Domain Cache? - eval { - my @cache = $key->get_subkey("DomainCache")->get_list_of_values(); - if (scalar @cache > 0) { - ::rptMsg(""); - ::rptMsg("DomainCache"); - foreach my $d (@cache) { - my $str = sprintf "%-15s %-20s",$d->get_name(),$d->get_data(); - ::rptMsg($str); - } - } - }; - - - } - else { - ::rptMsg($key_path." not found."); - } - - - -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/proxysettings.pl b/RecentActivity/release/rr/plugins/proxysettings.pl deleted file mode 100644 index d403c487d3..0000000000 --- a/RecentActivity/release/rr/plugins/proxysettings.pl +++ /dev/null 
@@ -1,70 +0,0 @@
-#-----------------------------------------------------------
-# proxysettings.pl
-# Plugin for Registry Ripper,
-# Internet Explorer ProxySettings key parser
-#
-# Change history
-# 20081224 - H. Carvey, updated sorting and printing routine
-#
-#
-# copyright 2008 C. Bentley
-#-----------------------------------------------------------
-package proxysettings;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20081224);
-
-sub getConfig{return %config}
-sub getShortDescr {return "Gets contents of user's Proxy Settings";}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $ntuser = shift;
- ::logMsg("Launching proxysettings v.".$VERSION);
- my $reg = Parse::Win32Registry->new($ntuser);
- my $root_key = $reg->get_root_key;
-
- my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("ProxySettings");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- my %proxy;
- foreach my $v (@vals) {
- my $name = $v->get_name();
- my $data = $v->get_data();
- my $type = $v->get_type();
- $data = unpack("V",$data) if ($type == 3);
- $proxy{$name} = $data;
- }
- foreach my $n (sort keys %proxy) {
- my $str = sprintf " %-30s %-30s",$n,$proxy{$n};
- ::rptMsg($str);
-# ::rptMsg(" ".$v->get_name()." ".$v->get_data());
- }
- }
- else {
- ::rptMsg($key_path." key has no values.");
- ::logMsg($key_path." key has no values.");
- }
- }
- else {
- ::rptMsg($key_path." hat key not found.");
- ::logMsg($key_path." hat key not found.");
- }
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/rdphint.pl b/RecentActivity/release/rr/plugins/rdphint.pl
deleted file mode 100644
index 680165812a..0000000000
--- a/RecentActivity/release/rr/plugins/rdphint.pl
+++ /dev/null
@@ -1,61 +0,0 @@
-#-----------------------------------------------------------
-# rdphint.pl - http://www.regripper.net/
-# Gathers servers logged onto via RDP and last successful username
-#
-# by Brandon Nesbit, Trustwave
-#-----------------------------------------------------------
-package rdphint;
-use strict;
-
-my %config = (hive => "NTUSER",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20090715);
-
-sub getConfig{return %config}
-sub getShortDescr { return "Gets hosts logged onto via RDP and the Domain\\Username";}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching RDPHint v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
- my $key_path = 'Software\\Microsoft\\Terminal Server Client\\Servers';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("Terminal Server Client\\Servers");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
- my @subkeys = $key->get_list_of_subkeys();
- if (scalar(@subkeys) > 0) {
- foreach my $s (@subkeys) {
- my $path;
- eval {
- $path = $s->get_value("UsernameHint")->get_data();
- };
- ::rptMsg("");
- ::rptMsg("Hostname: ".$s->get_name());
- ::rptMsg("Domain/Username: ".$path);
- ::rptMsg("LastWrite: ".gmtime($s->get_timestamp())." (UTC)");
- ::rptMsg("");
- }
- }
- else {
- ::rptMsg($key_path." has no subkeys.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/rdpport.pl b/RecentActivity/release/rr/plugins/rdpport.pl
deleted file mode 100644
index 44110d33cb..0000000000
--- a/RecentActivity/release/rr/plugins/rdpport.pl
+++ /dev/null
@@ -1,59 +0,0 @@
-#-----------------------------------------------------------
-# rdpport.pl
-# Determine the RDP Port used
-#
-# History
-# 20100713 - created
-#
-# References
-# http://support.microsoft.com/kb/306759
-#
-# copyright 2010 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package rdpport;
-use strict;
-my %config = (hive => "System",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20100713);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Queries System hive for RDP Port";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- my $key;
-
- ::logMsg("Launching rdpport v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $ccs = $root_key->get_subkey("Select")->get_value("Current")->get_data();
- my $key_path = "ControlSet00".$ccs."\\Control\\Terminal Server\\WinStations\\RDP-Tcp";
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("rdpport v.".$VERSION);
- ::rptMsg("");
- my $port;
- eval {
- $port = $key->get_value("PortNumber")->get_data();
- ::rptMsg("Remote Desktop Listening Port Number = ".$port);
- };
- ::rptMsg("Error getting PortNumber: ".$@) if ($@);
-
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-1
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/realplayer6.pl b/RecentActivity/release/rr/plugins/realplayer6.pl
deleted file mode 100644
index 7ea5913a5f..0000000000
--- a/RecentActivity/release/rr/plugins/realplayer6.pl
+++ /dev/null
@@ -1,79 +0,0 @@ -#----------------------------------------------------------- -# realplayer6.pl -# Plugin for Registry Ripper -# Get Real Player 6 MostRecentClipsx values -# -# Change history -# -# -# References -# -# Note: LastWrite times on c subkeys will all be the same, -# as each subkey is modified as when a new entry is added -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package realplayer6; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets user's RealPlayer v6 MostRecentClips\(Default) values"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching realplayer6 v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - ::rptMsg("Realplayer6 v.".$VERSION); - - my $key_path = "Software\\RealNetworks\\RealPlayer\\6.0\\Preferences"; - my $key = $root_key->get_subkey($key_path); - if ($key) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - my %rpkeys; - my $tag = "MostRecentClips"; - my @subkeys = $key->get_list_of_subkeys(); - if (scalar @subkeys > 0) { - foreach my $s (@subkeys) { - my $name = $s->get_name(); - if ($name =~ m/^$tag/) { - my $num = $name; - $num =~ s/$tag//; - $rpkeys{$num}{name} = $name; - $rpkeys{$num}{data} = $s->get_value('')->get_data(); - $rpkeys{$num}{lastwrite} = $s->get_timestamp(); - } - } - foreach my $k (sort keys %rpkeys) { - ::rptMsg("\t".$rpkeys{$k}{name}." -> ".$rpkeys{$k}{data}); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/realvnc.pl b/RecentActivity/release/rr/plugins/realvnc.pl deleted file mode 100644 index 667766aca4..0000000000 --- a/RecentActivity/release/rr/plugins/realvnc.pl +++ /dev/null 
@@ -1,75 +0,0 @@
-#-----------------------------------------------------------
-# realvnc.pl
-# Plugin to get RealVNC MRU listings from NTUSER.DAT
-#
-# Change history
-# 20091125 - created
-#
-# References
-#
-# copyright 2009 H. Carvey
-#-----------------------------------------------------------
-package realvnc;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20091125);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets user's RealVNC MRU listing";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $ntuser = shift;
- ::logMsg("Launching realvnc v.".$VERSION);
- my $reg = Parse::Win32Registry->new($ntuser);
- my $root_key = $reg->get_root_key;
-
- my $key_path = 'Software\\RealVNC\\VNCViewer4\\MRU';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- my %mru;
- my @order;
- foreach my $v (@vals) {
- $mru{$v->get_name()} = $v->get_data();
- }
-
- if (exists($mru{Order})) {
- @order = unpack("C*",$mru{Order});
-# List systems connected to based on Order MRU value
- ::rptMsg("*Systems output in \"Order\" sequence");
- foreach my $i (0..scalar(@order) - 1) {
- $order[$i] = "0".$order[$i] if ($order[$i] < 10);
- ::rptMsg(" ".$order[$i]." -> ".$mru{$order[$i]});
- }
- }
- else {
- ::rptMsg("Could not find Order value.");
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/recentdocs.pl b/RecentActivity/release/rr/plugins/recentdocs.pl
deleted file mode 100644
index 7850665376..0000000000
--- a/RecentActivity/release/rr/plugins/recentdocs.pl +++ /dev/null 
@@ -1,161 +0,0 @@ -#----------------------------------------------------------- -# recentdocs.pl -# Plugin for Registry Ripper -# Parses RecentDocs keys/values in NTUSER.DAT -# -# Change history -# 20100405 - Updated to use Encode::decode to translate strings -# 20090115 - Minor update to keep plugin from printing terminating -# MRUListEx value of 0xFFFFFFFF -# 20080418 - Minor update to address NTUSER.DAT files that have -# MRUList values in this key, rather than MRUListEx -# values -# -# References -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package recentdocs; -use strict; -use Encode; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100405); - -sub getShortDescr { - return "Gets contents of user's RecentDocs key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching recentdocs v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("RecentDocs"); - ::rptMsg("**All values printed in MRUList\\MRUListEx order."); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); -# Get RecentDocs values - my %rdvals = getRDValues($key); - if (%rdvals) { - my $tag; - if (exists $rdvals{"MRUListEx"}) { - $tag = "MRUListEx"; - } - elsif (exists $rdvals{"MRUList"}) { - $tag = "MRUList"; - } - else { - - } - - my @list = split(/,/,$rdvals{$tag}); - foreach my $i (@list) { - ::rptMsg(" ".$i." = ".$rdvals{$i}); - } - ::rptMsg(""); - } - else { - ::rptMsg($key_path." has no values."); - ::logMsg("Error: ".$key_path." 
has no values."); - } -# Get RecentDocs subkeys' values - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - ::rptMsg($key_path."\\".$s->get_name()); - ::rptMsg("LastWrite Time ".gmtime($s->get_timestamp())." (UTC)"); - - my %rdvals = getRDValues($s); - if (%rdvals) { - my $tag; - if (exists $rdvals{"MRUListEx"}) { - $tag = "MRUListEx"; - } - elsif (exists $rdvals{"MRUList"}) { - $tag = "MRUList"; - } - else { - - } - - my @list = split(/,/,$rdvals{$tag}); - ::rptMsg($tag." = ".$rdvals{$tag}); - foreach my $i (@list) { - ::rptMsg(" ".$i." = ".$rdvals{$i}); - } - - ::rptMsg(""); - } - else { - ::rptMsg($key_path." has no values."); - } - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} - - -sub getRDValues { - my $key = shift; - - my $mru = "MRUList"; - my %rdvals; - - my @vals = $key->get_list_of_values(); - if (scalar @vals > 0) { - foreach my $v (@vals) { - my $name = $v->get_name(); - my $data = $v->get_data(); - if ($name =~ m/^$mru/) { - my @mru; - if ($name eq "MRUList") { - @mru = split(//,$data); - } - elsif ($name eq "MRUListEx") { - @mru = unpack("V*",$data); - } -# Horrible, ugly cludge; the last, terminating value in MRUListEx -# is 0xFFFFFFFF, so we remove it. - pop(@mru); - $rdvals{$name} = join(',',@mru); - } - else { -# New code - $data = decode("ucs-2le", $data); - my $file = (split(/\00/,$data))[0]; -# my $file = (split(/\00\00/,$data))[0]; -# $file =~ s/\00//g; - $rdvals{$name} = $file; - } - } - return %rdvals; - } - else { - return undef; - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/regtime.pl b/RecentActivity/release/rr/plugins/regtime.pl deleted file mode 100644 index 03510c46d9..0000000000 --- a/RecentActivity/release/rr/plugins/regtime.pl +++ /dev/null 
@@ -1,65 +0,0 @@
-#! c:\perl\bin\perl.exe
-#-----------------------------------------------------------
-# regtime.pl
-# Plugin for Registry Ripper; traverses through a Registry
-# hive file, pulling out keys and their LastWrite times, and
-# then listing them in order, sorted by the most recent time
-# first - works with any Registry hive file.
-#
-# Change history
-#
-#
-# copyright 2008 H. Carvey
-#-----------------------------------------------------------
-package regtime;
-use strict;
-
-my %config = (hive => "All",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20080324);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Dumps entire hive - all keys sorted by LastWrite time";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-my %regkeys;
-
-sub pluginmain {
- my $class = shift;
- my $file = shift;
- my $reg = Parse::Win32Registry->new($file);
- my $root_key = $reg->get_root_key;
- ::logMsg("Launching regtime v.".$VERSION);
-
- traverse($root_key);
-
- foreach my $t (reverse sort {$a <=> $b} keys %regkeys) {
- foreach my $item (@{$regkeys{$t}}) {
- ::rptMsg(gmtime($t)."Z \t".$item);
- }
- }
-}
-
-sub traverse {
- my $key = shift;
- my $ts = $key->get_timestamp();
- my $name = $key->as_string();
- $name =~ s/\$\$\$PROTO\.HIV//;
- $name = (split(/\[/,$name))[0];
- push(@{$regkeys{$ts}},$name);
- foreach my $subkey ($key->get_list_of_subkeys()) {
- traverse($subkey);
- }
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/regtime_tln.pl b/RecentActivity/release/rr/plugins/regtime_tln.pl
deleted file mode 100644
index 558d7f0eeb..0000000000
--- a/RecentActivity/release/rr/plugins/regtime_tln.pl
+++ /dev/null
@@ -1,66 +0,0 @@
-#! c:\perl\bin\perl.exe
-#-----------------------------------------------------------
-# regtime.pl
-# Plugin for Registry Ripper; traverses through a Registry
-# hive file, pulling out keys and their LastWrite times, and
-# then listing them in order, sorted by the most recent time
-# first - works with any Registry hive file.
-#
-# Change history
-#
-#
-# copyright 2008 H. Carvey
-#-----------------------------------------------------------
-package regtime_tln;
-use strict;
-
-my %config = (hive => "All",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20080324);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Dumps entire hive - all keys sorted by LastWrite time";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-my %regkeys;
-
-sub pluginmain {
- my $class = shift;
- my $file = shift;
- my $reg = Parse::Win32Registry->new($file);
- my $root_key = $reg->get_root_key;
- ::logMsg("Launching regtime_tln v.".$VERSION);
-
- traverse($root_key);
-
- foreach my $t (reverse sort {$a <=> $b} keys %regkeys) {
- foreach my $item (@{$regkeys{$t}}) {
- #::rptMsg(gmtime($t)."Z \t".$item);
- ::rptMsg($t."|REG|M... ".$item);
- }
- }
-}
-
-sub traverse {
- my $key = shift;
- my $ts = $key->get_timestamp();
- my $name = $key->as_string();
- $name =~ s/\$\$\$PROTO\.HIV//;
- $name = (split(/\[/,$name))[0];
- push(@{$regkeys{$ts}},$name);
- foreach my $subkey ($key->get_list_of_subkeys()) {
- traverse($subkey);
- }
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/renocide.pl b/RecentActivity/release/rr/plugins/renocide.pl
deleted file mode 100644
index 5f71f922f9..0000000000
--- a/RecentActivity/release/rr/plugins/renocide.pl
+++ /dev/null
@@ -1,65 +0,0 @@
-#-----------------------------------------------------------
-# renocide.pl
-# Plugin to assist in the detection of malware per MMPC
-# blog post (References, below)
-#
-# Change History:
-# 20110309 - created
-#
-# References
-# http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32/Renocide
-#
-# copyright 2011 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package renocide;
-use strict;
-
-my %config = (hive => "Software",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20110309);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Check for Renocide malware";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching renocide v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "Microsoft\\DRM\\amty";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("renocide");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite: ".gmtime($key->get_timestamp()));
- ::rptMsg("");
- ::rptMst($key_path." found; possible Win32\\Renocide infection.");
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- foreach my $v (@vals) {
- ::rptMsg(sprintf "%-12s %-20s",$v->get_name(),$v->get_data());
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/routes.pl b/RecentActivity/release/rr/plugins/routes.pl
deleted file mode 100644
index 823f097b3e..0000000000
--- a/RecentActivity/release/rr/plugins/routes.pl
+++ /dev/null
@@ -1,81 +0,0 @@
-#-----------------------------------------------------------
-# routes.pl
-#
-# Some malware is known to create persistent routes
-#
-# Change History:
-# 20100817 - created
-#
-# Ref:
-# http://support.microsoft.com/kb/141383
-# http://www.symantec.com/security_response/writeup.jsp?docid=
-# 2010-041308-3301-99&tabid=2
-#
-# copyright 2010 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package routes;
-use strict;
-
-my %config = (hive => "System",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20100817);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Get persistent routes";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching routes v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
-# Code for System file, getting CurrentControlSet
- my $current;
- my $key_path = 'Select';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- $current = $key->get_value("Current")->get_data();
- my $ccs = "ControlSet00".$current;
-
- my $sb_path = $ccs."\\Services\\Tcpip\\Parameters\\PersistentRoutes";
-
- my $sb;
- if ($sb = $root_key->get_subkey($sb_path)) {
- ::rptMsg($sb_path);
- ::rptMsg("LastWrite: ".gmtime($sb->get_timestamp()));
- ::rptMsg("");
- my @vals = $sb->get_list_of_values();
-
- if (scalar(@vals) > 0) {
- ::rptMsg(sprintf "%-15s %-15s %-15s %-5s","Address","Netmask","Gateway","Metric");
- foreach my $v (@vals) {
- my ($addr,$netmask,$gateway,$metric) = split(/,/,$v->get_name(),4);
- ::rptMsg(sprintf "%-15s %-15s %-15s %-5s",$addr,$netmask,$gateway,$metric);
- }
- }
- else {
- ::rptMsg($sb_path." has no values.");
- }
- }
- else {
- ::rptMsg($sb_path." not found.");
- }
- }
- else {
- ::rptMsg($key_path." 
not found.");
- }
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/runmru.pl b/RecentActivity/release/rr/plugins/runmru.pl
deleted file mode 100644
index f18a9ec434..0000000000
--- a/RecentActivity/release/rr/plugins/runmru.pl
+++ /dev/null
@@ -1,72 +0,0 @@
-#-----------------------------------------------------------
-# runmru.pl
-# Plugin for Registry Ripper, NTUSER.DAT edition - gets the
-# RunMru values
-#
-# Change history
-#
-#
-# References
-#
-#
-# copyright 2008 H. Carvey
-#-----------------------------------------------------------
-package runmru;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20080324);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets contents of user's RunMRU key";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $ntuser = shift;
- ::logMsg("Launching runmru v.".$VERSION);
- my $reg = Parse::Win32Registry->new($ntuser);
- my $root_key = $reg->get_root_key;
-
- my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("RunMru");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- my @vals = $key->get_list_of_values();
- my %runvals;
- my $mru;
- if (scalar(@vals) > 0) {
- foreach my $v (@vals) {
- $runvals{$v->get_name()} = $v->get_data() unless ($v->get_name() =~ m/^MRUList/i);
- $mru = $v->get_data() if ($v->get_name() =~ m/^MRUList/i);
- }
- ::rptMsg("MRUList = ".$mru);
- foreach my $r (sort keys %runvals) {
- ::rptMsg($r." ".$runvals{$r});
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- ::logMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/safeboot.pl b/RecentActivity/release/rr/plugins/safeboot.pl
deleted file mode 100644
index 66ee850137..0000000000
--- a/RecentActivity/release/rr/plugins/safeboot.pl
+++ /dev/null
@@ -1,104 +0,0 @@
-#-----------------------------------------------------------
-# safeboot.pl
-#
-# Some malware is known to maintain persistence, even when the system
-# is booted to SafeMode by writing entries to the SafeBoot subkeys
-# ex: http://www.symantec.com/security_response/writeup.jsp?
-# docid=2008-011507-0108-99&tabid=2
-#
-# Ref:
-# http://support.microsoft.com/kb/315222
-# http://support.microsoft.com/kb/202485/
-#
-# copyright 2008-2009 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package safeboot;
-use strict;
-
-my %config = (hive => "System",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20081216);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Check SafeBoot entries";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching safeboot v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
-# Code for System file, getting CurrentControlSet
- my $current;
- my $key_path = 'Select';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- $current = $key->get_value("Current")->get_data();
- my $ccs = "ControlSet00".$current;
-
- my $sb_path = $ccs."\\Control\\SafeBoot";
- my $sb;
- if ($sb = $root_key->get_subkey($sb_path)) {
-
- my @sks = $sb->get_list_of_subkeys();
-
- if (scalar(@sks) > 0) {
-
- foreach my $s (@sks) {
- my $name = $s->get_name();
- my $ts = $s->get_timestamp();
- ::rptMsg($name." [".gmtime($ts)." Z]");
- my %sk;
- my @subkeys = $s->get_list_of_subkeys();
-
- if (scalar(@subkeys) > 0) {
- foreach my $s2 (@subkeys) {
- my $str;
- my $default;
- eval {
- $default = $s2->get_value("")->get_data();
- };
- ($@)?($str = $s2->get_name()):($str = $s2->get_name()." 
(".$default.")");
- push(@{$sk{$s2->get_timestamp()}},$str);
- }
-
- foreach my $t (sort keys %sk) {
- ::rptMsg(gmtime($t)." Z");
- foreach my $i (@{$sk{$t}}) {
- ::rptMsg(" ".$i);
- }
- }
- ::rptMsg("");
- }
- else {
- ::rptMsg($name." has no subkeys.");
- }
- }
- }
- else {
- ::rptMsg($sb_path." has no subkeys.");
- }
- }
- else {
- ::rptMsg($sb_path." not found.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
-# ::logMsg($key_path." not found.");
- }
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/sam b/RecentActivity/release/rr/plugins/sam
deleted file mode 100644
index 84568779ff..0000000000
--- a/RecentActivity/release/rr/plugins/sam
+++ /dev/null
@@ -1,3 +0,0 @@
-#-------------------------------------
-# SAM
-samparse
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/samparse.pl b/RecentActivity/release/rr/plugins/samparse.pl
deleted file mode 100644
index 001857728e..0000000000
--- a/RecentActivity/release/rr/plugins/samparse.pl
+++ /dev/null
@@ -1,323 +0,0 @@
-#-----------------------------------------------------------
-# samparse.pl
-# Parse the SAM hive file for user/group membership info
-#
-# Change history:
-# 20110303 - Fixed parsing of SID, added check for account type
-# Acct type determined based on Dustin Hulburt's "Forensic
-# Determination of a User's Logon Status in Windows"
-# from 10 Aug 2009 (link below)
-# 20100712 - Added References entry
-# 20091020 - Added extracting UserPasswordHint value
-# 20090413 - Added account creation date
-# 20080415 - created
-#
-# References
-# Source available here: http://pogostick.net/~pnh/ntpasswd/
-# http://accessdata.com/downloads/media/Forensic_Determination_Users_Logon_Status.pdf
-#
-# copyright 2011 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package samparse;
-use strict;
-
-my %config = (hive => "SAM",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 1,
- version => 20110303);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Parse SAM file for user/group mbrshp info";
-}
-sub getDescr{}
-sub getRefs {
- my %refs = ("Well-known SIDs" => "http://support.microsoft.com/kb/243330");
- return %refs;
-}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-my %acb_flags = (0x0001 => "Account Disabled",
- 0x0002 => "Home directory required",
- 0x0004 => "Password not required",
- 0x0008 => "Temporary duplicate account",
- 0x0010 => "Normal user account",
- 0x0020 => "MNS logon user account",
- 0x0040 => "Interdomain trust account",
- 0x0080 => "Workstation trust account",
- 0x0100 => "Server trust account",
- 0x0200 => "Password does not expire",
- 0x0400 => "Account auto locked");
-
-my %types = (0xbc => "Default Admin User",
- 0xd4 => "Custom Limited Acct",
- 0xb0 => "Default Guest Acct");
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching samparse v.".$VERSION);
- my $reg 
= Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
- ::rptMsg("");
-# Get user information
- ::rptMsg("User Information");
- ::rptMsg("-" x 25);
- my $key_path = 'SAM\\Domains\\Account\\Users';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- my @user_list = $key->get_list_of_subkeys();
- if (scalar(@user_list) > 0) {
- foreach my $u (@user_list) {
- my $rid = $u->get_name();
- my $ts = $u->get_timestamp();
- my $tag = "0000";
- if ($rid =~ m/^$tag/) {
- my $v_value = $u->get_value("V");
- my $v = $v_value->get_data();
- my %v_val = parseV($v);
- $rid =~ s/^0000//;
- $rid = hex($rid);
-
- my $c_date;
- eval {
- my $create_path = $key_path."\\Names\\".$v_val{name};
- if (my $create = $root_key->get_subkey($create_path)) {
- $c_date = $create->get_timestamp();
- }
- };
-
- ::rptMsg("Username : ".$v_val{name}." [".$rid."]");
- ::rptMsg("Full Name : ".$v_val{fullname});
- ::rptMsg("User Comment : ".$v_val{comment});
- ::rptMsg("Account Type : ".$v_val{type});
- ::rptMsg("Account Created : ".gmtime($c_date)." Z") if ($c_date > 0);
-
- my $f_value = $u->get_value("F");
- my $f = $f_value->get_data();
- my %f_val = parseF($f);
-
- my $lastlogin;
- my $pwdreset;
- my $pwdfail;
- ($f_val{last_login_date} == 0) ? ($lastlogin = "Never") : ($lastlogin = gmtime($f_val{last_login_date})." Z");
- ($f_val{pwd_reset_date} == 0) ? ($pwdreset = "Never") : ($pwdreset = gmtime($f_val{pwd_reset_date})." Z");
- ($f_val{pwd_fail_date} == 0) ? ($pwdfail = "Never") : ($pwdfail = gmtime($f_val{pwd_fail_date})." 
Z");
-
- my $pw_hint;
- eval {
- $pw_hint = $u->get_value("UserPasswordHint")->get_data();
- $pw_hint =~ s/\00//g;
- };
- ::rptMsg("Password Hint : ".$pw_hint) unless ($@);
- ::rptMsg("Last Login Date : ".$lastlogin);
- ::rptMsg("Pwd Reset Date : ".$pwdreset);
- ::rptMsg("Pwd Fail Date : ".$pwdfail);
- ::rptMsg("Login Count : ".$f_val{login_count});
- foreach my $flag (keys %acb_flags) {
- ::rptMsg(" --> ".$acb_flags{$flag}) if ($f_val{acb_flags} & $flag);
- }
- ::rptMsg("");
- }
- }
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
- ::rptMsg("-" x 25);
- ::rptMsg("Group Membership Information");
- ::rptMsg("-" x 25);
-# Get Group membership information
- my $key_path = 'SAM\\Domains\\Builtin\\Aliases';
- if ($key = $root_key->get_subkey($key_path)) {
- my %grps;
- my @groups = $key->get_list_of_subkeys();
- if (scalar(@groups) > 0) {
- foreach my $k (@groups) {
- my $name = $k->get_name();
- if ($name =~ m/^0000/) {
- $grps{$name}{LastWrite} = $k->get_timestamp();
- $grps{$name}{C_value} = $k->get_value("C")->get_data();
- }
- }
-
- foreach my $k (keys %grps) {
- my $name = $k;
- $name =~ s/^0000//;
- my %c_val = parseC($grps{$k}{C_value});
- ::rptMsg("Group Name : ".$c_val{group_name}." [".$c_val{num_users}."]");
- ::rptMsg("LastWrite : ".gmtime($grps{$k}{LastWrite})." 
Z");
- ::rptMsg("Group Comment : ".$c_val{comment});
- if ($c_val{num_users} == 0) {
- ::rptMsg("Users : None");
- }else {
- my %users = parseCUsers($grps{$k}{C_value});
- if (scalar(keys %users) != $c_val{num_users}) {
- ::logMsg("parseC function reports ".$c_val{num_users}."; parseCUsers function returned ".(scalar(keys %users)));
- }
- ::rptMsg("Users :");
- foreach my $u (keys %users) {
- ::rptMsg(" ".$u);
- }
-
- }
- ::rptMsg("");
- }
- ::rptMsg("Analysis Tips:");
- ::rptMsg(" - For well-known SIDs, see http://support.microsoft.com/kb/243330");
- ::rptMsg(" - S-1-5-4 = Interactive");
- ::rptMsg(" - S-1-5-11 = Authenticated Users");
- ::rptMsg(" - Correlate the user SIDs to the output of the ProfileList plugin");
- ::rptMsg("");
- }
- else {
- ::rptMsg($key_path." has no subkeys.");
- ::logMsg($key_path." has no subkeys.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
-
-sub parseF {
- my $f = shift;
- my %f_value = ();
- my @tv;
-# last login date
- @tv = unpack("VV",substr($f,8,8));
- $f_value{last_login_date} = ::getTime($tv[0],$tv[1]);
-# password reset/acct creation
- @tv = unpack("VV",substr($f,24,8));
- $f_value{pwd_reset_date} = ::getTime($tv[0],$tv[1]);
-# Account expires
- @tv = unpack("VV",substr($f,32,8));
- $f_value{acct_exp_date} = ::getTime($tv[0],$tv[1]);
-# Incorrect password
- @tv = unpack("VV",substr($f,40,8));
- $f_value{pwd_fail_date} = ::getTime($tv[0],$tv[1]);
- $f_value{rid} = unpack("V",substr($f,48,4));
- $f_value{acb_flags} = unpack("v",substr($f,56,2));
- $f_value{failed_count} = unpack("v",substr($f,64,2));
- $f_value{login_count} = unpack("v",substr($f,66,2));
- return %f_value;
-}
-
-sub parseV {
- my $v = shift;
- my %v_val = ();
- my $header = substr($v,0,44);
- my @vals = unpack("V*",$header);
- $v_val{type} = $types{$vals[1]};
- $v_val{name} = _uniToAscii(substr($v,($vals[3] + 0xCC),$vals[4]));
- $v_val{fullname} = _uniToAscii(substr($v,($vals[6] + 0xCC),$vals[7])) if 
($vals[7] > 0);
- $v_val{comment} = _uniToAscii(substr($v,($vals[9] + 0xCC),$vals[10])) if ($vals[10] > 0);
- return %v_val;
-}
-
-sub parseC {
- my $cv = $_[0];
- my %c_val = ();
- my $header = substr($cv,0,0x34);
- my @vals = unpack("V*",$header);
-
- $c_val{group_name} = _uniToAscii(substr($cv,(0x34 + $vals[4]),$vals[5]));
- $c_val{comment} = _uniToAscii(substr($cv,(0x34 + $vals[7]),$vals[8]));
- $c_val{num_users} = $vals[12];
-
- return %c_val;
-}
-
-sub parseCUsers {
- my $cv = $_[0];
- my %members = ();
- my $header = substr($cv,0,0x34);
- my @vals = unpack("V*",$header);
-
- my $num = $vals[12];
-
- my @users = ();
- my $ofs;
- if ($num > 0) {
- my $count = 0;
- foreach my $c (1..$num) {
- my $ofs = $vals[10] + 52 + $count;
- my $tmp = unpack("V",substr($cv,$ofs,4));
-
- if ($tmp == 0x101) {
- $ofs++ if (unpack("C",substr($cv,$ofs,1)) == 0);
- $members{_translateSID(substr($cv,$ofs,12))} = 1;
- $count += 12;
- }
- elsif ($tmp == 0x501) {
- $members{_translateSID(substr($cv,$ofs,28))} = 1;
- $count += 28;
- }
- else {
-
- }
- }
- }
- return %members;
-}
-
-#---------------------------------------------------------------------
-# _translateSID()
-# Translate binary data into a SID
-# References:
-# http://blogs.msdn.com/oldnewthing/archive/2004/03/15/89753.aspx
-# http://support.microsoft.com/kb/286182/
-# http://support.microsoft.com/kb/243330
-#---------------------------------------------------------------------
-sub _translateSID {
- my $sid = $_[0];
- my $len = length($sid);
- my $revision;
- my $dashes;
- my $idauth;
- if ($len < 12) {
-# Is a SID ever less than 12 bytes? 
- return "SID less than 12 bytes";
- }
- elsif ($len == 12) {
- $revision = unpack("C",substr($sid,0,1));
- $dashes = unpack("C",substr($sid,1,1));
- $idauth = unpack("H*",substr($sid,2,6));
- $idauth =~ s/^0+//g;
- my $sub = unpack("V",substr($sid,8,4));
- return "S-".$revision."-".$idauth."-".$sub;
- }
- elsif ($len > 12) {
- $revision = unpack("C",substr($sid,0,1));
- $dashes = unpack("C",substr($sid,1,1));
- $idauth = unpack("H*",substr($sid,2,6));
- $idauth =~ s/^0+//g;
- my @sub = unpack("V4",substr($sid,8,16));
- my $rid = unpack("V",substr($sid,24,4));
- my $s = join('-',@sub);
- return "S-".$revision."-".$idauth."-".$s."-".$rid;
- }
- else {
-# Nothing to do
- }
-}
-
-#---------------------------------------------------------------------
-# _uniToAscii()
-#---------------------------------------------------------------------
-sub _uniToAscii {
- my $str = $_[0];
- $str =~ s/\00//g;
- return $str;
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/schedagent.pl b/RecentActivity/release/rr/plugins/schedagent.pl
deleted file mode 100644
index a3f0d4012f..0000000000
--- a/RecentActivity/release/rr/plugins/schedagent.pl
+++ /dev/null
@@ -1,87 +0,0 @@
-#-----------------------------------------------------------
-# schedagent
-# Get contents of SchedulingAgent key from Software hive
-#
-# copyright 2010 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package schedagent;
-use strict;
-
-my %config = (hive => "Software",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 1,
- version => 20100817);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Get SchedulingAgent key contents";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching schedagent v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "Microsoft\\SchedulingAgent";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
-
- my ($oldname,$logpath,$folder,$lastrun,$size);
- eval {
- $oldname = $key->get_value("OldName")->get_data();
- ::rptMsg("OldName = ".$oldname);
- };
-
- eval {
- $logpath = $key->get_value("LogPath")->get_data();
- ::rptMsg("LogPath = ".$logpath);
- };
-
- eval {
- $size = $key->get_value("MaxLogSizeKB")->get_data();
- ::rptMsg("MaxLogSizeKB = ".$size);
- };
-
- eval {
- $folder = $key->get_value("TasksFolder")->get_data();
- ::rptMsg("TasksFolder = ".$folder);
- };
-#
- eval {
- $lastrun = $key->get_value("LastTaskRun")->get_data();
- ::rptMsg("LastTaskRun = ".parseSystemTime($lastrun));
- ::rptMsg("");
- ::rptMsg("Note: LastTaskRun time is written in local system time, not GMT");
- };
-
- }
- else {
- ::rptMsg($key_path." 
not found.");
- }
-}
-
-sub parseSystemTime {
- my ($yr,$mon,$dow,$day,$hr,$min,$sec,$mil) = unpack("v8",$_[0]);
- $mon = "0".$mon unless ($mon =~ /^\d\d$/);
- $day = "0".$day unless ($day =~ /^\d\d$/);
- $hr = "0".$hr unless ($hr =~ /^\d\d$/);
- $min = "0".$min unless ($min =~ /^\d\d$/);
- $sec = "0".$sec unless ($sec =~ /^\d\d$/);
- return "$yr-$mon-$day $hr:$min:$sec";
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/secctr.pl b/RecentActivity/release/rr/plugins/secctr.pl
deleted file mode 100644
index 19e53f71bb..0000000000
--- a/RecentActivity/release/rr/plugins/secctr.pl
+++ /dev/null
@@ -1,67 +0,0 @@
-#-----------------------------------------------------------
-# secctr
-# Plugin to get data from Security Center keys
-#
-# Change History:
-# 20100310 - created
-#
-# References:
-#
-#
-# copyright 2010 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package secctr;
-use strict;
-
-my %config = (hive => "Software",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20100310);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Get data from Security Center key";
-}
-sub getDescr{}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- my $infected = 0;
- ::logMsg("Launching secctr v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
- my $key_path = 'Microsoft\Security Center';
- my $key;
- ::rptMsg("secctr");
- ::rptMsg("");
-
- if ($key = $root_key->get_subkey($key_path)) {
- $infected++;
- ::rptMsg("");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- foreach my $v (@vals) {
- my $str = sprintf "%-25s 0x%02x",$v->get_name(),$v->get_data();
- ::rptMsg($str);
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::rptMsg("");
- }
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/security b/RecentActivity/release/rr/plugins/security
deleted file mode 100644
index 233d63ca80..0000000000
--- a/RecentActivity/release/rr/plugins/security
+++ /dev/null
@@ -1,4 +0,0 @@
-#-------------------------------------
-# Security
-polacdms
-auditpol
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/services.pl b/RecentActivity/release/rr/plugins/services.pl
deleted file mode 100644
index a22e24f8fa..0000000000
--- a/RecentActivity/release/rr/plugins/services.pl
+++ /dev/null
@@ -1,150 +0,0 @@
-#-----------------------------------------------------------
-# services.pl
-# Plugin for Registry Ripper; Access System hive file to get the
-# services
-#
-# Change history
-# 20080507 - Added collection of Type and Start values; separated
-# data by Services vs. Drivers; created separate plugin
-# for Drivers
-# 20080505 - Added collection of ImagePath and DisplayName, if avail.
-#
-# References
-#
-#
-# copyright 2008 H. Carvey
-#-----------------------------------------------------------
-package services;
-#use strict;
-
-my %config = (hive => "System",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20080507);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Lists services/drivers in Services key by LastWrite times";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-# Reference for types and start types:
-# http://msdn.microsoft.com/en-us/library/aa394420(VS.85).aspx
-my %types = (0x001 => "Kernel driver",
- 0x002 => "File system driver",
- 0x010 => "Own_Process",
- 0x020 => "Share_Process",
- 0x100 => "Interactive");
-
-my %starts = (0x00 => "Boot Start",
- 0x01 => "System Start",
- 0x02 => "Auto Start",
- 0x03 => "Manual",
- 0x04 => "Disabled");
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching services v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-# First thing to do is get the ControlSet00x marked current...this is
-# going to be used over and over again in plugins that access the system
-# file
- my $current;
- my $key_path = 'Select';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- $current = $key->get_value("Current")->get_data();
- my $ccs = "ControlSet00".$current;
- my $s_path = $ccs."\\Services";
- my $svc;
- my %svcs;
- if ($svc = $root_key->get_subkey($s_path)) {
- 
::rptMsg($s_path);
- ::rptMsg(getShortDescr());
- ::rptMsg("");
-# Get all subkeys and sort based on LastWrite times
- my @subkeys = $svc->get_list_of_subkeys();
- if (scalar (@subkeys) > 0) {
- foreach my $s (@subkeys) {
-
- my $type;
- eval {
- $type = $s->get_value("Type")->get_data();
-# Only look for services; drivers handled in another plugin
- if (exists $types{$type}) {
- $type = $types{$type};
- }
- else {
- $type = sprintf "0x%x",$t;
- }
- };
-
- $name = $s->get_name();
- my $display;
- eval {
- $display = $s->get_value("DisplayName")->get_data();
- };
-
- my $image;
- eval {
- $image = $s->get_value("ImagePath")->get_data();
- };
-
- my $start;
- eval {
- $start = $s->get_value("Start")->get_data();
- if (exists $starts{$start}) {
- $start = $starts{$start};
- }
- };
-
- my $group;
- eval {
- $group = $s->get_value("Group")->get_data();
- };
-
- my $str = $name.";".$display.";".$image.";".$type.";".$start.";".$group;
- push(@{$svcs{$s->get_timestamp()}},$str) unless ($str eq "");
- }
-
- foreach my $t (reverse sort {$a <=> $b} keys %svcs) {
- ::rptMsg(gmtime($t)."Z");
- foreach my $item (@{$svcs{$t}}) {
- my ($n,$d,$i,$t,$s,$g) = split(/;/,$item,6);
- ::rptMsg(" Name = ".$n);
- ::rptMsg(" Display = ".$d);
- ::rptMsg(" ImagePath = ".$i);
- ::rptMsg(" Type = ".$t);
- ::rptMsg(" Start = ".$s);
- ::rptMsg(" Group = ".$g);
- ::rptMsg("");
- }
- }
-
- }
- else {
- ::rptMsg($s_path." has no subkeys.");
- ::logMsg("Error: ".$s_path." has no subkeys.");
- }
- }
- else {
- ::rptMsg($s_path." not found.");
- ::logMsg($s_path." not found.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/sevenzip.pl b/RecentActivity/release/rr/plugins/sevenzip.pl
deleted file mode 100644
index cc90d31a16..0000000000
--- a/RecentActivity/release/rr/plugins/sevenzip.pl
+++ /dev/null
@@ -1,83 +0,0 @@
-#-----------------------------------------------------------
-# sevenzip.pl
-# Google Toolbar Search History plugin
-#
-#
-# Change history
-# 20100218 - created
-#
-# References
-#
-#
-#
-# copyright 2010 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package sevenzip;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20100218);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets records of histories from 7-Zip keys";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $ntuser = shift;
- my %hist;
- ::logMsg("Launching 7-zip v.".$VERSION);
-
- my $reg = Parse::Win32Registry->new($ntuser);
- my $root_key = $reg->get_root_key;
-
- my $key_path = 'Software\\7-Zip';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
-
- eval {
- ::rptMsg("");
- my @arc = $key->get_subkey("Compression")->get_subkey("ArcHistory")->get_list_of_values();
- if (scalar @arc > 0) {
- ::rptMsg("Compression\\ArcHistory");
- foreach my $a (@arc) {
- ::rptMsg(" ".$a->get_name()." -> ".$a->get_data());
- }
- }
- };
- ::rptMsg("Error: ".$@) if ($@);
-
- eval {
- ::rptMsg("");
- my @arc = $key->get_subkey("Extraction")->get_subkey("PathHistory")->get_list_of_values();
- if (scalar @arc > 0) {
- ::rptMsg("Extraction\\PathHistory");
- foreach my $a (@arc) {
- ::rptMsg(" ".$a->get_name()." -> ".$a->get_data());
- }
- }
- };
- ::rptMsg("Error: ".$@) if ($@);
-
-
-
-
-
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/sfc.pl b/RecentActivity/release/rr/plugins/sfc.pl
deleted file mode 100644
index 16e829670f..0000000000
--- a/RecentActivity/release/rr/plugins/sfc.pl
+++ /dev/null
@@ -1,107 +0,0 @@
-#-----------------------------------------------------------
-# sfc.pl
-# Check SFC settings in the Registry
-#
-# History
-# 20100305 - updated
-#
-#
-#
-# copyright 2010 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package sfc;
-use strict;
-
-my %config = (hive => "Software",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20100305);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Get SFC values";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching sfc v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
- my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("sfc v.".$VERSION);
- ::rptMsg("");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- foreach my $v (@vals) {
- my $name = $v->get_name();
- next unless ($name =~ m/^sfc/i);
- my $str;
- if ($name =~ m/^sfcquota$/i || $name =~ m/^sfcdisable$/i) {
- $str = sprintf " %-20s 0x%08x",$name,$v->get_data();
- }
- else {
- $str = sprintf " %-20s %-20s",$name,$v->get_data();
- }
- ::rptMsg($str);
- }
-
- }
- else {
- ::rptMsg($key_path." key has no values.");
- }
- }
- else {
- ::rptMsg($key_path." key not found.");
- ::logMsg($key_path." 
key not found.");
- }
- ::rptMsg("");
-# According to http://support.microsoft.com/kb/222193, sfc* values in this key, if
-# it exists, take precedence over and are copied into the values within the Winlogon
-# key; see also http://support.microsoft.com/kb/222473/
- my $key_path = "Policies\\Microsoft\\Windows NT\\Windows File Protection";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- foreach my $v (@vals) {
- my $name = $v->get_name();
- next unless ($name =~ m/^sfc/i);
- my $str;
- if ($name =~ m/^sfcquota$/i || $name =~ m/^sfcdisable$/i) {
- $str = sprintf " %-20s 0x%08x",$name,$v->get_data();
- }
- else {
- $str = sprintf " %-20s %-20s",$name,$v->get_data();
- }
- ::rptMsg($str);
- }
-
- }
- else {
- ::rptMsg($key_path." key has no values.");
- }
- }
- else {
- ::rptMsg($key_path." key not found.");
-# ::logMsg($key_path." not found.");
- }
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/shares.pl b/RecentActivity/release/rr/plugins/shares.pl
deleted file mode 100644
index e36f4737cb..0000000000
--- a/RecentActivity/release/rr/plugins/shares.pl
+++ /dev/null
@@ -1,128 +0,0 @@ -#----------------------------------------------------------- -# shares.pl -# -# Retrieve information about shares from a System hive file -# -# References: -# http://support.microsoft.com/kb/556023 -# For info about share types, see the Win32_Share WMI class: -# http://msdn.microsoft.com/en-us/library/aa394435(VS.85).aspx -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package shares; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090112); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get list of shares from System hive file"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); -my $root_key; - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching shares v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $ccs; - eval { - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - } - }; - if ($@) { - ::rptMsg("Problem locating proper controlset: $@"); - return; - } -# First, connect to the Services key; some versions of Windows appear to -# spell the lanmanserver key as "lanmanserver" and others as "LanmanServer" - my $key_path = $ccs."\\Services"; - my $key; - my $tag = "lanmanserver"; - my $lanman = getKeyPath($key_path,$tag); - if ($lanman ne "") { - my $share_path = $key_path."\\".$lanman."\\Shares"; - my $share; - if ($share = $root_key->get_subkey($share_path)) { - my @vals = $share->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - ::rptMsg(" ".$v->get_name()); - my @data = $v->get_data(); - 
::rptMsg(" ".$data[2]); - ::rptMsg(" ".$data[4]); - ::rptMsg(" ".$data[5]); - ::rptMsg(""); - } - } - else { - ::rptMsg($share_path." has no values."); - } - } - else { - ::rptMsg($share_path." not found."); - } - } - else { - ::rptMsg($lanman." subkey not found."); - } - -# Determine of the AutoShareServer/Wks values have been set - my $path = $key_path."\\".$lanman; - my $tag = "parameters"; - my $para = getKeyPath($path,$tag); - eval { - if ($key = $root_key->get_subkey($path."\\".$para)) { - my $auto_svr = $key->get_value("AutoShareServer")->get_data(); - ::rptMsg(" AutoShareServer = ".$auto_svr); - } - }; - - eval { - if ($key = $root_key->get_subkey($path."\\".$para)) { - my $auto_wks = $key->get_value("AutoShareWks")->get_data(); - ::rptMsg(" AutoShareWks = ".$auto_wks); - } - }; -} - -# On different versions of Windows, subkeys such as lanmanserver -# and parameters are spelled differently; use this subroutine to get -# the correct spelling of the name of the subkey -# http://support.microsoft.com/kb/288164 -sub getKeyPath { - my $path = $_[0]; - my $tag = $_[1]; - my $subkey; - if (my $key = $root_key->get_subkey($path)) { - my @sk = $key->get_list_of_subkeys(); - foreach my $s (@sk) { - my $name = $s->get_name(); - $subkey = $name if ($name =~ m/^$tag/i); - } - } - return $subkey; -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/shellexec.pl b/RecentActivity/release/rr/plugins/shellexec.pl deleted file mode 100644 index 608bacac02..0000000000 --- a/RecentActivity/release/rr/plugins/shellexec.pl +++ /dev/null 
@@ -1,118 +0,0 @@ -#----------------------------------------------------------- -# shellexec -# Get ShellExecuteHooks values from Software hive (based on BHO -# code) -# -# ShellExecuteHooks are DLLs that load as part of the Explorer.exe process, -# and can intercept commands. There are some legitimate applications that -# run as ShellExecuteHooks, but many times, malware (spy-, ad-ware) will -# install here. ShellExecuteHooks allow you to type a URL into the Start->Run -# box and have that URL opened in your browser. For example, in 2001, Michael -# Dunn wrote KBLaunch, a ShellExecuteHook that looked for "?q" in the Run box -# and would open the appropriate MS KB article. -# -# Refs: -# http://support.microsoft.com/kb/914922 -# http://support.microsoft.com/kb/170918 -# http://support.microsoft.com/kb/943460 -# -# History: -# 20081229 - initial creation -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package shellexec; -use strict; - -my %config = (hive => "Software", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20081229); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets ShellExecuteHooks from Software hive"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - my %bhos; - ::logMsg("Launching shellexec v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellExecuteHooks";; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); - ::rptMsg(""); - my @vals = $key->get_list_of_values(); - if (scalar (@vals) > 0) { - foreach my $s (@vals) { - my $name = $s->get_name(); - next if ($name =~ m/^-/ || $name eq ""); - my $clsid_path = "Classes\\CLSID\\".$name; - my $clsid; - if ($clsid = $root_key->get_subkey($clsid_path)) { - my $class; - my $mod; - my $lastwrite; - - eval { - $class = $clsid->get_value("")->get_data(); - $bhos{$name}{class} = $class; - }; - if ($@) { - ::logMsg("\tError getting Class name for CLSID\\".$name); - ::logMsg("\t".$@); - } - eval { - $mod = $clsid->get_subkey("InProcServer32")->get_value("")->get_data(); - $bhos{$name}{module} = $mod; - }; - if ($@) { - ::logMsg("\tError getting Module name for CLSID\\".$name); - ::logMsg("\t".$@); - } - eval{ - $lastwrite = $clsid->get_subkey("InProcServer32")->get_timestamp(); - $bhos{$name}{lastwrite} = $lastwrite; - }; - if ($@) { - ::logMsg("\tError getting LastWrite time for CLSID\\".$name); - ::logMsg("\t".$@); - } - - foreach my $b (keys %bhos) { - ::rptMsg($b); - ::rptMsg("\tClass => ".$bhos{$b}{class}); - ::rptMsg("\tModule => ".$bhos{$b}{module}); - ::rptMsg("\tLastWrite => ".gmtime($bhos{$b}{lastwrite})); - ::rptMsg(""); - } - } - else { - ::rptMsg($clsid_path." not found."); - ::rptMsg(""); - ::logMsg($clsid_path." not found."); - } - } - } - else { - ::rptMsg($key_path." has no values. No ShellExecuteHooks installed."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/shellext.pl b/RecentActivity/release/rr/plugins/shellext.pl deleted file mode 100644 index 8f9994d9d4..0000000000 --- a/RecentActivity/release/rr/plugins/shellext.pl +++ /dev/null 
@@ -1,96 +0,0 @@
-#-----------------------------------------------------------
-# shellext
-# Plugin to get approved shell extensions list from the
-# Software hive
-#
-# This plugin retrieves the list of approved shell extensions from
-# the Software hive; specifically, the "Shell Extensions\Approved"
-# key. Once it has the names (GUID) and data (string) of each value,
-# it then goes to the Classes\CLSID\{GUID} key to get the name of/path to
-# the associated DLL, if available. It also gets the LastWrite time of the
-# Classes\CLSID\{GUID} key.
-#
-# Analysis of an incident showed that the intruder placed their malware in
-# the C:\Windows dir, using the same name as a known valid shell extension.
-# When Explorer.exe launches, it reads the list of approved shell extensions,
-# then goes to the Classes\CLSID key to get the path to the associated DLL. The
-# intruder chose a shell extension that did not have an explicit path, so when
-# explorer.exe looked for it, it started in the C:\Windows dir, and never got to
-# the legit DLL in the C:\Windows\system32 dir.
-#
-# References:
-# http://msdn.microsoft.com/en-us/library/ms682586%28VS.85%29.aspx
-#
-#
-# Note: This plugin can take several minutes to run
-#
-# copyright 2010 Quantum Analytics Research, LLC
-#-----------------------------------------------------------
-package shellext;
-use strict;
-
-my %config = (hive => "Software",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20100515);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets Shell Extensions from Software hive";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- my %bhos;
- ::logMsg("Launching shellext v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
- my $key_path = "Microsoft\\Windows\\CurrentVersion\\Shell Extensions\\Approved";;
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
-
- my %exts;
-
- my @vals = $key->get_list_of_values();
- if (scalar (@vals) > 0) {
- foreach my $v (@vals) {
- my $name = $v->get_name();
- $exts{$name}{name} = $v->get_data();
-
- my $clsid_path = "Classes\\CLSID\\".$name;
- my $clsid;
- if ($clsid = $root_key->get_subkey($clsid_path)) {
- eval {
- $exts{$v->get_name()}{lastwrite} = $clsid->get_timestamp();
- $exts{$v->get_name()}{dll} = $clsid->get_subkey("InProcServer32")->get_value("")->get_data();
- };
- }
- }
- foreach my $e (keys %exts) {
- ::rptMsg($e." ".$exts{$e}{name});
- ::rptMsg(" DLL: ".$exts{$e}{dll});
- ::rptMsg(" Timestamp: ".gmtime($exts{$e}{lastwrite})." Z");
- ::rptMsg("");
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/shellfolders.pl b/RecentActivity/release/rr/plugins/shellfolders.pl
deleted file mode 100644
index 42eb461f40..0000000000
--- a/RecentActivity/release/rr/plugins/shellfolders.pl
+++ /dev/null
@@ -1,71 +0,0 @@
-#-----------------------------------------------------------
-# shellfolders.pl
-#
-# Retrieve the Shell Folders values from user's hive; while
-# this may not be important in every instance, it may give the
-# examiner indications as to where to look for certain items;
-# for example, if the user's "My Documents" folder has been redirected
-# as part of configuration changes (corporate policies, etc.). Also,
-# this may be important as part of data leakage exams, as XP and Vista
-# allow users to drop and drag files to the CD Burner.
-#
-# References:
-# http://support.microsoft.com/kb/279157
-# http://support.microsoft.com/kb/326982
-#
-# copyright 2009 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package shellfolders;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20090115);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Retrieve user Shell Folders values";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching shellfolders v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
-
- my @vals = $key->get_list_of_values();
-
- if (scalar(@vals) > 0) {
- foreach my $v (@vals) {
- my $str = sprintf "%-20s %-40s",$v->get_name(),$v->get_data();
- ::rptMsg($str);
- }
- ::rptMsg("");
- }
- else {
- ::rptMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." 
 not found.");
- }
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/shelloverlay.pl b/RecentActivity/release/rr/plugins/shelloverlay.pl
deleted file mode 100644
index 67c46b858f..0000000000
--- a/RecentActivity/release/rr/plugins/shelloverlay.pl
+++ /dev/null
@@ -1,86 +0,0 @@ -#----------------------------------------------------------- -# shelloverlay -# Get contents of ShellIconOverlayIdentifiers subkeys; sorts data -# based on LastWrite times of subkeys -# -# History -# 20100308 - created -# -# References -# http://msdn.microsoft.com/en-us/library/cc144123%28VS.85%29.aspx -# Coreflood - http://vil.nai.com/vil/content/v_102053.htm -# http://www.secureworks.com/research/threats/coreflood/?threat=coreflood -# -# Analysis Tip: Malware such as Coreflood uses a random subkey name and a -# random CLSID GUID value -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package shelloverlay; -use strict; - -my %config = (hive => "Software", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100308); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets ShellIconOverlayIdentifiers values"; -} -sub getDescr{} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching shelloverlay v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my %id; - - my $key_path = 'Microsoft\\Windows\\CurrentVersion\\Explorer\\ShellIconOverlayIdentifiers'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("shelloverlay"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar @subkeys > 0) { - foreach my $s (@subkeys) { - my $name = $s->get_name(); - my $def; - eval { - $def = $s->get_value("")->get_data(); - $name .= " ".$def; - }; - push(@{$id{$s->get_timestamp()}},$name); - } - - foreach my $t (reverse sort {$a <=> $b} keys %id) { - ::rptMsg(gmtime($t)." 
Z"); - foreach my $item (@{$id{$t}}) { - ::rptMsg(" ".$item); - } - ::rptMsg(""); - } - - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/shutdown.pl b/RecentActivity/release/rr/plugins/shutdown.pl deleted file mode 100644 index a63914d5c0..0000000000 --- a/RecentActivity/release/rr/plugins/shutdown.pl +++ /dev/null 
@@ -1,76 +0,0 @@
-#-----------------------------------------------------------
-# shutdown.pl
-# Plugin for Registry Ripper; Access System hive file to get the
-# contents of the ShutdownTime value
-#
-# Change history
-#
-#
-# References
-#
-#
-# copyright 2008 H. Carvey
-#-----------------------------------------------------------
-package shutdown;
-use strict;
-
-my %config = (hive => "System",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20080324);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Gets ShutdownTime value from System hive";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching shutdown v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-# First thing to do is get the ControlSet00x marked current...this is
-# going to be used over and over again in plugins that access the system
-# file
- my $current;
- my $key_path = 'Select';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- $current = $key->get_value("Current")->get_data();
- my $ccs = "ControlSet00".$current;
- my $win_path = $ccs."\\Control\\Windows";
- my $win;
- if ($win = $root_key->get_subkey($win_path)) {
- ::rptMsg($win_path." key, ShutdownTime value");
- ::rptMsg($win_path);
- ::rptMsg("LastWrite Time ".gmtime($win->get_timestamp())." (UTC)");
- my $sd;
- if ($sd = $win->get_value("ShutdownTime")->get_data()) {
- my @vals = unpack("VV",$sd);
- my $shutdown = ::getTime($vals[0],$vals[1]);
- ::rptMsg(" ShutdownTime = ".gmtime($shutdown)." (UTC)");
-
- }
- else {
- ::rptMsg("ShutdownTime value not found.");
- }
- }
- else {
- ::rptMsg($win_path." not found.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/shutdowncount.pl b/RecentActivity/release/rr/plugins/shutdowncount.pl
deleted file mode 100644
index 73d649117d..0000000000
--- a/RecentActivity/release/rr/plugins/shutdowncount.pl
+++ /dev/null
@@ -1,81 +0,0 @@
-#-----------------------------------------------------------
-# shutdowncount.pl
-#
-# *Value info first seen at:
-# http://forensicsfromthesausagefactory.blogspot.com/2008/06/install-dates-and-shutdown-times-found.html
-# thanks to DC1743@gmail.com
-#
-# copyright 2008 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package shutdowncount;
-use strict;
-
-my %config = (hive => "System",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20080709);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Retrieves ShutDownCount value";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching shutdowncount v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
-# Code for System file, getting CurrentControlSet
- my $current;
- my $ccs;
- my $key_path = 'Select';
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- $current = $key->get_value("Current")->get_data();
- $ccs = "ControlSet00".$current;
- }
- else {
- ::logMsg("Could not find ".$key_path);
- return
- }
-
- my $key_path = $ccs."\\Control\\Watchdog\\Display";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("ShutdownCount");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
-
- my $count = 0;
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- foreach my $v (@vals) {
- if ($v->get_name() eq "ShutdownCount") {
- $count = 1;
- ::rptMsg("ShutdownCount = ".$v->get_data());
- }
- }
- ::rptMsg("ShutdownCount value not found.") if ($count == 0);
- }
- else {
- ::rptMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." 
not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/skype.pl b/RecentActivity/release/rr/plugins/skype.pl deleted file mode 100644 index 3c83bc65f1..0000000000 --- a/RecentActivity/release/rr/plugins/skype.pl +++ /dev/null @@ -1,60 +0,0 @@ -#----------------------------------------------------------- -# skype.pl -# -# -# History -# 20100713 - created -# -# References -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package skype; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100713); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets data user's Skype key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching acmru v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Skype'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my $install; - eval { - $install = $key->get_subkey("Installer")->get_value("DonwloadLastModified")->get_data(); - ::rptMsg("DonwloadLastModified = ".$install); - }; - ::rptMsg("DonwloadLastModified value not found: ".$@) if ($@); - - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/snapshot.pl b/RecentActivity/release/rr/plugins/snapshot.pl deleted file mode 100644 index 29bf42b93b..0000000000 --- a/RecentActivity/release/rr/plugins/snapshot.pl +++ /dev/null 
@@ -1,96 +0,0 @@ -#----------------------------------------------------------- -# snapshot.pl -# Plugin to check the ActiveX component for the MS Access Snapshot -# Viewer kill bit -# -# Ref: US-CERT Vuln Note #837785, http://www.kb.cert.org/vuls/id/837785 -# -# Note: Look for each GUID key, and check for the Compatibility Flags value; -# if the value is 0x400, the kill bit is set; a vulnerable system is -# indicated by having IE version 6.x, and the kill bits NOT set (IE 7 -# requires user interaction to download the ActiveX component -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package snapshot; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 1, - version => 20080725); - -sub getConfig{return %config} - -sub getShortDescr { - return "Check ActiveX comp kill bit; Access Snapshot"; -} -sub getDescr{} -sub getRefs {"US-CERT Vuln Note 837785" => "http://www.kb.cert.org/vuls/id/837785"} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -my @guids = ("{F0E42D50-368C-11D0-AD81-00A0C90DC8D9}", - "{F0E42D60-368C-11D0-AD81-00A0C90DC8D9}", - "{F2175210-368C-11D0-AD81-00A0C90DC8D9}"); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching snapshot v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\Internet Explorer"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("ActiveX Snapshot Vuln"); - ::rptMsg($key_path); - ::rptMsg(""); - my $ver; - eval { - $ver = $key->get_value("Version")->get_data(); - }; - if ($@) { - ::rptMsg("IE Version not found."); - } - else { - ::rptMsg("IE Version = ".$ver) - } - - ::rptMsg(""); - foreach my $guid (@guids) { - my $g; - eval { - $g = $key->get_subkey("ActiveX Compatibility\\".$guid); - }; - if ($@) { - 
::rptMsg("$guid not found."); - } - else { - ::rptMsg("GUID: $guid"); - my $flag; - eval { - $flag = $g->get_value("Compatibility Flags")->get_data(); - }; - if ($@) { - ::rptMsg("Compatibility Flags value not found."); - } - else { - my $str = sprintf "Compatibility Flags 0x%x",$flag; - ::rptMsg($str); - } - } - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/soft_run.pl b/RecentActivity/release/rr/plugins/soft_run.pl deleted file mode 100644 index 1c5e7a6d52..0000000000 --- a/RecentActivity/release/rr/plugins/soft_run.pl +++ /dev/null 
@@ -1,97 +0,0 @@ -#----------------------------------------------------------- -# soft_run -# Get contents of Run key from Software hive -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package soft_run; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 1, - version => 20080328); - -sub getConfig{return %config} - -sub getShortDescr { - return "Autostart - get Run key contents from Software hive"; -} -sub getDescr{} -sub getRefs { - my %refs = ("Definition of the Run keys in the WinXP Registry" => - "http://support.microsoft.com/kb/314866"); - return %refs; -} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching soft_run v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\Windows\\CurrentVersion\\Run"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - - my %vals = getKeyValues($key); - if (scalar(keys %vals) > 0) { - foreach my $v (keys %vals) { - ::rptMsg("\t".$v." -> ".$vals{$v}); - } - } - else { - ::rptMsg($key_path." has no values."); - } - - my @sk = $key->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $s (@sk) { - ::rptMsg(""); - ::rptMsg($key_path."\\".$s->get_name()); - ::rptMsg("LastWrite Time ".gmtime($s->get_timestamp())." (UTC)"); - my %vals = getKeyValues($s); - foreach my $v (keys %vals) { - ::rptMsg("\t".$v." -> ".$vals{$v}); - } - } - } - else { - ::rptMsg(""); - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
 not found.");
- }
-
-}
-
-sub getKeyValues {
- my $key = shift;
- my %vals;
-
- my @vk = $key->get_list_of_values();
- if (scalar(@vk) > 0) {
- foreach my $v (@vk) {
- next if ($v->get_name() eq "" && $v->get_data() eq "");
- $vals{$v->get_name()} = $v->get_data();
- }
- }
- else {
-
- }
- return %vals;
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/software b/RecentActivity/release/rr/plugins/software
deleted file mode 100644
index 144bfaf466..0000000000
--- a/RecentActivity/release/rr/plugins/software
+++ /dev/null
@@ -1,36 +0,0 @@
-#-------------------------------------
-# Software
-winver
-win_cv
-winnt_cv
-defbrowser
-ie_version
-banner
-bitbucket
-macaddr
-cmd_shell
-soft_run
-networkcards
-ssid
-appinitdlls
-bho
-shellexec
-imagefile
-port_dev
-userinit
-winlogon
-profilelist
-specaccts
-mrt
-svchost
-snapshot
-sfc
-uninstall
-installedcomp
-shelloverlay
-msis
-shellexec
-apppaths
-drwatson
-schedagent
-kb950582
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/specaccts.pl b/RecentActivity/release/rr/plugins/specaccts.pl
deleted file mode 100644
index 4933d865fa..0000000000
--- a/RecentActivity/release/rr/plugins/specaccts.pl
+++ /dev/null
@@ -1,68 +0,0 @@ -#----------------------------------------------------------- -# specaccts.pl -# Gets contents of SpecialAccounts\UserList key -# -# History -# 20100223 - created -# -# References -# http://www.microsoft.com/security/portal/Threat/Encyclopedia/ -# Entry.aspx?Name=Trojan%3AWin32%2FStarter -# -# http://www.microsoft.com/Security/portal/Threat/Encyclopedia/ -# Entry.aspx?Name=TrojanSpy%3AWin32%2FUrsnif.gen!H&ThreatID=-2147343835 -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package specaccts; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20100223); - -sub getConfig{return %config} - -sub getShortDescr { - return "Gets contents of SpecialAccounts\\UserList key"; -} -sub getDescr{} - -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching specaccts v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\SpecialAccounts\\UserList"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my %apps; - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - ::rptMsg(sprintf "%-20s 0x%x",$v->get_name(),$v->get_data()); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/sql_lastconnect.pl b/RecentActivity/release/rr/plugins/sql_lastconnect.pl deleted file mode 100644 index fb21951a75..0000000000 
--- a/RecentActivity/release/rr/plugins/sql_lastconnect.pl
+++ /dev/null
@@ -1,66 +0,0 @@
-#-----------------------------------------------------------
-# sql_lastconnect.pl
-#
-# Per MS, Microsoft Data Access Components (MDAC) clients can attempt
-# to use multiple protocols based on a protocol ordering, which is
-# listed in the SuperSocketNetLib\ProtocolOrder value. Successful
-# connection attempts (for SQL Server 2000) are cached in the LastConnect
-# key.
-#
-# References:
-# http://support.microsoft.com/kb/273673/
-#
-# copyright 2009 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package sql_lastconnect;
-use strict;
-
-my %config = (hive => "Software",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20090112);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "MDAC cache of successful connections";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching sql_lastconnect v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "Microsoft\\MSSQLServer\\Client\\SuperSocketNetLib\\LastConnect";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("MDAC Cache of successful connections");
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- foreach my $v (@vals) {
- my $str = sprintf "%-15s %-25s",$v->get_name(),$v->get_data();
- ::rptMsg($str);
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/ssid.pl b/RecentActivity/release/rr/plugins/ssid.pl
deleted file mode 100644
index 1e7714ae56..0000000000
--- a/RecentActivity/release/rr/plugins/ssid.pl
+++ /dev/null
@@ -1,183 +0,0 @@ -#----------------------------------------------------------- -# ssid -# Gets SSID and other info from WZCSVC key -# -# -# Change History: -# 20100301 - Updated References; removed dwCtlFlags being -# printed; minor adjustments to formatting -# 20091102 - added code to parse EAPOL values for SSIDs -# 20090807 - updated code in accordance with WZC_WLAN_CONFIG -# structure -# -# References -# http://msdn.microsoft.com/en-us/library/aa448338.aspx -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package ssid; -use strict; - -my %config = (hive => "Software", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100301); - -sub getConfig{return %config} -sub getShortDescr { - return "Get WZCSVC SSID Info"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); -my $error; - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching ssid v.".$VERSION); -# Get the NetworkCards values - my %nc; - if (%nc = getNetworkCards($hive)) { - - } - else { - ::logMsg("Problem w/ SSIDs, getting NetworkCards: ".$error); - return; - } - - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Microsoft\\WZCSVC\\Parameters\\Interfaces"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("SSID"); - ::rptMsg($key_path); - ::rptMsg(""); - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $name = $s->get_name(); - if (exists($nc{$name})) { - ::rptMsg("NIC: ".$nc{$name}{descr}); - ::rptMsg("Key LastWrite: ".gmtime($s->get_timestamp())." 
UTC"); - ::rptMsg(""); - my @vals = $s->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $n = $v->get_name(); - if ($n =~ m/^Static#/) { - my $data = $v->get_data(); -# my $w = unpack("V",substr($data,0x04,0x04)); -# printf "dwCtlFlags = 0x%x\n",$w; - - my $l = unpack("V",substr($data, 0x10, 0x04)); - my $ssid = substr($data,0x14,$l); - - my $tm = uc(unpack("H*",substr($data,0x08,0x06))); - my @t = split(//,$tm); - my $mac = $t[0].$t[1]."-".$t[2].$t[3]."-".$t[4].$t[5]."-".$t[6].$t[7]."-".$t[8].$t[9]."-".$t[10].$t[11]; - - my ($t1,$t2) = unpack("VV",substr($data,0x2B8,8)); - my $t = ::getTime($t1,$t2); - my $str = sprintf gmtime($t)." MAC: %-18s %-8s",$mac,$ssid; - ::rptMsg($str); - } - } - } - else { - ::rptMsg($name." has no values."); - } - } - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } - -# Now, go to the EAPOL key, locate the appropriate subkeys and parse out -# any available SSIDs -# EAPOL is Extensible Authentication Protocol over LAN - my $key_path = "Microsoft\\EAPOL\\Parameters\\Interfaces"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg(""); - ::rptMsg($key_path); - ::rptMsg(""); - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $name = $s->get_name(); - if (exists $nc{$name}) { - ::rptMsg("NIC: ".$nc{$name}{descr}); - } - else { - ::rptMsg("NIC: ".$name); - } - ::rptMsg("LastWrite time: ".gmtime($s->get_timestamp())." UTC"); - - my @vals = $s->get_list_of_values(); - my %eapol; - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - $eapol{$v->get_name()} = parseEAPOLData($v->get_data()); - } - foreach my $i (sort {$a <=> $b} keys %eapol) { - my $str = sprintf "%-3d %s",$i,$eapol{$i}; - ::rptMsg($str); - } - } - ::rptMsg(""); - } - } - else { - ::rtpMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} - -sub getNetworkCards { - my $hive = shift; - my %nc; - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\NetworkCards"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $service = $s->get_value("ServiceName")->get_data(); - $nc{$service}{descr} = $s->get_value("Description")->get_data(); - $nc{$service}{lastwrite} = $s->get_timestamp(); - } - } - else { - $error = $key_path." has no subkeys."; - } - } - else { - $error = $key_path." not found."; - } - return %nc; -} - -sub parseEAPOLData { - my $data = shift; - my $size = unpack("V",substr($data,0x10,4)); - return substr($data,0x14,$size); -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/startpage.pl b/RecentActivity/release/rr/plugins/startpage.pl deleted file mode 100644 index 78dcc9e426..0000000000 --- a/RecentActivity/release/rr/plugins/startpage.pl +++ /dev/null 
@@ -1,77 +0,0 @@ -#----------------------------------------------------------- -# startpage.pl -# For Windows 7 -# -# Change history -# 20100330 - created -# -# References -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package startpage; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100330); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of user's StartPage key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching startpage v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartPage"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my $menu; - my $balloon; - - eval { - my $val = $key->get_value("StartMenu_Start_Time")->get_data(); - my ($t0,$t1) = unpack("VV",$val); - $menu = ::getTime($t0,$t1); - ::rptMsg("StartMenu_Start_Time = ".gmtime($menu)." Z"); - }; - ::rptMsg("Error: ".@$) if (@$); - - eval { - my $val = $key->get_value("StartMenu_Balloon_Time")->get_data(); - my ($t0,$t1) = unpack("VV",$val); - $balloon = ::getTime($t0,$t1); - ::rptMsg("StartMenu_Balloon_Time = ".gmtime($balloon)." Z"); - }; - ::rptMsg("Error: ".@$) if (@$); - - - - - - } - else { - ::rptMsg($key_path." not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/stillimage.pl b/RecentActivity/release/rr/plugins/stillimage.pl deleted file mode 100644 index aaf23600e4..0000000000 
--- a/RecentActivity/release/rr/plugins/stillimage.pl
+++ /dev/null
@@ -1,112 +0,0 @@ -#----------------------------------------------------------- -# stillimage.pl -# Parses contents of Enum\USB key for web cam -# -# History -# 20100222 - created -# -# References -# http://msdn.microsoft.com/en-us/library/ms791870.aspx -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package stillimage; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20100222); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get info on StillImage devices"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); -my $reg; - -sub pluginmain { - my $class = shift; - my $hive = shift; - $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -::logMsg("Launching stillimage v.".$VERSION); -# Code for System file, getting CurrentControlSet - my $current; - my $ccs; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - } - else { - ::rptMsg($key_path." not found."); - return; - } - - my $key_path = $ccs."\\Control\\Class\\{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar @subkeys > 0) { - ::rptMsg(""); - foreach my $s (@subkeys) { - my $name = $s->get_name(); - next unless ($name =~ m/\d\d/); - ::rptMsg($name); - - eval { - my $desc = $s->get_value("DriverDesc")->get_data(); - ::rptMsg(" ".$desc); - }; - - eval { - my $desc = $s->get_value("MatchingDeviceID")->get_data(); - ::rptMsg(" ".$desc); - }; - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } - -# http://msdn.microsoft.com/en-us/library/ms791870.aspx -# StillImage logging levels - my $key_path = $ccs."\\Control\\StillImage\\Logging"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg(""); - ::rptMsg("StillImage Logging Level"); - eval { - my $level = $key->get_subkey("STICLI")->get_value("Level")->get_data(); - my $str = sprintf " STICLI Logging Level = 0x%x",$level; - ::rptMsg($str); - }; - ::rptMsg("STICLI Error: ".$@) if ($@); - - eval { - my $level = $key->get_subkey("STIMON")->get_value("Level")->get_data(); - my $str = sprintf " STIMON Logging Level = 0x%x",$level; - ::rptMsg($str); - }; - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/streammru.pl b/RecentActivity/release/rr/plugins/streammru.pl deleted file mode 100644 index 0276cad084..0000000000 --- a/RecentActivity/release/rr/plugins/streammru.pl +++ /dev/null 
@@ -1,64 +0,0 @@ -#----------------------------------------------------------- -# streammru.pl -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package streammru; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090205); - -sub getConfig{return %config} - -sub getShortDescr { - return "streammru"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching streammru v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StreamMRU"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg(""); - ::rptMsg($key_path); - ::rptMsg(""); - - my $data = $key->get_value("5")->get_data(); - - my $drive = substr($data, 0x16,4); - ::rptMsg("Drive = ".$drive); - ::rptMsg(""); - - my $size = substr($data, 0x2d, 1); - ::rptMsg("Size of first object: ".unpack("c",$size)." bytes"); - ::rptMsg(""); - - - - - - - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/streams.pl b/RecentActivity/release/rr/plugins/streams.pl deleted file mode 100644 index e620c033df..0000000000 --- a/RecentActivity/release/rr/plugins/streams.pl +++ /dev/null 
@@ -1,63 +0,0 @@ -#----------------------------------------------------------- -# streams.pl -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package streams; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20081124); - -sub getConfig{return %config} - -sub getShortDescr { - return "Parse Streams and StreamsMRU entries"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching streams v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StreamMRU'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("streamMRU"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $i (0..10) { - my $data = $key->get_value($i)->get_data(); - open(FH,">",$i); - binmode(FH); - print FH $data; - close(FH); - } - } - else { - ::rptMsg($key_path." has no values."); - } - - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/svc.pl b/RecentActivity/release/rr/plugins/svc.pl deleted file mode 100644 index 32332bf723..0000000000 --- a/RecentActivity/release/rr/plugins/svc.pl +++ /dev/null 
@@ -1,149 +0,0 @@ -#----------------------------------------------------------- -# svc.pl -# Plugin for Registry Ripper; Access System hive file to get the -# services, display short format (hence "svc", shortened version -# of service.pl plugin) -# -# Change history -# 20080610 - created -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package svc; -#use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080610); - -sub getConfig{return %config} -sub getShortDescr { - return "Lists services/drivers in Services key by LastWrite times (short format)"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -# Reference for types and start types: -# http://msdn.microsoft.com/en-us/library/aa394420(VS.85).aspx -my %types = (0x001 => "Kernel driver", - 0x002 => "File system driver", - 0x010 => "Own_Process", - 0x020 => "Share_Process", - 0x100 => "Interactive"); - -my %starts = (0x00 => "Boot Start", - 0x01 => "System Start", - 0x02 => "Auto Start", - 0x03 => "Manual", - 0x04 => "Disabled"); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching svc v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - my $ccs = "ControlSet00".$current; - my $s_path = $ccs."\\Services"; - my $svc; - my %svcs; - if ($svc = $root_key->get_subkey($s_path)) { - ::rptMsg($s_path); - ::rptMsg(getShortDescr()); - ::rptMsg(""); -# Get all subkeys and sort based on LastWrite times - my @subkeys = 
$svc->get_list_of_subkeys(); - if (scalar (@subkeys) > 0) { - foreach my $s (@subkeys) { - - my $type; - eval { - $type = $s->get_value("Type")->get_data(); - }; - - $name = $s->get_name(); - my $display; - eval { - $display = $s->get_value("DisplayName")->get_data(); - }; - - my $image; - eval { - $image = $s->get_value("ImagePath")->get_data(); - }; - - my $start; - eval { - $start = $s->get_value("Start")->get_data(); - if (exists $starts{$start}) { - $start = $starts{$start}; - } - }; - - my $object; - eval { - $object = $s->get_value("ObjectName")->get_data(); - }; - next if ($type == 0x001 || $type == 0x002); - my $str = $name.";".$display.";".$image.";".$type.";".$start.";".$object; - push(@{$svcs{$s->get_timestamp()}},$str) unless ($str eq ""); - } - - foreach my $t (reverse sort {$a <=> $b} keys %svcs) { - ::rptMsg(gmtime($t)."Z"); - foreach my $item (@{$svcs{$t}}) { - my ($n,$d,$i,$t,$s,$o) = split(/;/,$item,6); - my $str = " ".$n; - - if ($i eq "") { - if ($d eq "") { - - } - else { - $str = $str." (".$d.")"; - } - } - else { - $str = $str." (".$i.")"; - } - - $str = $str." [".$o."]" unless ($o eq ""); - - ::rptMsg($str); - } - ::rptMsg(""); - } - - } - else { - ::rptMsg($s_path." has no subkeys."); - ::logMsg("Error: ".$s_path." has no subkeys."); - } - } - else { - ::rptMsg($s_path." not found."); - ::logMsg($s_path." not found."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/svc2.pl b/RecentActivity/release/rr/plugins/svc2.pl deleted file mode 100644 index 0a12370371..0000000000 --- a/RecentActivity/release/rr/plugins/svc2.pl +++ /dev/null 
@@ -1,148 +0,0 @@ -#----------------------------------------------------------- -# svc2.pl -# Plugin for Registry Ripper; Access System hive file to get the -# services, display short format (hence "svc", shortened version -# of service.pl plugin); outputs info in .csv format -# -# Change history -# 20081129 - created -# -# Ref: -# http://msdn.microsoft.com/en-us/library/aa394073(VS.85).aspx -# -# Analysis Tip: Several services keys have Parameters subkeys that point to -# the ServiceDll value; During intrusions, a service key may be added to -# the system's Registry; using this module, send the output to .csv format -# and sort on column B to get the names to line up -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package svc2; -#use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20081129); - -sub getConfig{return %config} -sub getShortDescr { - return "Lists Services key contents by LastWrite times (CSV)"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -my %types = (0x001 => "Kernel driver", - 0x002 => "File system driver", - 0x004 => "Adapter", - 0x010 => "Own_Process", - 0x020 => "Share_Process", - 0x100 => "Interactive"); - -my %starts = (0x00 => "Boot Start", - 0x01 => "System Start", - 0x02 => "Auto Start", - 0x03 => "Manual", - 0x04 => "Disabled"); - -sub pluginmain { - my $class = shift; - my $hive = shift; -# ::logMsg("Launching svc2 v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); 
- my $ccs = "ControlSet00".$current; - my $s_path = $ccs."\\Services"; - my $svc; - my %svcs; - if ($svc = $root_key->get_subkey($s_path)) { -# ::rptMsg($s_path); -# ::rptMsg(getShortDescr()); -# ::rptMsg(""); -# Get all subkeys and sort based on LastWrite times - my @subkeys = $svc->get_list_of_subkeys(); - if (scalar (@subkeys) > 0) { - foreach my $s (@subkeys) { - $name = $s->get_name(); - my $display; - eval { - $display = $s->get_value("DisplayName")->get_data(); -# take commas out of the display name, replace w/ semi-colons - $display =~ s/,/;/g; - }; - - my $type; - eval { - $type = $s->get_value("Type")->get_data(); - $type = $types{$type} if (exists $types{$type}); - - }; - - my $image; - eval { - $image = $s->get_value("ImagePath")->get_data(); - }; - - my $start; - eval { - $start = $s->get_value("Start")->get_data(); - $start = $starts{$start} if (exists $starts{$start}); - }; - - my $object; - eval { - $object = $s->get_value("ObjectName")->get_data(); - }; - - my $str = $name."\|".$display."\|".$image."\|".$type."\|".$start."\|".$object; - push(@{$svcs{$s->get_timestamp()}},$str) unless ($str eq ""); -# Get ServiceDll value if there is one - eval { - my $para = $s->get_subkey("Parameters"); - my $dll = $para->get_value("ServiceDll")->get_data(); - my $str = $name."\\Parameters\|\|".$dll."\|\|\|"; - push(@{$svcs{$para->get_timestamp()}},$str); - }; - - } - - foreach my $t (reverse sort {$a <=> $b} keys %svcs) { -# ::rptMsg(gmtime($t)."Z"); - foreach my $item (@{$svcs{$t}}) { - my ($n,$d,$i,$t2,$s,$o) = split(/\|/,$item,6); -# ::rptMsg($t.",".$n.",".$d.",".$i.",".$t2.",".$s.",".$o); - ::rptMsg(gmtime($t)."Z".",".$n.",".$d.",".$i.",".$t2.",".$s.",".$o); - } - } - } - else { - ::rptMsg($s_path." has no subkeys."); - ::logMsg("Error: ".$s_path." has no subkeys."); - } - } - else { - ::rptMsg($s_path." not found."); - ::logMsg($s_path." not found."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/svcdll.pl b/RecentActivity/release/rr/plugins/svcdll.pl deleted file mode 100644 index 3cfbcd2f24..0000000000 --- a/RecentActivity/release/rr/plugins/svcdll.pl +++ /dev/null 
@@ -1,131 +0,0 @@ -#----------------------------------------------------------- -# svcdll.pl -# -# Change history -# 20091104 - created -# -# Ref: -# http://msdn.microsoft.com/en-us/library/aa394073(VS.85).aspx -# -# Analysis Tip: Several services keys have Parameters subkeys that point to -# the ServiceDll value; During intrusions, a service key may be added to -# the system's Registry; this module provides a quick look, displaying the -# Service names (in malware, sometimes random) and the ServiceDll value, -# sorted based on the LastWrite time of the \Parameters subkey. -# -# copyright 2009 H. Carvey -#----------------------------------------------------------- -package svcdll; -use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20091104); - -sub getConfig{return %config} -sub getShortDescr { - return "Lists Services keys with ServiceDll values"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -#my %types = (0x001 => "Kernel driver", -# 0x002 => "File system driver", -# 0x004 => "Adapter", -# 0x010 => "Own_Process", -# 0x020 => "Share_Process", -# 0x100 => "Interactive"); - -#my %starts = (0x00 => "Boot Start", -# 0x01 => "System Start", -# 0x02 => "Auto Start", -# 0x03 => "Manual", -# 0x04 => "Disabled"); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching svcdll v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - my $ccs = "ControlSet00".$current; - my $s_path = $ccs."\\Services"; - my $svc; - my %svcs; 
- if ($svc = $root_key->get_subkey($s_path)) { - -# Get all subkeys and sort based on LastWrite times - my @subkeys = $svc->get_list_of_subkeys(); - if (scalar (@subkeys) > 0) { - foreach my $s (@subkeys) { - my $name = $s->get_name(); -# my $display; -# eval { -# $display = $s->get_value("DisplayName")->get_data(); -# }; - -# my $type; -# eval { -# $type = $s->get_value("Type")->get_data(); -# $type = $types{$type} if (exists $types{$type}); -# }; - -# my $image; -# eval { -# $image = $s->get_value("ImagePath")->get_data(); -# }; - -# my $start; -# eval { -# $start = $s->get_value("Start")->get_data(); -# $start = $starts{$start} if (exists $starts{$start}); -# }; - - my $dll; - eval { - $dll = $s->get_subkey("Parameters")->get_value("ServiceDll")->get_data(); - my $str = $name." -> ".$dll; - push(@{$svcs{$s->get_timestamp()}},$str) unless ($str eq ""); - }; - } - - foreach my $t (reverse sort {$a <=> $b} keys %svcs) { - ::rptMsg(gmtime($t)."Z"); - foreach my $item (@{$svcs{$t}}) { - ::rptMsg(" ".$item); - } - ::rptMsg(""); - } - } - else { - ::rptMsg($s_path." has no subkeys."); - ::logMsg("Error: ".$s_path." has no subkeys."); - } - } - else { - ::rptMsg($s_path." not found."); - ::logMsg($s_path." not found."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/svchost.pl b/RecentActivity/release/rr/plugins/svchost.pl deleted file mode 100644 index 481d08ca46..0000000000 --- a/RecentActivity/release/rr/plugins/svchost.pl +++ /dev/null 
@@ -1,74 +0,0 @@ -#----------------------------------------------------------- -# svchost -# Plugin to get data from Security Center keys -# -# Change History: -# 20100322 - created -# -# References: -# http://support.microsoft.com/kb/314056 -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package svchost; -use strict; - -my %config = (hive => "Software", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100322); - -sub getConfig{return %config} -sub getShortDescr { - return "Get entries from SvcHost key"; -} -sub getDescr{} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - my $infected = 0; - ::logMsg("Launching secctr v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = 'Microsoft\Windows NT\CurrentVersion\SvcHost'; - my $key; - ::rptMsg("svchost"); - ::rptMsg(""); - - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg(""); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my @data = $v->get_data(); - my $d; - if (scalar(@data) > 1) { - $d = join(',',@data); - } - else { - $d = $data[0]; - } - my $str = sprintf "%-15s %-55s",$v->get_name(),$d; - ::rptMsg($str); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - ::rptMsg(""); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/system b/RecentActivity/release/rr/plugins/system deleted file mode 100644 index 366c10fc62..0000000000 --- a/RecentActivity/release/rr/plugins/system +++ /dev/null 
@@ -1,36 +0,0 @@ -#------------------------------------- -# System -compname -xpedition -producttype -dllsearch -termserv -rdpport -shutdown -shutdowncount -nolmhash -timezone -disablelastaccess -eventlog -auditfail -crashcontrol -kbdcrash -pagefile -hibernate -mountdev -routes -network -nic_mst2 -nic -nic2 -fw_config -ide -shares -svc2 -svcdll -imagedev -legacy -stillimage -usbdevices -usbstor -devclass \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/taskman.pl b/RecentActivity/release/rr/plugins/taskman.pl deleted file mode 100644 index 3a6b212a59..0000000000 --- a/RecentActivity/release/rr/plugins/taskman.pl +++ /dev/null 
@@ -1,61 +0,0 @@ -#----------------------------------------------------------- -# taskman.pl -# Get Taskman value from Winlogon -# -# References -# http://www.geoffchappell.com/viewer.htm?doc=notes/windows/shell/explorer/ -# taskman.htm&tx=3,5-7,12;4&ts=0,19 -# http://technet.microsoft.com/en-us/library/cc957402.aspx -# -# Change History: -# 20091116 - created -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package taskman; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20091116); - -sub getConfig{return %config} - -sub getShortDescr { - return "Gets Taskman from HKLM\\..\\Winlogon"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching taskman v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon"; - if (my $key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - - eval { - ::rptMsg(""); - my $task = $key->get_value("Taskman")->get_data(); - ::rptMsg("Taskman value = ".$task); - }; - if ($@) { - ::rptMsg("Taskman value not found."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/termcert.pl b/RecentActivity/release/rr/plugins/termcert.pl deleted file mode 100644 index 81e4b37505..0000000000 --- a/RecentActivity/release/rr/plugins/termcert.pl +++ /dev/null 
@@ -1,96 +0,0 @@ -#----------------------------------------------------------- -# termcert.pl -# Plugin for Registry Ripper; -# -# Change history -# 20110316 - created -# -# copyright 2011 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package termcert; -use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20110316); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets Terminal Server certificate"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching termcert v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - my $ccs = "ControlSet00".$current; - my $ts_path = $ccs."\\Services\\TermService\\Parameters"; - my $ts; - if ($ts = $root_key->get_subkey($ts_path)) { - ::rptMsg($ts_path); - ::rptMsg("LastWrite Time ".gmtime($ts->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my $cert; - eval { - $cert = $ts->get_value("Certificate")->get_raw_data(); - - printSector($cert); - }; - ::rptMsg("Certificate value not found.") if ($@); - } - else { - ::rptMsg($ts_path." not found."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} - -sub printSector { - my $data = shift; - my $len = length($data); - my $remaining = $len; - my $i = 0; - - while ($remaining > 0) { - my $seg1 = substr($data,$i * 16,16); - my @str1 = split(//,unpack("H*",$seg1)); - - my @s3; - foreach my $i (0..15) { - $s3[$i] = $str1[$i * 2].$str1[($i * 2) + 1]; - } - - my $h = join(' ',@s3); - my @s1 = unpack("A*",$seg1); - my $s2 = join('',@s1); - $s2 =~ s/\W/\./g; - - ::rptMsg(sprintf "%-50s %-20s",$h,$s2); - $i++; - $remaining -= 16; - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/termserv.pl b/RecentActivity/release/rr/plugins/termserv.pl deleted file mode 100644 index 010e3aed5e..0000000000 --- a/RecentActivity/release/rr/plugins/termserv.pl +++ /dev/null 
@@ -1,137 +0,0 @@ -#----------------------------------------------------------- -# termserv.pl -# Plugin for Registry Ripper; -# -# Change history -# 20100713 - Updated to include additional values, based on references -# 20100119 - updated -# 20090727 - created -# -# References -# Change TS listening port number - http://support.microsoft.com/kb/187623 -# Examining TS key - http://support.microsoft.com/kb/243215 -# Win2K8 TS stops listening - http://support.microsoft.com/kb/954398 -# XP/Win2K3 TSAdvertise value - http://support.microsoft.com/kb/281307 -# AllowTSConnections value - http://support.microsoft.com/kb/305608 -# TSEnabled value - http://support.microsoft.com/kb/222992 -# TSUserEnabled value - http://support.microsoft.com/kb/238965 -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package termserv; -use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100713); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets Terminal Server values from System hive"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching termserv v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - my $ccs = "ControlSet00".$current; - my $ts_path = $ccs."\\Control\\Terminal Server"; - my $ts; - if ($ts = $root_key->get_subkey($ts_path)) { - ::rptMsg($ts_path); - ::rptMsg("LastWrite Time 
".gmtime($ts->get_timestamp())." (UTC)"); - ::rptMsg(""); - ::rptMsg("Reference: http://support.microsoft.com/kb/243215"); - ::rptMsg(""); - - my $ver; - eval { - $ver = $ts->get_value("ProductVersion")->get_data(); - ::rptMsg(" ProductVersion = ".$ver); - }; - ::rptMsg(""); - - my $fdeny; - eval { - $fdeny = $ts->get_value("fDenyTSConnections")->get_data(); - ::rptMsg(" fDenyTSConnections = ".$fdeny); - ::rptMsg(" 1 = connections denied"); - }; - ::rptMsg("fDenyTSConnections value not found.") if ($@); - ::rptMsg(""); - - my $allow; - eval { - $allow = $ts->get_value("AllowTSConnections")->get_data(); - ::rptMsg(" AllowTSConnections = ".$allow); - ::rptMsg(" Ref: http://support.microsoft.com/kb/305608"); - }; - ::rptMsg(""); - - my $ad; - eval { - $ad = $ts->get_value("TSAdvertise")->get_data(); - ::rptMsg(" TSAdvertise = ".$ad); - ::rptMsg(" 0 = disabled, 1 = enabled (advertise Terminal Services)"); - ::rptMsg(" Ref: http://support.microsoft.com/kb/281307"); - }; - ::rptMsg(""); - - my $enabled; - eval { - $enabled = $ts->get_value("TSEnabled")->get_data(); - ::rptMsg(" TSEnabled = ".$enabled); - ::rptMsg(" 0 = disabled, 1 = enabled (Terminal Services enabled)"); - ::rptMsg(" Ref: http://support.microsoft.com/kb/222992"); - }; - ::rptMsg(""); - - my $user; - eval { - $user = $ts->get_value("TSUserEnabled")->get_data(); - ::rptMsg(" TSUserEnabled = ".$user); - ::rptMsg(" 1 = All users logging in are automatically part of the"); - ::rptMsg(" built-in Terminal Server User group. 0 = No one is a"); - ::rptMsg(" member of the built-in group."); - ::rptMsg(" Ref: http://support.microsoft.com/kb/238965"); - }; - ::rptMsg(""); - - my $help; - eval { - $help = $ts->get_value("fAllowToGetHelp")->get_data(); - ::rptMsg(" fAllowToGetHelp = ".$user); - ::rptMsg(" 1 = Users can request assistance from friend or a "); - ::rptMsg(" support professional."); - ::rptMsg(" Ref: http://www.pctools.com/guides/registry/detail/1213/"); - }; - - } - else { - ::rptMsg($ts_path." 
not found."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/timezone.pl b/RecentActivity/release/rr/plugins/timezone.pl deleted file mode 100644 index fa3f38729d..0000000000 --- a/RecentActivity/release/rr/plugins/timezone.pl +++ /dev/null 
@@ -1,88 +0,0 @@ -#----------------------------------------------------------- -# timezone.pl -# Plugin for Registry Ripper; Access System hive file to get the -# contents of the TimeZoneInformation key -# -# Change history -# -# -# References -# http://support.microsoft.com/kb/102986 -# http://support.microsoft.com/kb/207563 -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package timezone; -use strict; - -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Get TimeZoneInformation key contents"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching timezone v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; -# First thing to do is get the ControlSet00x marked current...this is -# going to be used over and over again in plugins that access the system -# file - my $current; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - my $ccs = "ControlSet00".$current; - my $tz_path = $ccs."\\Control\\TimeZoneInformation"; - my $tz; - if ($tz = $root_key->get_subkey($tz_path)) { - ::rptMsg("TimeZoneInformation key"); - ::rptMsg($tz_path); - ::rptMsg("LastWrite Time ".gmtime($tz->get_timestamp())." (UTC)"); - my %tz_vals; - my @vals = $tz->get_list_of_values(); - if (scalar(@vals) > 0) { - map{$tz_vals{$_->get_name()} = $_->get_data()}(@vals); - - ::rptMsg(" DaylightName -> ".$tz_vals{"DaylightName"}); - ::rptMsg(" StandardName -> ".$tz_vals{"StandardName"}); - - my $bias = $tz_vals{"Bias"}/60; - my $atbias = $tz_vals{"ActiveTimeBias"}/60; - - ::rptMsg(" Bias -> ".$tz_vals{"Bias"}." 
(".$bias." hours)"); - ::rptMsg(" ActiveTimeBias -> ".$tz_vals{"ActiveTimeBias"}." (".$atbias." hours)"); - - } - else { - ::rptMsg($tz_path." has no values."); - ::logMsg($tz_path." has no values."); - } - } - else { - ::rptMsg($tz_path." could not be found."); - ::logMsg($tz_path." could not be found."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/tsclient.pl b/RecentActivity/release/rr/plugins/tsclient.pl deleted file mode 100644 index 364c17bff0..0000000000 --- a/RecentActivity/release/rr/plugins/tsclient.pl +++ /dev/null 
@@ -1,72 +0,0 @@ -#----------------------------------------------------------- -# tsclient.pl -# Plugin for Registry Ripper -# -# Change history -# -# -# References -# http://support.microsoft.com/kb/312169 -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package tsclient; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 0, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Displays contents of user's Terminal Server Client\\Default key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching tsclient v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Terminal Server Client\\Default'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("TSClient"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - my %mrus; - foreach my $v (@vals) { - my $val = $v->get_name(); - my $data = $v->get_data(); - my $tag = (split(/MRU/,$val))[1]; - $mrus{$tag} = $val.":".$data; - } - foreach my $u (sort {$a <=> $b} keys %mrus) { - my ($val,$data) = split(/:/,$mrus{$u},2); - ::rptMsg(" ".$val." -> ".$data); - } - } - else { - ::rptMsg($key_path." has no values."); - ::logMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/typedpaths.pl b/RecentActivity/release/rr/plugins/typedpaths.pl deleted file mode 100644 index 292f0370b0..0000000000 
--- a/RecentActivity/release/rr/plugins/typedpaths.pl +++ /dev/null @@ -1,69 +0,0 @@ -#----------------------------------------------------------- -# typedpaths.pl -# For Windows 7, Desktop Address Bar History -# -# Change history -# 20100330 - created -# -# References -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package typedpaths; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100330); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of user's typedpaths key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching typedpaths v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - my %paths; - foreach my $v (@vals) { - my $name = $v->get_name(); - $name =~ s/^url//; - my $data = $v->get_data(); - $paths{$name} = $data; - } - foreach my $p (sort {$a <=> $b} keys %paths) { - ::rptMsg(sprintf "%-8s %-30s","url".$p,$paths{$p}); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/typedurls.pl b/RecentActivity/release/rr/plugins/typedurls.pl deleted file mode 100644 index fbd6c194e9..0000000000 --- a/RecentActivity/release/rr/plugins/typedurls.pl +++ /dev/null 
@@ -1,87 +0,0 @@ -#! c:\perl\bin\perl.exe -#----------------------------------------------------------- -# typedurls.pl -# Plugin for Registry Ripper, NTUSER.DAT edition - gets the -# TypedURLs values -# -# Change history -# -# -# References -# http://support.microsoft.com/kb/157729 -# http://msdn2.microsoft.com/en-us/library/aa908115.aspx -# -# Notes: Reportedly, only the last 20 entries are maintained; -# Also, new entries aren't added to the key until the current -# instance of IE is terminated. -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package typedurls; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 1, - osmask => 22, - version => 20080324); - -sub getConfig{return %config} -sub getShortDescr { - return "Returns contents of user's TypedURLs key."; -} -sub getDescr{} -sub getRefs { - my %refs = ("IESample Registry Settings" => - "http://msdn2.microsoft.com/en-us/library/aa908115.aspx", - "How to clear History entries in IE" => - "http://support.microsoft.com/kb/157729"); - return %refs; -} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching typedurls v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Internet Explorer\\TypedURLs'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("TypedURLs"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - my %urls; -# Retrieve values and load into a hash for sorting - foreach my $v (@vals) { - my $val = $v->get_name(); - my $data = $v->get_data(); - my $tag = (split(/url/,$val))[1]; - $urls{$tag} = $val.":".$data; - } -# Print sorted content to report file - foreach my $u (sort {$a <=> $b} keys %urls) { - my ($val,$data) = split(/:/,$urls{$u},2); - ::rptMsg(" ".$val." -> ".$data); - } - } - else { - ::rptMsg($key_path." has no values."); - ::logMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/uninstall.pl b/RecentActivity/release/rr/plugins/uninstall.pl deleted file mode 100644 index 71975fd388..0000000000 --- a/RecentActivity/release/rr/plugins/uninstall.pl +++ /dev/null 
@@ -1,89 +0,0 @@ -#----------------------------------------------------------- -# uninstall.pl -# Gets contents of Uninstall key from Software hive; sorts -# display names based on key LastWrite time -# -# References: -# http://support.microsoft.com/kb/247501 -# http://support.microsoft.com/kb/314481 -# http://msdn.microsoft.com/en-us/library/ms954376.aspx -# -# Change History: -# 20100116 - Minor updates -# 20090413 - Extract DisplayVersion info -# 20090128 - Added references -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package uninstall; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20100116); - -sub getConfig{return %config} - -sub getShortDescr { - return "Gets contents of Uninstall key from Software hive"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching uninstall v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = 'Microsoft\\Windows\\CurrentVersion\\Uninstall'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("Uninstall"); - ::rptMsg($key_path); - ::rptMsg(""); - - my %uninst; - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $lastwrite = $s->get_timestamp(); - my $display; - eval { - $display = $s->get_value("DisplayName")->get_data(); - }; - $display = $s->get_name() if ($display eq ""); - - my $ver; - eval { - $ver = $s->get_value("DisplayVersion")->get_data(); - }; - $display .= " v\.".$ver unless ($@); - - push(@{$uninst{$lastwrite}},$display); - } - foreach my $t (reverse sort {$a <=> $b} keys %uninst) { - ::rptMsg(gmtime($t)." 
(UTC)"); - foreach my $item (@{$uninst{$t}}) { - ::rptMsg("\t$item"); - } - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/unreadmail.pl b/RecentActivity/release/rr/plugins/unreadmail.pl deleted file mode 100644 index 5f6aadcf6d..0000000000 --- a/RecentActivity/release/rr/plugins/unreadmail.pl +++ /dev/null 
@@ -1,89 +0,0 @@ -#----------------------------------------------------------- -# unreadmail.pl -# -# -# Change history -# 20100218 - created -# -# References -# http://support.microsoft.com/kb/304148 -# http://support.microsoft.com/kb/831403 -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package unreadmail; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100218); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of Unreadmail key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - my %hist; - ::logMsg("Launching unreadmail v.".$VERSION); - - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\UnreadMail'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - - eval { - my $e = $key->get_value("MessageExpiryDays")->get_data(); - ::rptMsg("MessageExpiryDays : ".$e); - ::rptMsg(""); - }; - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar @subkeys > 0) { - ::rptMsg(""); - foreach my $s (@subkeys) { - ::rptMsg($s->get_name()); - ::rptMsg("LastWrite Time ".gmtime($s->get_timestamp())." (UTC)"); - eval { - my $m = $s->get_value("MessageCount")->get_data(); - ::rptMsg(" MessageCount: ".$m); - }; - - eval { - my $a = $s->get_value("Application")->get_data(); - ::rptMsg(" Application : ".$a); - }; - - eval { - my @t = unpack("VV",$s->get_value("TimeStamp")->get_data()); - my $ts = ::getTime($t[0],$t[1]); - ::rptMsg(" TimeStamp : ".gmtime($ts)." (UTC)"); - }; - - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." 
has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/urlzone.pl b/RecentActivity/release/rr/plugins/urlzone.pl deleted file mode 100644 index f48e82411f..0000000000 --- a/RecentActivity/release/rr/plugins/urlzone.pl +++ /dev/null 
@@ -1,96 +0,0 @@ -#----------------------------------------------------------- -# /root/bin/plugins/urlzone.pl -# Plugin to detect URLZONE infection -# -# copyright 2009 Stefan Kelm (skelm@bfk.de) -#----------------------------------------------------------- -package urlzone; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090526); - -sub getConfig{return %config} - -sub getShortDescr {return "URLZONE detection";} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { -my $class = shift; -my $hive = shift; -::logMsg("Launching urlzone v.".$VERSION); -my $reg = Parse::Win32Registry->new($hive); -my $root_key = $reg->get_root_key; - -my $key_path = "Microsoft\\Windows\\CurrentVersion\\Internet Settings\\urlzone"; -my $key; -if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - ::rptMsg($key_path."\\".$s->get_name()); - ::rptMsg("LastWrite Time = ".gmtime($s->get_timestamp())." (UTC)"); - eval { - my @vals = $s->get_list_of_values(); - if (scalar(@vals) > 0) { - my %sns; - foreach my $v (@vals) { - $sns{$v->get_name()} = $v->get_data(); - } - foreach my $i (keys %sns) { - ::rptMsg("\t\t".$i." = ".$sns{$i}); - } - } - else { -# No values - } - }; - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); -# ::logMsg($key_path." not found."); - } - - my $key_path2 = "Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\userinit.exe"; - my $key2; - if ($key2 = $root_key->get_subkey($key_path2)) { - ::rptMsg($key_path2); - ::rptMsg("LastWrite Time ".gmtime($key2->get_timestamp())." 
(UTC)"); - ::rptMsg(""); - my $dbg; - eval { - $dbg = $key2->get_value("Debugger")->get_data(); - }; - if ($@) { - ::rptMsg("Debugger value not found."); - } - else { - ::rptMsg("Debugger = ".$dbg); - } - ::rptMsg(""); - } - else { - ::rptMsg($key_path2." not found."); -# ::logMsg($key_path2." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/usbstor.pl b/RecentActivity/release/rr/plugins/usbstor.pl deleted file mode 100644 index e0223805a4..0000000000 --- a/RecentActivity/release/rr/plugins/usbstor.pl +++ /dev/null 
@@ -1,91 +0,0 @@ -#----------------------------------------------------------- -# usbstor -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package usbstor; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20080418); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get USBStor key info"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching usbstor v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $ccs; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - } - else { - ::rptMsg($key_path." not found."); - return; - } - - my $key_path = $ccs."\\Enum\\USBStor"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("USBStor"); - ::rptMsg($key_path); - ::rptMsg(""); - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - ::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())."]"); - - my @sk = $s->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $k (@sk) { - my $serial = $k->get_name(); - ::rptMsg(" S/N: ".$serial." [".gmtime($k->get_timestamp())."]"); - my $friendly; - eval { - $friendly = $k->get_value("FriendlyName")->get_data(); - }; - ::rptMsg(" FriendlyName : ".$friendly) if ($friendly ne ""); - my $parent; - eval { - $parent = $k->get_value("ParentIdPrefix")->get_data(); - }; - ::rptMsg(" ParentIdPrefix: ".$parent) if ($parent ne ""); - } - } - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." 
has no subkeys."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/usbstor2.pl b/RecentActivity/release/rr/plugins/usbstor2.pl deleted file mode 100644 index b62283bb1c..0000000000 --- a/RecentActivity/release/rr/plugins/usbstor2.pl +++ /dev/null 
@@ -1,134 +0,0 @@ -#----------------------------------------------------------- -# usbstor2 -# Similar to usbstor plugin, but prints output in .csv format; -# also checks MountedDevices keys -# -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package usbstor2; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20080825); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get USBStor key info; csv output"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); -my $reg; - -sub pluginmain { - my $class = shift; - my $hive = shift; - $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $ccs; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - } - else { - ::rptMsg($key_path." 
not found."); - return; - } - - my $name_path = $ccs."\\Control\\ComputerName\\ComputerName"; - my $comp_name; - eval { - $comp_name = $root_key->get_subkey($name_path)->get_value("ComputerName")->get_data(); - }; - $comp_name = "Test" if ($@); - - my $key_path = $ccs."\\Enum\\USBStor"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - my $dev_class = $s->get_name(); - my @sk = $s->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $k (@sk) { - my $serial = $k->get_name(); - my $sn_lw = $k->get_timestamp(); - my $str = $comp_name.",".$dev_class.",".$serial.",".$sn_lw; - - my $friendly; - eval { - $friendly = $k->get_value("FriendlyName")->get_data(); - $str .= ",".$friendly; - }; - $str .= ", " if ($@); - - my $parent; - eval { - $parent = $k->get_value("ParentIdPrefix")->get_data(); - $str .= ",".$parent; - - my $dev = checkMountedDevices($parent); - $str .= ",".$dev if ($dev); - - }; - - - ::rptMsg($str); - } - } - } - } - else { - ::rptMsg($key_path." has no subkeys."); - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} - -sub checkMountedDevices { - my $pip = shift; - my $root_key = $reg->get_root_key; - my $key_path = 'MountedDevices'; - my $key; - my %md; - if ($key = $root_key->get_subkey($key_path)) { - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $name = $v->get_name(); - next unless ($name =~ m/^\\DosDevices/); - my $data = $v->get_data(); - if (length($data) > 12) { - $data =~ s/\00//g; - return $name if (grep(/$pip/,$data)); - } - } - } - } - else { - return undef; - } - return undef; -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/usbstor3.pl b/RecentActivity/release/rr/plugins/usbstor3.pl deleted file mode 100644 index 5215454818..0000000000 
--- a/RecentActivity/release/rr/plugins/usbstor3.pl
+++ /dev/null
@@ -1,103 +0,0 @@ -#----------------------------------------------------------- -# usbstor3 -# Collects USBStor information, output in .csv -# -# History -# 20100312 - created -# -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package usbstor3; -use strict; - -my %config = (hive => "System", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20100312); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get USBStor key info"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching usbstor3 v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - -# Code for System file, getting CurrentControlSet - my $current; - my $ccs; - my $key_path = 'Select'; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - $current = $key->get_value("Current")->get_data(); - $ccs = "ControlSet00".$current; - } - else { - ::rptMsg($key_path." not found."); - return; - } - - my $key_path = $ccs."\\Enum\\USBStor"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { -# ::rptMsg("USBStor"); -# ::rptMsg($key_path); -# ::rptMsg(""); - - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { -# ::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())."]"); - my $name1 = $s->get_name(); - my $time1 = gmtime($s->get_timestamp()); - - my @sk = $s->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $k (@sk) { - my $serial = $k->get_name(); -# ::rptMsg(" S/N: ".$serial." 
[".gmtime($k->get_timestamp())."]"); - my $str = $name1.",".$time1.",".$serial.",".gmtime($k->get_timestamp()); - - my $friendly; - eval { - $friendly = $k->get_value("FriendlyName")->get_data(); - $str .= ",".$friendly; - }; - $str .= "," if ($@); -# ::rptMsg(" FriendlyName : ".$friendly) if ($friendly ne ""); - my $parent; - eval { - $parent = $k->get_value("ParentIdPrefix")->get_data(); - $str .= ",".$parent; - }; - $str .= "," if ($@); -# ::rptMsg(" ParentIdPrefix: ".$parent) if ($parent ne ""); - ::rptMsg($str); - } - } -# ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/user_run.pl b/RecentActivity/release/rr/plugins/user_run.pl deleted file mode 100644 index f982cfde9a..0000000000 --- a/RecentActivity/release/rr/plugins/user_run.pl +++ /dev/null 
@@ -1,102 +0,0 @@ -#----------------------------------------------------------- -# user_run -# Get contents of Run key from Software hive -# -# References: -# http://msdn2.microsoft.com/en-us/library/aa376977.aspx -# http://support.microsoft.com/kb/170086 -# -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package user_run; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 1, - version => 20080328); - -sub getConfig{return %config} - -sub getShortDescr { - return "Autostart - get Run key contents from NTUSER\.DAT hive"; -} -sub getDescr{} -sub getRefs { - my %refs = ("Definition of the Run keys in the WinXP Registry" => - "http://support.microsoft.com/kb/314866"); - return %refs; -} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching user_run v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Run"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - - my %vals = getKeyValues($key); - if (scalar(keys %vals) > 0) { - foreach my $v (keys %vals) { - ::rptMsg("\t".$v." -> ".$vals{$v}); - } - } - else { - ::rptMsg($key_path." has no values."); - } - - my @sk = $key->get_list_of_subkeys(); - if (scalar(@sk) > 0) { - foreach my $s (@sk) { - ::rptMsg(""); - ::rptMsg($key_path."\\".$s->get_name()); - ::rptMsg("LastWrite Time ".gmtime($s->get_timestamp())." (UTC)"); - my %vals = getKeyValues($s); - foreach my $v (keys %vals) { - ::rptMsg("\t".$v." -> ".$vals{$v}); - } - } - } - else { - ::rptMsg(""); - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." 
not found."); - ::logMsg($key_path." not found."); - } - -} - -sub getKeyValues { - my $key = shift; - my %vals; - - my @vk = $key->get_list_of_values(); - if (scalar(@vk) > 0) { - foreach my $v (@vk) { - next if ($v->get_name() eq "" && $v->get_data() eq ""); - $vals{$v->get_name()} = $v->get_data(); - } - } - else { - - } - return %vals; -} - -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/user_win.pl b/RecentActivity/release/rr/plugins/user_win.pl deleted file mode 100644 index 107c71d4be..0000000000 --- a/RecentActivity/release/rr/plugins/user_win.pl +++ /dev/null 
@@ -1,60 +0,0 @@ -#----------------------------------------------------------- -# user_win.pl -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package user_win; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20080415); - -sub getConfig{return %config} - -sub getShortDescr { - return " -- "; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching user_win v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - eval { - my $load = $key->get_value("load")->get_data(); - ::rptMsg("load value = ".$load); - ::rptMsg("*Should be blank; anything listed gets run when the user logs in."); - }; - - eval { - my $run = $key->get_value("run")->get_data(); - ::rptMsg("run value = ".$run); - ::rptMsg("*Should be blank; anything listed gets run when the user logs in."); - }; - - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/userassist.pl b/RecentActivity/release/rr/plugins/userassist.pl deleted file mode 100644 index d523444e85..0000000000 --- a/RecentActivity/release/rr/plugins/userassist.pl +++ /dev/null 
@@ -1,86 +0,0 @@ -#! c:\perl\bin\perl.exe -#----------------------------------------------------------- -# userassist.pl -# Plugin for Registry Ripper, NTUSER.DAT edition - gets the -# UserAssist values -# -# Change history -# 20080726 - added reference to help examiner understand Control -# Panel entries found in output -# 20080301 - updated to include run count along with date -# -# -# -# copyright 2008 H. Carvey -#----------------------------------------------------------- -package userassist; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 1, - osmask => 22, - version => 20080726); - -sub getConfig{return %config} -sub getShortDescr { - return "Displays contents of UserAssist Active Desktop key"; -} -sub getDescr{} -sub getRefs {"Description of Control Panel Files in XP" => "http://support.microsoft.com/kb/313808"} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching UserAssist (Active Desktop) v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\'. - '{75048700-EF1F-11D0-9888-006097DEACF9}\\Count'; - my $key; - my %ua; - my $hrzr = "HRZR"; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("UserAssist (Active Desktop)"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $value_name = $v->get_name(); - my $data = $v->get_data(); - if (length($data) == 16) { - my ($session,$count,$val1,$val2) = unpack("V*",$data); - if ($val2 != 0) { - my $time_value = ::getTime($val1,$val2); - if ($value_name =~ m/^$hrzr/) { - $value_name =~ tr/N-ZA-Mn-za-m/A-Za-z/; - } - $count -= 5 if ($count > 5); - push(@{$ua{$time_value}},$value_name." (".$count.")"); - } - } - } - foreach my $t (reverse sort {$a <=> $b} keys %ua) { - ::rptMsg(gmtime($t)." (UTC)"); - foreach my $item (@{$ua{$t}}) { - ::rptMsg("\t$item"); - } - } - } - else { - ::rptMsg($key_path." has no values."); - ::logMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/userassist2.pl b/RecentActivity/release/rr/plugins/userassist2.pl deleted file mode 100644 index 010b9899db..0000000000 --- a/RecentActivity/release/rr/plugins/userassist2.pl +++ /dev/null 
@@ -1,125 +0,0 @@ -#! c:\perl\bin\perl.exe -#----------------------------------------------------------- -# userassist2.pl -# Plugin for Registry Ripper, NTUSER.DAT edition - gets the -# UserAssist values -# -# Change history -# 20100322 - Added CLSID list reference -# 20100308 - created, based on original userassist.pl plugin -# -# References -# Control Panel Applets - http://support.microsoft.com/kb/313808 -# CLSIDs - http://www.autohotkey.com/docs/misc/CLSID-List.htm -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package userassist2; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100308); - -sub getConfig{return %config} -sub getShortDescr { - return "Displays contents of UserAssist subkeys"; -} -sub getDescr{} -sub getRefs {"Description of Control Panel Files in XP" => "http://support.microsoft.com/kb/313808"} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching userassist2 v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist"; - my $key; - - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("UserAssist"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - ::rptMsg($s->get_name()); - processKey($s); - ::rptMsg(""); - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} - -sub processKey { - my $ua = shift; - - my $key = $ua->get_subkey("Count"); - - my %ua; - my $hrzr = "HRZR"; - - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $value_name = $v->get_name(); - my $data = $v->get_data(); - -# Windows XP/2003/Vista/2008 - if (length($data) == 16) { - my ($session,$count,$val1,$val2) = unpack("V*",$data); - if ($val2 != 0) { - my $time_value = ::getTime($val1,$val2); - if ($value_name =~ m/^$hrzr/) { - $value_name =~ tr/N-ZA-Mn-za-m/A-Za-z/; - } - $count -= 5 if ($count > 5); - push(@{$ua{$time_value}},$value_name." (".$count.")"); - } - } -# Windows 7 - elsif (length($data) == 72) { - $value_name =~ tr/N-ZA-Mn-za-m/A-Za-z/; -# if (unpack("V",substr($data,0,4)) == 0) { -# my $count = unpack("V",substr($data,4,4)); -# my @t = unpack("VV",substr($data,60,8)); -# next if ($t[0] == 0 && $t[1] == 0); -# my $time_val = ::getTime($t[0],$t[1]); -# print " .-> ".$time_val."\n"; -# push(@{$ua{$time_val}},$value_name." (".$count.")"); -# } - my $count = unpack("V",substr($data,4,4)); - my @t = unpack("VV",substr($data,60,8)); - next if ($t[0] == 0 && $t[1] == 0); - my $time_val = ::getTime($t[0],$t[1]); - push(@{$ua{$time_val}},$value_name." (".$count.")"); - } - else { -# Nothing else to do - } - } - foreach my $t (reverse sort {$a <=> $b} keys %ua) { - ::rptMsg(gmtime($t)." Z"); - foreach my $i (@{$ua{$t}}) { - ::rptMsg(" ".$i); - } - } - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/userassist_tln.pl b/RecentActivity/release/rr/plugins/userassist_tln.pl deleted file mode 100644 index ea87cb3787..0000000000 --- a/RecentActivity/release/rr/plugins/userassist_tln.pl +++ /dev/null 
@@ -1,114 +0,0 @@ -#! c:\perl\bin\perl.exe -#----------------------------------------------------------- -# userassist_tln.pl -# Plugin for Registry Ripper, NTUSER.DAT edition - gets the -# UserAssist values -# -# Change history -# 20110516 - created, modified from userassist2.pl -# 20100322 - Added CLSID list reference -# 20100308 - created, based on original userassist.pl plugin -# -# References -# Control Panel Applets - http://support.microsoft.com/kb/313808 -# CLSIDs - http://www.autohotkey.com/docs/misc/CLSID-List.htm -# -# copyright 2011 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package userassist_tln; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20110516); - -sub getConfig{return %config} -sub getShortDescr { - return "Displays contents of UserAssist subkeys in TLN format"; -} -sub getDescr{} -sub getRefs {"Description of Control Panel Files in XP" => "http://support.microsoft.com/kb/313808"} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching userassist_tln v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist"; - my $key; - - if ($key = $root_key->get_subkey($key_path)) { -# ::rptMsg("UserAssist"); -# ::rptMsg($key_path); -# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); -# ::rptMsg(""); - my @subkeys = $key->get_list_of_subkeys(); - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - ::rptMsg($s->get_name()); - processKey($s); - ::rptMsg(""); - } - } - else { - ::logMsg($key_path." has no subkeys."); - } - } - else { - ::logMsg($key_path." 
not found."); - } -} - -sub processKey { - my $ua = shift; - my $key = $ua->get_subkey("Count"); - my %ua; - my $hrzr = "HRZR"; - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $value_name = $v->get_name(); - my $data = $v->get_data(); - -# Windows XP/2003/Vista/2008 - if (length($data) == 16) { - my ($session,$count,$val1,$val2) = unpack("V*",$data); - if ($val2 != 0) { - my $time_value = ::getTime($val1,$val2); - if ($value_name =~ m/^$hrzr/) { - $value_name =~ tr/N-ZA-Mn-za-m/A-Za-z/; - } - $count -= 5 if ($count > 5); - push(@{$ua{$time_value}},$value_name." (".$count.")"); - } - } -# Windows 7 - elsif (length($data) == 72) { - $value_name =~ tr/N-ZA-Mn-za-m/A-Za-z/; - my $count = unpack("V",substr($data,4,4)); - my @t = unpack("VV",substr($data,60,8)); - next if ($t[0] == 0 && $t[1] == 0); - my $time_val = ::getTime($t[0],$t[1]); - push(@{$ua{$time_val}},$value_name." (".$count.")"); - } - else { -# Nothing else to do - } - } - foreach my $t (reverse sort {$a <=> $b} keys %ua) { - foreach my $i (@{$ua{$t}}) { - ::rptMsg($t."|REG|||UserAssist - ".$i); - } - } - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/userinit.pl b/RecentActivity/release/rr/plugins/userinit.pl deleted file mode 100644 index b6664b8626..0000000000 --- a/RecentActivity/release/rr/plugins/userinit.pl +++ /dev/null 
@@ -1,63 +0,0 @@
-#-----------------------------------------------------------
-# userinit
-#
-# copyright 2008 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package userinit;
-use strict;
-
-my %config = (hive => "Software",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 1,
- version => 20080328);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Gets UserInit value";
-}
-sub getDescr{}
-sub getRefs {
- my %refs = ("My Documents open at startup" =>
- "http://support.microsoft.com/kb/555294",
- "Userinit" =>
- "http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/12330.mspx?mfr=true");
- return %refs;
-}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching userinit v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
- my $ui;
- eval {
- $ui = $key->get_value("Userinit")->get_data();
- ::rptMsg("\tUserinit -> ".$ui);
- };
- ::rptMsg("Error: ".$@) if ($@);
- ::rptMsg("");
- ::rptMsg("Per references, content should be %SystemDrive%\\system32\\userinit.exe,");
- ::rptMsg("");
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/userlocsvc.pl b/RecentActivity/release/rr/plugins/userlocsvc.pl
deleted file mode 100644
index 3974a036e1..0000000000
--- a/RecentActivity/release/rr/plugins/userlocsvc.pl
+++ /dev/null
@@ -1,62 +0,0 @@
-#! c:\perl\bin\perl.exe
-#-----------------------------------------------------------
-# userlocsvc.pl
-# Get the contents of the Microsoft\User Location Service\Clients key
-# from the user's hive
-#
-# Ref:
-# http://support.microsoft.com/kb/196301
-#
-# copyright 2009 H. Carvey
-#-----------------------------------------------------------
-package userlocsvc;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20090411);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Displays contents of User Location Service\\Client key";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $ntuser = shift;
- ::logMsg("Launching UserLocSvc v.".$VERSION);
- my $reg = Parse::Win32Registry->new($ntuser);
- my $root_key = $reg->get_root_key;
- my $key_path = 'Software\\Microsoft\\User Location Service\\Client';
- my $key;
- my %ua;
- my $hrzr = "HRZR";
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- foreach my $v (@vals) {
- my $str = sprintf "%-15s %-30s",$v->get_name(),$v->get_data();
- ::rptMsg($str) if ($v->get_type() == 1);
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/virut.pl b/RecentActivity/release/rr/plugins/virut.pl
deleted file mode 100644
index eed5fc2a60..0000000000
--- a/RecentActivity/release/rr/plugins/virut.pl
+++ /dev/null
@@ -1,66 +0,0 @@
-#-----------------------------------------------------------
-# virut.pl
-# Plugin to detect artifacts of a Virut infection
-#
-# References:
-# Symantec: http://www.symantec.com/security_response/
-# writeup.jsp?docid=2009-020411-2802-99&tabid=2
-#
-#
-#
-#
-# copyright 2009 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package virut;
-use strict;
-
-my %config = (hive => "Software",
- osmask => 22,
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- version => 20090218);
-
-sub getConfig{return %config}
-
-sub getShortDescr {
- return "Detect Virut artifacts";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching virut v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
-
- my $key_path = "Microsoft\\Windows\\CurrentVersion\\Explorer";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
- ::rptMsg("");
-
- my $update;
- eval {
- $update = $key->get_value("UpdateHost")->get_data();
- ::rptMsg("UpdateHost value detected! Possible Virut infection!");
- };
- ::rptMsg("UpdateHost value not found.") if ($@);
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
- ::rptMsg("");
- ::rptMsg("Also be sure to check the SYSTEM\\ControlSet00n\\Services\\SharedAccess\\");
- ::rptMsg("Parameters\\FirewallPolicy\\DomainProfile\\AuthorizedApplications\\List key");
- ::rptMsg("for exceptions added to the firewall; use the fw_config\.pl plugin.");
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/vista_bitbucket.pl b/RecentActivity/release/rr/plugins/vista_bitbucket.pl
deleted file mode 100644
index 6fa27c55a5..0000000000
--- a/RecentActivity/release/rr/plugins/vista_bitbucket.pl
+++ /dev/null
@@ -1,88 +0,0 @@ -#----------------------------------------------------------- -# vista_bitbucket -# BitBucket settings for Vista $Recylce.bin are maintained on a -# per-user, per-volume basis -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package vista_bitbucket; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 192, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20080420); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get BitBucket settings from Vista via NTUSER\.DAT"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching vista_bitbucket v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\BitBucket"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - ::rptMsg($v->get_name()." : ".$v->get_data()); - } - - } - else { - ::rptMsg($key_path." has no values."); - } - ::rptMsg(""); - - my @vols; - eval { - @vols = $key->get_subkey("Volume")->get_list_of_subkeys(); - }; - if ($@) { - ::rptMsg("Could not access ".$key_path."\\Volume subkey."); - return; - } - - if (scalar(@vols) > 0) { - foreach my $v (@vols) { - ::rptMsg($v->get_name()." [".gmtime($v->get_timestamp())."] (UTC)"); - eval { - ::rptMsg(sprintf " %-15s %-3s","NukeOnDelete",$v->get_value("NukeOnDelete")->get_data()); - }; - - - } - - } - else { - ::rptMsg($key_path."\\Volume key has no subkeys."); - } - - - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } - -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/vista_comdlg32.pl b/RecentActivity/release/rr/plugins/vista_comdlg32.pl deleted file mode 100644 index d20b8fb89d..0000000000 --- a/RecentActivity/release/rr/plugins/vista_comdlg32.pl +++ /dev/null 
@@ -1,145 +0,0 @@ -#----------------------------------------------------------- -# vista_comdlg32.pl -# Plugin for Registry Ripper -# -# Change history -# 20090821 - created -# -# References -# -# -# -# copyright 2009 H. Carvey -#----------------------------------------------------------- -package vista_comdlg32; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20090821); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of Vista user's ComDlg32 key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching vista_comdlg32 v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - ::rptMsg("vista_comdlg32 v.".$VERSION); - ::rptMsg("**All values listed in MRU order."); - -# CIDSizeMRU - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\CIDSizeMRU"; - my $key; - my @vals; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg(""); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - - my %lvmru; - my @mrulist; - @vals = $key->get_list_of_values(); - - if (scalar(@vals) > 0) { -# First, read in all of the values and the data - foreach my $v (@vals) { - $lvmru{$v->get_name()} = $v->get_data(); - } -# Then, remove the MRUList value - if (exists $lvmru{MRUListEx}) { - delete($lvmru{MRUListEx}); - foreach my $m (keys %lvmru) { - my $file = parseStr($lvmru{$m}); - my $str = sprintf "%-4s ".$file,$m; - ::rptMsg(" ".$str); - } - } - else { - ::rptMsg($key_path." does not have an MRUList value."); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } - ::rptMsg(""); - -# LastVistedPidlMRU - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\LastVisitedPidlMRU"; - my $key; - my @vals; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - - my %lvmru; - my @mrulist; - @vals = $key->get_list_of_values(); - - if (scalar(@vals) > 0) { -# First, read in all of the values and the data - foreach my $v (@vals) { - $lvmru{$v->get_name()} = $v->get_data(); - } -# Then, remove the MRUList value - if (exists $lvmru{MRUListEx}) { - delete($lvmru{MRUListEx}); - foreach my $m (keys %lvmru) { - my $file = parseStr($lvmru{$m}); - my $str = sprintf "%-4s ".$file,$m; - ::rptMsg(" ".$str); - } - } - else { - ::rptMsg($key_path." does not have an MRUList value."); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - } - ::rptMsg(""); - - -} - -sub parseStr { - my $data = $_[0]; - my $temp; - my $tag = 1; - my $ofs = 0; - - while ($tag) { - my $t = substr($data,$ofs,2); - if (unpack("v",$t) == 0x00) { - $tag = 0; - } - else { - $temp .= $t; - $ofs += 2; - } - } - $temp =~ s/\00//g; - return $temp; -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/vista_wireless.pl b/RecentActivity/release/rr/plugins/vista_wireless.pl deleted file mode 100644 index f6b74bcf7a..0000000000 --- a/RecentActivity/release/rr/plugins/vista_wireless.pl +++ /dev/null 
@@ -1,80 +0,0 @@
-#-----------------------------------------------------------
-# vista_wireless
-#
-# Get Wireless info from Vista systems
-#
-# copyright 2009 H. Carvey, keydet89@yahoo.com
-#-----------------------------------------------------------
-package vista_wireless;
-use strict;
-
-my %config = (hive => "Software",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20090514);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Get Vista Wireless Info";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-my $error;
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching vista_wireless v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
- my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\NetworkList\\Profiles";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg($key_path);
- ::rptMsg("");
- my @subkeys = $key->get_list_of_subkeys();
- if (scalar(@subkeys) > 0) {
- foreach my $s (@subkeys) {
- my $name = $s->get_name();
- my $lastwrite = $s->get_timestamp();
-
- my $nametype;
- eval {
- $nametype = $s->get_value("NameType")->get_data();
- };
- if ($@) {
-
- }
- else {
- if ($nametype == 0x47) {
- my $profilename;
- my $descr;
- eval {
- ::rptMsg("LastWrite = ".gmtime($lastwrite)." Z");
- $profilename = $s->get_value("ProfileName")->get_data();
- $descr = $s->get_value("Description")->get_data();
- ::rptMsg(" ".$profilename." [".$descr."]");
-
- };
- }
- }
-
-
- }
- }
- else {
- ::rptMsg($key_path." has no subkeys.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- }
-}
-
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/vncviewer.pl b/RecentActivity/release/rr/plugins/vncviewer.pl
deleted file mode 100644
index 82049c93bd..0000000000
--- a/RecentActivity/release/rr/plugins/vncviewer.pl
+++ /dev/null
@@ -1,68 +0,0 @@
-#-----------------------------------------------------------
-# vncviewer
-#
-#
-#-----------------------------------------------------------
-package vncviewer;
-use strict;
-
-my %config = (hive => "NTUSER\.DAT",
- hasShortDescr => 1,
- hasDescr => 0,
- hasRefs => 0,
- osmask => 22,
- version => 20080325);
-
-sub getConfig{return %config}
-sub getShortDescr {
- return "Get VNCViewer system list";
-}
-sub getDescr{}
-sub getRefs {}
-sub getHive {return $config{hive};}
-sub getVersion {return $config{version};}
-
-my $VERSION = getVersion();
-
-sub pluginmain {
- my $class = shift;
- my $hive = shift;
- ::logMsg("Launching vncviewer v.".$VERSION);
- my $reg = Parse::Win32Registry->new($hive);
- my $root_key = $reg->get_root_key;
- my $key_path = "Software\\ORL\\VNCviewer\\MRU";
- my $key;
- if ($key = $root_key->get_subkey($key_path)) {
- ::rptMsg("VNCViewer\\MRU");
- ::rptMsg($key_path);
- ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
-
- my @vals = $key->get_list_of_values();
- if (scalar(@vals) > 0) {
- my %vnc;
- foreach my $v (@vals) {
- $vnc{$v->get_name()} = $v->get_data();
- }
- my $ind;
- if (exists $vnc{'index'}) {
- $ind = $vnc{'index'};
- delete $vnc{'index'};
- }
-
- ::rptMsg("Index = ".$ind);
- my @i = split(//,$ind);
- foreach my $i (@i) {
- ::rptMsg(" ".$i." -> ".$vnc{$i});
- }
- }
- else {
- ::rptMsg($key_path." has no values.");
- ::logMsg($key_path." has no values.");
- }
- }
- else {
- ::rptMsg($key_path." not found.");
- ::logMsg($key_path." not found.");
- }
-}
-1;
\ No newline at end of file
diff --git a/RecentActivity/release/rr/plugins/wallpaper.pl b/RecentActivity/release/rr/plugins/wallpaper.pl
deleted file mode 100644
index 2d930cb0b1..0000000000
--- a/RecentActivity/release/rr/plugins/wallpaper.pl
+++ /dev/null
@@ -1,90 +0,0 @@ -#----------------------------------------------------------- -# wallpaper.pl -# -# Wallpaper MRU -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package wallpaper; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 200800810); - -sub getConfig{return %config} - -sub getShortDescr { - return "Parses Wallpaper MRU Entries"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching wallpaper v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Wallpaper\\MRU"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("wallpaper"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my %wp; - my @mrulist; - - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (sort @vals) { - my $name = $v->get_name(); - if ($name =~ m/^\d/) { - my $data = $v->get_data(); - my $str = getStringValue($data); - $wp{$name} = $str; - } - elsif ($name =~ m/^MRUList/) { - @mrulist = unpack("V*",$v->get_data()); - } - else { -# nothing to do - } - } - foreach my $m (@mrulist) { - next if ($m == 0xffffffff); - ::rptMsg($m." -> ".$wp{$m}); - } - } - else { - ::rptMsg($key_path." has no values"); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } -} - -#----------------------------------------------------------- -# getStringValue() - given a binary data type w/ a Unicode -# string at the beginning, delimited by \x00\x00, return an ASCII -# string -#----------------------------------------------------------- -sub getStringValue { - my $bin = shift; - my $str = (split(/\00\00/,$bin,2))[0]; - $str =~ s/\00//g; - return $str; -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/win7_ua.pl b/RecentActivity/release/rr/plugins/win7_ua.pl deleted file mode 100644 index be2ea1afa8..0000000000 --- a/RecentActivity/release/rr/plugins/win7_ua.pl +++ /dev/null 
@@ -1,140 +0,0 @@ -#----------------------------------------------------------- -# win7_ua.pl -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package win7_ua; -use strict; -my $vignerekey = "BWHQNKTEZYFSLMRGXADUJOPIVC"; -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20090121); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get Win7 UserAssist data"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching win7_ua v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - - my @subkeys = $key->get_list_of_subkeys(); - - if (scalar(@subkeys) > 0) { - foreach my $s (@subkeys) { - print $s->get_name()."\n"; - - my @vals = $s->get_subkey("Count")->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $name = decrypt_string($v->get_name(),$vignerekey); - my $data = $v->get_data(); - ::rptMsg(" ".$name); - if (length($data) == 72) { - my %vals = parseData($data); - ::rptMsg(" Counter 1 = ".$vals{counter1}); - ::rptMsg(" Counter 2 = ".$vals{counter2}); - ::rptMsg(" Runtime = ".$vals{runtime}." ms"); - ::rptMsg(" Last Run = ".$vals{lastrun}); - ::rptMsg(" MRU = ".$vals{mru}); - } - } - - } - else { - ::rptMsg($key_path."\\".$s->get_name()." has no values."); - } - } - } - else { - ::rptMsg($key_path." has no subkeys."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} -1; - -sub decrypt_string{ -# decrypts a full string of ciphertext, given the ciphertext and the key. -# returns the plaintext string. - my ($ciphertext, $key) = @_; - my $plaintext; - my @plain; - - $key = $key x (length($ciphertext) / length($key) + 1); - - my @cipherletters = split(//,$ciphertext); - foreach my $i (0..(scalar(@cipherletters) - 1)) { -# print "Cipher letter => ".$cipherletters[$i]."\n"; - if ($cipherletters[$i] =~ m/\w/ && !($cipherletters[$i] =~ m/\d/)) { -# print "Decrypting ".$cipherletters[$i]." with ".(substr($key,$i,1))."\n"; - $plain[$i] = decrypt_letter($cipherletters[$i], (substr($key,$i,1))); - } - else { - $plain[$i] = $cipherletters[$i]; - } - } - -# for( my $i=0; $i= 65 && ord($cipher) <= 90); - -# in row n, plaintext is ciphertext - n, mod 26. - $row = ord(lc($row)) - ord('a'); # enable mod 26 - $cipher = ord(lc($cipher)) - ord('a'); # enable mod 26 - $plain = ($cipher - $row) % 26; - $plain = chr($plain + ord('a')); - - $plain = uc($plain) if ($upper == 1); - return $plain; -} - -sub parseData { - my $data = shift; - my %vals; - - $vals{counter1} = unpack("V",substr($data,4,4)); - $vals{counter2} = unpack("V",substr($data,8,4)); - $vals{runtime} = unpack("V",substr($data,12,4)); - my @a = unpack("VV",substr($data,60,8)); - my $t = ::getTime($a[0],$a[1]); - ($t == 0) ? ($vals{lastrun} = 0) : ($vals{lastrun} = gmtime($t)); - - $vals{mru} = unpack("V",substr($data,68,4)); - return %vals; - -} \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/win_cv.pl b/RecentActivity/release/rr/plugins/win_cv.pl deleted file mode 100644 index 977eeb7920..0000000000 --- a/RecentActivity/release/rr/plugins/win_cv.pl +++ /dev/null 
@@ -1,85 +0,0 @@ -#----------------------------------------------------------- -# win_cv.pl -# Get and display the contents of the Windows\CurrentVersion key -# Output sorted based on length of data -# -# Change History: -# 20080609: added translation of InstallDate time -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package win_cv; -use strict; - -my %config = (hive => "Software", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20090312); - -sub getConfig{return %config} -sub getShortDescr { - return "Get & display the contents of the Windows\\CurrentVersion key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching win_cv v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Microsoft\\Windows\\CurrentVersion"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my %cv; - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $name = $v->get_name(); - my $data = $v->get_data(); - my $len = length($data); - next if ($name eq ""); - if ($v->get_type() == 3) { - $data = _translateBinary($data); - } - push(@{$cv{$len}},$name." : ".$data); - } - foreach my $t (sort {$a <=> $b} keys %cv) { - foreach my $item (@{$cv{$t}}) { - ::rptMsg(" $item"); - } - } - } - else { - ::rptMsg($key_path." has no values."); - ::logMsg($key_path." has no values"); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } -} - - -sub _translateBinary { - my $str = unpack("H*",$_[0]); - my $len = length($str); - my @nstr = split(//,$str,$len); - my @list = (); - foreach (0..($len/2)) { - push(@list,$nstr[$_*2].$nstr[($_*2)+1]); - } - return join(' ',@list); -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/winlogon.pl b/RecentActivity/release/rr/plugins/winlogon.pl deleted file mode 100644 index 6808f3e278..0000000000 --- a/RecentActivity/release/rr/plugins/winlogon.pl +++ /dev/null 
@@ -1,98 +0,0 @@ -#----------------------------------------------------------- -# WinLogon -# Get values from WinLogon key -# -# History -# 20100219 - Updated output to better present some data -# 20080415 - created -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package winlogon; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20100219); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get values from the WinLogon key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching winlogon v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - my %wl; - foreach my $v (@vals) { - my $name = $v->get_name(); - my $data = $v->get_data(); - my $len = length($data); - next if ($name eq ""); - if ($v->get_type() == 3 && $name ne "DCacheUpdate") { - $data = _translateBinary($data); - } - - $data = sprintf "0x%x",$data if ($name eq "SfcQuota"); - if ($name eq "DCacheUpdate") { - my @v = unpack("VV",$data); - $data = gmtime(::getTime($v[0],$v[1])); - } - - push(@{$wl{$len}},$name." = ".$data); - } - - foreach my $t (sort {$a <=> $b} keys %wl) { - foreach my $item (@{$wl{$t}}) { - ::rptMsg(" $item"); - } - } - - ::rptMsg(""); - ::rptMsg("Analysis Tips: The UserInit and Shell values are executed when a user logs on."); - - } - else { - ::rptMsg($key_path." has no values."); - ::logMsg($key_path." 
has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - -} - -sub _translateBinary { - my $str = unpack("H*",$_[0]); - my $len = length($str); - my @nstr = split(//,$str,$len); - my @list = (); - foreach (0..($len/2)) { - push(@list,$nstr[$_*2].$nstr[($_*2)+1]); - } - return join(' ',@list); -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/winlogon_u.pl b/RecentActivity/release/rr/plugins/winlogon_u.pl deleted file mode 100644 index f2355efe83..0000000000 --- a/RecentActivity/release/rr/plugins/winlogon_u.pl +++ /dev/null 
@@ -1,90 +0,0 @@ -#----------------------------------------------------------- -# winlogon_u -# Get values from user's WinLogon key -# -# Change History: -# 20091021 - created -# -# References: -# http://support.microsoft.com/kb/119941 -# -# copyright 2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package winlogon_u; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20091021); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get values from the user's WinLogon key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching winlogon_u v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - my %wl; - foreach my $v (@vals) { - my $name = $v->get_name(); - my $data = $v->get_data(); - my $len = length($data); - next if ($name eq ""); - if ($v->get_type() == 3) { - $data = _translateBinary($data); - } - push(@{$wl{$len}},$name." = ".$data); - } - - foreach my $t (sort {$a <=> $b} keys %wl) { - foreach my $item (@{$wl{$t}}) { - ::rptMsg(" $item"); - } - } - - ::rptMsg(""); - ::rptMsg("Analysis Tip: Existence of RunGrpConv = 1 value may indicate that the"); - ::rptMsg(" system had been infected with Bredolab (Symantec)."); - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." 
not found."); - } -} - -sub _translateBinary { - my $str = unpack("H*",$_[0]); - my $len = length($str); - my @nstr = split(//,$str,$len); - my @list = (); - foreach (0..($len/2)) { - push(@list,$nstr[$_*2].$nstr[($_*2)+1]); - } - return join(' ',@list); -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/winnt_cv.pl b/RecentActivity/release/rr/plugins/winnt_cv.pl deleted file mode 100644 index 537ced5ca8..0000000000 --- a/RecentActivity/release/rr/plugins/winnt_cv.pl +++ /dev/null 
@@ -1,87 +0,0 @@ -#----------------------------------------------------------- -# winnt_cv.pl -# Get and display the contents of the Windows\CurrentVersion key -# Output sorted based on length of data -# -# Change History: -# 20080609: added translation of InstallDate time -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package winnt_cv; -use strict; - -my %config = (hive => "Software", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080609); - -sub getConfig{return %config} -sub getShortDescr { - return "Get & display the contents of the Windows NT\\CurrentVersion key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching winnt_cv v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Microsoft\\Windows NT\\CurrentVersion"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("WinNT_CV"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - my %cv; - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - my $name = $v->get_name(); - my $data = $v->get_data(); - $data = gmtime($data)." (UTC)" if ($name eq "InstallDate"); - my $len = length($data); - next if ($name eq ""); - if ($v->get_type() == 3) { - $data = _translateBinary($data); - } - push(@{$cv{$len}},$name." : ".$data); - } - foreach my $t (sort {$a <=> $b} keys %cv) { - foreach my $item (@{$cv{$t}}) { - ::rptMsg(" $item"); - } - } - } - else { - ::rptMsg($key_path." has no values."); - ::logMsg($key_path." has no values"); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." 
not found."); - } -} - - -sub _translateBinary { - my $str = unpack("H*",$_[0]); - my $len = length($str); - my @nstr = split(//,$str,$len); - my @list = (); - foreach (0..($len/2)) { - push(@list,$nstr[$_*2].$nstr[($_*2)+1]); - } - return join(' ',@list); -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/winrar.pl b/RecentActivity/release/rr/plugins/winrar.pl deleted file mode 100644 index f66f06ff65..0000000000 --- a/RecentActivity/release/rr/plugins/winrar.pl +++ /dev/null @@ -1,66 +0,0 @@ -#----------------------------------------------------------- -# winrar.pl -# Get WinRAR\ArcHistory entries -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package winrar; -use strict; - -my %config = (hive => "NTUSER\.DAT", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20080819); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get WinRAR\\ArcHistory entries"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching winrar v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\WinRAR\\ArcHistory"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("WinRAR"); - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - ::rptMsg(""); - - my %arc; - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - foreach my $v (@vals) { - $arc{$v->get_name()} = $v->get_data(); - } - - foreach (sort keys %arc) { - ::rptMsg($_." -> ".$arc{$_}); - } - - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - -} -1; \ No newline at end of file 
diff --git a/RecentActivity/release/rr/plugins/winver.pl b/RecentActivity/release/rr/plugins/winver.pl deleted file mode 100644 index d59262e596..0000000000 --- a/RecentActivity/release/rr/plugins/winver.pl +++ /dev/null 
@@ -1,107 +0,0 @@ -#----------------------------------------------------------- -# winver.pl -# -# copyright 2008-2009 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package winver; -use strict; - -my %config = (hive => "Software", - osmask => 22, - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - version => 20081210); - -sub getConfig{return %config} - -sub getShortDescr { - return "Get Windows version"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching winver v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - - my $key_path = "Microsoft\\Windows NT\\CurrentVersion"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { -# ::rptMsg("{name}"); -# ::rptMsg($key_path); -# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." 
(UTC)"); - - my $prod; - eval { - $prod = $key->get_value("ProductName")->get_data(); - }; - if ($@) { -# ::rptMsg("ProductName value not found."); - } - else { - ::rptMsg("ProductName = ".$prod); - } - - my $csd; - eval { - $csd = $key->get_value("CSDVersion")->get_data(); - }; - if ($@) { -# ::rptMsg("CSDVersion value not found."); - } - else { - ::rptMsg("CSDVersion = ".$csd); - } - - - my $build; - eval { - $build = $key->get_value("BuildName")->get_data(); - }; - if ($@) { -# ::rptMsg("BuildName value not found."); - } - else { - ::rptMsg("BuildName = ".$build); - } - - my $buildex; - eval { - $buildex = $key->get_value("BuildNameEx")->get_data(); - }; - if ($@) { -# ::rptMsg("BuildName value not found."); - } - else { - ::rptMsg("BuildNameEx = ".$buildex); - } - - - my $install; - eval { - $install = $key->get_value("InstallDate")->get_data(); - }; - if ($@) { -# ::rptMsg("InstallDate value not found."); - } - else { - ::rptMsg("InstallDate = ".gmtime($install)); - } - - - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } - -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/winzip.pl b/RecentActivity/release/rr/plugins/winzip.pl deleted file mode 100644 index 7fa815250b..0000000000 --- a/RecentActivity/release/rr/plugins/winzip.pl +++ /dev/null 
@@ -1,89 +0,0 @@ -#----------------------------------------------------------- -# WinZip -# -# copyright 2008 H. Carvey, keydet89@yahoo.com -#----------------------------------------------------------- -package winzip; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20080325); - -sub getConfig{return %config} -sub getShortDescr { - return "Get WinZip extract and filemenu values"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - ::logMsg("Launching WinZip v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - my $key_path = "Software\\Nico Mak Computing\\WinZip"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg("WinZip"); - ::rptMsg($key_path); - ::rptMsg(""); - my @subkeys = $key->get_list_of_subkeys(); - my %sk; - foreach my $s (@subkeys) { - $sk{$s->get_name()} = $s; - } - - if (exists $sk{'extract'}) { - my $tag = "extract"; - ::rptMsg($key_path."\\extract [".gmtime($sk{'extract'}->get_timestamp)."]"); - my @vals = $sk{'extract'}->get_list_of_values(); - my %ext; - foreach my $v (@vals) { - my $name = $v->get_name(); - my $num = $name; - $num =~ s/^$tag//; - $ext{$num} = $v->get_data(); - } - foreach my $e (sort {$a <=> $b} keys %ext) { - ::rptMsg(" extract".$e." -> ".$ext{$e}); - } - ::rptMsg(""); - } - else { - ::rptMsg("extract key not found."); - } - - if (exists $sk{'filemenu'}) { - my $tag = "filemenu"; - ::rptMsg($key_path."\\filemenu [".gmtime($sk{'extract'}->get_timestamp)."]"); - my @vals = $sk{'filemenu'}->get_list_of_values(); - my %ext; - foreach my $v (@vals) { - my $name = $v->get_name(); - my $num = $name; - $num =~ s/^$tag//; - $ext{$num} = $v->get_data(); - } - foreach my $e (sort {$a <=> $b} keys %ext) { - ::rptMsg(" filemenu".$e." 
-> ".$ext{$e}); - } - } - else { - ::rptMsg("filemenu key not found."); - } - } - else { - ::rptMsg($key_path." not found."); - ::logMsg($key_path." not found."); - } -} -1; \ No newline at end of file diff --git a/RecentActivity/release/rr/plugins/wordwheelquery.pl b/RecentActivity/release/rr/plugins/wordwheelquery.pl deleted file mode 100644 index 10a2eba1cf..0000000000 --- a/RecentActivity/release/rr/plugins/wordwheelquery.pl +++ /dev/null 
@@ -1,79 +0,0 @@ -#----------------------------------------------------------- -# wordwheelquery.pl -# For Windows 7 -# -# Change history -# 20100330 - created -# -# References -# http://www.winhelponline.com/blog/clear-file-search-mru-history-windows-7/ -# -# copyright 2010 Quantum Analytics Research, LLC -#----------------------------------------------------------- -package wordwheelquery; -use strict; - -my %config = (hive => "NTUSER\.DAT", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20100330); - -sub getConfig{return %config} -sub getShortDescr { - return "Gets contents of user's WordWheelQuery key"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $ntuser = shift; - ::logMsg("Launching wordwheelquery v.".$VERSION); - my $reg = Parse::Win32Registry->new($ntuser); - my $root_key = $reg->get_root_key; - - my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WordWheelQuery"; - my $key; - if ($key = $root_key->get_subkey($key_path)) { - ::rptMsg($key_path); - ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)"); - my @vals = $key->get_list_of_values(); - if (scalar(@vals) > 0) { - my @list; - my %wwq; - foreach my $v (@vals) { - my $name = $v->get_name(); - if ($name eq "MRUListEx") { - @list = unpack("V*",$v->get_data()); - pop(@list) if ($list[scalar(@list) - 1] == 0xffffffff); - } - else { - my $data = $v->get_data(); - $data =~ s/\00//g; - $wwq{$name} = $data; - } - } -# list searches in MRUListEx order - ::rptMsg(""); - ::rptMsg("Searches listed in MRUListEx order"); - ::rptMsg(""); - foreach my $l (@list) { - ::rptMsg(sprintf "%-4d %-30s",$l,$wwq{$l}); - } - } - else { - ::rptMsg($key_path." has no values."); - } - } - else { - ::rptMsg($key_path." not found."); - } -} - -1; \ No newline at end of file 
diff --git a/RecentActivity/release/rr/plugins/xpedition.pl b/RecentActivity/release/rr/plugins/xpedition.pl deleted file mode 100644 index f3a5d35914..0000000000 --- a/RecentActivity/release/rr/plugins/xpedition.pl +++ /dev/null @@ -1,60 +0,0 @@ -#----------------------------------------------------------- -# xpedition.pl -# Determine the edition of XP (MediaCenter, TabletPC) -# -# History -# -# References -# http://windowsitpro.com/article/articleid/94531/ -# how-can-a-script-determine-if-windows-xp-tablet-pc-edition-is-installed.html -# http://unasked.com/question/view/id/119610 -# -# copyright 2009 H. Carvey -#----------------------------------------------------------- -package xpedition; -use strict; -my %config = (hive => "System", - hasShortDescr => 1, - hasDescr => 0, - hasRefs => 0, - osmask => 22, - version => 20090727); - -sub getConfig{return %config} -sub getShortDescr { - return "Queries System hive for XP Edition info"; -} -sub getDescr{} -sub getRefs {} -sub getHive {return $config{hive};} -sub getVersion {return $config{version};} - -my $VERSION = getVersion(); - -sub pluginmain { - my $class = shift; - my $hive = shift; - my $key; - my $edition = 0; - - ::logMsg("Launching xpedition v.".$VERSION); - my $reg = Parse::Win32Registry->new($hive); - my $root_key = $reg->get_root_key; - ::rptMsg("xpedition v.".$VERSION); - eval { - $key = $root_key->get_subkey("WPA\\MediaCenter")->get_value("Installed")->get_data(); - if ($key == 1) { - ::rptMsg("MediaCenter Edition"); - $edition = 1; - } - }; - - eval { - $key = $root_key->get_subkey("WPA\\TabletPC")->get_value("Installed")->get_data(); - if ($key == 1) { - ::rptMsg("TabletPC Edition"); - $edition = 1; - } - }; -} -1 \ No newline at end of file diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java index ce51b19478..1f67c326b4 100755 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java 
+++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Chrome.java @@ -35,9 +35,9 @@ public class Chrome { public static final String chquery = "SELECT urls.url, urls.title, urls.visit_count, urls.typed_count, " - + "datetime(urls.last_visit_time/1000000-11644473600,'unixepoch','localtime') as last_visit_time, urls.hidden, visits.visit_time, (SELECT urls.url FROM urls WHERE urls.id=visits.url) as from_visit, visits.transition FROM urls, visits WHERE urls.id = visits.url"; - public static final String chcookiequery = "select name, value, host_key, expires_utc, datetime(last_access_utc/1000000-11644473600,'unixepoch','localtime') as last_access_utc, creation_utc from cookies"; - public static final String chbookmarkquery = "SELECT starred.title, urls.url, starred.date_added, starred.date_modified, urls.typed_count, datetime(urls.last_visit_time/1000000-11644473600,'unixepoch','localtime') as urls._last_visit_time FROM starred INNER JOIN urls ON urls.id = starred.url_id"; + + "last_visit_time, urls.hidden, visits.visit_time, (SELECT urls.url FROM urls WHERE urls.id=visits.url) as from_visit, visits.transition FROM urls, visits WHERE urls.id = visits.url"; + public static final String chcookiequery = "select name, value, host_key, expires_utc,last_access_utc, creation_utc from cookies"; + public static final String chbookmarkquery = "SELECT starred.title, urls.url, starred.date_added, starred.date_modified, urls.typed_count,urls._last_visit_time FROM starred INNER JOIN urls ON urls.id = starred.url_id"; public static final String chdownloadquery = "select full_path, url, start_time, received_bytes from downloads"; public static final String chloginquery = "select origin_url, username_value, signon_realm from logins"; private final Logger logger = Logger.getLogger(this.getClass().getName()); 
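Review bot: `urls._last_visit_time` in the new chbookmarkquery reads as a column reference, but the column the old side converted was `urls.last_visit_time`; the old text used `urls._last_visit_time` only as an alias after `as`, which is why it was harmless before, so unless Chrome's urls table really has a `_last_visit_time` column this query will fail at execution and the line should end `urls.typed_count, urls.last_visit_time FROM starred INNER JOIN urls ON urls.id = starred.url_id`. Dropping `datetime(...)` from chcookiequery also changes what the cookie hunk (@@ -156) consumes: `temprs.getString("last_access_utc")` is stored under TSK_DATETIME "Last Visited" as-is, so unless a conversion happens elsewhere the attribute now holds the raw WebKit-epoch microsecond count rather than a date. The same applies to chquery's `last_visit_time` for any caller that stores it. I'd record the contract on the constants: `// timestamps are returned raw (WebKit epoch, microseconds); callers must convert before storing`.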
@@ -56,9 +56,12 @@ public class Chrome { List FFSqlitedb; Map kvs = new LinkedHashMap(); String allFS = new String(); - for(String img : image) - { - allFS += " AND fs_obj_id = '" + img + "'"; + for(int i = 0; i < image.size(); i++) { + if(i == 0) + allFS += " AND (0"; + allFS += " OR fs_obj_id = '" + image.get(i) + "'"; + if(i == image.size()-1) + allFS += ")"; } ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'History' AND parent_path LIKE '%Chrome%'" + allFS); @@ -85,7 +88,7 @@ public class Chrome { while(temprs.next()) { - + String domain = Util.extractDomain(temprs.getString("url")); BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_HISTORY); Collection bbattributes = new ArrayList(); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(),"RecentActivity","",temprs.getString("url"))); @@ -93,6 +96,7 @@ public class Chrome { bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER.getTypeID(),"RecentActivity","",temprs.getString("from_visit"))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(),"RecentActivity","",((temprs.getString("title") != null) ? temprs.getString("title") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Chrome")); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",domain)); bbart.addAttributes(bbattributes); } 
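Review bot: The `allFS` loop is now copied verbatim into eight hunks (this one, @@ -126, @@ -192, @@ -269 and @@ -336 in Chrome.java, and @@ -91, @@ -150 and @@ -199 in ExtractIE.java), and every copy still splices `image.get(i)` into the SQL text inside quotes; one shared helper that builds the filter once, and lets only a parsed number reach the query string, removes both the duplication and the string-splice. The `(0 OR ...)` prefix works but reads as a trick; joining the terms with `" OR "` says the same thing directly and yields `""` for an empty list exactly as the loop does. If an id is anything other than the numeric `fs_obj_id` value the column name suggests, `Long.parseLong` throws up front, which is preferable to a malformed query. The enclosing method starts outside the hunk.
```java
/** Builds the " AND (fs_obj_id = a OR fs_obj_id = b ...)" filter appended to every tsk_files query; "" for an empty list. */
private static String fsObjIdFilter(List<String> image) {
    if (image.isEmpty()) {
        return "";
    }
    StringBuilder filter = new StringBuilder(" AND (");
    for (int i = 0; i < image.size(); i++) {
        if (i > 0) {
            filter.append(" OR ");
        }
        // parse first so only digits ever become part of the query text
        filter.append("fs_obj_id = ").append(Long.parseLong(image.get(i)));
    }
    return filter.append(")").toString();
}
// … unchanged: each call site becomes tempDb.runQuery("select * from tsk_files where ..." + fsObjIdFilter(image)) …
```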
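Review bot: `Util.extractDomain(temprs.getString("url"))` in the history hunk (@@ -85) hands the column value over without the null guard this file applies to `title` two lines below and to `url` in the download hunk (@@ -298), so a row with a NULL url depends on extractDomain tolerating null; the download hunk has the same gap, whereas the login hunk (@@ -370) shows the guarded form. Consistent would be `String url = temprs.getString("url") != null ? temprs.getString("url") : "";` followed by `String domain = Util.extractDomain(url);`, with `url` then reused for the TSK_URL attribute instead of a second `getString` call. The enclosing method starts outside the hunk.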
@@ -126,9 +130,12 @@ public class Chrome { Case currentCase = Case.getCurrentCase(); // get the most updated case SleuthkitCase tempDb = currentCase.getSleuthkitCase(); String allFS = new String(); - for(String img : image) - { - allFS += " AND fs_obj_id = '" + img + "'"; + for(int i = 0; i < image.size(); i++) { + if(i == 0) + allFS += " AND (0"; + allFS += " OR fs_obj_id = '" + image.get(i) + "'"; + if(i == image.size()-1) + allFS += ")"; } List FFSqlitedb; ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE '%Cookies%' and parent_path LIKE '%Chrome%'" + allFS); @@ -156,11 +163,13 @@ public class Chrome { { BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE); Collection bbattributes = new ArrayList(); + String domain = temprs.getString("host_key"); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", temprs.getString("host_key"))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(),"RecentActivity", "Last Visited",temprs.getString("last_access_utc"))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(),"RecentActivity", "",temprs.getString("value"))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","Title",((temprs.getString("name") != null) ? temprs.getString("name") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Chrome")); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",domain)); bbart.addAttributes(bbattributes); } tempdbconnect.closeConnection(); 
@@ -192,9 +201,12 @@ public class Chrome { Case currentCase = Case.getCurrentCase(); // get the most updated case SleuthkitCase tempDb = currentCase.getSleuthkitCase(); String allFS = new String(); - for(String img : image) - { - allFS += " AND fs_obj_id = '" + img + "'"; + for(int i = 0; i < image.size(); i++) { + if(i == 0) + allFS += " AND (0"; + allFS += " OR fs_obj_id = '" + image.get(i) + "'"; + if(i == image.size()-1) + allFS += ")"; } List FFSqlitedb; ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'Bookmarks' and parent_path LIKE '%Chrome%'" + allFS); @@ -231,13 +243,14 @@ public class Chrome { String url = address.get("url").getAsString(); String name = address.get("name").getAsString(); String date = address.get("date_added").getAsString(); - + String domain = Util.extractDomain(url); BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK); Collection bbattributes = new ArrayList(); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Visited",date)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity","",url)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","",name)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Chrome")); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",domain)); bbart.addAttributes(bbattributes); } 
@@ -269,9 +282,12 @@ public class Chrome { SleuthkitCase tempDb = currentCase.getSleuthkitCase(); List FFSqlitedb; String allFS = new String(); - for(String img : image) - { - allFS += " AND fs_obj_id = '" + img + "'"; + for(int i = 0; i < image.size(); i++) { + if(i == 0) + allFS += " AND (0"; + allFS += " OR fs_obj_id = '" + image.get(i) + "'"; + if(i == image.size()-1) + allFS += ")"; } ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'History' and parent_path LIKE '%Chrome%'" + allFS); FFSqlitedb = tempDb.resultSetToFsContents(rs); @@ -298,11 +314,12 @@ public class Chrome { { BlackboardArtifact bbart = FFSqlitedb.get(j).newArtifact(ARTIFACT_TYPE.TSK_WEB_DOWNLOAD); Collection bbattributes = new ArrayList(); + String domain = Util.extractDomain(temprs.getString("url")); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Visited",temprs.getString("start_time"))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity","",((temprs.getString("url") != null) ? temprs.getString("url") : ""))); //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","", ((temprs.getString("title") != null) ? temprs.getString("title").replaceAll("'", "''") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), "Recent Activity", "", temprs.getString("full_path"))); - + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",domain)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Chrome")); bbart.addAttributes(bbattributes); 
@@ -336,9 +353,12 @@ public class Chrome { Case currentCase = Case.getCurrentCase(); // get the most updated case SleuthkitCase tempDb = currentCase.getSleuthkitCase(); String allFS = new String(); - for(String img : image) - { - allFS += " AND fs_obj_id = '" + img + "'"; + for(int i = 0; i < image.size(); i++) { + if(i == 0) + allFS += " AND (0"; + allFS += " OR fs_obj_id = '" + image.get(i) + "'"; + if(i == image.size()-1) + allFS += ")"; } List FFSqlitedb; ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'signons.sqlite' and parent_path LIKE '%Chrome%'" + allFS); @@ -370,7 +390,7 @@ public class Chrome { bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity","",((temprs.getString("origin_url") != null) ? temprs.getString("origin_url") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USERNAME.getTypeID(), "RecentActivity","", ((temprs.getString("username_value") != null) ? temprs.getString("username_value").replaceAll("'", "''") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(), "Recent Activity", "", temprs.getString("signon_realm"))); - + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",Util.extractDomain(((temprs.getString("origin_url") != null) ? temprs.getString("origin_url") : "")))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Chrome")); bbart.addAttributes(bbattributes); diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java index 4588106de0..b169601203 100755 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractIE.java 
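Review bot: The login hunk (@@ -370) now attaches TSK_DOMAIN twice to the same artifact — the existing line stores `signon_realm`, the new line stores `Util.extractDomain(origin_url)` — so any consumer that looks up a single TSK_DOMAIN per artifact gets whichever it encounters first. If both values are wanted, the new one should carry a distinguishing context string in the third argument rather than `""`; otherwise keep one of them. The two lines also disagree on the module name (`"Recent Activity"` on the existing line, `"RecentActivity"` on the new one, and again `"Recent Activity"` on the TSK_PATH line in @@ -298), which is worth normalising to one constant while touching these. The enclosing method starts outside the hunk.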
@@ -28,6 +28,8 @@ import java.sql.ResultSet; //Util Imports import java.sql.SQLException; +import java.text.ParseException; +import java.text.SimpleDateFormat; import java.util.ArrayList; import java.util.HashMap; import java.util.List; @@ -44,6 +46,7 @@ import org.openide.modules.InstalledFileLocator; import org.openide.util.Exceptions; import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.autopsy.datamodel.ContentUtils; +import org.sleuthkit.autopsy.datamodel.DataConversion; import org.sleuthkit.autopsy.datamodel.KeyValue; import org.sleuthkit.autopsy.ingest.IngestImageWorkerController; import org.sleuthkit.autopsy.ingest.IngestManager; @@ -91,9 +94,12 @@ public class ExtractIE { // implements BrowserActivity { Case currentCase = Case.getCurrentCase(); // get the most updated case SleuthkitCase tempDb = currentCase.getSleuthkitCase(); String allFS = new String(); - for(String img : image) - { - allFS += " AND fs_obj_id = '" + img + "'"; + for(int i = 0; i < image.size(); i++) { + if(i == 0) + allFS += " AND (0"; + allFS += " OR fs_obj_id = '" + image.get(i) + "'"; + if(i == image.size()-1) + allFS += ")"; } List FavoriteList; 
@@ -122,13 +128,14 @@ public class ExtractIE { // implements BrowserActivity { } String name = Favorite.getName(); String datetime = Favorite.getCrtimeAsDate(); - + String domain = Util.extractDomain(url); BlackboardArtifact bbart = Favorite.newArtifact(ARTIFACT_TYPE.TSK_WEB_BOOKMARK); Collection bbattributes = new ArrayList(); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(),"RecentActivity","Last Visited",datetime)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity","",url)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","",name)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Internet Explorer")); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",domain)); bbart.addAttributes(bbattributes); IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK)); @@ -150,9 +157,12 @@ public class ExtractIE { // implements BrowserActivity { Case currentCase = Case.getCurrentCase(); // get the most updated case SleuthkitCase tempDb = currentCase.getSleuthkitCase(); String allFS = new String(); - for(String img : image) - { - allFS += " AND fs_obj_id = '" + img + "'"; + for(int i = 0; i < image.size(); i++) { + if(i == 0) + allFS += " AND (0"; + allFS += " OR fs_obj_id = '" + image.get(i) + "'"; + if(i == image.size()-1) + allFS += ")"; } List CookiesList; 
@@ -172,11 +182,11 @@ public class ExtractIE { // implements BrowserActivity { String cookieString = new String(t); String[] values = cookieString.split("\n"); - String url = values[2]; - String value = values[1]; - String name = values[0]; + String url = values.length > 2 ? values[2] : ""; + String value = values.length > 1 ? values[1] : ""; + String name = values.length > 0 ? values[0] : ""; String datetime = Cookie.getCrtimeAsDate(); - + String domain = Util.extractDomain(url); BlackboardArtifact bbart = Cookie.newArtifact(ARTIFACT_TYPE.TSK_WEB_COOKIE); Collection bbattributes = new ArrayList(); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(), "RecentActivity", "", url)); @@ -184,6 +194,7 @@ public class ExtractIE { // implements BrowserActivity { bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(),"RecentActivity", "",value)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","Title",(name != null) ? name : "")); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Internet Explorer")); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",domain)); bbart.addAttributes(bbattributes); } 
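Review bot: The `values.length` guards stop the ArrayIndexOutOfBoundsException, but a cookie file with fewer than three lines now produces a TSK_WEB_COOKIE artifact whose URL, value or name is silently `""`, and `Util.extractDomain("")` swallows the resulting MalformedURLException and returns `""` too, so a truncated or non-cookie file becomes indistinguishable from a genuine empty cookie in the results; log and skip instead: `if (values.length < 3) { logger.log(Level.WARNING, "Unexpected cookie format in " + Cookie.getName()); continue; }`. With that, the `(name != null) ? name : ""` on the TSK_NAME line is dead, since `name` can no longer be null. The `new String(t)` context line decodes the cookie bytes with the platform charset — worth pinning to a named `Charset`. The enclosing method starts before the hunk.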
@@ -199,6 +210,79 @@ public class ExtractIE { // implements BrowserActivity { logger.log(Level.WARNING, "Error while trying to retrieve files from the TSK .", ioex); } + + //Recent Documents section + // This gets the recent object info + try + { + Case currentCase = Case.getCurrentCase(); // get the most updated case + SleuthkitCase tempDb = currentCase.getSleuthkitCase(); + String allFS = new String(); + for(int i = 0; i < image.size(); i++) { + if(i == 0) + allFS += " AND (0"; + allFS += " OR fs_obj_id = '" + image.get(i) + "'"; + if(i == image.size()-1) + allFS += ")"; + } + List RecentList; + + ResultSet rs = tempDb.runQuery(recentQuery + allFS); + RecentList = tempDb.resultSetToFsContents(rs); + rs.close(); + rs.getStatement().close(); + + for(FsContent Recent : RecentList) + { + if (controller.isCancelled() ) { + break; + } + Content fav = Recent; + + byte[] t = new byte[(int) fav.getSize()]; + + int bytesRead = 0; + if (fav.getSize() > 0) { + bytesRead = fav.read(t, 0, fav.getSize()); // read the data + } + + + // set the data on the bottom and show it + + String recentString = new String(); + + + if (bytesRead > 0) { + recentString = DataConversion.getString(t, bytesRead, 4); + } + + + String path = Util.getPath(recentString); + String name = Util.getFileName(path); + String datetime = Recent.getCrtimeAsDate(); + BlackboardArtifact bbart = Recent.newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT); + Collection bbattributes = new ArrayList(); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(),"RecentActivity","Last Visited",path)); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","",name)); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID(),"RecentActivity","",Util.findID(path))); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(),"RecentActivity","Date Created",datetime)); + bbattributes.add(new 
BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Windows Explorer")); + bbart.addAttributes(bbattributes); + + } + IngestManager.fireServiceDataEvent(new ServiceDataEvent("Recent Activity", BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT)); + + } + catch(TskException ex) + { + logger.log(Level.WARNING, "Error while trying to retrieve content from the TSK .", ex); + } + catch(SQLException ioex) + { + logger.log(Level.WARNING, "Error while trying to retrieve files from the TSK .", ioex); + } + + } //@Override @@ -236,9 +320,12 @@ public class ExtractIE { // implements BrowserActivity { Collection FsContentCollection; tempDb = currentCase.getSleuthkitCase(); String allFS = new String(); - for(String img : image) - { - allFS += " AND fs_obj_id = '" + img + "'"; + for(int i = 0; i < image.size(); i++) { + if(i == 0) + allFS += " AND (0"; + allFS += " OR fs_obj_id = '" + image.get(i) + "'"; + if(i == image.size()-1) + allFS += ")"; } ResultSet rs = tempDb.runQuery(indexDatQueryStr + allFS); FsContentCollection = tempDb.resultSetToFsContents(rs); 
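Review bot: `byte[] t = new byte[(int) fav.getSize()];` in the new Recent Documents loop sizes a heap buffer directly from the size recorded for a file in the evidence image, so a single oversized or corrupt-size entry (above 2 GB the `int` cast goes negative) aborts ingest with an OutOfMemoryError or NegativeArraySizeException instead of a logged skip; a shortcut is tiny, so bound it before allocating: `long size = fav.getSize(); if (size <= 0 || size > MAX_RECENT_OBJECT_BYTES) { logger.log(Level.WARNING, "Skipping recent object of size " + size + ": " + Recent.getName()); continue; }`. Note that `path`, produced by `Util.getPath(recentString)` from those file bytes, is evidence-controlled text from that point on and is later handed to `Util.findID(path)`, which builds SQL from it. `rs.close(); rs.getStatement().close();` also fetches the statement after the result set is closed, the reverse of the order `Util.findID` uses; take the `Statement` first. The method enclosing this try block starts before the hunk.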
@@ -296,18 +383,17 @@ public class ExtractIE { // implements BrowserActivity { boolean success = true; try { - List command = new ArrayList(); + StringBuilder command = new StringBuilder(); - command.add("-cp"); - command.add("\"" + PASCO_LIB_PATH + "\""); - command.add(" isi.pasco2.Main"); - command.add(" -T history"); - command.add("\"" + indexFilePath + "\""); - command.add(" > \"" + PASCO_RESULTS_PATH + "\\pasco2Result." + Integer.toString(fileIndex) + ".txt\""); + command.append(" -cp"); + command.append(" \"" + PASCO_LIB_PATH + "\""); + command.append(" isi.pasco2.Main"); + command.append(" -T history"); + command.append(" \"" + indexFilePath + "\""); + command.append(" > \"" + PASCO_RESULTS_PATH + "\\pasco2Result." + Integer.toString(fileIndex) + ".txt\""); // command.add(" > " + "\"" + PASCO_RESULTS_PATH + File.separator + Long.toString(bbId) + "\""); - String[] cmd = command.toArray(new String[0]); - - JavaSystemCaller.Exec.execute("java", cmd); + String cmd = command.toString(); + JavaSystemCaller.Exec.execute("\"java "+cmd+ "\""); } catch (Exception e) { success = false; @@ -368,6 +454,7 @@ public class ExtractIE { // implements BrowserActivity { String actime = lineBuff[3]; String user = ""; String realurl = ""; + String domain = ""; if(url.length > 1) { user = url[0]; 
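Review bot: Replacing the argument array with one string passed as `JavaSystemCaller.Exec.execute("\"java " + cmd + "\"")`, together with the `> "…pasco2Result.N.txt"` redirection, means the command line is now interpreted by a shell, so `indexFilePath` and `PASCO_RESULTS_PATH` are spliced into shell syntax where a `"`, `&`, `|` or `%` in the path breaks the quoting — and if `indexFilePath` carries a name taken from the image this is command injection from evidence data. Keep the argument-vector form and do the redirection in Java; the Report module builds with `javac.source=1.6` (project.properties in this diff), so if RecentActivity does too, `ProcessBuilder.redirectOutput` (Java 7) is unavailable and stdout has to be pumped by hand, as below. Merging stderr keeps a chatty child from blocking on a full pipe; if Pasco's stderr would corrupt the result file, drain it on a separate thread instead. The enclosing method continues outside the hunk.
```java
ProcessBuilder pb = new ProcessBuilder("java", "-cp", PASCO_LIB_PATH,
        "isi.pasco2.Main", "-T", "history", indexFilePath);
pb.redirectErrorStream(true); // child cannot stall on an undrained stderr pipe
Process proc = pb.start();
File resultFile = new File(PASCO_RESULTS_PATH, "pasco2Result." + fileIndex + ".txt");
FileOutputStream out = new FileOutputStream(resultFile);
try {
    InputStream in = proc.getInputStream();
    byte[] buf = new byte[8192];
    int n;
    while ((n = in.read(buf)) != -1) {
        out.write(buf, 0, n);
    }
} finally {
    out.close();
}
success = proc.waitFor() == 0;
// … unchanged: catch (Exception e) { success = false; … } …
```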
@@ -380,14 +467,20 @@ public class ExtractIE { // implements BrowserActivity { realurl = realurl.replaceAll(":(.*?):", ""); realurl = realurl.replace(":Host:", ""); realurl = realurl.trim(); + domain = Util.extractDomain(realurl); } if(!ddtime.isEmpty()){ ddtime = ddtime.replace("T"," "); ddtime = ddtime.substring(ddtime.length()-5); } if(!actime.isEmpty()){ - actime = actime.replace("T"," "); - actime = actime.substring(0,actime.length()-5); + try{ + Long epochtime = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'").parse(actime).getTime(); + actime = epochtime.toString(); + } + catch(ParseException e){ + logger.log(Level.SEVERE, "ExtractIE::parsePascosResults() -> ", e.getMessage()); + } } // TODO: Need to fix this so we have the right obj_id @@ -402,7 +495,7 @@ public class ExtractIE { // implements BrowserActivity { // bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", "", ddtime)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","Internet Explorer")); - + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",domain)); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_USERNAME.getTypeID(),"RecentActivity","",user)); bbart.addAttributes(bbattributes); diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java index 54ae347a38..03612451e8 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/ExtractRegistry.java 
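Review bot: The new `SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'")` treats the trailing `Z` as a literal and parses in the JVM default time zone, so a Pasco timestamp that is UTC (as the `Z` suffix indicates) is shifted by the analyst machine's offset before it is stored — a silent error in forensic timestamps; set the zone explicitly: `SimpleDateFormat fmt = new SimpleDateFormat("yyyy-MM-dd'T'HH:mm:ss.SSS'Z'"); fmt.setTimeZone(TimeZone.getTimeZone("UTC"));` (needs `java.util.TimeZone`). `getTime()` is milliseconds, not seconds — confirm which unit the consumers of this attribute expect. On `ParseException` the call `logger.log(Level.SEVERE, "...", e.getMessage())` passes the message as the parameter object and drops the stack trace (pass `e`), and `actime` keeps the unparsed string, which then goes into the artifact as if it were an epoch value; set it to `""` or skip the attribute. The enclosing method continues outside the hunk.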
@@ -8,10 +8,8 @@ import java.io.BufferedReader; import java.io.File; import java.io.FileInputStream; import java.io.IOException; -import java.io.InputStream; import java.io.InputStreamReader; import java.io.StringReader; -import java.nio.charset.Charset; import java.sql.ResultSet; import java.sql.SQLException; import java.util.ArrayList; @@ -21,6 +19,7 @@ import java.util.List; import java.util.Scanner; import java.util.logging.Level; import java.util.logging.Logger; +import org.apache.commons.lang3.StringEscapeUtils; import org.jdom.Document; import org.jdom.Element; import org.jdom.input.SAXBuilder; @@ -84,9 +83,12 @@ public void getregistryfiles(List image, IngestImageWorkerController con Case currentCase = Case.getCurrentCase(); // get the most updated case SleuthkitCase tempDb = currentCase.getSleuthkitCase(); String allFS = new String(); - for(String img : image) - { - allFS += " AND fs_obj_id = '" + img + "'"; + for(int i = 0; i < image.size(); i++) { + if(i == 0) + allFS += " AND (0"; + allFS += " OR fs_obj_id = '" + image.get(i) + "'"; + if(i == image.size()-1) + allFS += ")"; } List Regfiles; ResultSet rs = tempDb.runQuery("select * from tsk_files where lower(name) = 'ntuser.dat' OR lower(parent_path) LIKE '%/system32/config%' and (name = 'system' OR name = 'software' OR name = 'SECURITY' OR name = 'SAM' OR name = 'default')" + allFS); @@ -149,7 +151,7 @@ public void getregistryfiles(List image, IngestImageWorkerController con if(regFilePath.toLowerCase().contains("system")) { - type = "1system"; + type = "autopsysystem"; } if(regFilePath.toLowerCase().contains("software")) { 
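Review bot: `allFS` is appended to `... where lower(name) = 'ntuser.dat' OR lower(parent_path) LIKE '%/system32/config%' and (name = ...)`, and because `AND` binds tighter than `OR` the result reads `A OR (B AND C AND fs-filter)` — the file-system restriction applies only to the system32 branch, so every `ntuser.dat` in the case, from any image, still matches. Parenthesize the existing disjunction before appending: `"select * from tsk_files where (lower(name) = 'ntuser.dat' OR (lower(parent_path) LIKE '%/system32/config%' and (name = 'system' OR name = 'software' OR name = 'SECURITY' OR name = 'SAM' OR name = 'default')))" + allFS`. As in the other modules, `image.get(i)` is quoted into the SQL string without numeric validation. The method starts before the hunk.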
@@ -172,8 +174,8 @@ public void getregistryfiles(List image, IngestImageWorkerController con type = "1security"; } - String command = RR_PATH + " -r " + regFilePath +" -f " + type + "> " + txtPath; - JavaSystemCaller.Exec.execute(command); + String command = "\"" + RR_PATH + "\" -r \"" + regFilePath +"\" -f " + type + " > \"" + txtPath + "\" 2> NUL"; + JavaSystemCaller.Exec.execute("\""+command + "\""); } @@ -196,13 +198,17 @@ public void getregistryfiles(List image, IngestImageWorkerController con File regfile = new File(regRecord); FileInputStream fstream = new FileInputStream(regfile); - InputStreamReader fstreamReader = new InputStreamReader(fstream, "UTF-8"); + InputStreamReader fstreamReader = new InputStreamReader(fstream, "UTF-16"); BufferedReader input = new BufferedReader(fstreamReader); //logger.log(Level.INFO, "using encoding " + fstreamReader.getEncoding()); String regString = new Scanner(input).useDelimiter("\\Z").next(); regfile.delete(); - String startdoc = ""; + String startdoc = ""; String result = regString.replaceAll("----------------------------------------",""); + result = result.replaceAll("\\n", ""); + result = result.replaceAll("\\r",""); + result = result.replaceAll("'","'"); + result = result.replaceAll("&", "&"); String enddoc = ""; String stringdoc = startdoc + result + enddoc; SAXBuilder sb = new SAXBuilder(); 
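Review bot: The new `command` is one string run through `JavaSystemCaller.Exec.execute("\"" + command + "\"")`, and the `> "…" 2> NUL` redirections show it is handed to a shell (cmd.exe), so `regFilePath` and `txtPath` are interpolated into shell syntax where a `"`, `&`, `|` or `%` in the path escapes the quoting; if those paths embed names taken from the image this is command injection from evidence data, and even for benign names the nested quoting is fragile. Prefer an argument vector, `new ProcessBuilder(RR_PATH, "-r", regFilePath, "-f", type)`, and write the child's stdout to `txtPath` from Java rather than with `>`. `2> NUL` is Windows-only and discards RegRipper's only error reporting; capture or log stderr instead. The enclosing method continues outside the hunk.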
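Review bot: `new SAXBuilder()` is about to parse `stringdoc`, text assembled from RegRipper's rendering of hives taken from the evidence image, with default settings that leave DOCTYPE processing and external-entity expansion enabled, so a crafted registry value carrying a DOCTYPE can read local files or stall the parser (XXE); harden it right after construction: `sb.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); sb.setFeature("http://xml.org/sax/features/external-general-entities", false); sb.setFeature("http://xml.org/sax/features/external-parameter-entities", false);`. The hand-rolled escaping above runs the `'` replacement before the `&` one; if those are meant to emit `&apos;`/`&amp;` entities the ampersands produced by the first pass are re-escaped by the second — swap the order, or use the `StringEscapeUtils` this change imports but never calls. `new Scanner(input).useDelimiter("\\Z").next()` throws NoSuchElementException on an empty output file and neither the scanner nor `fstream` is closed; wrap them in try/finally. The enclosing method continues outside the hunk.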
@@ -237,18 +243,19 @@ public void getregistryfiles(List image, IngestImageWorkerController con Collection bbattributes = new ArrayList(); if("recentdocs".equals(context)){ - BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", context, time)); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", context, name)); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", context, value)); - bbart.addAttributes(bbattributes); +// BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT); +// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", context, time)); +// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", context, name)); +// bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", context, value)); +// bbart.addAttributes(bbattributes); } - else if("runMRU".equals(context)){ - BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_RECENT_OBJECT); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_LAST_ACCESSED.getTypeID(), "RecentActivity", context, time)); - bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity", context, name)); + else if("usb".equals(context)){ + BlackboardArtifact bbart = tempDb.getContentById(orgId).newArtifact(ARTIFACT_TYPE.TSK_DEVICE_ATTACHED); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME.getTypeID(), "RecentActivity", context, name)); + String dev = artnode.getAttributeValue("dev"); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_MODEL.getTypeID(), "RecentActivity", context, dev)); - 
bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", context, value)); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DEVICE_ID.getTypeID(), "RecentActivity", context, value)); bbart.addAttributes(bbattributes); } else if("uninstall".equals(context)){ @@ -294,7 +301,8 @@ public void getregistryfiles(List image, IngestImageWorkerController con catch (Exception ex) { - logger.log(Level.WARNING, "Error while trying to read into a registry file." + ex); + logger.log(Level.WARNING, "Error while trying to read into a registry file." + ex); + String sadafd = ""; } diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java index 4ae3be6e29..81a96a4b46 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Firefox.java 
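Review bot: `artnode.getAttributeValue("dev")` returns null when the `dev` attribute is absent, and that null goes straight into the TSK_DEVICE_MODEL attribute, whereas the other branches of this method guard with `(x != null) ? x : ""`; use `String dev = artnode.getAttributeValue("dev"); if (dev == null) dev = "";`. The `recentdocs` branch is now five commented-out lines rather than a deletion — remove them (history lives in git) or leave a one-line comment saying why recent-docs artifacts are no longer produced here. Storing `name` as TSK_DATETIME and `value` as TSK_DEVICE_ID relies on whatever RegRipper puts in those XML fields for the usb plugin; a comment such as `// usb plugin: name = timestamp, value = device id` would spare the next reader a lookup, assuming that is the layout. The enclosing method starts before and ends after the hunk.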
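Review bot: `String sadafd = "";` is an unused local that looks like a leftover breakpoint anchor; delete it. While in this catch block, the exception is concatenated into the message (`"..." + ex`), which drops the stack trace — pass it as the throwable argument: `logger.log(Level.WARNING, "Error while trying to read into a registry file.", ex);`. The enclosing method continues outside the hunk.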
@@ -31,10 +31,10 @@ import org.sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE; */ public class Firefox { - private static final String ffquery = "SELECT moz_historyvisits.id,url,title,visit_count,datetime(moz_historyvisits.visit_date/1000000,'unixepoch','localtime') as visit_date,from_visit,(SELECT url FROM moz_places WHERE id=moz_historyvisits.from_visit) as ref FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id AND hidden = 0"; - private static final String ffcookiequery = "SELECT name,value,host,expiry,datetime(moz_cookies.lastAccessed/1000000,'unixepoch','localtime') as lastAccessed,creationTime FROM moz_cookies"; + private static final String ffquery = "SELECT moz_historyvisits.id,url,title,visit_count,visit_date,from_visit,(SELECT url FROM moz_places WHERE id=moz_historyvisits.from_visit) as ref FROM moz_places, moz_historyvisits WHERE moz_places.id = moz_historyvisits.place_id AND hidden = 0"; + private static final String ffcookiequery = "SELECT name,value,host,expiry,lastAccessed,creationTime FROM moz_cookies"; private static final String ffbookmarkquery = "SELECT fk, moz_bookmarks.title, url FROM moz_bookmarks INNER JOIN moz_places ON moz_bookmarks.fk=moz_places.id"; - private static final String ffdownloadquery = "select target, source, datetime(startTime/1000000,'unixepoch','localtime') as startTime, maxBytes from moz_downloads"; + private static final String ffdownloadquery = "select target, source,startTime, maxBytes from moz_downloads"; public Logger logger = Logger.getLogger(this.getClass().getName()); 
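Review bot: Dropping the `datetime(.../1000000,'unixepoch','localtime')` wrappers means `visit_date`, `lastAccessed` and `startTime` now come back as Firefox's raw PRTime values — microseconds since the epoch — so whatever stores them into TSK_DATETIME/TSK_LAST_ACCESSED (outside this hunk) must divide by 1,000,000, or every Firefox timestamp lands roughly a million times too large. Removing `'localtime'` is the right call forensically, since it tied results to the analyst machine's zone, but record that on the queries, e.g. `// raw PRTime (microseconds since epoch, UTC); convert to seconds when storing`. `ffdownloadquery` also lost the space after `source,` — harmless to SQLite, but worth tidying.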
@@ -51,10 +51,13 @@ public class Firefox { Case currentCase = Case.getCurrentCase(); // get the most updated case SleuthkitCase tempDb = currentCase.getSleuthkitCase(); String allFS = new String(); - for(String img : image) - { - allFS += " AND fs_obj_id = '" + img + "'"; - } + for(int i = 0; i < image.size(); i++) { + if(i == 0) + allFS += " AND (0"; + allFS += " OR fs_obj_id = '" + image.get(i) + "'"; + if(i == image.size()-1) + allFS += ")"; + } List FFSqlitedb; ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE '%places.sqlite%' and parent_path LIKE '%Firefox%'" + allFS); @@ -95,6 +98,7 @@ public class Firefox { bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_REFERRER.getTypeID(),"RecentActivity","",((temprs.getString("ref") != null) ? temprs.getString("ref") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(),"RecentActivity","",((temprs.getString("title") != null) ? temprs.getString("title") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","FireFox")); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",(Util.extractDomain((temprs.getString("url") != null) ? temprs.getString("url") : "")))); bbart.addAttributes(bbattributes); } 
@@ -120,6 +124,7 @@ public class Firefox { bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_URL.getTypeID(),"RecentActivity","",((tempbm.getString("url") != null) ? tempbm.getString("url") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","", ((tempbm.getString("title") != null) ? tempbm.getString("title").replaceAll("'", "''") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","FireFox")); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",Util.extractDomain(tempbm.getString("url")))); bbart.addAttributes(bbattributes); } tempbm.close(); @@ -154,9 +159,12 @@ public class Firefox { Case currentCase = Case.getCurrentCase(); // get the most updated case SleuthkitCase tempDb = currentCase.getSleuthkitCase(); String allFS = new String(); - for(String img : image) - { - allFS += " AND fs_obj_id = '" + img + "'"; + for(int i = 0; i < image.size(); i++) { + if(i == 0) + allFS += " AND (0"; + allFS += " OR fs_obj_id = '" + image.get(i) + "'"; + if(i == image.size()-1) + allFS += ")"; } List FFSqlitedb; @@ -189,6 +197,7 @@ public class Firefox { bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_VALUE.getTypeID(), "RecentActivity", "", temprs.getString("value"))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","Title",((temprs.getString("name") != null) ? temprs.getString("name") : ""))); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","FireFox")); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",temprs.getString("host"))); bbart.addAttributes(bbattributes); } 
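Review bot: `Util.extractDomain(tempbm.getString("url"))` is called without the null guard that the TSK_URL line immediately above applies to the same column, and `Util.extractDomain` throws NullPointerException on null input, so one bookmark row with a NULL url aborts the whole bookmark loop; mirror the guard: `Util.extractDomain((tempbm.getString("url") != null) ? tempbm.getString("url") : "")`. The enclosing loop and method lie outside the hunk.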
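Review bot: `temprs.getString("host")` is stored as TSK_DOMAIN with no null check, unlike the `name` attribute on the line above, so a NULL host yields an attribute with a null value. If I recall correctly Firefox keeps a leading dot on domain cookies in `host` (`.example.com`), in which case these values will not line up with the domains `Util.extractDomain` produces for history and bookmarks when results are grouped by domain; normalise, e.g. `String host = temprs.getString("host"); host = (host == null) ? "" : (host.startsWith(".") ? host.substring(1) : host);`. The enclosing method continues outside the hunk.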
@@ -222,9 +231,12 @@ public class Firefox { Case currentCase = Case.getCurrentCase(); // get the most updated case SleuthkitCase tempDb = currentCase.getSleuthkitCase(); String allFS = new String(); - for(String img : image) - { - allFS += " AND fs_obj_id = '" + img + "'"; + for(int i = 0; i < image.size(); i++) { + if(i == 0) + allFS += " AND (0"; + allFS += " OR fs_obj_id = '" + image.get(i) + "'"; + if(i == image.size()-1) + allFS += ")"; } List FFSqlitedb; ResultSet rs = tempDb.runQuery("select * from tsk_files where name LIKE 'downloads.sqlite' and parent_path LIKE '%Firefox%'" + allFS); @@ -257,7 +269,8 @@ public class Firefox { //bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME.getTypeID(), "RecentActivity","", ((temprs.getString("title") != null) ? temprs.getString("title").replaceAll("'", "''") : ""))); String urldecodedtarget = URLDecoder.decode(temprs.getString("target").replaceAll("file:///", ""), "UTF-8"); bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), "Recent Activity", "", urldecodedtarget)); - + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DOMAIN.getTypeID(),"RecentActivity","",Util.extractDomain(temprs.getString("source")))); + bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PROG_NAME.getTypeID(),"RecentActivity","","FireFox")); bbart.addAttributes(bbattributes); diff --git a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Util.java b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Util.java index 90a75f165f..34cdc018a4 100644 --- a/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Util.java +++ b/RecentActivity/src/org/sleuthkit/autopsy/recentactivity/Util.java @@ -6,6 +6,7 @@ package org.sleuthkit.autopsy.recentactivity; import java.io.File; import java.io.FileInputStream; import java.io.IOException; +import java.net.URL; import java.nio.MappedByteBuffer; import java.nio.channels.FileChannel; import java.nio.charset.Charset; 
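Review bot: The new TSK_PROG_NAME attribute uses module name `"RecentActivity"` while the TSK_PATH line just above it in the same artifact uses `"Recent Activity"`, so anything that groups or filters attributes by source module will split this artifact across two names — pick one (every other call in this file uses `"RecentActivity"`). `Util.extractDomain(temprs.getString("source"))` again lacks a null guard and `Util.extractDomain` throws on null, so a download row with a NULL source aborts the loop; use `Util.extractDomain((temprs.getString("source") != null) ? temprs.getString("source") : "")`. The enclosing method lies outside the hunk.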
@@ -15,7 +16,11 @@ import java.sql.Statement; import java.text.SimpleDateFormat; import java.util.Date; import java.util.List; +import java.util.logging.Level; import java.util.logging.Logger; +//import org.apache.commons.lang.NullArgumentException; +import java.util.regex.Matcher; +import java.util.regex.Pattern; import org.sleuthkit.autopsy.casemodule.Case; import org.sleuthkit.datamodel.FsContent; import org.sleuthkit.datamodel.SleuthkitCase; @@ -24,7 +29,7 @@ import org.sleuthkit.datamodel.SleuthkitCase; * @author Alex */ public class Util { -public Logger logger = Logger.getLogger(this.getClass().getName()); +private static Logger logger = Logger.getLogger(Util.class.getName()); private Util(){ 
@@ -87,4 +92,91 @@ public static boolean imgpathexists(String path){ } } + +public static String extractDomain(String value){ + if (value == null) throw new java.lang.NullPointerException("domains to extract"); + String result = ""; + // String domainPattern = "(\\w+)\\.(AC|AD|AE|AERO|AF|AG|AI|AL|AM|AN|AO|AQ|AR|ARPA|AS|ASIA|AT|AU|AW|AX|AZ|BA|BB|BD|BE|BF|BG|BH|BI|BIZ|BJ|BM|BN|BO|BR|BS|BT|BV|BW|BY|BZ|CA|CAT|CC|CD|CF|CG|CH|CI|CK|CL|CM|CN|CO|COM|COOP|CR|CU|CV|CW|CX|CY|CZ|DE|DJ|DK|DM|DO|DZ|EC|EDU|EE|EG|ER|ES|ET|EU|FI|FJ|FK|FM|FO|FR|GA|GB|GD|GE|GF|GG|GH|GI|GL|GM|GN|GOV|GP|GQ|GR|GS|GT|GU|GW|GY|HK|HM|HN|HR|HT|HU|ID|IE|IL|IM|IN|INFO|INT|IO|IQ|IR|IS|IT|JE|JM|JO|JOBS|JP|KE|KG|KH|KI|KM|KN|KP|KR|KW|KY|KZ|LA|LB|LC|LI|LK|LR|LS|LT|LU|LV|LY|MA|MC|MD|ME|MG|MH|MIL|MK|ML|MM|MN|MO|MOBI|MP|MQ|MR|MS|MT|MU|MUSEUM|MV|MW|MX|MY|MZ|NA|NAME|NC|NE|NET|NF|NG|NI|NL|NO|NP|NR|NU|NZ|OM|ORG|PA|PE|PF|PG|PH|PK|PL|PM|PN|PR|PRO|PS|PT|PW|PY|QA|RE|RO|RS|RU|RW|SA|SB|SC|SD|SE|SG|SH|SI|SJ|SK|SL|SM|SN|SO|SR|ST|SU|SV|SX|SY|SZ|TC|TD|TEL|TF|TG|TH|TJ|TK|TL|TM|TN|TO|TP|TR|TRAVEL|TT|TV|TW|TZ|UA|UG|UK|US|UY|UZ|VA|VC|VE|VG|VI|VN|VU|WF|WS|XXX|YE|YT|ZA|ZM|ZW(co\\.[a-z].))"; + // Pattern p = Pattern.compile(domainPattern,Pattern.CASE_INSENSITIVE); + // Matcher m = p.matcher(value); + // while (m.find()) { + // result = value.substring(m.start(0),m.end(0)); + // } + try{ + URL url = new URL(value); + result = url.getHost(); + } + catch(Exception e){ + + } + + return result; + } + +public static String getFileName(String value){ + String filename = ""; + String filematch = "^([a-zA-Z]\\:)(\\\\[^\\\\/:*?<>\"|]*(?|]+)+)"; // Windows network + + Pattern p2 = Pattern.compile(network,Pattern.CASE_INSENSITIVE | Pattern.DOTALL); + Matcher m2 = p2.matcher(txt); + if (m2.find()) + { + path = m2.group(1); + } + } + return path; + } + +public static long findID(String path) { + String parent_path = path.replace('\\', '/'); // fix Chrome paths + if(parent_path.length() > 2 && parent_path.charAt(1) == ':') + parent_path = 
parent_path.substring(2); // remove drive letter (e.g., 'C:') + int index = parent_path.lastIndexOf('/'); + String name = parent_path.substring(++index); + parent_path = parent_path.substring(0, index); + String query = "select * from tsk_files where parent_path like \"" + parent_path + "\" AND name like \"" + name + "\""; + Case currentCase = Case.getCurrentCase(); + SleuthkitCase tempDb = currentCase.getSleuthkitCase(); + try { + ResultSet rs = tempDb.runQuery(query); + List results = tempDb.resultSetToFsContents(rs); + Statement s = rs.getStatement(); + rs.close(); + if (s != null) + s.close(); + if(results.size() > 0) { + return results.get(0).getId(); + } + } catch (Exception ex) { + // logger.log(Level.WARNING, "Error retrieving content from DB", ex); + } + return -1; + } } \ No newline at end of file diff --git a/Report/nbproject/genfiles.properties b/Report/nbproject/genfiles.properties index 945c2734f9..03f0e6b880 100644 --- a/Report/nbproject/genfiles.properties +++ b/Report/nbproject/genfiles.properties @@ -1,8 +1,8 @@ -build.xml.data.CRC32=9224614a +build.xml.data.CRC32=38c0b1aa build.xml.script.CRC32=bbb1c310 build.xml.stylesheet.CRC32=a56c6a5b@1.46.1 # This file is used by a NetBeans-based IDE to track changes in generated files such as build-impl.xml. # Do not edit this file. You may delete it but then the IDE will never regenerate such files for you. -nbproject/build-impl.xml.data.CRC32=9224614a +nbproject/build-impl.xml.data.CRC32=38c0b1aa nbproject/build-impl.xml.script.CRC32=1562aec2 nbproject/build-impl.xml.stylesheet.CRC32=238281d1@1.46.1 diff --git a/Report/nbproject/project.properties b/Report/nbproject/project.properties index 17255bac6b..256c008f13 100644 --- a/Report/nbproject/project.properties +++ b/Report/nbproject/project.properties 
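Review bot: `findID` splices `parent_path` and `name` — which callers derive via `Util.getPath` from the bytes of files in the evidence image — straight into `select * from tsk_files where parent_path like "…" AND name like "…"`, so a path containing `"` breaks the query and a crafted one can run arbitrary SQL against the case database, after which the `catch (Exception ex)` with its log line commented out hides the failure entirely. If `SleuthkitCase.runQuery` offers no parameter binding, at least use single-quoted literals with embedded quotes doubled and escape LIKE wildcards, or use `=` since the lookup appears to want an exact match: `String p = parent_path.replace("'", "''"); String n = name.replace("'", "''"); String query = "select * from tsk_files where parent_path = '" + p + "' AND name = '" + n + "'";` — and re-enable the warning in the catch. `extractDomain` throws an explicit NullPointerException for null yet several callers in this change pass unchecked `getString(...)` results; returning `""` for null is the safer contract, and its empty `catch(Exception e){}` should log at FINE so malformed URLs remain traceable. The `getFileName`/`getPath` regexes appear mangled in this rendering, so I cannot review them.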
@@ -1,2 +1,14 @@ +file.reference.commons-logging-1.1.jar=release/modules/ext/commons-logging-1.1.jar +file.reference.dom4j-1.6.1.jar=release/modules/ext/dom4j-1.6.1.jar +file.reference.jdom-1.1.2.jar=release/modules/ext/jdom-1.1.2.jar +file.reference.junit-3.8.1.jar=release/modules/ext/junit-3.8.1.jar +file.reference.log4j-1.2.13.jar=release/modules/ext/log4j-1.2.13.jar +file.reference.poi-3.8-20120326.jar=release/modules/ext/poi-3.8-20120326.jar +file.reference.poi-excelant-3.8-20120326.jar=release/modules/ext/poi-excelant-3.8-20120326.jar +file.reference.poi-ooxml-3.8-20120326.jar=release/modules/ext/poi-ooxml-3.8-20120326.jar +file.reference.poi-ooxml-schemas-3.8-20120326.jar=release/modules/ext/poi-ooxml-schemas-3.8-20120326.jar +file.reference.poi-scratchpad-3.8-20120326.jar=release/modules/ext/poi-scratchpad-3.8-20120326.jar +file.reference.stax-api-1.0.1.jar=release/modules/ext/stax-api-1.0.1.jar +file.reference.xmlbeans-2.3.0.jar=release/modules/ext/xmlbeans-2.3.0.jar javac.source=1.6 javac.compilerargs=-Xlint -Xlint:-serial diff --git a/Report/nbproject/project.xml b/Report/nbproject/project.xml index 959460f967..b7a7ee39b9 100644 --- a/Report/nbproject/project.xml +++ b/Report/nbproject/project.xml @@ -6,12 +6,6 @@ org.sleuthkit.autopsy.report - - org.netbeans.libs.felix - - 1.5.1 - - org.netbeans.swing.plaf 
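Review bot: This adds a dozen binary jars under `release/modules/ext` with no recorded origin or checksum: `junit-3.8.1.jar` is a test framework and should not ship as a release module dependency, `log4j-1.2.13.jar` is a 2006 release of a line that has been end-of-life since 2015 and has published CVEs in some of its appenders, and `dom4j-1.6.1`/`xmlbeans-2.3.0` are similarly old XML stacks that the Report module will presumably be parsing with. At minimum record each jar's source URL and SHA-256 in a NOTICE file beside them, move junit to a test-only classpath, and take the latest patch release of each line; any XML parser those libraries expose should be configured with DTD and external-entity processing disabled where the report code uses it.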
@@ -143,10 +137,58 @@ + + ext/poi-excelant-3.8-20120326.jar + release/modules/ext/poi-excelant-3.8-20120326.jar + + + ext/junit-3.8.1.jar + release/modules/ext/junit-3.8.1.jar + + + ext/poi-ooxml-schemas-3.8-20120326.jar + release/modules/ext/poi-ooxml-schemas-3.8-20120326.jar + ext/jdom-1.1.2.jar release/modules/ext/jdom-1.1.2.jar + + ext/poi-3.8-20120326.jar + release/modules/ext/poi-3.8-20120326.jar + + + ext/poi-ooxml-3.8-20120326.jar + release/modules/ext/poi-ooxml-3.8-20120326.jar + + + ext/poi-scratchpad-3.8-20120326.jar + release/modules/ext/poi-scratchpad-3.8-20120326.jar + + + ext/dom4j-1.6.1.jar + release/modules/ext/dom4j-1.6.1.jar + + + ext/stax-api-1.0.1.jar + release/modules/ext/stax-api-1.0.1.jar + + + ext/commons-logging-1.1.jar + release/modules/ext/commons-logging-1.1.jar + + + ext/log4j-1.2.13.jar + release/modules/ext/log4j-1.2.13.jar + + + ext/xmlbeans-2.3.0.jar + release/modules/ext/xmlbeans-2.3.0.jar + + + ext/commons-lang3-3.1.jar + release/modules/ext/commons-lang3-3.1.jar + diff --git a/Report/release/modules/ext/cobra-0.98.4.zip b/Report/release/modules/ext/cobra-0.98.4.zip deleted file mode 100644 index 705d3772e8..0000000000 Binary files a/Report/release/modules/ext/cobra-0.98.4.zip and /dev/null differ diff --git a/Report/release/modules/ext/commons-lang3-3.1.jar b/Report/release/modules/ext/commons-lang3-3.1.jar new file mode 100644 index 0000000000..a85e539b17 Binary files /dev/null and b/Report/release/modules/ext/commons-lang3-3.1.jar differ diff --git a/Report/release/modules/ext/commons-logging-1.1.jar b/Report/release/modules/ext/commons-logging-1.1.jar new file mode 100644 index 0000000000..2ff9bbd90d Binary files /dev/null and b/Report/release/modules/ext/commons-logging-1.1.jar differ diff --git a/Report/release/modules/ext/dom4j-1.6.1.jar b/Report/release/modules/ext/dom4j-1.6.1.jar new file mode 100644 index 0000000000..c8c4dbb92d Binary files /dev/null and b/Report/release/modules/ext/dom4j-1.6.1.jar differ 
diff --git a/Report/release/modules/ext/install-lobo-0.98.4.jar b/Report/release/modules/ext/install-lobo-0.98.4.jar deleted file mode 100644 index d5e85d11d1..0000000000 Binary files a/Report/release/modules/ext/install-lobo-0.98.4.jar and /dev/null differ diff --git a/Report/release/modules/ext/junit-3.8.1.jar b/Report/release/modules/ext/junit-3.8.1.jar new file mode 100644 index 0000000000..674d71e89e Binary files /dev/null and b/Report/release/modules/ext/junit-3.8.1.jar differ diff --git a/Report/release/modules/ext/log4j-1.2.13.jar b/Report/release/modules/ext/log4j-1.2.13.jar new file mode 100644 index 0000000000..dde9972109 Binary files /dev/null and b/Report/release/modules/ext/log4j-1.2.13.jar differ diff --git a/Report/release/modules/ext/poi-3.8-20120326.jar b/Report/release/modules/ext/poi-3.8-20120326.jar new file mode 100644 index 0000000000..edc0ee59b8 Binary files /dev/null and b/Report/release/modules/ext/poi-3.8-20120326.jar differ diff --git a/Report/release/modules/ext/poi-excelant-3.8-20120326.jar b/Report/release/modules/ext/poi-excelant-3.8-20120326.jar new file mode 100644 index 0000000000..ad39033cfe Binary files /dev/null and b/Report/release/modules/ext/poi-excelant-3.8-20120326.jar differ diff --git a/Report/release/modules/ext/poi-ooxml-3.8-20120326.jar b/Report/release/modules/ext/poi-ooxml-3.8-20120326.jar new file mode 100644 index 0000000000..9175c16d95 Binary files /dev/null and b/Report/release/modules/ext/poi-ooxml-3.8-20120326.jar differ diff --git a/Report/release/modules/ext/poi-ooxml-schemas-3.8-20120326.jar b/Report/release/modules/ext/poi-ooxml-schemas-3.8-20120326.jar new file mode 100644 index 0000000000..2372d1edfb Binary files /dev/null and b/Report/release/modules/ext/poi-ooxml-schemas-3.8-20120326.jar differ 
diff --git a/Report/release/modules/ext/poi-scratchpad-3.8-20120326.jar b/Report/release/modules/ext/poi-scratchpad-3.8-20120326.jar new file mode 100644 index 0000000000..02e52e848d Binary files /dev/null and b/Report/release/modules/ext/poi-scratchpad-3.8-20120326.jar differ diff --git a/Report/release/modules/ext/stax-api-1.0.1.jar b/Report/release/modules/ext/stax-api-1.0.1.jar new file mode 100644 index 0000000000..d9a1665151 Binary files /dev/null and b/Report/release/modules/ext/stax-api-1.0.1.jar differ diff --git a/Report/release/modules/ext/xmlbeans-2.3.0.jar b/Report/release/modules/ext/xmlbeans-2.3.0.jar new file mode 100644 index 0000000000..ccd8163421 Binary files /dev/null and b/Report/release/modules/ext/xmlbeans-2.3.0.jar differ diff --git a/Report/src/org/sleuthkit/autopsy/report/layer.xml b/Report/src/org/sleuthkit/autopsy/report/layer.xml index 56eb3cc819..c5606919b8 100644 --- a/Report/src/org/sleuthkit/autopsy/report/layer.xml +++ b/Report/src/org/sleuthkit/autopsy/report/layer.xml @@ -10,7 +10,6 @@ - diff --git a/Report/src/org/sleuthkit/autopsy/report/report.java b/Report/src/org/sleuthkit/autopsy/report/report.java index e87d4e60ee..5365eae6ae 100644 --- a/Report/src/org/sleuthkit/autopsy/report/report.java +++ b/Report/src/org/sleuthkit/autopsy/report/report.java 
@@ -218,6 +218,28 @@ public HashMap> getInstalledPr return reportMap; } +@Override +public HashMap> getDevices() { + HashMap> reportMap = new HashMap(); + Case currentCase = Case.getCurrentCase(); // get the most updated case + SleuthkitCase tempDb = currentCase.getSleuthkitCase(); + try + { + ArrayList bbart = tempDb.getBlackboardArtifacts(11); + for (BlackboardArtifact artifact : bbart) + { + ArrayList attributes = artifact.getAttributes(); + reportMap.put(artifact, attributes); + } + } + catch (Exception e) + { + Logger.getLogger(report.class.getName()).log(Level.INFO, "Exception occurred", e); + } + + return reportMap; +} + @Override public String getGroupedKeywordHit() { StringBuilder table = new StringBuilder(); diff --git a/Report/src/org/sleuthkit/autopsy/report/reportAction.java b/Report/src/org/sleuthkit/autopsy/report/reportAction.java index b7ab67ea1f..dbdd86f698 100644 --- a/Report/src/org/sleuthkit/autopsy/report/reportAction.java +++ b/Report/src/org/sleuthkit/autopsy/report/reportAction.java @@ -39,7 +39,7 @@ id = "org.sleuthkit.autopsy.report.reportAction") public final class reportAction extends CallableSystemAction implements Presenter.Toolbar{ private JButton toolbarButton = new JButton(); - private static final String ACTION_NAME = "Report"; + private static final String ACTION_NAME = "Generate Report"; Logger logger = Logger.getLogger(reportAction.class.getName()); public reportAction() { diff --git a/Report/src/org/sleuthkit/autopsy/report/reportFilter.form b/Report/src/org/sleuthkit/autopsy/report/reportFilter.form index 381679b708..7b3e65968b 100644 --- a/Report/src/org/sleuthkit/autopsy/report/reportFilter.form +++ b/Report/src/org/sleuthkit/autopsy/report/reportFilter.form @@ -41,37 +41,30 @@ + - - - - - - - - - - - - + + + + + + + - - - - - - - - + - - + + + + + +
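Review bot: `tempDb.getBlackboardArtifacts(11)` hard-codes the artifact type id; use `BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getTypeID()` so the report fails to compile rather than silently returning nothing if ids are ever renumbered (the same literal recurs in reportFilter and reportHTML in this change). `catch (Exception e)` logged at `Level.INFO` turns a failed case-database read into a routine log line the analyst will never notice; narrow it to `TskException` and log at WARNING. `new HashMap()` is also raw — presumably `new HashMap<BlackboardArtifact, ArrayList<BlackboardAttribute>>()` matches the declared return type.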
@@ -96,7 +89,7 @@ - + diff --git a/Report/src/org/sleuthkit/autopsy/report/reportFilter.java b/Report/src/org/sleuthkit/autopsy/report/reportFilter.java index 6bab8b7846..aadf1692fa 100644 --- a/Report/src/org/sleuthkit/autopsy/report/reportFilter.java +++ b/Report/src/org/sleuthkit/autopsy/report/reportFilter.java @@ -196,11 +196,13 @@ private void jButton1ActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FIRS if(jCheckBox4.isSelected()) { filters.add(10); + } if(jCheckBox5.isSelected()) { filters.add(6); - filters.add(8); + filters.add(8); + filters.add(11); } getReports(); }//GEN-LAST:event_jButton1ActionPerformed diff --git a/Report/src/org/sleuthkit/autopsy/report/reportHTML.java b/Report/src/org/sleuthkit/autopsy/report/reportHTML.java index b7bfc91923..558fbab172 100644 --- a/Report/src/org/sleuthkit/autopsy/report/reportHTML.java +++ b/Report/src/org/sleuthkit/autopsy/report/reportHTML.java @@ -55,6 +55,7 @@ public reportHTML (HashMap> re int countInstalled = 0; int countKeyword = 0; int countHash = 0; + int countDevice = 0; for (Entry> entry : report.entrySet()) { if(entry.getKey().getArtifactTypeID() == 1){ countGen++; @@ -88,6 +89,9 @@ public reportHTML (HashMap> re if(entry.getKey().getArtifactTypeID() == 10){ countHash++; } + if(entry.getKey().getArtifactTypeID() == 11){ + countDevice++; + } } try{ @@ -157,6 +161,9 @@ public reportHTML (HashMap> re formatted_Report.append("
Attribute TypeValueContext
"); @@ -81,10 +81,10 @@ public class ArtifactStringContent implements StringContent { break; } - buffer.append(""); if (!"".equals(attr.getContext())) { + buffer.append(" ("); buffer.append(attr.getContext()); + buffer.append(")"); } buffer.append("
"); if(countWebBookmark > 0){ formatted_Report.append(""); + } + if(countWebCookie > 0){ + formatted_Report.append(""); } if(countWebHistory > 0){ formatted_Report.append(""); @@ -175,6 +182,9 @@ public reportHTML (HashMap> re } if(countHash > 0){ formatted_Report.append(""); + } + if(countDevice > 0){ + formatted_Report.append(""); } formatted_Report.append("
SectionCount
Web Bookmarks").append(countWebBookmark).append("
Web Cookies").append(countWebCookie).append("
Web History").append(countWebHistory).append("
Hash Hits").append(countHash).append("
Attached Devices").append(countDevice).append("

"); String tableHeader = ""; @@ -183,11 +193,13 @@ public reportHTML (HashMap> re StringBuilder nodeWebCookie = new StringBuilder("

Web Cookies (").append(countWebCookie).append(")

").append(tableHeader).append("
"); StringBuilder nodeWebHistory = new StringBuilder("

Web History (").append(countWebHistory).append(")

").append(tableHeader).append(""); StringBuilder nodeWebDownload = new StringBuilder("

Web Downloads (").append(countWebDownload).append(")

").append(tableHeader).append(""); - StringBuilder nodeRecentObjects = new StringBuilder("

Recent Documents (").append(countRecentObjects).append(")

").append(tableHeader).append(""); + StringBuilder nodeRecentObjects = new StringBuilder("

Recent Documents (").append(countRecentObjects).append(")

").append(tableHeader).append(""); StringBuilder nodeTrackPoint = new StringBuilder("

Track Points (").append(countTrackPoint).append(")

").append(tableHeader).append(""); StringBuilder nodeInstalled = new StringBuilder("

Installed Programs (").append(countInstalled).append(")

").append(tableHeader).append(""); StringBuilder nodeKeyword = new StringBuilder("

Keyword Search Hits (").append(countKeyword).append(")

"); StringBuilder nodeHash = new StringBuilder("

Hashset Hit (").append(countHash).append(")

").append(tableHeader).append(""); + StringBuilder nodeDevice = new StringBuilder("

Attached Devices (").append(countHash).append(")

").append(tableHeader).append(""); + int alt = 0; String altRow = ""; for (Entry> entry : report.entrySet()) { @@ -230,6 +242,9 @@ public reportHTML (HashMap> re int type = tempatt.getAttributeTypeID(); if(tempatt.getValueString() == null || tempatt.getValueString() == "null"){ + } + else if(type == 2){ + value = new java.text.SimpleDateFormat("MM/dd/yyyy HH:mm:ss").format(new java.util.Date ((tempatt.getValueLong())*1000)); } else { @@ -281,9 +296,9 @@ public reportHTML (HashMap> re } if(entry.getKey().getArtifactTypeID() == 6){ //artifact.append(""); - artifact.append(""); - artifact.append(""); + artifact.append(""); + artifact.append(""); + artifact.append(""); artifact.append(""); nodeRecentObjects.append(artifact); } @@ -316,6 +331,13 @@ public reportHTML (HashMap> re artifact.append(""); nodeHash.append(artifact); } + if(entry.getKey().getArtifactTypeID() == 11){ + artifact.append(""); + artifact.append(""); + artifact.append(""); + artifact.append(""); + nodeDevice.append(artifact); + } cc++; rr.progBarSet(cc); } @@ -359,6 +381,10 @@ public reportHTML (HashMap> re formatted_Report.append(nodeHash); formatted_Report.append("
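Review bot: The heading for `nodeDevice` is built with the wrong counter — `Attached Devices (").append(countHash).append(")` — so the device section is labelled with the hashset-hit count; it should read `.append(countDevice)`, the variable this commit introduces. The summary table in the earlier hunk already uses `countDevice` for the same figure, so the two numbers will disagree whenever a case has hash hits but a different number of devices.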
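Review bot: The new `else if(type == 2)` branch formats `tempatt.getValueLong()*1000` with a `SimpleDateFormat` that uses the JVM's default time zone and prints no zone, so the same evidence yields different report times on different examiner machines and the reader cannot tell which zone they are looking at; either append the zone (`"MM/dd/yyyy HH:mm:ss z"`) or pin it with `setTimeZone(java.util.TimeZone.getTimeZone("UTC"))` and say so in the report header. The identical expression appears in the new reportXLS.java (the `else if(type == 2)` in its populate loop) and should get the same treatment. `2` is presumably the datetime attribute type — the enum constant would be clearer than the literal. The context line above still compares `tempatt.getValueString() == "null"` by reference, which reportXLS in this commit replaced with `"null".equals(...)`; the HTML writer should match.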
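Review bot: The type-11 rows append attribute values straight into the HTML — `artifact.append("").append(attributes.get(18))` and the two that follow — with no escaping, so a device name or serial containing `<` or `&` as stored in the image breaks the report's markup when it is viewed. The older sections share this pattern, but a new section is the place to introduce a small escaping helper for text content rather than extend it. The three attribute IDs (18, 20, 2) are also bare literals whose meaning is not visible here; a comment naming the attribute types, or the enum constants, would help the next maintainer.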
URLDateNameValueProgram
URLDateReferrerTitleProgram
FileSourceTimeProgram
NamePathSize
NamePathRelated Shortcut
Artifact IDNameSizeAttributeValue
Program NameInstall Date/Time
NameSizeHashset Name
NameSerial #Time
").append(objId.toString()); - artifact.append("").append(attributes.get(6)).append("").append(attributes.get(5)).append("").append(filesize.toString()).append("").append(attributes.get(3)).append("").append(attributes.get(8)).append("").append(file.getName()).append("
").append(attributes.get(18)).append("").append(attributes.get(20)).append("").append(attributes.get(2)).append("
"); } + if(countDevice > 0){ + formatted_Report.append(nodeDevice); + formatted_Report.append(""); + } //end of master loop formatted_Report.append(""); diff --git a/Report/src/org/sleuthkit/autopsy/report/reportInterface.java b/Report/src/org/sleuthkit/autopsy/report/reportInterface.java index 61ab8b8dfe..3775b92fd3 100644 --- a/Report/src/org/sleuthkit/autopsy/report/reportInterface.java +++ b/Report/src/org/sleuthkit/autopsy/report/reportInterface.java @@ -24,4 +24,5 @@ public interface reportInterface{ public HashMap> getKeywordHit(); public HashMap> getInstalledProg(); public String getGroupedKeywordHit(); + public HashMap> getDevices(); } diff --git a/Report/src/org/sleuthkit/autopsy/report/reportPanel.java b/Report/src/org/sleuthkit/autopsy/report/reportPanel.java index bd431208db..e5e5be057e 100644 --- a/Report/src/org/sleuthkit/autopsy/report/reportPanel.java +++ b/Report/src/org/sleuthkit/autopsy/report/reportPanel.java @@ -146,6 +146,7 @@ private void saveReportActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FI String htmlpath = reportUtils.changeExtension(path, ".html"); String xmlpath = reportUtils.changeExtension(path, ".xml"); + String xlspath = reportUtils.changeExtension(path, ".xlsx"); try { Writer out = new BufferedWriter(new OutputStreamWriter(new FileOutputStream(htmlpath), "UTF-8")); @@ -154,6 +155,11 @@ private void saveReportActionPerformed(java.awt.event.ActionEvent evt) {//GEN-FI out.flush(); out.close(); + //xls report + FileOutputStream fos = new FileOutputStream(xlspath); + reportXLS.wb.write(fos); + fos.close(); + FileOutputStream xmlout = new FileOutputStream(xmlpath); XMLOutputter serializer = new XMLOutputter(); serializer.output(reportXML.xmldoc, xmlout); diff --git a/Report/src/org/sleuthkit/autopsy/report/reportPanelAction.java b/Report/src/org/sleuthkit/autopsy/report/reportPanelAction.java index 99e1f9fd46..863edd59d8 100644 --- a/Report/src/org/sleuthkit/autopsy/report/reportPanelAction.java 
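Review bot: `FileOutputStream fos = new FileOutputStream(xlspath); reportXLS.wb.write(fos); fos.close();` closes the stream only on the success path; an IOException from `write` leaks the handle and, because this sits in the same `try` as the HTML writer, skips the XML output below as well. Put the close in a `finally` (the existing `out` has the same shape, so this extends the pattern rather than introducing it). Reading the static `reportXLS.wb` here means the saved .xlsx is whichever workbook the most recent `reportXLS` constructor finished, not necessarily the one belonging to this panel's report; passing the Workbook or its path into the panel would make that dependency explicit. The enclosing `saveReportActionPerformed` starts outside the hunk.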
+++ b/Report/src/org/sleuthkit/autopsy/report/reportPanelAction.java @@ -58,6 +58,7 @@ public class reportPanelAction { if(reportlist.contains(8)){Results.putAll(bbreport.getInstalledProg());} if(reportlist.contains(9)){Results.putAll(bbreport.getKeywordHit());} if(reportlist.contains(10)){Results.putAll(bbreport.getHashHit());} + if(reportlist.contains(11)){Results.putAll(bbreport.getDevices());} SwingUtilities.invokeLater(new Runnable() { @Override public void run() { @@ -83,11 +84,20 @@ public class reportPanelAction { // viewReport.append(reportHTML.unformatted_header.toString()); } }); + Thread xlsthread = new Thread(new Runnable() + { + @Override + public void run() + { + reportXLS xlsReport = new reportXLS(Results,rr); + // BrowserControl.openUrl(xlsReport.xlsPath); + } + }); // start our threads xmlthread.start(); htmlthread.start(); - + xlsthread.start(); // display the window // create the popUp window for it @@ -138,6 +148,7 @@ public class reportPanelAction { panel.setFinishedReportText(); popUpWindow.setVisible(true); xmlthread.join(); + xlsthread.join(); } diff --git a/Report/src/org/sleuthkit/autopsy/report/reportXLS.java b/Report/src/org/sleuthkit/autopsy/report/reportXLS.java new file mode 100644 index 0000000000..81ed173a9b --- /dev/null +++ b/Report/src/org/sleuthkit/autopsy/report/reportXLS.java 
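Review bot: The new `xlsthread` hands its result back only through the static `reportXLS.wb`, which the constructor assigns as its final step, and `xlsthread.join()` is added after `popUpWindow.setVisible(true)` in the later hunk; if that window is non-modal (not visible here), a click on Save in reportPanel can write the workbook from a previous run. Join before showing the window, or have the Runnable publish the finished workbook to the panel it displays. `reportXLS xlsReport = new reportXLS(Results,rr);` creates an object whose only effect is that static assignment, and the commented-out `// BrowserControl.openUrl(xlsReport.xlsPath);` references a field the new reportXLS class does not declare — drop the dead line rather than leave it.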
@@ -0,0 +1,348 @@ +/* + * To change this template, choose Tools | Templates + * and open the template in the editor. + */ +package org.sleuthkit.autopsy.report; + +import java.io.FileOutputStream; + +import java.io.IOException; +import java.text.DateFormat; +import java.text.SimpleDateFormat; +import java.util.ArrayList; +import java.util.Date; +import java.util.HashMap; +import java.util.Map.Entry; +import java.util.TreeMap; +import org.apache.poi.ss.usermodel.Cell; +import org.apache.poi.ss.usermodel.CellStyle; +import org.apache.poi.ss.usermodel.Font; +import org.apache.poi.ss.usermodel.Row; +import org.apache.poi.ss.usermodel.Sheet; +import org.apache.poi.ss.usermodel.Workbook; +import org.apache.poi.xssf.usermodel.XSSFWorkbook; +import org.sleuthkit.autopsy.casemodule.Case; +import org.sleuthkit.datamodel.BlackboardArtifact; +import org.sleuthkit.datamodel.BlackboardAttribute; +import org.sleuthkit.datamodel.FsContent; +import org.sleuthkit.datamodel.SleuthkitCase; +import org.sleuthkit.datamodel.TskData; + +/** + * + * @author Alex + */ +public class reportXLS { + public static Workbook wb = new XSSFWorkbook(); + public reportXLS(HashMap> report, reportFilter rr){ + //Empty the workbook first + Workbook wbtemp = new XSSFWorkbook(); + + int countGen = 0; + int countBookmark = 0; + int countCookie = 0; + int countHistory = 0; + int countDownload = 0; + int countRecentObjects = 0; + int countTrackPoint = 0; + int countInstalled = 0; + int countKeyword = 0; + int countHash = 0; + int countDevice = 0; + for (Entry> entry : report.entrySet()) { + if(entry.getKey().getArtifactTypeID() == 1){ + countGen++; + } + if(entry.getKey().getArtifactTypeID() == 2){ + countBookmark++; + } + if(entry.getKey().getArtifactTypeID() == 3){ + + countCookie++; + } + if(entry.getKey().getArtifactTypeID() == 4){ + + countHistory++; + } + if(entry.getKey().getArtifactTypeID() == 5){ + countDownload++; + } + if(entry.getKey().getArtifactTypeID() == 6){ + countRecentObjects++; + } + 
if(entry.getKey().getArtifactTypeID() == 7){ + countTrackPoint++; + } + if(entry.getKey().getArtifactTypeID() == 8){ + countInstalled++; + } + if(entry.getKey().getArtifactTypeID() == 9){ + countKeyword++; + } + if(entry.getKey().getArtifactTypeID() == 10){ + countHash++; + } + if(entry.getKey().getArtifactTypeID() == 11){ + countDevice++; + } + } + + try{ + Case currentCase = Case.getCurrentCase(); // get the most updated case + SleuthkitCase skCase = currentCase.getSleuthkitCase(); + String caseName = currentCase.getName(); + Integer imagecount = currentCase.getImageIDs().length; + Integer filesystemcount = currentCase.getRootObjectsCount(); + Integer totalfiles = skCase.countFsContentType(TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_REG); + Integer totaldirs = skCase.countFsContentType(TskData.TSK_FS_META_TYPE_ENUM.TSK_FS_META_TYPE_DIR); + DateFormat datetimeFormat = new SimpleDateFormat("yyyy/MM/dd HH:mm:ss"); + DateFormat dateFormat = new SimpleDateFormat("MM-dd-yyyy-HH-mm-ss"); + Date date = new Date(); + String datetime = datetimeFormat.format(date); + String datenotime = dateFormat.format(date); + + //Generate a sheet per artifact type + Sheet sheetGen = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_GEN_INFO.getDisplayName()); + Sheet sheetHash = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT.getDisplayName()); + Sheet sheetDevice = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED.getDisplayName()); + Sheet sheetInstalled = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_INSTALLED_PROG.getDisplayName()); + Sheet sheetKeyword = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getDisplayName()); + Sheet sheetTrackpoint = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_TRACKPOINT.getDisplayName()); + Sheet sheetRecent = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT.getDisplayName()); + Sheet sheetCookie = 
wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_COOKIE.getDisplayName()); + Sheet sheetBookmark = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_BOOKMARK.getDisplayName()); + Sheet sheetDownload = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD.getDisplayName()); + Sheet sheetHistory = wbtemp.createSheet(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_HISTORY.getDisplayName()); + + //Bold/underline cell style for the top header rows + CellStyle style = wbtemp.createCellStyle(); + style.setBorderBottom((short) 2); + Font font = wbtemp.createFont(); + font.setFontHeightInPoints((short)16); + font.setFontName("Courier New"); + font.setBoldweight((short)2); + style.setFont(font); + //create the rows in the worksheet for our records + //Create first row and header + sheetGen.createRow(0); + sheetGen.getRow(0).createCell(0).setCellValue("Name"); + sheetGen.getRow(0).createCell(1).setCellValue("Value"); + sheetGen.getRow(0).createCell(2).setCellValue("Date/Time"); + + sheetHash.createRow(0).setRowStyle(style); + sheetHash.getRow(0).createCell(0).setCellValue("Name"); + sheetHash.getRow(0).createCell(1).setCellValue("Size"); + sheetHash.getRow(0).createCell(2).setCellValue("Hashset Name"); + + sheetDevice.createRow(0).setRowStyle(style); + sheetDevice.getRow(0).createCell(0).setCellValue("Name"); + sheetDevice.getRow(0).createCell(1).setCellValue("Serial #"); + sheetDevice.getRow(0).createCell(2).setCellValue("Time"); + + sheetInstalled.createRow(0).setRowStyle(style); + sheetInstalled.getRow(0).createCell(0).setCellValue("Program Name"); + sheetInstalled.getRow(0).createCell(1).setCellValue("Install Date/Time"); + + sheetKeyword.createRow(0).setRowStyle(style); + sheetKeyword.getRow(0).createCell(0).setCellValue("Keyword"); + sheetKeyword.getRow(0).createCell(1).setCellValue("File Name"); + sheetKeyword.getRow(0).createCell(2).setCellValue("Preview"); + sheetKeyword.getRow(0).createCell(3).setCellValue("Keyword LIst"); + + 
sheetRecent.createRow(0).setRowStyle(style); + sheetRecent.getRow(0).createCell(0).setCellValue("Name"); + sheetRecent.getRow(0).createCell(1).setCellValue("Path"); + sheetRecent.getRow(0).createCell(2).setCellValue("Related Shortcut"); + + sheetCookie.createRow(0).setRowStyle(style); + sheetCookie.getRow(0).createCell(0).setCellValue("URL"); + sheetCookie.getRow(0).createCell(1).setCellValue("Date"); + sheetCookie.getRow(0).createCell(2).setCellValue("Name"); + sheetCookie.getRow(0).createCell(3).setCellValue("Value"); + sheetCookie.getRow(0).createCell(4).setCellValue("Program"); + + sheetBookmark.createRow(0).setRowStyle(style); + sheetBookmark.getRow(0).createCell(0).setCellValue("URL"); + sheetBookmark.getRow(0).createCell(1).setCellValue("Title"); + sheetBookmark.getRow(0).createCell(2).setCellValue("Program"); + + sheetDownload.createRow(0).setRowStyle(style); + sheetDownload.getRow(0).createCell(0).setCellValue("File"); + sheetDownload.getRow(0).createCell(1).setCellValue("Source"); + sheetDownload.getRow(0).createCell(2).setCellValue("Time"); + sheetDownload.getRow(0).createCell(3).setCellValue("Program"); + + sheetHistory.createRow(0).setRowStyle(style); + sheetHistory.getRow(0).createCell(0).setCellValue("URL"); + sheetHistory.getRow(0).createCell(1).setCellValue("Date"); + sheetHistory.getRow(0).createCell(2).setCellValue("Referrer"); + sheetHistory.getRow(0).createCell(3).setCellValue("Title"); + sheetHistory.getRow(0).createCell(4).setCellValue("Program"); + + for(int i = 0;i < wbtemp.getNumberOfSheets();i++){ + Sheet tempsheet = wbtemp.getSheetAt(i); + for (Row temprow : tempsheet){ + for (Cell cell : temprow) { + cell.setCellStyle(style); + } + } + } + + int countedGen = 0; + int countedBookmark = 0; + int countedCookie = 0; + int countedHistory = 0; + int countedDownload = 0; + int countedRecentObjects = 0; + int countedTrackPoint = 0; + int countedInstalled = 0; + int countedKeyword = 0; + int countedHash = 0; + int countedDevice = 0; + + //start 
populating the sheets in the workbook + for (Entry> entry : report.entrySet()) { + if(reportFilter.cancel == true){ + break; + } + int cc = 0; + Long objId = entry.getKey().getObjectID(); + FsContent file = skCase.getFsContentById(objId); + Long filesize = file.getSize(); + TreeMap attributes = new TreeMap(); + // Get all the attributes, line them up to be added. Place empty string placeholders for each attribute type + int n; + for(n=1;n<=36;n++) + { + attributes.put(n, ""); + + } + for (BlackboardAttribute tempatt : entry.getValue()) + { + if(reportFilter.cancel == true){ + break; + } + String value = ""; + int type = tempatt.getAttributeTypeID(); + if(tempatt.getValueString() == null || "null".equals(tempatt.getValueString())){ + + } + else if(type == 2){ + value = new java.text.SimpleDateFormat("MM/dd/yyyy HH:mm:ss").format(new java.util.Date ((tempatt.getValueLong())*1000)); + } + else + { + value = tempatt.getValueString(); + } + + attributes.put(type, value); + cc++; + } + + + if(entry.getKey().getArtifactTypeID() == 1){ + countedGen++; + Row temp = sheetGen.getRow(countedGen); + + } + if(entry.getKey().getArtifactTypeID() == 2){ + countedBookmark++; + Row temp = sheetBookmark.createRow(countedBookmark); + temp.createCell(0).setCellValue(attributes.get(1)); + temp.createCell(1).setCellValue(attributes.get(3)); + temp.createCell(2).setCellValue(attributes.get(4)); + } + if(entry.getKey().getArtifactTypeID() == 3){ + countedCookie++; + Row temp = sheetCookie.createRow(countedCookie); + temp.createCell(0).setCellValue(attributes.get(1)); + temp.createCell(1).setCellValue(attributes.get(2)); + temp.createCell(2).setCellValue(attributes.get(3)); + temp.createCell(3).setCellValue(attributes.get(6)); + temp.createCell(4).setCellValue(attributes.get(4)); + } + if(entry.getKey().getArtifactTypeID() == 4){ + countedHistory++; + Row temp = sheetHistory.createRow(countedHistory); + temp.createCell(0).setCellValue(attributes.get(1)); + 
temp.createCell(1).setCellValue(attributes.get(33)); + temp.createCell(2).setCellValue(attributes.get(32)); + temp.createCell(3).setCellValue(attributes.get(3)); + temp.createCell(4).setCellValue(attributes.get(4)); + } + if(entry.getKey().getArtifactTypeID() == 5){ + countedDownload++; + Row temp = sheetDownload.createRow(countedDownload); + temp.createCell(0).setCellValue(attributes.get(8)); + temp.createCell(1).setCellValue(attributes.get(1)); + temp.createCell(2).setCellValue(attributes.get(33)); + temp.createCell(3).setCellValue(attributes.get(4)); + } + if(entry.getKey().getArtifactTypeID() == 6){ + countedRecentObjects++; + Row temp = sheetRecent.createRow(countedRecentObjects); + temp.createCell(0).setCellValue(attributes.get(3)); + temp.createCell(1).setCellValue(attributes.get(8)); + temp.createCell(2).setCellValue(file.getName()); + temp.createCell(3).setCellValue(attributes.get(4)); + } + if(entry.getKey().getArtifactTypeID() == 7){ + // sheetTrackpoint.addContent(artifact); + } + if(entry.getKey().getArtifactTypeID() == 8){ + countedInstalled++; + Row temp = sheetInstalled.createRow(countedInstalled); + temp.createCell(0).setCellValue(attributes.get(4)); + temp.createCell(1).setCellValue(attributes.get(2)); + } + if(entry.getKey().getArtifactTypeID() == 9){ + countedKeyword++; + Row temp = sheetKeyword.createRow(countedKeyword); + temp.createCell(0).setCellValue(attributes.get(10)); + temp.createCell(1).setCellValue(attributes.get(3)); + temp.createCell(2).setCellValue(attributes.get(12)); + temp.createCell(3).setCellValue(attributes.get(13)); + } + if(entry.getKey().getArtifactTypeID() == 10){ + countedHash++; + Row temp = sheetHash.createRow(countedHash); + temp.createCell(0).setCellValue(file.getName().toString()); + temp.createCell(1).setCellValue(filesize.toString()); + temp.createCell(2).setCellValue(attributes.get(30)); + } + if(entry.getKey().getArtifactTypeID() == 11){ + countedDevice++; + Row temp = sheetDevice.createRow(countedDevice); + 
temp.createCell(0).setCellValue(attributes.get(18)); + temp.createCell(1).setCellValue(attributes.get(20)); + temp.createCell(2).setCellValue(attributes.get(2)); + } + + + cc++; + rr.progBarSet(cc); + } + + + //write out the report to the reports folder + try { + FileOutputStream fos = new FileOutputStream(currentCase.getCaseDirectory()+"/Reports/" + caseName + "-" + datenotime + ".xlsx"); + wbtemp.write(fos); + fos.close(); + wb = wbtemp; + } + catch (IOException e) { + System.err.println(e); + } + + } + + catch(Exception E) + { + String test = E.toString(); + } + + } + + +} diff --git a/Report/src/org/sleuthkit/autopsy/report/reportXML.java b/Report/src/org/sleuthkit/autopsy/report/reportXML.java index 6a25b35ba8..b7cbfc5bdc 100644 --- a/Report/src/org/sleuthkit/autopsy/report/reportXML.java +++ b/Report/src/org/sleuthkit/autopsy/report/reportXML.java @@ -13,6 +13,8 @@ import java.util.HashMap; import java.util.Map.Entry; import java.util.logging.Level; import java.util.logging.Logger; +import java.util.regex.Pattern; +import org.apache.commons.lang3.StringEscapeUtils; import org.jdom.Comment; import org.jdom.Document; import org.jdom.Document.*; @@ -72,6 +74,9 @@ public class reportXML { Element nodeInstalled = new Element("Installed-Programfiles"); Element nodeKeyword = new Element("Keyword-Search-Hits"); Element nodeHash = new Element("Hashset-Hits"); + Element nodeDevice = new Element("Attached-Devices"); + //remove bytes + Pattern INVALID_XML_CHARS = Pattern.compile("[^\\u0009\\u000A\\u000D\\u0020-\\uD7FF\\uE000-\\uFFFD\uD800\uDC00-\uDBFF\uDFFF]"); for (Entry> entry : report.entrySet()) { if(reportFilter.cancel == true){ break; 
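Review bot: The outer `catch(Exception E) { String test = E.toString(); }` at the end of the constructor discards every failure, so a broken query or a null `FsContent` from `getFsContentById` aborts the loop with no log entry, `wb` keeps whatever workbook it held before, and reportPanel's Save then writes that stale workbook as this case's report; log it, e.g. `Logger.getLogger(reportXLS.class.getName()).log(Level.SEVERE, "XLS report generation failed", e);` (java.util.logging is not among this file's imports and would need adding). The inner `FileOutputStream fos` is closed only when `wbtemp.write(fos)` succeeds — move `fos.close()` into a `finally`. `Row temp = sheetGen.getRow(countedGen);` in the type-1 branch fetches a row that was never created and then ignores it — either create and fill the row or drop the branch, and the unused `count*` tallies and `sheetTrackpoint` should go too. The NetBeans template header (`To change this template...`) should become a class Javadoc stating that the constructor builds one sheet per artifact type and writes `<case>-<timestamp>.xlsx` into the case's Reports folder, exposing the result via the static `wb`; `"Keyword LIst"` is a typo.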
@@ -92,9 +97,11 @@ public class reportXML { break; } Element attribute = new Element("Attribute").setAttribute("Type",tempatt.getAttributeTypeDisplayName()); - Element value = new Element("Value").setText(tempatt.getValueString()); + String tempvalue = tempatt.getValueString(); + //INVALID_XML_CHARS.matcher(tempvalue).replaceAll(""); + Element value = new Element("Value").setText(tempvalue); attribute.addContent(value); - Element context = new Element("Context").setText(tempatt.getContext()); + Element context = new Element("Context").setText(StringEscapeUtils.escapeXml(tempatt.getContext())); attribute.addContent(context); artifact.addContent(attribute); cc++; @@ -136,6 +143,9 @@ public class reportXML { } if(entry.getKey().getArtifactTypeID() == 10){ nodeHash.addContent(artifact); + } + if(entry.getKey().getArtifactTypeID() == 11){ + nodeDevice.addContent(artifact); } cc++; rr.progBarSet(cc); @@ -153,6 +163,7 @@ public class reportXML { root.addContent(nodeInstalled); root.addContent(nodeKeyword); root.addContent(nodeHash); + root.addContent(nodeDevice); try { FileOutputStream out = new FileOutputStream(currentCase.getCaseDirectory()+"/Reports/" + caseName + "-" + datenotime + ".xml");
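Review bot: `StringEscapeUtils.escapeXml(tempatt.getContext())` escapes text that JDOM's XMLOutputter escapes again on serialization, so a context containing `&` or `<` comes out double-encoded (`&amp;amp;`), and the Value element gets no such treatment — drop the escapeXml call and let JDOM handle entities. The commented-out `//INVALID_XML_CHARS.matcher(tempvalue).replaceAll("");` leaves the `INVALID_XML_CHARS` pattern declared in the previous hunk unused and the Value text unsanitized; if stripping characters illegal in XML 1.0 is the intent (escapeXml does not do that), assign the result, `tempvalue = INVALID_XML_CHARS.matcher(tempvalue).replaceAll("");`, after a null check, since `matcher(null)` throws. Compiling the Pattern inside the constructor on every report is also cheap to hoist to a `private static final`.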