resolved conflict

This commit is contained in:
Brian Carrier 2012-04-11 13:38:31 -04:00
commit 4e0688e464
249 changed files with 978 additions and 17081 deletions

.gitignore vendored

@ -16,3 +16,4 @@
/KeywordSearch/release/solr/webapps/solr.war
/DataModel/release/modules/ext/sqlite-jdbc-3.7.2.jar
/DataModel/release/modules/lib/zlib.dll


@ -13,7 +13,7 @@ needed even if you have a 64-bit system).
3) Download and install Netbeans IDE 7.0.1 (http://netbeans.org/)
4) Download and build the release version of Libewf2 (20120304 or later). All you need is the dll file.
4) Download and build the release version of Libewf2 (20120304 or later). All you need is the dll file. Note that you will get a launching error if you use libewf 1.
- http://sourceforge.net/projects/libewf/
5) Set LIBEWF_HOME environment variable to root directory of LIBEWF


@ -70,13 +70,13 @@ DataContentViewerString.selectAllMenuItem.text=Select All
DataContentViewerHex.selectAllMenuItem.text=Select All
DataContentViewerArtifact.totalPageLabel.text=100
DataContentViewerArtifact.prevPageButton.text=
DataContentViewerArtifact.pageLabel2.text=Artifact
DataContentViewerArtifact.pageLabel2.text=Result
DataContentViewerArtifact.nextPageButton.text=
DataContentViewerArtifact.currentPageLabel.text=1
DataContentViewerArtifact.ofLabel.text=of
DataContentViewerArtifact.copyMenuItem.text=Copy
DataContentViewerArtifact.selectAllMenuItem.text=Select All
DataContentViewerArtifact.pageLabel.text=Artifact:
DataContentViewerArtifact.pageLabel.text=Result:
AdvancedConfigurationDialog.applyButton.text=OK
DataContentViewerMedia.pauseButton.text=\u25ba


@ -94,7 +94,7 @@ public class DataContentViewerArtifact extends javax.swing.JPanel implements Dat
jPanel1.setPreferredSize(new java.awt.Dimension(622, 424));
outputViewPane.setEditable(false);
outputViewPane.setFont(new java.awt.Font("Courier New", 0, 11));
outputViewPane.setFont(new java.awt.Font("Courier New", 0, 11)); // NOI18N
outputViewPane.setPreferredSize(new java.awt.Dimension(700, 400));
jScrollPane1.setViewportView(outputViewPane);
@ -244,12 +244,12 @@ public class DataContentViewerArtifact extends javax.swing.JPanel implements Dat
@Override
public String getTitle() {
return "Artifact View";
return "Result View";
}
@Override
public String getToolTip() {
return "Displays Blackboard Artifacts associated with the file";
return "Displays Results associated with the file";
}
@Override
@ -307,7 +307,7 @@ public class DataContentViewerArtifact extends javax.swing.JPanel implements Dat
int size = content.getAllArtifacts().size();
return size > 0;
} catch (TskException ex) {
logger.log(Level.WARNING, "Couldn't get All blackboard Artifacts", ex);
logger.log(Level.WARNING, "Couldn't get All Blackboard Artifacts", ex);
}
}
return false;


@ -52,11 +52,11 @@ public class ArtifactStringContent implements StringContent {
buffer.append("p {font-family:Arial;font-size:10pt;}");
buffer.append("</style>");
buffer.append("</head>");
buffer.append("<h4>");
buffer.append(wrapped.getDisplayName());
buffer.append("</h4>");
buffer.append("<table border='0'>");
buffer.append("<tr>");
buffer.append("<th>Attribute Type</th>");
buffer.append("<th>Value</th>");
buffer.append("<th>Context</th>");
buffer.append("</tr>");
for (BlackboardAttribute attr : wrapped.getAttributes()) {
buffer.append("<tr><td>");
@ -81,10 +81,10 @@ public class ArtifactStringContent implements StringContent {
break;
}
buffer.append("</td>");
buffer.append("<td>");
if (!"".equals(attr.getContext())) {
buffer.append(" (");
buffer.append(attr.getContext());
buffer.append(")");
}
buffer.append("</td>");
buffer.append("</tr>");
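Review bot: The display name and the attribute context are appended to the HTML verbatim at `buffer.append(wrapped.getDisplayName());` and `buffer.append(attr.getContext());`, with no escaping, so a value containing `<`, `>` or `&` is interpreted as markup instead of being shown as text. These strings presumably originate from the evidence being examined, so the viewer should not trust them; escaping before appending, e.g. `buffer.append(StringEscapeUtils.escapeHtml4(attr.getContext()));` if commons-lang3 (introduced in this commit's project.xml) is on this module's classpath, otherwise a small private escape helper, keeps the table rendering correctly. The attribute value appended between the two hunks (not shown) likely needs the same treatment. Whether this hunk is an indentation-only change is not recoverable from the rendering, and the enclosing method begins and ends outside it.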


@ -96,6 +96,8 @@ public class ArtifactTypeNode extends AbstractNode implements DisplayableItemNod
return "programs.png";
case TSK_RECENT_OBJECT:
return "recent_docs.png";
case TSK_DEVICE_ATTACHED:
return "usb_devices.png";
}
return "artifact-icon.png";
}


@ -46,6 +46,7 @@ public class ExtractedContentChildren extends ChildFactory<BlackboardArtifact.AR
list.add(BlackboardArtifact.ARTIFACT_TYPE.TSK_WEB_DOWNLOAD);
list.add(BlackboardArtifact.ARTIFACT_TYPE.TSK_RECENT_OBJECT);
list.add(BlackboardArtifact.ARTIFACT_TYPE.TSK_INSTALLED_PROG);
list.add(BlackboardArtifact.ARTIFACT_TYPE.TSK_DEVICE_ATTACHED);
return true;
}


@ -53,6 +53,7 @@ import org.sleuthkit.autopsy.datamodel.SearchFiltersNode;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.Content;
import org.sleuthkit.datamodel.File;
import org.sleuthkit.datamodel.TskException;
@ -158,33 +159,52 @@ public class DataResultFilterNode extends FilterNode{
@Override
public List<Action> visit(DirectoryNode dir) {
List<Action> actions = new ArrayList<Action>();
if(!dir.getDirectoryBrowseMode()) {
actions.add(new ViewContextAction("View File in Directory", dir));
actions.add(null); // creates a menu separator
}
actions.add(new NewWindowViewAction("View in New Window", dir));
actions.add(new ChangeViewAction("View", 0, dir));
actions.add(null); // creates a menu separator
actions.add(new ExtractAction("Extract Directory", dir));
if(!dir.getDirectoryBrowseMode())
actions.add(new ViewContextAction("View in Parent Directory", dir));
return actions;
}
@Override
public List<Action> visit(FileNode f) {
List<Action> actions = new ArrayList<Action>();
if(!f.getDirectoryBrowseMode()) {
actions.add(new ViewContextAction("View File in Directory", f));
actions.add(null); // creates a menu separator
}
actions.add(new NewWindowViewAction("View in New Window", f));
actions.add(new ExternalViewerAction("Open in External Viewer", f));
actions.add(null); // creates a menu separator
actions.add(new ExtractAction("Extract File", f));
if(!f.getDirectoryBrowseMode())
actions.add(new ViewContextAction("View in Parent Directory", f));
return actions;
}
@Override
public List<Action> visit(BlackboardArtifactNode ba) {
public List<Action> visit(BlackboardArtifactNode ban) {
List<Action> actions = new ArrayList<Action>();
//actions.add(new ViewAssociatedContentAction("View Associated Content", ba));
actions.add(new ViewContextAction("View Source in Directory", ba));
Content c = findLinked(ba);
if(c != null)
actions.add(new ViewContextAction("View Linked in Directory", c));
BlackboardArtifact ba = ban.getLookup().lookup(BlackboardArtifact.class);
if(ba.getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT.getTypeID()
|| ba.getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID()) {
actions.add(new ViewContextAction("View File in Directory", ban));
} else {
Content c = findLinked(ban);
if (c != null) {
actions.add(new ViewContextAction("View File in Directory", c));
}
actions.add(new ViewContextAction("View Source File in Directory", ban));
}
File f = ban.getLookup().lookup(File.class);
if(f != null) {
actions.add(null); // creates a menu separator
actions.add(new NewWindowViewAction("View in New Window", new FileNode(f)));
actions.add(new ExternalViewerAction("Open in External Viewer", new FileNode(f)));
actions.add(null); // creates a menu separator
actions.add(new ExtractAction("Extract File", new FileNode(f)));
}
return actions;
}
@ -201,16 +221,20 @@ public class DataResultFilterNode extends FilterNode{
if(attr.getAttributeTypeID() == BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PATH_ID.getTypeID()) {
switch(attr.getValueType()) {
case INTEGER:
c = art.getSleuthkitCase().getContentById(attr.getValueInt());
int i = attr.getValueInt();
if(i != -1)
c = art.getSleuthkitCase().getContentById(i);
break;
case LONG:
c = art.getSleuthkitCase().getContentById(attr.getValueLong());
long l = attr.getValueLong();
if(l != -1)
c = art.getSleuthkitCase().getContentById(l);
break;
}
}
}
} catch(TskException ex) {
Logger.getLogger(this.getClass().getName()).log(Level.WARNING, "Error getting linked file");
Logger.getLogger(this.getClass().getName()).log(Level.WARNING, "Error getting linked file", ex);
}
return c;
}
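Review bot: `ba` obtained from `ban.getLookup().lookup(BlackboardArtifact.class)` is dereferenced immediately in `ba.getArtifactTypeID()`, while the `File` taken from the same lookup a few lines later is null-checked; if the lookup can return null here as well, the artifact branch throws a NullPointerException. Guard it the same way, `if (ba != null && (ba.getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_HASHSET_HIT.getTypeID() || ba.getArtifactTypeID() == BlackboardArtifact.ARTIFACT_TYPE.TSK_KEYWORD_HIT.getTypeID())) {`, or skip the artifact-specific actions when it is absent. In the `findLinked` hunk (whose method starts outside the hunk) the `-1` checks on `getValueInt()`/`getValueLong()` read as an unset sentinel; a named constant with a comment saying so would make the intent explicit.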


@ -16,10 +16,18 @@
</folder>
<folder name="Menu">
<folder name="Tools">
<file name="org-sleuthkit-autopsy-report-generatereport-separatorBefore.instance">
<attr name="instanceClass" stringvalue="javax.swing.JSeparator"/>
<attr name="position" intvalue="799"/>
</file>
<file name="org-sleuthkit-autopsy-filesearch-FileSearchAction.shadow">
<attr name="originalFile" stringvalue="Actions/Tools/org-sleuthkit-autopsy-filesearch-FileSearchAction.instance"/>
<attr name="position" intvalue="800"/>
</file>
<file name="org-sleuthkit-autopsy-report-generatereport-separatorAfter.instance">
<attr name="instanceClass" stringvalue="javax.swing.JSeparator"/>
<attr name="position" intvalue="801"/>
</file>
</folder>
</folder>
</filesystem>


@ -36,7 +36,7 @@ import org.sleuthkit.autopsy.coreutils.Log;
*/
class HashDbMgmtAction extends CallableSystemAction {
private static final String ACTION_NAME = "Hash Database Management";
private static final String ACTION_NAME = "Hash Database Configuration";
@Override
public void performAction() {


@ -30,6 +30,8 @@ import java.io.IOException;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.swing.JFileChooser;
import javax.swing.filechooser.FileFilter;
import javax.swing.filechooser.FileNameExtensionFilter;
import org.sleuthkit.autopsy.coreutils.Log;
import org.sleuthkit.datamodel.TskException;
@ -66,6 +68,10 @@ class HashDbPanel extends javax.swing.JPanel {
fc.setDragEnabled(false);
fc.setFileSelectionMode(JFileChooser.FILES_ONLY);
String[] EXTENSION = new String[] { "txt", "idx", "hash", "Hash" };
FileNameExtensionFilter filter = new FileNameExtensionFilter(
"Hash Database File", EXTENSION);
fc.setFileFilter(filter);
fc.setMultiSelectionEnabled(false);
this.initComponents();
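Review bot: `FileNameExtensionFilter` compares extensions case-insensitively, so `"Hash"` in `new String[] { "txt", "idx", "hash", "Hash" }` is redundant with `"hash"`; `String[] extensions = { "txt", "idx", "hash" };` is enough, and the lower-case name stops a plain local from reading as a constant. The `javax.swing.filechooser.FileFilter` import added in the first hunk is not used by the shown code; drop it unless it is needed elsewhere in the file. The filter is a chooser convenience only — unless the accept-all filter is disabled somewhere outside the hunk the user can still pick any file — so the chosen path still has to be validated as a hash database when it is actually opened, which this change does not show. The enclosing constructor or initializer starts outside the hunk.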


@ -14,10 +14,6 @@
<attr name="originalFile" stringvalue="Actions/Tools/org-sleuthkit-autopsy-hashdatabase-HashDbMgmtAction.instance"/>
<attr name="position" intvalue="1000"/>
</file>
<file name="SeparatorAfterHashDatabaseSettings.instance">
<attr name="instanceClass" stringvalue="javax.swing.JSeparator"/>
<attr name="position" intvalue="1001"/>
</file>
<file name="Separator1.instance_hidden"/>
<file name="Separator3.instance_hidden"/>
<file name="org-netbeans-modules-autoupdate-ui-actions-PluginManagerAction.shadow_hidden"/>


@ -20,8 +20,8 @@ IngestDialogPanel.freqSliderLabel.text=Refresh interval (minutes)
IngestDialogPanel.freqSliderLabel.toolTipText=null
IngestDialogPanel.freqSlider.toolTipText=<html>Maximum time in minutes for ingest modules to refresh and report data to user. <br />Lower value presents data more frequently but may impact performance and lenghten the overall ingest run.<br />Higher value is improves performance, but data will be refreshed less frequently (recommended for an unattended run).<br />The value can be adjusted only when no ingest module is currently running</html>
IngestMessageDetailsPanel.backButton.text=
IngestMessageDetailsPanel.viewArtifactButton.text=View Artifact
IngestMessageDetailsPanel.viewContentButton.text=View Content
IngestMessageDetailsPanel.viewArtifactButton.text=Go to Result
IngestMessageDetailsPanel.viewContentButton.text=Go to Directory
IngestMessagePanel.sortByLabel.text=Sort by:
IngestMessagePanel.sortByComboBox.toolTipText=Sort messages by time (chronological order) or message priority
IngestDialogPanel.advancedButton.text=Advanced
@ -30,3 +30,4 @@ IngestMessageDetailsPanel.messageDetailsPane.toolTipText=
IngestMessagesToolbar.toolTipText=
IngestMessageDetailsPanel.copyMenuItem.text=Copy
IngestMessageDetailsPanel.selectAllMenuItem.text=Select All
IngestMessageTopComponent.displayName=Ingest Inbox


@ -46,6 +46,7 @@ import org.openide.util.Lookup;
import org.sleuthkit.autopsy.ingest.IngestMessage.MessageType;
import org.sleuthkit.datamodel.FsContent;
import org.sleuthkit.datamodel.Image;
import org.sleuthkit.datamodel.TskData;
/**
* IngestManager sets up and manages ingest services
@ -553,8 +554,6 @@ public class IngestManager {
return ret;
}
//image worker to remove itself when complete or interrupted
void removeImageIngestWorker(IngestImageThread worker) {
//remove worker
@ -642,7 +641,7 @@ public class IngestManager {
void enqueue(FsContent fsContent, IngestServiceFsContent service) {
//fsContentUnits.put(fsContent, Collections.singletonList(service));
List<IngestServiceFsContent> services = fsContentUnits.get(fsContent);
if(services == null) {
if (services == null) {
services = new ArrayList<IngestServiceFsContent>();
fsContentUnits.put(fsContent, services);
}
@ -652,7 +651,7 @@ public class IngestManager {
void enqueue(FsContent fsContent, List<IngestServiceFsContent> services) {
List<IngestServiceFsContent> oldServices = fsContentUnits.get(fsContent);
if(oldServices == null) {
if (oldServices == null) {
oldServices = new ArrayList<IngestServiceFsContent>();
fsContentUnits.put(fsContent, oldServices);
}
@ -690,9 +689,10 @@ public class IngestManager {
* @return true if the service is enqueued to do work
*/
boolean hasServiceEnqueued(IngestServiceFsContent service) {
for(List<IngestServiceFsContent> list : fsContentUnits.values()) {
if(list.contains(service))
for (List<IngestServiceFsContent> list : fsContentUnits.values()) {
if (list.contains(service)) {
return true;
}
}
return false;
}
@ -705,8 +705,8 @@ public class IngestManager {
public String printQueue() {
StringBuilder sb = new StringBuilder();
/*for (QueueUnit<FsContent, IngestServiceFsContent> u : fsContentUnits) {
sb.append(u.toString());
sb.append("\n");
sb.append(u.toString());
sb.append("\n");
}*/
return sb.toString();
}
@ -731,7 +731,7 @@ public class IngestManager {
void enqueue(Image image, IngestServiceImage service) {
List<IngestServiceImage> services = imageUnits.get(image);
if(services == null) {
if (services == null) {
services = new ArrayList<IngestServiceImage>();
imageUnits.put(image, services);
}
@ -740,7 +740,7 @@ public class IngestManager {
void enqueue(Image image, List<IngestServiceImage> services) {
List<IngestServiceImage> oldServices = imageUnits.get(image);
if(oldServices == null) {
if (oldServices == null) {
oldServices = new ArrayList<IngestServiceImage>();
imageUnits.put(image, oldServices);
}
@ -822,11 +822,11 @@ public class IngestManager {
sb.append("Total errors: ").append(errorsTotal).append("<br />");
/*
if (errorsTotal > 0) {
sb.append("Errors per service:");
for (IngestServiceAbstract service : errors.keySet()) {
final int errorsService = errors.get(service);
sb.append("\t").append(service.getName()).append(": ").append(errorsService).append("<br />");
}
sb.append("Errors per service:");
for (IngestServiceAbstract service : errors.keySet()) {
final int errorsService = errors.get(service);
sb.append("\t").append(service.getName()).append(": ").append(errorsService).append("<br />");
}
}
* */
@ -926,13 +926,18 @@ public class IngestManager {
fsContentServiceResults.clear();
}
final FsContent fileToProcess = unit.getKey();
progress.progress(fileToProcess.getName(), processedFiles);
for (IngestServiceFsContent service : unit.getValue()) {
if (isCancelled()) {
return null;
}
try {
IngestServiceFsContent.ProcessResult result = service.process(unit.getKey());
IngestServiceFsContent.ProcessResult result = service.process(fileToProcess);
//handle unconditional stop
if (result == IngestServiceFsContent.ProcessResult.STOP) {
break;
@ -956,7 +961,7 @@ public class IngestManager {
progress.switchToIndeterminate();
progress.switchToDeterminate(numFsContents);
}
progress.progress(unit.getKey().getName(), ++processedFiles);
++processedFiles;
--numFsContents;
} //end of this fsContent
logger.log(Level.INFO, "Done background processing");
@ -1001,7 +1006,6 @@ public class IngestManager {
}
private void handleInterruption() {
for (IngestServiceFsContent s : fsContentServices) {
s.stop();
@ -1099,10 +1103,10 @@ public class IngestManager {
//addImage((IngestServiceImage) service, image);
break;
case FsContent:
if(fsContents == null) {
if (fsContents == null) {
long start = System.currentTimeMillis();
fsContents = new GetAllFilesContentVisitor().visit(image);
logger.info("Get all files took " + (System.currentTimeMillis()-start) + "ms");
logger.info("Get all files took " + (System.currentTimeMillis() - start) + "ms");
}
//enqueue the same singleton fscontent service
logger.log(Level.INFO, "Adding image " + image.getName() + " with " + fsContents.size() + " number of fsContent to service " + service.getName());
@ -1113,8 +1117,9 @@ public class IngestManager {
}
progress.progress(serviceName + " " + imageName, ++processed);
}
if(fsContents != null)
if (fsContents != null) {
fsContents.clear();
}
}
//logger.log(Level.INFO, fsContentQueue.printQueue());
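Review bot: The log call `logger.log(Level.INFO, "Adding image " + image.getName() + " with " + fsContents.size() + " number of fsContent to service " + service.getName());` builds the message eagerly by concatenation while the line just above it uses `logger.info(...)`; the parameterized form `logger.log(Level.INFO, "Adding image {0} with {1} fsContent to service {2}", new Object[]{image.getName(), fsContents.size(), service.getName()});` matches the `logger.log(Level.INFO, "Done background processing")` style already in the file and defers formatting until the level is enabled. The `import org.sleuthkit.datamodel.TskData;` added at the top is not referenced in any shown hunk; it may be used elsewhere in the file. The method containing this switch starts and ends outside the hunk.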


@ -42,7 +42,7 @@
<Group type="103" groupAlignment="0" attributes="0">
<Group type="102" attributes="0">
<Component id="backButton" min="-2" pref="23" max="-2" attributes="0"/>
<EmptySpace pref="153" max="32767" attributes="0"/>
<EmptySpace pref="147" max="32767" attributes="0"/>
<Component id="viewArtifactButton" min="-2" max="-2" attributes="0"/>
<EmptySpace type="unrelated" min="-2" max="-2" attributes="0"/>
<Component id="viewContentButton" min="-2" max="-2" attributes="0"/>
@ -70,7 +70,7 @@
<Component class="javax.swing.JButton" name="backButton">
<Properties>
<Property name="icon" type="javax.swing.Icon" editor="org.netbeans.modules.form.editors2.IconEditor">
<Image iconType="3" name="/org/sleuthkit/autopsy/ingest/arrow_left.gif"/>
<Image iconType="3" name="/org/sleuthkit/autopsy/ingest/btn_step_back.png"/>
</Property>
<Property name="text" type="java.lang.String" editor="org.netbeans.modules.i18n.form.FormI18nStringEditor">
<ResourceString bundle="org/sleuthkit/autopsy/ingest/Bundle.properties" key="IngestMessageDetailsPanel.backButton.text" replaceFormat="org.openide.util.NbBundle.getMessage({sourceFileName}.class, &quot;{key}&quot;)"/>


@ -107,7 +107,7 @@ class IngestMessageDetailsPanel extends javax.swing.JPanel {
selectAllMenuItem.setText(org.openide.util.NbBundle.getMessage(IngestMessageDetailsPanel.class, "IngestMessageDetailsPanel.selectAllMenuItem.text")); // NOI18N
rightClickMenu.add(selectAllMenuItem);
backButton.setIcon(new javax.swing.ImageIcon(getClass().getResource("/org/sleuthkit/autopsy/ingest/arrow_left.gif"))); // NOI18N
backButton.setIcon(new javax.swing.ImageIcon(getClass().getResource("/org/sleuthkit/autopsy/ingest/btn_step_back.png"))); // NOI18N
backButton.setText(org.openide.util.NbBundle.getMessage(IngestMessageDetailsPanel.class, "IngestMessageDetailsPanel.backButton.text")); // NOI18N
backButton.setAlignmentY(0.0F);
backButton.setHorizontalTextPosition(javax.swing.SwingConstants.CENTER);
@ -152,7 +152,7 @@ class IngestMessageDetailsPanel extends javax.swing.JPanel {
layout.createParallelGroup(javax.swing.GroupLayout.Alignment.LEADING)
.addGroup(layout.createSequentialGroup()
.addComponent(backButton, javax.swing.GroupLayout.PREFERRED_SIZE, 23, javax.swing.GroupLayout.PREFERRED_SIZE)
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED, 153, Short.MAX_VALUE)
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.RELATED, 147, Short.MAX_VALUE)
.addComponent(viewArtifactButton)
.addPreferredGap(javax.swing.LayoutStyle.ComponentPlacement.UNRELATED)
.addComponent(viewContentButton))


@ -1,6 +1,12 @@
<?xml version="1.1" encoding="UTF-8" ?>
<Form version="1.5" maxVersion="1.7" type="org.netbeans.modules.form.forminfo.JPanelFormInfo">
<Properties>
<Property name="displayName" type="java.lang.String" editor="org.netbeans.modules.i18n.form.FormI18nStringEditor">
<ResourceString bundle="org/sleuthkit/autopsy/ingest/Bundle.properties" key="IngestMessageTopComponent.displayName" replaceFormat="org.openide.util.NbBundle.getMessage({sourceFileName}.class, &quot;{key}&quot;)"/>
</Property>
<Property name="name" type="java.lang.String" value="Ingest Inbox" noResource="true"/>
</Properties>
<AuxValues>
<AuxValue name="FormSettings_autoResourcing" type="java.lang.Integer" value="1"/>
<AuxValue name="FormSettings_autoSetComponentName" type="java.lang.Boolean" value="false"/>


@ -90,6 +90,9 @@ public final class IngestMessageTopComponent extends TopComponent implements Ing
// <editor-fold defaultstate="collapsed" desc="Generated Code">//GEN-BEGIN:initComponents
private void initComponents() {
setDisplayName(org.openide.util.NbBundle.getMessage(IngestMessageTopComponent.class, "IngestMessageTopComponent.displayName")); // NOI18N
setName("Ingest Inbox"); // NOI18N
javax.swing.GroupLayout layout = new javax.swing.GroupLayout(this);
this.setLayout(layout);
layout.setHorizontalGroup(


@ -2,10 +2,19 @@ Known issues and limitations
We plan to address the following issues in future releases.
General:
- Only a single instance of the application can be started at once.
There is no check if another instance is already running. Running a second instance will cause issues.
Case:
- Closing a case in certain situations (when ingest is running or processing is being done in the background) may cause stability issues.
If case cannot be cleanly closed, try closing the application.
Ingest:
- Ingest can fail and cause unexpected behavior if "Add image" action is performed while ingest is running.
- Ingest may fail and cause unexpected behavior if "Add image" action is performed while ingest is running on a previously added image.
Keyword search module:
- Keyword search module does not currently search unallocated space,
- Keyword search maximum size of files to be indexed and searched is 200MB,
- Keyword search maximum size of unknown files to be searched is 10MB.
- Keyword search maximum size of files to be indexed and searched is 100MB,
- Keyword search maximum size of unknown types of files to be indexed and searched (using string extraction) is 1MB.


@ -18,8 +18,6 @@
*/
package org.sleuthkit.autopsy.keywordsearch;
import java.beans.PropertyChangeListener;
import java.beans.PropertyChangeSupport;
import java.util.ArrayList;
import java.util.Collection;
import java.util.HashMap;
@ -476,7 +474,7 @@ public final class KeywordSearchIngestService implements IngestServiceFsContent
boolean ingestible = false;
final String fileName = fsContent.getName();
for (String ext : ingestibleExtensions) {
if (fileName.endsWith(ext)) {
if (fileName.toLowerCase().endsWith(ext)) {
ingestible = true;
break;
}
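Review bot: `fileName.toLowerCase()` in the changed condition uses the JVM default locale, so the extension comparison depends on the user's environment (in a Turkish locale an upper-case `I` lower-cases to dotless `ı`, which will not match `i`); use `fileName.toLowerCase(Locale.ROOT).endsWith(ext)` with `import java.util.Locale;` added to the file's imports, and make sure the entries in `ingestibleExtensions` are stored lower-case as well. The method containing this loop starts outside the hunk.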


@ -16,6 +16,7 @@
</folder>
</folder>
<folder name="Menu">
<!--
<folder name="Tools">
<file name="org-sleuthkit-autopsy-menuactions-DataExplorerMenu.instance">
<attr name="position" intvalue="1225"/>
@ -28,7 +29,7 @@
<attr name="instanceClass" stringvalue="javax.swing.JSeparator"/>
<attr name="position" intvalue="1301"/>
</file>
</folder>
</folder> -->
<folder name="Window">
<file name="org-netbeans-modules-favorites-View.shadow_hidden"/>
<file name="org-sleuthkit-autopsy-menuactions-DataResultMenu-separatoBefore.instance">


@ -1,8 +1,8 @@
build.xml.data.CRC32=9b8a08d3
build.xml.data.CRC32=dacaa05a
build.xml.script.CRC32=d323407a
build.xml.stylesheet.CRC32=a56c6a5b@1.46.1
# This file is used by a NetBeans-based IDE to track changes in generated files such as build-impl.xml.
# Do not edit this file. You may delete it but then the IDE will never regenerate such files for you.
nbproject/build-impl.xml.data.CRC32=9b8a08d3
nbproject/build-impl.xml.data.CRC32=dacaa05a
nbproject/build-impl.xml.script.CRC32=aef16a21
nbproject/build-impl.xml.stylesheet.CRC32=238281d1@1.46.1


@ -1,4 +1,4 @@
file.reference.jcalendarbutton-1.4.5.jar=release/modules/ext/jcalendarbutton-1.4.5.jar
file.reference.gson-2.1.jar=release/modules/ext/gson-2.1.jar
file.reference.jdom-1.1.2.jar=release/modules/ext/jdom-1.1.2.jar
file.reference.sqlite-jdbc-3.7.6.3-20110609.081603-3.jar=release/modules/ext/sqlite-jdbc-3.7.6.3-20110609.081603-3.jar
javac.source=1.6


@ -195,12 +195,12 @@
<binary-origin>release/modules/ext/gson-2.1.jar</binary-origin>
</class-path-extension>
<class-path-extension>
<runtime-relative-path>ext/jdom-1.1.2.jar</runtime-relative-path>
<binary-origin>release/modules/ext/jdom-1.1.2.jar</binary-origin>
<runtime-relative-path>ext/commons-lang3-3.1.jar</runtime-relative-path>
<binary-origin>release/modules/ext/commons-lang3-3.1.jar</binary-origin>
</class-path-extension>
<class-path-extension>
<runtime-relative-path>ext/jcalendarbutton-1.4.5.jar</runtime-relative-path>
<binary-origin>release/modules/ext/jcalendarbutton-1.4.5.jar</binary-origin>
<runtime-relative-path>ext/jdom-1.1.2.jar</runtime-relative-path>
<binary-origin>release/modules/ext/jdom-1.1.2.jar</binary-origin>
</class-path-extension>
</data>
</configuration>
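Review bot: `ext/commons-lang3-3.1.jar` enters the module classpath here as a binary checked in under `release/modules/ext`, and nothing in the change records where it came from or what it should hash to. A checked-in third-party jar should carry a provenance note (upstream URL, version and an expected checksum, e.g. an `<EXPECTED_SHA256>` placeholder filled in from the vendor's published value) alongside the file so a later swap of the binary is detectable. The `jcalendarbutton-1.4.5.jar` entry is dropped from this classpath while the `project.properties` hunk above still shows `file.reference.jcalendarbutton-1.4.5.jar`; if that line survives the commit the reference is stale.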


@ -1,72 +0,0 @@
#-----------------------------------------------------------
# acmru.pl
# Plugin for Registry Ripper, NTUSER.DAT edition - gets the
# ACMru values
#
# Change history
#
#
# References
#
#
# copyright 2008 H. Carvey
#-----------------------------------------------------------
package acmru;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20080324);
sub getConfig{return %config}
sub getShortDescr {
return "Gets contents of user's ACMru key";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching acmru v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = 'Software\\Microsoft\\Search Assistant\\ACMru';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("ACMru - Search Assistant");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())." (UTC)]");
my @vals = $s->get_list_of_values();
my %ac_vals;
foreach my $v (@vals) {
$ac_vals{$v->get_name()} = $v->get_data();
}
foreach my $a (sort {$a <=> $b} keys %ac_vals) {
::rptMsg("\t".$a." -> ".$ac_vals{$a});
}
::rptMsg("");
}
}
else {
::rptMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;


@ -1,93 +0,0 @@
#-----------------------------------------------------------
# adoberdr.pl
# Plugin for Registry Ripper
# Parse Adobe Reader MRU keys
#
# Change history
# 20100218 - added checks for versions 4.0, 5.0, 9.0
# 20091125 - modified output to make a bit more clear
#
# References
#
# Note: LastWrite times on c subkeys will all be the same,
# as each subkey is modified as when a new entry is added
#
# copyright 2010 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package adoberdr;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20100218);
sub getConfig{return %config}
sub getShortDescr {
return "Gets user's Adobe Reader cRecentFiles values";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching adoberdr v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
::rptMsg("Adoberdr v.".$VERSION);
# First, let's find out which version of Adobe Acrobat Reader is installed
my $version;
my $tag = 0;
my @versions = ("4\.0","5\.0","6\.0","7\.0","8\.0","9\.0");
foreach my $ver (@versions) {
my $key_path = "Software\\Adobe\\Acrobat Reader\\".$ver."\\AVGeneral\\cRecentFiles";
if (defined($root_key->get_subkey($key_path))) {
$version = $ver;
$tag = 1;
}
}
if ($tag) {
::rptMsg("Adobe Acrobat Reader version ".$version." located.");
my $key_path = "Software\\Adobe\\Acrobat Reader\\".$version."\\AVGeneral\\cRecentFiles";
my $key = $root_key->get_subkey($key_path);
if ($key) {
::rptMsg($key_path);
::rptMsg("");
# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my %arkeys;
my @subkeys = $key->get_list_of_subkeys();
if (scalar @subkeys > 0) {
foreach my $s (@subkeys) {
my $num = $s->get_name();
my $data = $s->get_value('sDI')->get_data();
$num =~ s/^c//;
$arkeys{$num}{lastwrite} = $s->get_timestamp();
$arkeys{$num}{data} = $data;
}
::rptMsg("Most recent PDF opened: ".gmtime($arkeys{1}{lastwrite})." (UTC)");
foreach my $k (sort keys %arkeys) {
::rptMsg(" c".$k." ".$arkeys{$k}{data});
}
}
else {
::rptMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg("Could not access ".$key_path);
}
}
else {
::rptMsg("Adobe Acrobat Reader version not found.");
}
}
1;


@ -1,95 +0,0 @@
#-----------------------------------------------------------
# aim
#
# copyright 2008 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package aim;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20080325);
sub getConfig{return %config}
sub getShortDescr {
return "Gets info from the AOL Instant Messenger (not AIM) install";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching aim plugin v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = 'Software\\America Online\\AOL Instant Messenger (TM)\\CurrentVersion\\Users';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("AIM");
::rptMsg($key_path);
::rptMsg("");
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
my $user = $s->get_name();
::rptMsg("User: $user [".gmtime($s->get_timestamp())."]");
my $login = "Login";
my $recent = "recent IM ScreenNames";
my $recent2 = "recent ScreenNames";
my @userkeys = $s->get_list_of_subkeys();
foreach my $u (@userkeys) {
my $us = $u->get_name();
# See if we can get the encrypted password
if ($us =~ m/^$login/) {
my $pwd = "";
eval {
$pwd = $u->get_value("Password1")->get_data();
};
::rptMsg("Pwd: ".$pwd) if ($pwd ne "");
}
# See if we can get recent folks they've chatted with...
if ($us eq $recent || $us eq $recent2) {
my @vals = $u->get_list_of_values();
if (scalar(@vals) > 0) {
::rptMsg($user."\\".$us);
my %sns;
foreach my $v (@vals) {
$sns{$v->get_name()} = $v->get_data();
}
foreach my $i (sort {$a <=> $b} keys %sns) {
::rptMsg("\t\t".$i." -> ".$sns{$i});
}
}
else {
# No values
}
}
}
::rptMsg("");
}
}
else {
::rptMsg($key_path." has no subkeys.");
::logMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;


@ -1,3 +0,0 @@
#-------------------------------------
# All
regtime


@ -1,61 +0,0 @@
#-----------------------------------------------------------
# appinitdlls
#
#
# copyright 2008 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package appinitdlls;
use strict;
my %config = (hive => "Software",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 1,
osmask => 22,
version => 20080324);
sub getConfig{return %config}
sub getShortDescr {
return "Gets contents of AppInit_DLLs value";
}
sub getDescr{}
sub getRefs {
my %refs = ("Working with the AppInit_DLLs Reg Value" =>
"http://support.microsoft.com/kb/q197571");
return %refs;
}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching appinitdlls v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = 'Microsoft\\Windows NT\\CurrentVersion\\Windows';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("AppInit_DLLs");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my @vals = $key->get_list_of_values();
foreach my $v (@vals) {
my $name = $v->get_name();
if ($name eq "AppInit_DLLs") {
my $data = $v->get_data();
$data = "{blank}" if ($data eq "");
::rptMsg($name." -> ".$data);
}
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;


@ -1,96 +0,0 @@
#-----------------------------------------------------------
# applets.pl
# Plugin for Registry Ripper
# Windows\CurrentVersion\Applets Recent File List values
#
# Change history
#
#
# References
#
#
# copyright 2008 H. Carvey
#-----------------------------------------------------------
package applets;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20080324);
sub getConfig{return %config}
sub getShortDescr {
return "Gets contents of user's Applets key";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching applets v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Applets';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("Applets");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
# Locate files opened in MS Paint
my $paint_key = 'Paint\\Recent File List';
my $paint = $key->get_subkey($paint_key);
if (defined $paint) {
::rptMsg($key_path."\\".$paint_key);
::rptMsg("LastWrite Time ".gmtime($paint->get_timestamp())." (UTC)");
my @vals = $paint->get_list_of_values();
if (scalar(@vals) > 0) {
my %files;
# Retrieve values and load into a hash for sorting
foreach my $v (@vals) {
my $val = $v->get_name();
my $data = $v->get_data();
my $tag = (split(/File/,$val))[1];
$files{$tag} = $val.":".$data;
}
# Print sorted content to report file
foreach my $u (sort {$a <=> $b} keys %files) {
my ($val,$data) = split(/:/,$files{$u},2);
::rptMsg(" ".$val." -> ".$data);
}
}
else {
::rptMsg($key_path."\\".$paint_key." has no values.");
}
}
else {
::rptMsg($key_path."\\".$paint_key." not found.");
}
# Get Last Registry key opened in RegEdit
my $reg_key = "Regedit";
my $reg = $key->get_subkey($reg_key);
if (defined $reg) {
::rptMsg("");
::rptMsg($key_path."\\".$reg_key);
::rptMsg("LastWrite Time ".gmtime($reg->get_timestamp())." (UTC)");
my $lastkey = $reg->get_value("LastKey")->get_data();
::rptMsg("RegEdit LastKey value -> ".$lastkey);
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;


@ -1,83 +0,0 @@
#-----------------------------------------------------------
# apppaths
# Gets contents of App Paths subkeys from the Software hive,
# diplaying the EXE name and path; all entries are sorted by
# LastWrite time
#
# References
#
# copyright 2008 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package apppaths;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 1,
version => 20080404);
sub getConfig{return %config}
sub getShortDescr {
return "Gets content of App Paths key";
}
sub getDescr{}
sub getRefs {
my %refs = ("You cannot open Help and Support Center in Windows XP" =>
"http://support.microsoft.com/kb/888018",
"Another installation program starts..." =>
"http://support.microsoft.com/kb/888470");
return %refs;
}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching apppaths v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Microsoft\\Windows\\CurrentVersion\\App Paths";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("App Paths");
::rptMsg($key_path);
::rptMsg("");
my %apps;
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
my $name = $s->get_name();
my $lastwrite = $s->get_timestamp();
my $path;
eval {
$path = $s->get_value("")->get_data();
};
push(@{$apps{$lastwrite}},$name." [".$path."]");
}
foreach my $t (reverse sort {$a <=> $b} keys %apps) {
::rptMsg(gmtime($t)." (UTC)");
foreach my $item (@{$apps{$t}}) {
::rptMsg(" $item");
}
}
}
else {
::rptMsg($key_path." has no subkeys.");
::logMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;


@ -1,133 +0,0 @@
#-----------------------------------------------------------
# arpcache.pl
# Retrieves CurrentVersion\App Management\ARPCache entries; subkeys appear
# to maintain information about paths to installed applications in the
# SlowInfoCache value(0x10 - FILETIME object, null term. string with path
# starts at 0x1c)
#
# Change history
# 20090413 - Created
#
# References
# No references, but the subkeys appear to hold information about
# installed applications; some SlowInfoCache values appear to contain
# timestamp data (FILETIME object) and/or path information. Posts on
# the Internet indicate the existence of Kazaa beneath the APRCache key,
# as well as possibly an "Outerinfo" subkey indicating that spyware is
# installed.
#
# copyright 2009 H. Carvey
#-----------------------------------------------------------
package arpcache;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20090413);
sub getConfig{return %config}
sub getShortDescr {
return "Retrieves CurrentVersion\\App Management\\ARPCache entries";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
my %arpcache;
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching arpcache v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\App Management\\ARPCache';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
my $lw = $s->get_timestamp();
my $name = $s->get_name();
my $path;
eval {
my $i = $s->get_value("SlowInfoCache")->get_data();
$path = parsePath($i);
};
($@) ? ($name .= "|") : ($name .= "|".$path);
my $date;
eval {
my $i = $s->get_value("SlowInfoCache")->get_data();
$date = parseDate($i);
};
($@) ? ($name .= "|") : ($name .= "|".$date);
push(@{$arpcache{$lw}},$name);
}
foreach my $t (reverse sort {$a <=> $b} keys %arpcache) {
::rptMsg(gmtime($t)." (UTC)");
foreach my $item (@{$arpcache{$t}}) {
my ($name,$path,$date) = split(/\|/,$item,3);
::rptMsg(" ".$name);
my $str = $path unless ($path eq "");
$str .= " [".gmtime($date)."]" unless ($date == 0);
::rptMsg(" -> ".$str) unless ($str eq "");
}
}
}
else {
::rptMsg($key_path." has no subkeys.");
::logMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;
sub parseDate {
my $data = shift;
my ($t1,$t2) = unpack("VV",substr($data,0x10,8));
return ::getTime($t1,$t2);
}
sub parsePath {
my $data = shift;
my $ofs = 0x1c;
my $tag = 1;
my $str = substr($data,$ofs,2);
if (unpack("v",$str) == 0) {
return "";
}
else {
while($tag) {
$ofs += 2;
my $i = substr($data,$ofs,2);
if (unpack("v",$i) == 0) {
$tag = 0;
}
else {
$str .= $i;
}
}
}
$str =~ s/\00//g;
return $str;
}


@ -1,87 +0,0 @@
#-----------------------------------------------------------
# assoc.pl
# Plugin to extract file association data from the Software hive file
# Can take considerable time to run; recommend running it via rip.exe
#
# copyright 2008 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package assoc;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20080815);
sub getConfig{return %config}
sub getShortDescr {
return "Get list of file ext associations";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching assoc v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Classes";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("assoc");
::rptMsg($key_path);
# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
# First step will be to get a list of all of the file extensions
my %ext;
my @sk = $key->get_list_of_subkeys();
if (scalar(@sk) > 0) {
foreach my $s (@sk) {
my $name = $s->get_name();
next unless ($name =~ m/^\.\w+$/);
my $data;
eval {
$data = $s->get_value("")->get_data();
};
if ($@) {
# Error generated, as "(Default)" value was not found
}
else {
$ext{$name} = $data if ($data ne "");
}
}
# Once a list of all file ext subkeys has been compiled, access the file type
# to determine the command line used to launch files with that extension
foreach my $e (keys %ext) {
my $cmd;
eval {
$cmd = $key->get_subkey($ext{$e}."\\shell\\open\\command")->get_value("")->get_data();
};
if ($@) {
# error generated attempting to locate <file type>.\shell\open\command\(Default) value
}
else {
::rptMsg($e." : ".$cmd);
}
}
}
else {
::rptMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;


@ -1,66 +0,0 @@
#-----------------------------------------------------------
# auditfail.pl
#
# Ref:
# http://support.microsoft.com/kb/140058
#
# copyright 2008 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package auditfail;
use strict;
my %config = (hive => "System",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20081212);
sub getConfig{return %config}
sub getShortDescr {
return "Get CrashOnAuditFail value";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
my %val = (0 => "Feature is off; the system will not halt",
1 => "Feature is on; the system will halt when events cannot be written to the ".
"Security Event Log",
2 => "Feature is on and has been triggered; only Administrators can log in");
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching auditfail v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# Code for System file, getting CurrentControlSet
my $current;
my $key_path = 'Select';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
$current = $key->get_value("Current")->get_data();
my $lsa_path = "ControlSet00".$current."\\Control\\Lsa";
my $lsa;
if ($lsa = $root_key->get_subkey($lsa_path)) {
eval {
my $crash = $lsa->get_value("crashonauditfail")->get_data();
::rptMsg("CrashOnAuditFail = ".$crash);
::rptMsg($val{$crash});
};
::rptMsg($@) if ($@);
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;


@ -1,88 +0,0 @@
#-----------------------------------------------------------
# auditpol
# Get the audit policy from the Security hive file
#
# copyright 2008 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package auditpol;
use strict;
my %config = (hive => "Security",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 1,
osmask => 22,
version => 20080327);
sub getConfig{return %config}
sub getShortDescr {
return "Get audit policy from the Security hive file";
}
sub getDescr{}
sub getRefs {
my %refs = ("How To Determine Audit Policies from the Registry" =>
"http://support.microsoft.com/default.aspx?scid=kb;EN-US;q246120");
return %refs;
}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
my %audit = (0 => "N",
1 => "S",
2 => "F",
3 => "S/F");
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching auditpol v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Policy\\PolAdtEv";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("auditpol");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my $data;
eval {
$data = $key->get_value("")->get_data();
};
if ($@) {
::rptMsg("Error occurred getting data from ".$key_path);
::rptMsg(" - ".$@);
}
else {
# Check to see if auditing is enabled
my $enabled = unpack("C",substr($data,0,1));
if ($enabled) {
::rptMsg("Auditing is enabled.");
# Get audit configuration settings
my @vals = unpack("V*",$data);
::rptMsg("\tAudit System Events = ".$audit{$vals[1]});
::rptMsg("\tAudit Logon Events = ".$audit{$vals[2]});
::rptMsg("\tAudit Object Access = ".$audit{$vals[3]});
::rptMsg("\tAudit Privilege Use = ".$audit{$vals[4]});
::rptMsg("\tAudit Process Tracking = ".$audit{$vals[5]});
::rptMsg("\tAudit Policy Change = ".$audit{$vals[6]});
::rptMsg("\tAudit Account Management = ".$audit{$vals[7]});
::rptMsg("\tAudit Dir Service Access = ".$audit{$vals[8]});
::rptMsg("\tAudit Account Logon Events = ".$audit{$vals[9]});
}
else {
::rptMsg("**Auditing is NOT enabled.");
}
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;


@ -1,66 +0,0 @@
#-----------------------------------------------------------
# autoendtasks.pl
#
# History
# 20081128 - created
#
# Ref:
# http://support.microsoft.com/kb/555619
# This Registry setting tells XP (and Vista) to automatically
# end non-responsive tasks; value may not exist on Vista.
#
# copyright 2008 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package autoendtasks;
use strict;
my %config = (hive => "NTUSER\.DAT",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20081128);
sub getConfig{return %config}
sub getShortDescr {
return "Automatically end a non-responsive task";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching autoendtasks v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = 'Control Panel\\Desktop';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
# ::rptMsg("autoendtasks");
::rptMsg($key_path);
# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my $autoend;
eval {
$autoend = $key->get_value("AutoEndTasks")->get_data();
};
if ($@) {
::rptMsg("AutoEndTasks value not found.");
}
else {
::rptMsg("AutoEndTasks = ".$autoend);
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;


@ -0,0 +1,6 @@
# List of plugins for the Registry Ripper
#-------------------------------------
# system
autopsyusb
#autopsyusbdevices
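Review bot: The new plugin list enables `autopsyusb` but leaves `#autopsyusbdevices` commented out, while the section further down renames that plugin's package to `autopsyusbdevices` to match. If this list is what the Registry Ripper uses to decide which plugins to run, the renamed autopsyusbdevices plugin is never loaded by this commit; if that is deliberate, a one-line comment such as `# autopsyusbdevices disabled: output overlaps autopsyusb` would save the next reader from re-enabling it by mistake.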


@ -6,7 +6,7 @@
#
# copyright 2008 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package usb;
package autopsyusb;
use strict;
my %config = (hive => "System",
@ -45,7 +45,7 @@ sub pluginmain {
$ccs = "ControlSet00".$current;
}
else {
::rptMsg($key_path." not found.");
#::rptMsg($key_path." not found.");
return;
}
@ -58,7 +58,8 @@ sub pluginmain {
my $key_path = $ccs."\\Enum\\USB";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("<usb><time>N/A</time><artifacts>");
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
@ -93,19 +94,20 @@ sub pluginmain {
};
::rptMsg($str);
::rptMsg("<device name=\"" . $sn_lw. "\" dev=\"" . $dev_class . "\" >" . $serial . "</device>");
}
}
}
}
else {
::rptMsg($key_path." has no subkeys.");
::logMsg($key_path." has no subkeys.");
#::logMsg($key_path." has no subkeys.");
}
::rptMsg("</artifacts></usb>");
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
#::logMsg($key_path." not found.");
}
}
1;
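Review bot: The new line `::rptMsg("<device name=\"" . $sn_lw. "\" dev=\"" . $dev_class . "\" >" . $serial . "</device>");` concatenates `$sn_lw`, `$dev_class` and `$serial` into XML without escaping, and judging by the `Enum\\USB` key path these strings are read from the hive under examination, so a `"`, `<` or `&` in a device instance name or serial produces malformed markup that whatever parses this report will reject or misread. Escaping the four XML metacharacters in a small helper and applying it to every interpolated value keeps the report well-formed regardless of hive contents; the same treatment belongs on any other `rptMsg` line that emits markup. The commented-out `#::logMsg(...)` lines in both `else` branches also silence the negative finding entirely; keeping `::logMsg` while dropping `::rptMsg` would keep the XML output clean without losing the record, and the same applies to the commented `::rptMsg` lines in the autopsyusbdevices section below. `pluginmain` begins before this hunk, so the assignments of these three variables are not visible here.
```perl
# Escape the XML metacharacters so hive-derived strings cannot break the report markup.
sub _xml_escape {
    my $s = shift;
    $s = '' unless defined $s;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    $s =~ s/"/&quot;/g;
    return $s;
}
# … unchanged: device enumeration in pluginmain …
::rptMsg("<device name=\"" . _xml_escape($sn_lw) . "\" dev=\"" . _xml_escape($dev_class) . "\" >" . _xml_escape($serial) . "</device>");
```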


@ -7,7 +7,7 @@
#
# copyright 2010 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package usbdevices;
package autopsyusbdevices;
use strict;
my %config = (hive => "System",
@ -98,11 +98,11 @@ sub pluginmain {
}
}
else {
::rptMsg($key_path." has no subkeys.");
#::rptMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
#::rptMsg($key_path." not found.");
}
}
1;


@ -1,74 +0,0 @@
#-----------------------------------------------------------
# autorun.pl
# Get autorun settings
#
# Change history
#
#
# References
# http://support.microsoft.com/kb/953252
# http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit
# /regentry/91525.mspx?mfr=true
#
# copyright 2008-2009 H. Carvey
#-----------------------------------------------------------
package autorun;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20081212);
sub getConfig{return %config}
sub getShortDescr {
return "Gets autorun settings";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching autorun v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
# ::rptMsg($key_path);
# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
eval {
my $nodrive = $key->get_value("NoDriveTypeAutoRun")->get_data();
my $str = sprintf "%-20s 0x%x","NoDriveTypeAutoRun",$nodrive;
::rptMsg($str);
};
::rptMsg("Error: ".$@) if ($@);
# http://support.microsoft.com/kb/953252
eval {
my $honor = $key->get_value("HonorAutorunSetting")->get_data();
my $str = sprintf "%-20s 0x%x","HonorAutorunSetting",$honor;
::rptMsg($str);
};
::rptMsg("HonorAutorunSetting not found.") if ($@);
::rptMsg("");
::rptMsg("Autorun settings in the HKLM hive take precedence over those in");
::rptMsg("the HKCU hive.");
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;


@ -1,170 +0,0 @@
#-----------------------------------------------------------
# bagtest.pl
#
# copyright 2009 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package bagtest;
use strict;
my %config = (hive => "NTUSER\.DAT",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20090828);
sub getConfig{return %config}
sub getShortDescr {
return "Test -- BagMRU";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching bagtest v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Software\\Microsoft\\Windows\\Shell\\BagMRU";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my $subtree_iter = $key->get_subtree_iterator;
while (my ($k, $val) = $subtree_iter->get_next) {
if (defined $val) {
next unless ($val->get_name() =~ m/^\d+/);
my $path;
my $data = $val->get_data();
my $size = unpack("v",substr($data,0,20));
my $type = unpack("C",substr($data,2,1));
my $name = (split(/BagMRU/,$k->get_path()))[1];
if ($type == 0x47 || $type == 0x46 || $type == 0x42 || $type == 0x41 ||
$type == 0xc3) {
my $str1 = getStrings1($data);
$path = $str1;
}
elsif ($type == 0x31 || $type == 0x32) {
my($ascii,$uni) = getStrings2($data);
$path = $uni;
}
elsif ($type == 0x2f) {
# bytes 3-5 of $data contain a drive letter
$path = substr($data,0x03,3);
}
else {
# Nothing
}
# my $str = sprintf "%-30s %-3s %-4s 0x%x",$name."\\".$val->get_name(),$size,length($data),$type;
my $str = sprintf "%-25s ".$path,$name."\\".$val->get_name();
::rptMsg($str);
}
else {
}
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
#sub getStrings1 {
# my $data = shift;
# my $str;
# my $cursor = 0x05;
# my $tag = 1;
#
# while($tag) {
# my $byte = substr($data,$cursor,1);
# if (unpack("C",$byte) == 0x00) {
# $tag = 0;
# }
# else {
# $str .= $byte;
# $cursor += 1;
# }
# }
# return $str;
#}
sub getStrings1 {
my $data = shift;
my $d = substr($data,0x05,length($data) - 1);
$d =~ s/\00/-/g;
$d =~ s/[[:cntrl:]]//g;
my @t = split(/-/,$d);
my @s;
for my $i (1..scalar(@t) - 1) {
push(@s,$t[$i]) if (length($t[$i]) > 2);
}
return $t[0]." (".join(',',@s).")";
}
sub getStrings2 {
# ASCII short name starts at 0x0E, and is \00 terminated; 0x14 bytes
# after that is the null-term Unicode name
my $data = shift;
my ($ascii,$uni);
my $cursor = 0x0e;
my $tag = 1;
while($tag) {
my $byte = substr($data,$cursor,1);
if (unpack("C",$byte) == 0x00) {
$tag = 0;
}
else {
$ascii .= $byte;
$cursor += 1;
}
}
$cursor += 0x14;
$uni = substr($data,$cursor,length($data) - 1);
$uni =~ s/\00//g;
$uni =~ s/[[:cntrl:]]//g;
return ($ascii,$uni);
}
1;
# Original code to traverse through values and subkeys
# Retain for legacy code purposes
#sub traverse {
# my $key = shift;
#
# foreach my $val ($key->get_list_of_values()) {
# next unless ($val->get_name() =~ m/\d+/);
#
# ::rptMsg($val->get_name());
#
# }
#
# foreach my $subkey ($key->get_list_of_subkeys()) {
# traverse($subkey);
# }
#}


@ -1,161 +0,0 @@
#-----------------------------------------------------------
# bagtest2.pl
#
# copyright 2009 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package bagtest2;
use strict;
my %config = (hive => "NTUSER\.DAT",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20090828);
sub getConfig{return %config}
sub getShortDescr {
return "Test -- BagMRU";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
my %bagmru;
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching bagtest v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Software\\Microsoft\\Windows\\Shell\\BagMRU";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
traverse($key);
foreach my $i (sort keys %bagmru) {
my $str = sprintf "%-30s ".$bagmru{$i},$i;
::rptMsg($str);
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
sub traverse {
my $key = shift;
my $name = (split(/BagMRU/,$key->get_path()))[1];
my @bags;
foreach my $val ($key->get_list_of_values()) {
next unless ($val->get_name() =~ m/\d+/);
my $path;
my $data = $val->get_data();
my $size = unpack("v",substr($data,0,20));
my $type = unpack("C",substr($data,2,1));
if ($type == 0x47 || $type == 0x46 || $type == 0x42 || $type == 0x41 ||
$type == 0xc3) {
my $str1 = getStrings1($data);
$path = $str1;
}
elsif ($type == 0x31 || $type == 0x32 || $type == 0xb1) {
my($ascii,$uni) = getStrings2($data);
$path = $uni;
}
elsif ($type == 0x2f) {
# bytes 3-5 of $data contain a drive letter
$path = substr($data,0x03,3);
}
else {
# Nothing
}
$bagmru{$name."\\".$val->get_name()} = $path;
}
foreach my $subkey ($key->get_list_of_subkeys()) {
traverse($subkey);
}
}
sub getStrings1 {
my $data = shift;
my $d = substr($data,0x05,length($data) - 1);
$d =~ s/\00/-/g;
$d =~ s/[[:cntrl:]]//g;
my @t = split(/-/,$d);
my @s;
for my $i (1..scalar(@t) - 1) {
push(@s,$t[$i]) if (length($t[$i]) > 2);
}
return $t[0]." (".join(',',@s).")";
}
sub getStrings2 {
# ASCII short name starts at 0x0E, and is \00 terminated; 0x14 bytes
# after that is the null-term Unicode name
my $data = shift;
my ($ascii,$uni);
my $cursor = 0x0e;
my $tag = 1;
while($tag) {
my $byte = substr($data,$cursor,1);
if (unpack("C",$byte) == 0x00) {
$tag = 0;
}
else {
$ascii .= $byte;
$cursor += 1;
}
}
$cursor += 0x14;
if ($ascii eq "RECENT") {
$uni = substr($data,$cursor,length($data) - 1);
$uni =~ s/\00//g;
$uni =~ s/[[:cntrl:]]//g;
}
else {
my $tag = 1;
my $count = 0;
while($tag) {
my $byte = substr($data,$cursor,2);
if ($count > 2 && unpack("v",$byte) == 0x00) {
$tag = 0;
}
else {
$uni .= $byte;
$count++;
$cursor += 2;
}
}
$uni =~ s/\00//g;
$uni =~ s/[[:cntrl:]]//g;
}
return ($ascii,$uni);
}
1;


@ -1,127 +0,0 @@
#-----------------------------------------------------------
# banner
# Get banner information from the SOFTWARE hive file (if any)
#
# Written By:
# Special Agent Brook William Minnick
# Brook_Minnick@doioig.gov
# U.S. Department of the Interior - Office of Inspector General
# Computer Crimes Unit
# 12030 Sunrise Valley Drive Suite 250
# Reston, VA 20191
#-----------------------------------------------------------
package banner;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20081119);
sub getConfig{return %config}
sub getShortDescr {
return "Get HKLM\\SOFTWARE.. Logon Banner Values";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching banner v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Microsoft\\Windows\\CurrentVersion\\policies\\system";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("Logon Banner Information");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
# GET LEGALNOTICECAPTION --
my $caption;
eval {
$caption = $key->get_value("Legalnoticecaption")->get_data();
};
if ($@) {
::rptMsg("Legalnoticecaption value not found.");
}
else {
::rptMsg("Legalnoticecaption value = ".$caption);
}
::rptMsg("");
# GET LEGALNOTICETEXT --
my $banner;
eval {
$banner = $key->get_value("Legalnoticetext")->get_data();
};
if ($@) {
::rptMsg("Legalnoticetext value not found.");
}
else {
::rptMsg("Legalnoticetext value = ".$banner);
}
::rptMsg("");
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Winlogon";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
# GET LEGALNOTICECAPTION --
my $caption2;
eval {
$caption2 = $key->get_value("Legalnoticecaption")->get_data();
};
if ($@) {
::rptMsg("Legalnoticecaption value not found.");
}
else {
::rptMsg("Legalnoticecaption value = ".$caption2);
}
::rptMsg("");
# GET LEGALNOTICETEXT --
my $banner2;
eval {
$banner2 = $key->get_value("Legalnoticetext")->get_data();
};
if ($@) {
::rptMsg("Legalnoticetext value not found.");
}
else {
::rptMsg("Legalnoticetext value = ".$banner2);
}
::rptMsg("");
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;


@ -1,107 +0,0 @@
#-----------------------------------------------------------
# bho
#
# copyright 2008 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package bho;
use strict;
my %config = (hive => "Software",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 1,
osmask => 22,
version => 20080418);
sub getConfig{return %config}
sub getShortDescr {
return "Gets Browser Helper Objects from Software hive";
}
sub getDescr{}
sub getRefs {
my %refs = ("Browser Helper Objects" =>
"http://msdn2.microsoft.com/en-us/library/bb250436.aspx");
return %refs;
}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
my %bhos;
::logMsg("Launching bho v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Microsoft\\Windows\\CurrentVersion\\Explorer\\Browser Helper Objects";;
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("Browser Helper Objects");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my @subkeys = $key->get_list_of_subkeys();
if (scalar (@subkeys) > 0) {
foreach my $s (@subkeys) {
my $name = $s->get_name();
next if ($name =~ m/^-/);
my $clsid_path = "Classes\\CLSID\\".$name;
my $clsid;
if ($clsid = $root_key->get_subkey($clsid_path)) {
my $class;
my $mod;
my $lastwrite;
eval {
$class = $clsid->get_value("")->get_data();
$bhos{$name}{class} = $class;
};
if ($@) {
::logMsg("\tError getting Class name for CLSID\\".$name);
::logMsg("\t".$@);
}
eval {
$mod = $clsid->get_subkey("InProcServer32")->get_value("")->get_data();
$bhos{$name}{module} = $mod;
};
if ($@) {
::logMsg("\tError getting Module name for CLSID\\".$name);
::logMsg("\t".$@);
}
eval{
$lastwrite = $clsid->get_subkey("InProcServer32")->get_timestamp();
$bhos{$name}{lastwrite} = $lastwrite;
};
if ($@) {
::logMsg("\tError getting LastWrite time for CLSID\\".$name);
::logMsg("\t".$@);
}
foreach my $b (keys %bhos) {
::rptMsg($b);
::rptMsg("\tClass => ".$bhos{$b}{class});
::rptMsg("\tModule => ".$bhos{$b}{module});
::rptMsg("\tLastWrite => ".gmtime($bhos{$b}{lastwrite}));
::rptMsg("");
}
}
else {
::rptMsg($clsid_path." not found.");
::rptMsg("");
::logMsg($clsid_path." not found.");
}
}
}
else {
::rptMsg($key_path." has no subkeys. No BHOs installed.");
::logMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;


@ -1,81 +0,0 @@
#-----------------------------------------------------------
# bitbucket
# Get HKLM\..\BitBucket keys\values (if any)
#
# Change history
# 20091020 - Updated; collected additional values
#
# References
#
# copyright 2009 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package bitbucket;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20080418);
sub getConfig{return %config}
sub getShortDescr {
return "Get HKLM\\..\\BitBucket keys\\values";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching bitbucket v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Microsoft\\Windows\\CurrentVersion\\Explorer\\BitBucket";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
eval {
my $global = $key->get_value("UseGlobalSettings")->get_data();
::rptMsg("UseGlobalSettings = ".$global);
};
eval {
my $nuke = $key->get_value("NukeOnDelete")->get_data();
::rptMsg("NukeOnDelete = ".$nuke);
};
::rptMsg("");
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
::rptMsg($key_path."\\".$s->get_name());
::rptMsg("LastWrite Time = ".gmtime($s->get_timestamp())." (UTC)");
eval {
my $vol = $s->get_value("VolumeSerialNumber")->get_data();
::rptMsg("VolumeSerialNumber = 0x".uc(sprintf "%1x",$vol));
};
::rptMsg("");
}
}
else {
::rptMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;


@ -1,71 +0,0 @@
#-----------------------------------------------------------
# bitbucket_user
# Get HKLM\..\BitBucket keys\values (if any)
#
# Change history
#
# References
#
# NOTE: In limited testing, the volume letter subkeys beneath the
# BitBucket key appear to be volatile.
#
# copyright 2009 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package bitbucket_user;
use strict;
my %config = (hive => "NTUSER\.DAT",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20091020);
sub getConfig{return %config}
sub getShortDescr {
return "TEST - Get user BitBucket values";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching bitbucket_user v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\BitBucket";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
::rptMsg($key_path."\\".$s->get_name());
::rptMsg("LastWrite Time = ".gmtime($s->get_timestamp())." (UTC)");
eval {
my $purge = $s->get_value("NeedToPurge")->get_data();
::rptMsg(" NeedToPurge = ".$purge);
};
::rptMsg("");
}
}
else {
::rptMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;


@ -1,63 +0,0 @@
#-----------------------------------------------------------
# brisv.pl
# Plugin to detect the presence of Trojan.Brisv.A
# Symantec write-up: http://www.symantec.com/security_response/writeup.jsp
# ?docid=2008-071823-1655-99
#
# Change History:
# 20090210: Created
#
# Info on URLAndExitCommandsEnabled value:
# http://support.microsoft.com/kb/828026
#
# copyright 2009 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package brisv;
use strict;
my %config = (hive => "NTUSER\.DAT",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20090210);
sub getConfig{return %config}
sub getShortDescr {
return "Detect artifacts of a Troj\.Brisv\.A infection";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching brisv v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Software\\Microsoft\\PIMSRV";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my $mp_path = "Software\\Microsoft\\MediaPlayer\\Preferences";
my $url;
eval {
$url = $key->get_subkey($mp_path)->get_value("URLAndExitCommandsEnabled")->get_data();
::rptMsg($mp_path."\\URLAndExitCommandsEnabled value set to ".$url);
};
# if an error occurs within the eval{} statement, do nothing
}
else {
::rptMsg($key_path." not found.");
}
}
1;


@ -1,120 +0,0 @@
#-----------------------------------------------------------
# clampi.pl
# Checks keys/values set by new version of Trojan.Clampi
#
# Change history
# 20091019 - created
#
# NOTE: This is purely a test plugin, and based solely on the below
# reference. It has not been tested on any systems that were
# known to be infected.
#
# References
# http://www.symantec.com/connect/blogs/inside-trojanclampi-stealing-your-information
#
# copyright 2009 H. Carvey
#-----------------------------------------------------------
package clampi;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20091019);
sub getConfig{return %config}
sub getShortDescr {
return "TEST - Checks for keys set by Trojan\.Clampi PROT module";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching clampi v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $count = 0;
my $key_path = 'Software\\Microsoft\\Internet Explorer\\Main';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my ($form1, $form2, $form3);
eval {
$form1 = $key->get_value("Use FormSuggest")->get_data();
::rptMsg("\tUse FormSuggest = ".$form1);
$count++ if ($form1 eq "true");
};
eval {
$form2 = $key->get_value("FormSuggest_Passwords")->get_data();
::rptMsg("\tFormSuggest_Passwords = ".$form2);
$count++ if ($form2 eq "true");
};
eval {
$form3 = $key->get_value("FormSuggest_PW_Ask")->get_data();
::rptMsg("\tUse FormSuggest = ".$form3);
$count++ if ($form3 eq "no");
};
}
else {
::rptMsg($key_path." not found.");
}
::rptMsg("");
my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoComplete";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my $auto;
eval {
$auto = $key->get_value("AutoSuggest")->get_data();
::rptMsg("\tAutoSuggest = ".$auto);
$count++ if ($auto eq "true");
};
}
else {
::rptMsg($key_path." not found.");
}
::rptMsg("");
my $key_path = "Software\\Microsoft\\Internet Account Manager\\Accounts";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my $prompt;
eval {
$prompt = $key->get_value("POP3 Prompt for Password")->get_data();
::rptMsg("\tPOP3 Prompt for Password = ".$prompt);
$count++ if ($prompt eq "true");
};
}
else {
::rptMsg($key_path." not found.");
}
::rptMsg("");
if ($count == 5) {
::rptMsg("The system may have been infected with the Trojan.Clampi PROT module.");
}
else {
::rptMsg("The system does not appear to have been infected with the Trojan.Clampi");
::rptMsg("PROT module.");
}
}
1;


@ -1,78 +0,0 @@
#-----------------------------------------------------------
# clampitm.pl
# Checks keys/values set by new version of Trojan.Clampi
#
# Change history
# 20100624 - created
#
# NOTE: This is purely a test plugin, and based solely on the below
# reference. It has not been tested on any systems that were
# known to be infected.
#
# References
# http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/ilomo_external.pdf
#
# copyright 2010 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package clampitm;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20100624);
sub getConfig{return %config}
sub getShortDescr {
return "Checks for IOCs for Clampi (per Trend Micro)";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching clampitm v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $count = 0;
my $key_path = 'Software\\Microsoft\\Internet Explorer\\Settings';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("ClampiTM plugin");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my $tag = 1;
my @list = qw/GatesList GID KeyE KeyM PID/;
my @vals = $key->get_list_of_values();
if (scalar (@vals) > 0) {
foreach my $v (@vals) {
my $name = $v->get_name();
if (grep(/$name/,@list)) {
::rptMsg(sprintf "%-10s %-30s",$name,$v->get_data());
$tag = 0;
}
}
if ($tag) {
::rptMsg("No Clampi values found.");
}
}
else {
::rptMsg($key_path." has no values.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;


@ -1,80 +0,0 @@
#-----------------------------------------------------------
# clsid.pl
# Plugin to extract file association data from the Software hive file
# Can take considerable time to run; recommend running it via rip.exe
#
# History
# 20100227 - created
#
# References
# http://msdn.microsoft.com/en-us/library/ms724475%28VS.85%29.aspx
#
# copyright 2010, Quantum Analytics Research, LLC
#-----------------------------------------------------------
package clsid;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20100227);
sub getConfig{return %config}
sub getShortDescr {
return "Get list of CLSID/registered classes";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
my %clsid;
::logMsg("Launching clsid v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Classes\\CLSID";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
# First step will be to get a list of all of the file extensions
my %ext;
my @sk = $key->get_list_of_subkeys();
if (scalar(@sk) > 0) {
foreach my $s (@sk) {
my $name = $s->get_name();
eval {
my $n = $s->get_value("")->get_data();
$name .= " ".$n unless ($n eq "");
};
push(@{$clsid{$s->get_timestamp()}},$name);
}
foreach my $t (reverse sort {$a <=> $b} keys %clsid) {
::rptMsg(gmtime($t)." Z");
foreach my $item (@{$clsid{$t}}) {
::rptMsg(" ".$item);
}
}
}
else {
::rptMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;


@ -1,75 +0,0 @@
#-----------------------------------------------------------
# cmd_shell
#
#
# Change History
# 20100830 - added "cs" shell command to the path
# 20080328 - created
#
# References
# http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?
# Name=TrojanClicker%3AWin32%2FVB.GE
#
# copyright 2010 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package cmd_shell;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 1,
version => 20100830);
sub getConfig{return %config}
sub getShortDescr {
return "Gets shell open cmds for various file types";
}
sub getDescr{}
sub getRefs {
my %refs = ("You Are Unable to Start a Program with an .exe File Extension" =>
"http://support.microsoft.com/kb/310585");
return %refs;
}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching cmd_shell v.".$VERSION);
my @shells = ("exe","cmd","bat","cs","hta","pif");
foreach my $sh (@shells) {
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Classes\\".$sh."file\\shell\\open\\command";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("cmd_shell");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my $val;
eval {
$val = $key->get_value("")->get_data();
::rptMsg("\tCmd: ".$val);
};
::rptMsg("Error: ".$@) if ($@);
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
::rptMsg("");
}
1;


@ -1,75 +0,0 @@
#-----------------------------------------------------------
# codeid
# Get DefaultLevel value from CodeIdentifiers key
#
#
# Change History
# 20100608 - created
#
# References
# SANS ISC blog - http://isc.sans.edu/diary.html?storyid=8917
# CodeIdentifiers key
# - http://technet.microsoft.com/en-us/library/bb457006.aspx
# SAFER_LEVELID_FULLYTRUSTED value
# - http://msdn.microsoft.com/en-us/library/ms722424%28VS.85%29.aspx
# (262144 == Unrestricted)
#
# copyright 2010 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package codeid;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20100608);
sub getConfig{return %config}
sub getShortDescr {
return "Gets CodeIdentifier DefaultLevel value";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching codeid v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Policies\\Microsoft\\Windows\\Safer\\CodeIdentifiers";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("CodeID");
::rptMsg($key_path);
my $lastwrite = $key->get_timestamp();
::rptMsg(" LastWrite time: ".gmtime($lastwrite)." Z");
::rptMsg("");
my $level;
eval {
$level = $key->get_value("DefaultLevel")->get_data();
::rptMsg(sprintf "DefaultLevel = 0x%08x",$level);
};
my $exe;
eval {
$exe = $key->get_value("ExecutableTypes")->get_data();
$exe =~ s/\s/,/g;
::rptMsg("ExecutableTypes = ".$exe);
};
}
else {
::rptMsg($key_path." not found.");
}
}
1;


@ -1,145 +0,0 @@
#-----------------------------------------------------------
# comdlg32.pl
# Plugin for Registry Ripper
#
# Change history
# 20100402 - updated IAW Chad Tilbury's post to SANS
# Forensic Blog
# 20080324 - created
#
# References
# Win2000 - http://support.microsoft.com/kb/319958
# XP - http://support.microsoft.com/kb/322948/EN-US/
#
# copyright 20100402 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package comdlg32;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20100402);
sub getConfig{return %config}
sub getShortDescr {
return "Gets contents of user's ComDlg32 key";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching comdlg32 v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
::rptMsg("comdlg32 v.".$VERSION);
# LastVistedMRU
my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\LastVisitedMRU";
my $key;
my @vals;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("ComDlg32\\LastVisitedMRU");
::rptMsg("**All values printed in MRUList order.");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my %lvmru;
my @mrulist;
@vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
# First, read in all of the values and the data
foreach my $v (@vals) {
$lvmru{$v->get_name()} = $v->get_data();
}
# Then, remove the MRUList value
if (exists $lvmru{MRUList}) {
::rptMsg(" MRUList = ".$lvmru{MRUList});
@mrulist = split(//,$lvmru{MRUList});
delete($lvmru{MRUList});
foreach my $m (@mrulist) {
my ($file,$dir) = split(/\00\00/,$lvmru{$m},2);
$file =~ s/\00//g;
$dir =~ s/\00//g;
::rptMsg(" ".$m." -> EXE: ".$file);
::rptMsg(" -> Last Dir: ".$dir);
}
}
else {
::rptMsg($key_path." does not have an MRUList value.");
}
}
else {
::rptMsg($key_path." has no values.");
}
}
else {
::rptMsg($key_path." not found.");
}
::rptMsg("");
# OpenSaveMRU
my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\OpenSaveMRU";
my $key;
my @vals;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("ComDlg32\\OpenSaveMRU");
::rptMsg("**All values printed in MRUList order.");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
# First, process OpenSaveMRU key values
parseOpenSaveValues($key);
::rptMsg("");
# Now, let's get the subkeys
my @sk = $key->get_list_of_subkeys();
if (scalar(@sk) > 0) {
foreach my $s (@sk) {
parseOpenSaveValues($s);
::rptMsg("");
}
}
else {
::rptMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
sub parseOpenSaveValues {
my $key = shift;
::rptMsg("OpenSaveMRU\\".$key->get_name());
::rptMsg("LastWrite Time: ".gmtime($key->get_timestamp())." Z");
my %osmru;
my @vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
map{$osmru{$_->get_name()} = $_->get_data()}(@vals);
if (exists $osmru{MRUList}) {
::rptMsg(" MRUList = ".$osmru{MRUList});
my @mrulist = split(//,$osmru{MRUList});
delete($osmru{MRUList});
foreach my $m (@mrulist) {
::rptMsg(" ".$m." -> ".$osmru{$m});
}
}
else {
::rptMsg($key->get_name()." does not have an MRUList value.");
}
}
else {
::rptMsg($key->get_name()." has no values.");
}
}
1;


@ -1,225 +0,0 @@
#-----------------------------------------------------------
# comdlg32a.pl
# Plugin for Registry Ripper
#
# Change history
# 20100409 - updated to include Vista and above
# 20100402 - updated IAW Chad Tilbury's post to SANS
# Forensic Blog
# 20080324 - created
#
# References
# Win2000 - http://support.microsoft.com/kb/319958
# XP - http://support.microsoft.com/kb/322948/EN-US/
#
# copyright 20100402 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package comdlg32a;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20100409);
sub getConfig{return %config}
sub getShortDescr {
return "Gets contents of user's ComDlg32 key";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching comdlg32a v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
::rptMsg("comdlg32 v.".$VERSION);
# LastVistedMRU
my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32";
my $key;
my @vals;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my @subkeys = $key->get_list_of_subkeys();
if (scalar @subkeys > 0) {
foreach my $s (@subkeys) {
parseLastVisitedMRU($s) if ($s->get_name() eq "LastVisitedMRU");
parseOpenSaveMRU($s) if ($s->get_name() eq "OpenSaveMRU");
}
}
else {
::rptMsg($key_path." has no subkeys.");
}
}
}
sub parseLastVisitedMRU {
my $key = shift;
my %lvmru;
my @mrulist;
my @vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
# First, read in all of the values and the data
foreach my $v (@vals) {
$lvmru{$v->get_name()} = $v->get_data();
}
# Then, remove the MRUList value
if (exists $lvmru{MRUList}) {
::rptMsg(" MRUList = ".$lvmru{MRUList});
@mrulist = split(//,$lvmru{MRUList});
delete($lvmru{MRUList});
foreach my $m (@mrulist) {
my ($file,$dir) = split(/\00\00/,$lvmru{$m},2);
$file =~ s/\00//g;
$dir =~ s/\00//g;
::rptMsg(" ".$m." -> EXE: ".$file);
::rptMsg(" -> Last Dir: ".$dir);
}
}
else {
::rptMsg("LastVisitedMRU key does not have an MRUList value.");
}
}
else {
::rptMsg("LastVisitedMRU key has no values.");
}
::rptMsg("");
}
sub parseOpenSaveMRU {
my $key = shift;
parseOpenSaveValues($key);
::rptMsg("");
# Now, let's get the subkeys
my @sk = $key->get_list_of_subkeys();
if (scalar(@sk) > 0) {
foreach my $s (@sk) {
parseOpenSaveValues($s);
::rptMsg("");
}
}
else {
::rptMsg("OpenSaveMRU key has no subkeys.");
}
::rptMsg("");
}
sub parseOpenSaveValues {
my $key = shift;
::rptMsg("OpenSaveMRU\\".$key->get_name());
::rptMsg("LastWrite Time: ".gmtime($key->get_timestamp())." Z");
my %osmru;
my @vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
map{$osmru{$_->get_name()} = $_->get_data()}(@vals);
if (exists $osmru{MRUList}) {
::rptMsg(" MRUList = ".$osmru{MRUList});
my @mrulist = split(//,$osmru{MRUList});
delete($osmru{MRUList});
foreach my $m (@mrulist) {
::rptMsg(" ".$m." -> ".$osmru{$m});
}
}
else {
::rptMsg($key->get_name()." does not have an MRUList value.");
}
}
else {
::rptMsg($key->get_name()." has no values.");
}
}
sub parseCIDSizeMRU {
my $key = shift;
my %lvmru;
my @mrulist;
my @vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
# First, read in all of the values and the data
foreach my $v (@vals) {
$lvmru{$v->get_name()} = $v->get_data();
}
# Then, remove the MRUList value
if (exists $lvmru{MRUListEx}) {
delete($lvmru{MRUListEx});
foreach my $m (keys %lvmru) {
my $file = parseStr($lvmru{$m});
my $str = sprintf "%-4s ".$file,$m;
::rptMsg(" ".$str);
}
}
else {
::rptMsg($key_path." does not have an MRUList value.");
}
}
else {
::rptMsg($key_path." has no values.");
}
}
sub parseLastVisitedPidlMRU {
my $key = shift;
my %lvmru;
my @mrulist;
@vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
# First, read in all of the values and the data
foreach my $v (@vals) {
$lvmru{$v->get_name()} = $v->get_data();
}
# Then, remove the MRUList value
if (exists $lvmru{MRUListEx}) {
delete($lvmru{MRUListEx});
foreach my $m (keys %lvmru) {
my $file = parseStr($lvmru{$m});
my $str = sprintf "%-4s ".$file,$m;
::rptMsg(" ".$str);
}
}
else {
::rptMsg("LastVisitedPidlMRU key does not have an MRUList value.");
}
}
else {
::rptMsg("LastVisitedPidlMRU key has no values.");
}
}
sub parseStr {
my $data = $_[0];
my $temp;
my $tag = 1;
my $ofs = 0;
while ($tag) {
my $t = substr($data,$ofs,2);
if (unpack("v",$t) == 0x00) {
$tag = 0;
}
else {
$temp .= $t;
$ofs += 2;
}
}
$temp =~ s/\00//g;
return $temp;
}
1;


@ -1,65 +0,0 @@
#-----------------------------------------------------------
# compdesc.pl
# Plugin for Registry Ripper,
# ComputerDescriptions key parser
#
# Change history
#
#
# References
#
#
# copyright 2008 H. Carvey
#-----------------------------------------------------------
package compdesc;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20080324);
sub getConfig{return %config}
sub getShortDescr {
return "Gets contents of user's ComputerDescriptions key";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching compdesc v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComputerDescriptions';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("ComputerDescriptions");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my @vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
foreach my $v (@vals) {
::rptMsg(" ".$v->get_name()." ".$v->get_data());
}
}
else {
::rptMsg($key_path." has no values.");
::logMsg($key_path." has no values.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;


@ -1,75 +0,0 @@
#-----------------------------------------------------------
# compname.pl
# Plugin for Registry Ripper; Access System hive file to get the
# computername
#
# Change history
# 20090727 - added Hostname
#
# References
# http://support.microsoft.com/kb/314053/
#
# copyright 2009 H. Carvey
#-----------------------------------------------------------
package compname;
use strict;
my %config = (hive => "System",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20090727);
sub getConfig{return %config}
sub getShortDescr {
return "Gets ComputerName and Hostname values from System hive";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching compname v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# First thing to do is get the ControlSet00x marked current...this is
# going to be used over and over again in plugins that access the system
# file
my ($current,$ccs);
my $key_path = 'Select';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
$current = $key->get_value("Current")->get_data();
$ccs = "ControlSet00".$current;
my $cn_path = $ccs."\\Control\\ComputerName\\ComputerName";
my $cn;
if ($cn = $root_key->get_subkey($cn_path)) {
my $name = $cn->get_value("ComputerName")->get_data();
::rptMsg("ComputerName = ".$name);
}
else {
::rptMsg($cn_path." not found.");
::logMsg($cn_path." not found.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
my $hostname;
eval {
my $host_path = $ccs."\\Services\\Tcpip\\Parameters";
$hostname = $root_key->get_subkey($host_path)->get_value("Hostname")->get_data();
::rptMsg("TCP/IP Hostname = ".$hostname);
};
}
1;


@ -1,64 +0,0 @@
#-----------------------------------------------------------
# controlpanel.pl
# Vista ControlPanel key seems to contain some interesting info about the
# user's activities...
#
# copyright 2008 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package controlpanel;
use strict;
my %config = (hive => "NTUSER\.DAT",
osmask => 64,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20080428);
sub getConfig{return %config}
sub getShortDescr {
return "Look for RecentTask* values in ControlPanel key (Vista)";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching controlpanel v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
::rptMsg("Analysis Tip: The RecentTask* entries appear to only be populated through the");
::rptMsg("choices in the Control Panel Home view (in Vista). As each new choice is");
::rptMsg("selected, the most recent choice is added as RecentTask1, and each ");
::rptMsg("RecentTask* entry is incremented and pushed down in the stack.");
::rptMsg("");
my @vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
foreach my $v (@vals) {
my $str = sprintf "%-15s %-45s",$v->get_name(),$v->get_data();
::rptMsg($str);
}
::rptMsg("");
}
else {
::rptMsg($key_path." has no values.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;


@ -1,72 +0,0 @@
#-----------------------------------------------------------
# cpldontload.pl
# Check contents of user's Control Panel\don't load key
#
# Change history
# 20100116 - created
#
# References
# W32.Nekat - http://www.symantec.com/security_response/
# writeup.jsp?docid=2008-011419-0705-99&tabid=2
# http://www.2-viruses.com/remove-antispywarexp2009
#
# Notes: Some malware appears to hide various Control Panel applets
# using this means. If some sort of malware/spyware is thought
# to be on the system, check the settings and note the key
# LastWrite time.
#
#
# copyright 2010 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package cpldontload;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20100116);
sub getConfig{return %config}
sub getShortDescr {
return "Gets contents of user's Control Panel don't load key";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching cpldontload v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = "Control Panel\\don\'t load";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my @vals = $key->get_list_of_values();
if (scalar @vals > 0) {
foreach my $v (@vals) {
my $str = sprintf "%-20s %-5s",$v->get_name(),$v->get_data();
::rptMsg($str);
}
}
else {
::rptMsg($key_path." has no values.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;


@ -1,93 +0,0 @@
#-----------------------------------------------------------
# crashcontrol.pl
#
# Ref:
# http://support.microsoft.com/kb/254649
# http://support.microsoft.com/kb/274598
#
# copyright 2008-2009 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package crashcontrol;
use strict;
my %config = (hive => "System",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20081212);
sub getConfig{return %config}
sub getShortDescr {
return "Get crash control information";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
my %dumpenabled = (0 => "None",
1 => "Complete memory dump",
2 => "Kernel memory dump",
3 => "Small (64kb) memory dump");
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching crashcontrol v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# Code for System file, getting CurrentControlSet
my $current;
my $key_path = 'Select';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
$current = $key->get_value("Current")->get_data();
my $cc_path = "ControlSet00".$current."\\Control\\CrashControl";
my $cc;
if ($cc = $root_key->get_subkey($cc_path)) {
eval {
my $cde = $cc->get_value("CrashDumpEnabled")->get_data();
::rptMsg("CrashDumpEnabled = ".$cde." [".$dumpenabled{$cde}."]");
};
eval {
my $df = $cc->get_value("DumpFile")->get_data();
::rptMsg("DumpFile = ".$df);
};
eval {
my $mini = $cc->get_value("MinidumpDir")->get_data();
::rptMsg("MinidumpDir = ".$mini);
};
eval {
my $logevt = $cc->get_value("LogEvent")->get_data();
::rptMsg("LogEvent = ".$logevt);
::rptMsg(" Logs an event to the System Event Log (event ID = 1001, source = Save Dump)") if ($logevt == 1);
};
eval {
my $sendalert = $cc->get_value("SendAlert")->get_data();
::rptMsg("SendAlert = ".$sendalert);
::rptMsg(" Sends a \'net send\' pop-up if a crash occurs") if ($sendalert == 1);
};
}
else {
::rptMsg($cc_path." not found.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;


@ -1,115 +0,0 @@
#-----------------------------------------------------------
# crashdump.pl
# Author: Don C. Weber
# Plugin for Registry Ripper; Access System hive file to get the
# crashdump settings from System hive
#
# Change history
#
#
# References
# Overview of memory dump file options for Windows Server 2003, Windows XP, and Windows 2000: http://support.microsoft.com/kb/254649/
#
# Author: Don C. Weber, http://www.cutawaysecurity.com/blog/cutaway-security
#-----------------------------------------------------------
package crashdump;
use strict;
my %config = (hive => "System",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20081219);
sub getConfig{return %config}
sub getShortDescr {
return "Gets crashdump settings from System hive";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching crashdump v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# First thing to do is get the ControlSet00x marked current...this is
# going to be used over and over again in plugins that access the system
# file
my $current;
my $key_path = 'Select';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
$current = $key->get_value("Current")->get_data();
my $ccs = "ControlSet00".$current;
my $win_path = $ccs."\\Control\\CrashControl";
my $win;
if ($win = $root_key->get_subkey($win_path)) {
::rptMsg("CrashControl Configuration");
::rptMsg($win_path);
::rptMsg("LastWrite Time ".gmtime($win->get_timestamp())." (UTC)");
}
else {
::rptMsg($win_path." not found.");
}
my %vals = getKeyValues($win);
if (scalar(keys %vals) > 0) {
foreach my $v (keys %vals) {
if ($v eq "CrashDumpEnabled"){
if ($vals{$v} == 0x00){
::rptMsg("\t".$v." -> None");
} elsif ($vals{$v} == 0x01){
::rptMsg("\t".$v." -> Complete memory dump");
} elsif ($vals{$v} == 0x02){
::rptMsg("\t".$v." -> Kernel memory dump");
} elsif ($vals{$v} == 0x03){
::rptMsg("\t".$v." -> Small memory dump (64KB)");
} else{
::rptMsg($v." has no value.");
}
}else{
if (($v eq "MinidumpDir") || ($v eq "DumpFile")){
::rptMsg("\t".$v." location ".$vals{$v});
} else{
($vals{$v}) ? ::rptMsg("\t".$v." is Enabled") : ::rptMsg("\t".$v." is Disabled");
}
}
}
}
else {
# ::rptMsg($key_path." has no values.");
}
::rptMsg("");
::rptMsg("Analysis Tips: For crash dump information and tools check http://support.microsoft.com/kb/254649/");
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
sub getKeyValues {
my $key = shift;
my %vals;
my @vk = $key->get_list_of_values();
if (scalar(@vk) > 0) {
foreach my $v (@vk) {
next if ($v->get_name() eq "" && $v->get_data() eq "");
$vals{$v->get_name()} = $v->get_data();
}
}
else {
}
return %vals;
}
1;


@ -1,143 +0,0 @@
#-----------------------------------------------------------
# ctrlpnl.pl
# Get Control Panel info from the Software hive
#
# Change history:
# 20100116 - created
#
# References:
# http://support.microsoft.com/kb/292463
# http://learning.infocollections.com/ebook%202/Computer/
# Operating%20Systems/Windows/Windows.XP.Hacks/
# 0596005113_winxphks-chp-2-sect-3.html
# http://msdn.microsoft.com/en-us/library/cc144195%28VS.85%29.aspx
#
# Notes:
#
# copyright 2010 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package ctrlpnl;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20100116);
sub getConfig{return %config}
sub getShortDescr {
return "Get Control Panel info from Software hive";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
my %comp;
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching ctrlpnl v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Microsoft\\Windows\\CurrentVersion\\Control Panel";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("");
::rptMsg($key_path);
::rptMsg("");
# Cpls section
if (my $cpl = $key->get_subkey("Cpls")) {
my @vals = $cpl->get_list_of_values();
if (scalar @vals > 0) {
::rptMsg("Cpls key");
foreach my $v (@vals) {
my $str = sprintf "%-10s %-50s",$v->get_name(),$v->get_data();
::rptMsg($str);
}
::rptMsg("");
}
else {
::rptMsg("Cpls key has no values.");
}
}
else {
::rptMsg("Cpls key not found.");
}
# don't load section
# The 'don't load' key prevents applets from being loaded
# Be sure to check the user's don't load key, as well
if (my $cpl = $key->get_subkey("don't load")) {
my @vals = $cpl->get_list_of_values();
if (scalar @vals > 0) {
::rptMsg("don't load key");
foreach my $v (@vals) {
::rptMsg($v->get_name());
}
::rptMsg("");
}
else {
::rptMsg("don't load key has no values.");
}
}
else {
::rptMsg("don't load key not found.");
}
# Extended Properties section
if (my $ext = $key->get_subkey("Extended Properties")) {
my @sk = $ext->get_list_of_subkeys();
if (scalar @sk > 0) {
foreach my $s (@sk) {
my @vals = $s->get_list_of_values();
if (scalar @vals > 0) {
::rptMsg($s->get_name()." [".gmtime($s->get_timestamp)." UTC]");
# Ref: http://support.microsoft.com/kb/292463
my %cat = (0x00000000 => "Other Control Panel Options",
0x00000001 => "Appearance and Themes",
0x00000002 => "Printers and Other Hardware",
0x00000003 => "Network and Internet Connections",
0x00000004 => "Sounds, Speech, and Audio Devices",
0x00000005 => "Performance and Maintenance",
0x00000006 => "Date, Time, Language, and Regional Options",
0x00000007 => "Accessibility Options",
0xFFFFFFFF => "No Category");
my %prop;
foreach my $v (@vals) {
push(@{$prop{$v->get_data()}},$v->get_name());
}
foreach my $t (sort {$a <=> $b} keys %prop) {
(exists $cat{$t}) ? (::rptMsg($cat{$t})) : (::rptMsg("Category ".$t));
foreach my $i (@{$prop{$t}}) {
::rptMsg(" ".$i);
}
::rptMsg("");
}
}
}
::rptMsg("");
}
else {
::rptMsg("Extended Properties key has no subkeys.");
}
}
else {
::rptMsg("Extended Properties key not found.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;


@ -1,82 +0,0 @@
#-----------------------------------------------------------
# ddm.pl
#
# History:
# 20081129 - created
#
# Note - Not really sure what this is for or could be used for, other
# than to show devices that had been connected to the system
#
#
# copyright 2008 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package ddm;
use strict;
my %config = (hive => "System",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20081129);
sub getConfig{return %config}
sub getShortDescr {
return "Get DDM data from Control Subkey";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching ddm v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# Code for System file, getting CurrentControlSet
my $current;
my $key_path = 'Select';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
$current = $key->get_value("Current")->get_data();
my $ccs = "ControlSet00".$current;
my $key_path = $ccs."\\Control\\DDM";
my $key;
my %dev;
if ($key = $root_key->get_subkey($key_path)) {
my @subkeys = $key->get_list_of_subkeys();
if (scalar (@subkeys) > 0) {
foreach my $s (@subkeys) {
my $name = $s->get_name();
my $tag = (split(/\./,$name,2))[1];
$dev{$tag}{timestamp} = $s->get_timestamp();
eval {
$dev{$tag}{make} = $s->get_value("MakeName")->get_data();
$dev{$tag}{model} = $s->get_value("ModelName")->get_data();
};
}
foreach my $d (sort keys %dev) {
::rptMsg(gmtime($dev{$d}{timestamp})."Z Device\.".$d." ".$dev{$d}{make}." ".$dev{$d}{model});
}
}
else {
::rptMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
# ::logMsg($key_path." not found.");
}
}
else {
::logMsg("Current value not found.");
}
}
1;


@ -1,78 +0,0 @@
#-----------------------------------------------------------
# defbrowser.pl
# Get default browser information - check #1 can apply to HKLM
# as well as to HKCU
#
# Change History:
# 20091116 - Added Check #1
# 20081105 - created
#
# copyright 2009 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package defbrowser;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20091116);
sub getConfig{return %config}
sub getShortDescr {
return "Gets default browser setting from HKLM";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching defbrowser v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Clients\\StartMenuInternet";
if (my $key = $root_key->get_subkey($key_path)) {
::rptMsg("Default Browser Check #1");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my $browser = $key->get_value("")->get_data();
::rptMsg("Default Browser : ".$browser);
}
else {
::rptMsg($key_path." not found.");
}
::rptMsg("");
my $key_path = "Classes\\HTTP\\shell\\open\\command";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("Default Browser Check #2");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my $browser;
eval {
$browser = $key->get_value("")->get_data();
};
if ($@) {
::rptMsg("Error locating default browser setting.");
}
else {
::rptMsg("Default Browser = ".$browser);
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;


@ -1,125 +0,0 @@
#-----------------------------------------------------------
# devclass
# Get USB device info from the DeviceClasses keys in the System
# hive (Disks and Volumes GUIDs)
#
# Change History:
# 20100901 - spelling error in output corrected
# 20080331 - created
#
# copyright 2010 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package devclass;
use strict;
my %config = (hive => "System",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20100901);
sub getConfig{return %config}
sub getShortDescr {
return "Get USB device info from the DeviceClasses keys in the System hive";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching devclass v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# Code for System file, getting CurrentControlSet
my $current;
my $ccs;
my $key_path = 'Select';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
$current = $key->get_value("Current")->get_data();
$ccs = "ControlSet00".$current;
}
else {
::logMsg("Could not find ".$key_path);
return
}
# Get devices from the Disk GUID
my $key_path = $ccs."\\Control\\DeviceClasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("DevClasses - Disks");
::rptMsg($key_path);
::rptMsg("");
my %disks;
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
my $name = $s->get_name();
next unless (grep(/USBSTOR/,$name));
my $lastwrite = $s->get_timestamp();
my ($dev, $serial) = (split(/#/,$name))[4,5];
push(@{$disks{$lastwrite}},$dev.",".$serial);
}
foreach my $t (reverse sort {$a <=> $b} keys %disks) {
::rptMsg(gmtime($t)." (UTC)");
foreach my $item (@{$disks{$t}}) {
::rptMsg("\t$item");
}
}
}
else {
::rptMsg($key_path." has no subkeys.");
::logMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
::rptMsg("");
# Get devices from the Volume GUID
my $key_path = $ccs."\\Control\\DeviceClasses\\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("DevClasses - Volumes");
::rptMsg($key_path);
::rptMsg("");
my %vols;
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
my $name = $s->get_name();
next unless (grep(/RemovableMedia/,$name));
my $lastwrite = $s->get_timestamp();
my $ppi = (split(/#/,$name))[5];
push(@{$vols{$lastwrite}},$ppi);
}
foreach my $t (reverse sort {$a <=> $b} keys %vols) {
::rptMsg(gmtime($t)." (UTC)");
foreach my $item (@{$vols{$t}}) {
::rptMsg("\tParentIdPrefix: ".$item);
}
}
}
else {
::rptMsg($key_path." has no subkeys.");
::logMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;


@ -1,63 +0,0 @@
#-----------------------------------------------------------
# dfrg.pl
# Gets contents of Dfrg\BootOptimizeFunction key
#
# Change history:
# 20110321 - created
#
# References
# http://technet.microsoft.com/en-us/library/cc784391%28WS.10%29.aspx
#
# copyright 2011 Quantum Analytics Research, LLC (keydet89@yahoo.com)
#-----------------------------------------------------------
package dfrg;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20110321);
sub getConfig{return %config}
sub getShortDescr {
return "Gets content of Dfrg BootOptim. key";
}
sub getDescr{}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching dfrg v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Microsoft\\Dfrg\\BootOptimizeFunction";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("Dfrg");
::rptMsg($key_path);
::rptMsg("");
my @vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
foreach my $v (@vals) {
::rptMsg(sprintf "%-20s %-20s",$v->get_name(),$v->get_data());
}
}
else {
::rptMsg($key_path." has no values.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;


@ -1,73 +0,0 @@
#-----------------------------------------------------------
# disablelastaccess.pl
#
# References:
# http://support.microsoft.com/kb/555041
# http://support.microsoft.com/kb/894372
#
# copyright 2008 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package disablelastaccess;
use strict;
my %config = (hive => "System",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20090118);
sub getConfig{return %config}
sub getShortDescr {
return "Get NTFSDisableLastAccessUpdate value";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching disablelastaccess v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# Code for System file, getting CurrentControlSet
my $current;
my $key_path = 'Select';
my $key;
my $ccs;
if ($key = $root_key->get_subkey($key_path)) {
$current = $key->get_value("Current")->get_data();
$ccs = "ControlSet00".$current;
}
my $key_path = $ccs."\\Control\\FileSystem";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("NtfsDisableLastAccessUpdate");
::rptMsg($key_path);
my @vals = $key->get_list_of_values();
my $found = 0;
if (scalar(@vals) > 0) {
foreach my $v (@vals) {
if ($v->get_name() eq "NtfsDisableLastAccessUpdate") {
::rptMsg("NtfsDisableLastAccessUpdate = ".$v->get_data());
$found = 1;
}
}
::rptMsg("NtfsDisableLastAccessUpdate value not found.") if ($found == 0);
}
else {
::rptMsg($key_path." has no values.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;


@ -1,69 +0,0 @@
#-----------------------------------------------------------
# dllsearch.pl
#
# References:
# http://support.microsoft.com/kb/2264107
#
# Change History:
# 20100824: created
#
# copyright 2010 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package dllsearch;
use strict;
my %config = (hive => "System",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20100824);
sub getConfig{return %config}
sub getShortDescr {
return "Get crash control information";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching dllsearch v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# Code for System file, getting CurrentControlSet
my $current;
my $key_path = 'Select';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
$current = $key->get_value("Current")->get_data();
my $cc_path = "ControlSet00".$current."\\Control\\Session Manager";
my $cc;
if ($cc = $root_key->get_subkey($cc_path)) {
::rptMsg("dllsearch v.".$VERSION);
::rptMsg("");
my $found = 1;
eval {
my $cde = $cc->get_value("CWDIllegalInDllSearch")->get_data();
$found = 0;
::rptMsg(sprintf "CWDIllegalInDllSearch = 0x%x",$cde);
};
::rptMsg("CWDIllegalInDllSearch value not found.") if ($found);
}
else {
::rptMsg($cc_path." not found.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;


@ -1,74 +0,0 @@
#-----------------------------------------------------------
# domains.pl
#
#
# Change history
# 20100116 - Created
#
# References
# http://support.microsoft.com/kb/919748
# http://support.microsoft.com/kb/922704
#
# copyright 2010 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package domains;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20100116);
sub getConfig{return %config}
sub getShortDescr {
return "Gets contents Internet Settings\\ZoneMap\\Domains key";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching domains v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap";
my $key;
if ($key = $root_key->get_subkey($key_path."\\Domains")) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())." (UTC)]");
my @vals = $s->get_list_of_values();
if (scalar @vals > 0) {
foreach my $v (@vals) {
::rptMsg(" ".$v->get_name()." -> ".$v->get_data);
}
}
::rptMsg("");
}
}
else {
::rptMsg($key_path." has no subkeys.");
::logMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;


@ -1,77 +0,0 @@
#-----------------------------------------------------------
# drwatson.pl
# Author: Don C. Weber
# Plugin for Registry Ripper; Access Software hive file to get the
# Dr. Watson settings from Software hive
#
# Change history
#
#
# References
# Dr Watson: http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/RegistryTips/RegistryTools/DrWatson.html
#
# Author: Don C. Weber, http://www.cutawaysecurity.com/blog/cutaway-security
#-----------------------------------------------------------
package drwatson;
use strict;
my %config = (hive => "Software",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20081219);
sub getConfig{return %config}
sub getShortDescr {
return "Gets Dr. Watson settings from Software hive";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching drwatson v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\AeDebug";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
($key->get_value('Auto') == 0x0) ? ::rptMsg("Debugging is Disabled") : ::rptMsg("Debugging is Enabled");
eval {
::rptMsg("Debugger: ".$key->get_value('Debugger')->get_data());
};
} else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
::rptMsg("");
my $key_path = "Microsoft\\DrWatson";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
($key->get_value('LogFilePath')) ? ::rptMsg("DrWatson LogFile Path location: ".$key->get_value('LogFilePath')->get_data()) : ::rptMsg("DrWatson LogFile Path location: %SystemRoot%\\Documents and Settings\\All Users\\Documents\\DrWatson");
($key->get_value('CreateCrashDump') == 0x0) ? ::rptMsg("CreateCrashDump is Disabled") : ::rptMsg("CreateCrashDump is Enabled");
($key->get_value('CrashDumpFile')) ? ::rptMsg("Crash Dump Path and Name: ".$key->get_value('CrashDumpFile')->get_data()) : ::rptMsg("CrashDumpFile is not set");
($key->get_value('AppendToLogFile') == 0x0) ? ::rptMsg("AppendToLogFile is set to create a new file each time") : ::rptMsg("AppendToLogFile is set to append");
} else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
::rptMsg("");
::rptMsg("Analysis Tips: For Dr. Watson settings information check: http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/RegistryTips/RegistryTools/DrWatson.html");
}
1;


@ -1,78 +0,0 @@
#-----------------------------------------------------------
# esent
# Get contents of Esent\Process key from Software hive
#
# Note: Not sure why I wrote this one; just thought it might come
# in handy as info about this key is developed.
#
# copyright 2010 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package esent;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 1,
version => 20101202);
sub getConfig{return %config}
sub getShortDescr {
return "Get ESENT\\Process key contents";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching esent v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Microsoft\\ESENT\\Process";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my @sk = $key->get_list_of_subkeys();
if (scalar(@sk) > 0) {
my %esent;
foreach my $s (@sk) {
my $sk = $s->get_subkey("DEBUG");
# my $lw = $s->get_timestamp();
my $lw = $sk->get_timestamp();
my $name = $s->get_name();
push(@{$esent{$lw}},$name);
}
foreach my $t (reverse sort {$a <=> $b} keys %esent) {
::rptMsg(gmtime($t)." (UTC)");
foreach my $item (@{$esent{$t}}) {
::rptMsg(" $item");
}
}
}
else {
::rptMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;


@ -1,156 +0,0 @@
#-----------------------------------------------------------
# eventlog.pl
#
# copyright 2008 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package eventlog;
use strict;
my %config = (hive => "System",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20090112);
sub getConfig{return %config}
sub getShortDescr {
return "Get EventLog configuration info";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching eventlog v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# Code for System file, getting CurrentControlSet
my $current;
my $key_path = 'Select';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
$current = $key->get_value("Current")->get_data();
my $evt_path = "ControlSet00".$current."\\Services\\Eventlog";
my $evt;
if ($evt = $root_key->get_subkey($evt_path)) {
::rptMsg("");
my @subkeys = $evt->get_list_of_subkeys();
if (scalar (@subkeys) > 0) {
foreach my $s (@subkeys) {
my $logname = $s->get_name();
::rptMsg($logname." \\ ".scalar gmtime($s->get_timestamp())."Z");
eval {
my $file = $s->get_value("File")->get_data();
::rptMsg(" File = ".$file);
};
eval {
my $display = $s->get_value("DisplayNameFile")->get_data();
::rptMsg(" DisplayNameFile = ".$display);
};
eval {
my $max = $s->get_value("MaxSize")->get_data();
::rptMsg(" MaxSize = ".processSize($max));
};
eval {
my $ret = $s->get_value("Retention")->get_data();
::rptMsg(" Retention = ".processRetention($ret));
};
# AutoBackupLogFiles; http://support.microsoft.com/kb/312571/
eval {
my $auto = $s->get_value("AutoBackupLogFiles")->get_data();
::rptMsg(" AutoBackupLogFiles = ".$auto);
};
# Check WarningLevel value on Security EventLog; http://support.microsoft.com/kb/945463
eval {
if ($logname eq "Security") {
my $wl = $s->get_value("WarningLevel")->get_data();
::rptMsg(" WarningLevel = ".$wl);
}
};
::rptMsg("");
}
}
else {
::rptMsg($evt_path." has no subkeys.");
}
}
else {
::rptMsg($evt_path." not found.");
::logMsg($evt_path." not found.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;
sub processSize {
my $sz = shift;
my $kb = 1024;
my $mb = $kb * 1024;
my $gb = $mb * 1024;
if ($sz > $gb) {
my $d = $sz/$gb;
my $l = length((split(/\./,$d,2))[0]) + 2;
return sprintf "%$l.2fGB",$d;
}
elsif ($sz > $mb) {
my $d = $sz/$mb;
my $l = length((split(/\./,$d,2))[0]) + 2;
return sprintf "%$l.2fMB",$d;
}
elsif ($sz > $kb) {
my $d = $sz/$kb;
my $l = length((split(/\./,$d,2))[0]) + 2;
return sprintf "%$l.2fKB",$d;
}
else {return $sz."B"};
}
sub processRetention {
# Retention maintained in seconds
# http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/
# regentry/30709.mspx?mfr=true
my $ret = shift;
my $min = 60;
my $hr = $min * 60;
my $day = $hr * 24;
if ($ret > $day) {
my $d = $ret/$day;
my $l = length((split(/\./,$d,2))[0]) + 2;
return sprintf "%$l.2f days",$d;
}
elsif ($ret > $hr) {
my $d = $ret/$hr;
my $l = length((split(/\./,$d,2))[0]) + 2;
return sprintf "%$l.2f hr",$d;
}
elsif ($ret > $min) {
my $d = $ret/$min;
my $l = length((split(/\./,$d,2))[0]) + 2;
return sprintf "%$l.2f min",$d;
}
else {return $ret." sec"};
}


@ -1,98 +0,0 @@
#-----------------------------------------------------------
# eventlogs.pl
# Author: Don C. Weber
# Plugin for Registry Ripper; Access System hive file to get the
# Event Log settings from System hive
#
# Change history
#
#
# References
# Eventlog Key: http://msdn.microsoft.com/en-us/library/aa363648(VS.85).aspx
#
# Author: Don C. Weber, http://www.cutawaysecurity.com/blog/cutaway-security
#-----------------------------------------------------------
package eventlogs;
use strict;
my %config = (hive => "System",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20081219);
sub getConfig{return %config}
sub getShortDescr {
return "Gets Event Log settings from System hive";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching eventlogs v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# First thing to do is get the ControlSet00x marked current...this is
# going to be used over and over again in plugins that access the system
# file
my $current;
my $key_path = 'Select';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
$current = $key->get_value("Current")->get_data();
my $ccs = "ControlSet00".$current;
my $win_path = $ccs."\\Services\\Eventlog";
my $win;
if ($win = $root_key->get_subkey($win_path)) {
::rptMsg("EventLog Configuration");
::rptMsg($win_path);
::rptMsg("LastWrite Time ".gmtime($win->get_timestamp())." (UTC)");
my $cn;
if ($cn = $win->get_value("ComputerName")->get_data()) {
::rptMsg("ComputerName = ".$cn);
}
else {
::rptMsg("ComputerName value not found.");
}
}
else {
::rptMsg($win_path." not found.");
}
# Cycle through each type of log
my $logname;
my $evpath;
my $evlog;
my @list_logs = $win->get_list_of_subkeys();
foreach $logname (@list_logs){
::rptMsg("");
$evpath = $win_path."\\".$logname->get_name();
if ($evlog = $root_key->get_subkey($evpath)) {
::rptMsg(" ".$logname->get_name()." EventLog");
::rptMsg(" ".$evpath);
::rptMsg(" LastWrite Time ".gmtime($evlog->get_timestamp())." (UTC)");
::rptMsg(" Configuration Settings");
::rptMsg(" Log location: ".$evlog->get_value('File')->get_data());
::rptMsg(" Log Size: ".$evlog->get_value('MaxSize')->get_data()." Bytes");
($evlog->get_value('AutoBackupLogFiles') == 0x0) ? ::rptMsg(" AutoBackupLogFiles is Disabled") : ::rptMsg(" AutoBackupLogFiles is Enabled")
}
else {
::rptMsg($logname->get_name()." Event Log not found.");
}
}
::rptMsg("");
::rptMsg("Analysis Tips: For Event Log settings information check: http://msdn.microsoft.com/en-us/library/aa363648(VS.85).aspx");
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;


@ -1,73 +0,0 @@
#-----------------------------------------------------------
# fileexts.pl
#
# copyright 2008 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package fileexts;
use strict;
my %config = (hive => "NTUSER\.DAT",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20080818);
sub getConfig{return %config}
sub getShortDescr {
return "Get user FileExts values";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching fileexts v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("fileexts");
::rptMsg($key_path);
::rptMsg("");
my @sk = $key->get_list_of_subkeys();
if (scalar(@sk) > 0) {
foreach my $s (@sk) {
my $name = $s->get_name();
next unless ($name =~ m/^\.\w+/);
eval {
my $data = $s->get_subkey("OpenWithList")->get_value("MRUList")->get_data();
if ($data =~ m/^\w/) {
::rptMsg("File Extension: ".$name);
::rptMsg("LastWrite: ".gmtime($s->get_subkey("OpenWithList")->get_timestamp()));
::rptMsg("MRUList: ".$data);
my @list = split(//,$data);
foreach my $l (@list) {
my $valdata = $s->get_subkey("OpenWithList")->get_value($l)->get_data();
::rptMsg(" ".$l." => ".$valdata);
}
::rptMsg("");
}
};
}
}
else {
::rptMsg($key_path." does not have subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;


@ -1,95 +0,0 @@
#! c:\perl\bin\perl.exe
#-----------------------------------------------------------
# findexes.pl
# Plugin for RegRipper; traverses through a Registry hive,
# looking for values with binary data types, and checks to see
# if they start with "MZ"; if so, records the value path, key
# LastWrite time, and length of the data
#
# Change history
# 20090728 - Created
#
# copyright 2009 H. Carvey
#-----------------------------------------------------------
package findexes;
use strict;
my %config = (hive => "All",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20090728);
sub getConfig{return %config}
sub getShortDescr {
return "Scans a hive file looking for binary value data that contains MZ";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
my %vals;
my $bin_count = 0;
my $exe_count = 0;
sub pluginmain {
my $class = shift;
my $file = shift;
my $reg = Parse::Win32Registry->new($file);
my $root_key = $reg->get_root_key;
::logMsg("Launching findexes v.".$VERSION);
traverse($root_key);
# Data structure containing findings is a hash of hashes
foreach my $k (keys %vals) {
::rptMsg("Key: ".$k." LastWrite time: ".gmtime($vals{$k}{lastwrite}));
foreach my $i (keys %{$vals{$k}}) {
next if ($i eq "lastwrite");
::rptMsg(" Value: ".$i." Length: ".$vals{$k}{$i}." bytes");
}
::rptMsg("");
}
::rptMsg("Number of values w/ binary data types: ".$bin_count);
::rptMsg("Number of values w/ MZ in binary data: ".$exe_count);
}
sub traverse {
my $key = shift;
# my $ts = $key->get_timestamp();
foreach my $val ($key->get_list_of_values()) {
my $type = $val->get_type();
if ($type == 0 || $type == 3) {
$bin_count++;
my $data = $val->get_data();
# This code looks for data that starts with MZ
# my $i = unpack("v",substr($data,0,2));
# if ($i == 0x5a4d) {
if (grep(/MZ/,$data)) {
$exe_count++;
my $path;
my @p = split(/\\/,$key->get_path());
if (scalar(@p) == 1) {
$path = "root";
}
else {
shift(@p);
$path = join('\\',@p);
}
$vals{$path}{lastwrite} = $key->get_timestamp();
$vals{$path}{$val->get_name()} = length($data);
}
}
}
foreach my $subkey ($key->get_list_of_subkeys()) {
traverse($subkey);
}
}
1;


@ -1,116 +0,0 @@
#-----------------------------------------------------------
# fw_config
#
# References
# http://technet2.microsoft.com/WindowsServer/en/library/47f25d7d-
# 882b-4f87-b05f-31e5664fc15e1033.mspx?mfr=true
#
#
# copyright 2008 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package fw_config;
use strict;
my %config = (hive => "System",
osmask => 20,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20080328);
sub getConfig{return %config}
sub getShortDescr {
return "Gets the Windows Firewall config from the System hive";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching fw_config v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# Code for System file, getting CurrentControlSet
my $current;
my $ccs;
my $select_path = 'Select';
my $sel;
if ($sel = $root_key->get_subkey($select_path)) {
$current = $sel->get_value("Current")->get_data();
$ccs = "ControlSet00".$current;
}
else {
::rptMsg($select_path." could not be found.");
::logMsg($select_path." could not be found.");
return;
}
my @profiles = ("DomainProfile","StandardProfile");
foreach my $profile (@profiles) {
my $key_path = $ccs."\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\".$profile;
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("Windows Firewall Configuration");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my %vals = getKeyValues($key);
if (scalar(keys %vals) > 0) {
foreach my $v (keys %vals) {
::rptMsg("\t".$v." -> ".$vals{$v});
}
}
else {
# ::rptMsg($key_path." has no values.");
}
my @configs = ("RemoteAdminSettings",
"IcmpSettings",
"GloballyOpenPorts\\List",
"AuthorizedApplications\\List");
foreach my $config (@configs) {
eval {
my %vals = getKeyValues($key->get_subkey($config));
if (scalar(keys %vals) > 0) {
::rptMsg("");
::rptMsg($key_path."\\".$config);
::rptMsg("LastWrite Time ".gmtime($key->get_subkey($config)->get_timestamp())." (UTC)");
foreach my $v (keys %vals) {
::rptMsg("\t".$v." -> ".$vals{$v});
}
}
};
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
::rptMsg("");
} # end foreach
}
sub getKeyValues {
my $key = shift;
my %vals;
my @vk = $key->get_list_of_values();
if (scalar(@vk) > 0) {
foreach my $v (@vk) {
next if ($v->get_name() eq "" && $v->get_data() eq "");
$vals{$v->get_name()} = $v->get_data();
}
}
else {
}
return %vals;
}
1;


@ -1,71 +0,0 @@
#-----------------------------------------------------------
# gthist.pl
# Google Toolbar Search History plugin
#
#
# Change history
# 20100218 - created
#
# References
#
#
#
# copyright 2010 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package gthist;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20100218);
sub getConfig{return %config}
sub getShortDescr {
return "Gets Google Toolbar Search History";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
my %hist;
::logMsg("Launching gthist v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = 'Software\\Google\\NavClient\\1.1\\History';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my @vals = $key->get_list_of_values();
if (scalar @vals > 0) {
::rptMsg("");
foreach my $v (@vals) {
my $tv = unpack("V",$v->get_data());
$hist{$tv} = $v->get_name();
}
foreach my $t (reverse sort {$a <=> $b} keys %hist) {
my $str = gmtime($t)." ".$hist{$t};
::rptMsg($str);
}
}
else {
::rptMsg($key_path." has no values.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;


@ -1,74 +0,0 @@
#-----------------------------------------------------------
# gtwhitelist.pl
# Google Toolbar Search History plugin
#
#
# Change history
# 20100218 - created
#
# References
#
#
#
# copyright 2010 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package gtwhitelist;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20100218);
sub getConfig{return %config}
sub getShortDescr {
return "Gets Google Toolbar whitelist values";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
my %hist;
::logMsg("Launching gtwhitelist v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = 'Software\\Google\\Google Toolbar\\4.0\\whitelist';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my $allow2;
eval {
$allow2 = $key->get_value("allow2")->get_data();
my @vals = split(/\|/,$allow2);
::rptMsg("");
::rptMsg("whitelist");
foreach my $v (@vals) {
next if ($v eq "");
::rptMsg(" ".$v);
}
::rptMsg("");
};
my $lastmod;
eval {
$lastmod = $key->get_value("lastmod")->get_data();
::rptMsg("lastmod ".gmtime($lastmod)." (UTC)");
};
}
else {
::rptMsg($key_path." not found.");
}
}
1;


@ -1,78 +0,0 @@
#-----------------------------------------------------------
# hibernate.pl
#
# Ref:
# http://support.microsoft.com/kb/293399 & testing
#
# copyright 2008-2009 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package hibernate;
use strict;
my %config = (hive => "System",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20081216);
sub getConfig{return %config}
sub getShortDescr {
return "Check hibernation status";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching hibernate v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# Code for System file, getting CurrentControlSet
my $current;
my $key_path = 'Select';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
$current = $key->get_value("Current")->get_data();
my $ccs = "ControlSet00".$current;
my $power_path = $ccs."\\Control\\Session Manager\\Power";
my $power;
if ($power = $root_key->get_subkey($power_path)) {
my $heur;
eval {
my $bin_val = $power->get_value("Heuristics")->get_data();
$heur = (unpack("v*",$bin_val))[3];
if ($heur == 0) {
::rptMsg("Hibernation disabled.");
}
elsif ($heur == 1) {
::rptMsg("Hibernation enabled.");
}
else {
::rptMsg("Unknown hibernation value: ".$heur);
}
};
::rptMsg("Error reading Heuristics value.") if ($@);
}
else {
::rptMsg($power_path." not found.");
}
}
else {
::rptMsg($key_path." not found.");
# ::logMsg($key_path." not found.");
}
}
1;


@ -1,123 +0,0 @@
#-----------------------------------------------------------
# ide.pl
# Get IDE device info from the System hive file
#
# copyright 2008 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package ide;
use strict;
my %config = (hive => "System",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20080418);
sub getConfig{return %config}
sub getShortDescr {
return "Get IDE device info from the System hive file";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching ide v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
::rptMsg("IDE");
# Code for System file, getting CurrentControlSet
my $current;
my $ccs;
my $key_path = 'Select';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
$current = $key->get_value("Current")->get_data();
$ccs = "ControlSet00".$current;
}
else {
::logMsg("Could not find ".$key_path);
return
}
my $key_path = $ccs."\\Enum\\IDE";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
::rptMsg("");
::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())."]");
my @sk = $s->get_list_of_subkeys();
if (scalar(@sk) > 0) {
foreach my $s2 (@sk) {
::rptMsg($s2->get_name()." [".gmtime($s2->get_timestamp())." (UTC)]");
eval {
::rptMsg("FriendlyName : ".$s2->get_value("FriendlyName")->get_data());
};
::rptMsg("");
}
}
}
}
else {
::rptMsg($key_path." has no subkeys.");
::logMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
my $key_path = $ccs."\\Control\\DeviceClasses\\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("DevClasses - Disks");
::rptMsg($key_path);
my %disks;
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
my $name = $s->get_name();
next unless (grep(/IDE/,$name));
my $lastwrite = $s->get_timestamp();
my ($dev, $serial) = (split(/#/,$name))[4,5];
push(@{$disks{$lastwrite}},$dev.",".$serial);
}
if (scalar(keys %disks) == 0) {
::rptMsg("No IDE subkeys were found.");
return;
}
::rptMsg("");
foreach my $t (reverse sort {$a <=> $b} keys %disks) {
::rptMsg(gmtime($t)." (UTC)");
foreach my $item (@{$disks{$t}}) {
::rptMsg("\t$item");
}
}
}
else {
::rptMsg($key_path." has no subkeys.");
::logMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;


@ -1,82 +0,0 @@
#-----------------------------------------------------------
# ie_main.pl
# Checks keys/values set by new version of Trojan.Clampi
#
# Change history
# 20091019 - created
#
#
# References
# http://support.microsoft.com/kb/895339
# http://support.microsoft.com/kb/176497
#
# copyright 2009 H. Carvey
#-----------------------------------------------------------
package ie_main;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20091019);
sub getConfig{return %config}
sub getShortDescr {
return "Gets values beneath user's Internet Explorer\\Main key";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching ie_main v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = 'Software\\Microsoft\\Internet Explorer\\Main';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my %main;
my @vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
foreach my $v (@vals) {
my $name = $v->get_name();
my $data = $v->get_data();
next if ($name eq "Window_Placement");
$data = unpack("V",$data) if ($name eq "Do404Search");
if ($name eq "IE8RunOnceLastShown_TIMESTAMP" || $name eq "IE8TourShownTime") {
my ($t0,$t1) = unpack("VV",$data);
$data = gmtime(::getTime($t0,$t1))." UTC";
}
$main{$name} = $data;
}
foreach my $n (keys %main) {
my $str = sprintf "%-35s %-20s",$n,$main{$n};
::rptMsg($str);
}
}
else {
::rptMsg($key_path." has no values.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;


@ -1,72 +0,0 @@
#! c:\perl\bin\perl.exe
#-----------------------------------------------------------
# ie_settings.pl
# Gets IE settings
#
# Change history
#
#
# References
#
#
#
# copyright 2009 H. Carvey
#-----------------------------------------------------------
package ie_settings;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 1,
osmask => 22,
version => 20091016);
sub getConfig{return %config}
sub getShortDescr {
return "Gets IE settings";
}
sub getDescr{}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching ie_settings v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my $ua;
eval {
$ua = $key->get_value("User Agent")->get_data();
::rptMsg("User Agent = ".$ua);
};
my $zonessecupgrade;
eval {
$zonessecupgrade = $key->get_value("ZonesSecurityUpgrade")->get_data();
my ($z0,$z1) = unpack("VV",$zonessecupgrade);
::rptMsg("ZonesSecurityUpgrade = ".gmtime(::getTime($z0,$z1))." (UTC)");
};
my $daystokeep;
eval {
$daystokeep = $key->get_subkey("Url History")->get_value("DaysToKeep")->get_data();
::rptMsg("DaysToKeep = ".$daystokeep);
};
}
else {
::rptMsg($key_path." not found.");
}
}
1;


@ -1,60 +0,0 @@
#-----------------------------------------------------------
# ie_version
# Get IE version and build
#
# copyright 2009 H. Carvey
#-----------------------------------------------------------
package ie_version;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20091016);
sub getConfig{return %config}
sub getShortDescr {
return "Get IE version and build";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching ie_version v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Microsoft\\Internet Explorer";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my $version;
my $build;
eval {
$build = $key->get_value("Build")->get_data();
::rptMsg("IE Build = ".$build);
};
eval {
$version= $key->get_value("Version")->get_data();
::rptMsg("IE Version = ".$version);
};
}
else {
::rptMsg($key_path." not found.");
}
}
1;


@ -1,85 +0,0 @@
#-----------------------------------------------------------
# imagedev.pl
#
# copyright 2008 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package imagedev;
use strict;
my %config = (hive => "System",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20080730);
sub getConfig{return %config}
sub getShortDescr {
return " -- ";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching imagedev v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# Code for System file, getting CurrentControlSet
my $current;
my $ccs;
eval {
my $key_path = 'Select';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
$current = $key->get_value("Current")->get_data();
$ccs = "ControlSet00".$current;
}
};
if ($@) {
::rptMsg("Problem locating proper controlset: $@");
return;
}
my $key_path = $ccs."\\Control\\Class\\{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("imagedev");
::rptMsg($key_path);
# ::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my @sk = $key->get_list_of_subkeys();
if (scalar(@sk) > 0) {
::rptMsg("Still Image Capture Devices");
foreach my $s (@sk) {
my $name = $s->get_name();
next unless ($name =~ m/^\d{4}$/);
my $friendly;
eval {
$friendly = $s->get_value("FriendlyName")->get_data();
::rptMsg(" ".$friendly);
};
if ($@) {
::logMsg("Error getting device FriendlyName in imagedev: ".$@);
}
}
}
else {
::rptMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;


@ -1,99 +0,0 @@
#-----------------------------------------------------------
# imagefile
#
# References:
# http://msdn2.microsoft.com/en-us/library/a329t4ed(VS\.80)\.aspx
# http://support.microsoft.com/kb/2264107
#
# Change history:
# 20100824 - added check for "CWDIllegalInDllSearch" value
#
# copyright 2010 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package imagefile;
use strict;
my %config = (hive => "Software",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20100824);
sub getConfig{return %config}
sub getShortDescr {
return "Checks IFEO subkeys for Debugger/CWDIllegalInDllSearch values";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching imagefile v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("Image File Execution Options");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
my %debug;
my $i = "Your Image File Name here without a path";
foreach my $s (@subkeys) {
my $name = $s->get_name();
next if ($name =~ m/^$i/i);
my $debugger = "";
eval {
$debugger = $s->get_value("Debugger")->get_data();
};
# If the eval{} throws an error, it's b/c the Debugger value isn't
# found within the key, so we don't need to do anything w/ the error
if ($debugger ne "") {
$debug{$name}{debug} = $debugger;
$debug{$name}{lastwrite} = $s->get_timestamp();
}
my $dllsearch = "";
eval {
$dllsearch = $s->get_value("CWDIllegalInDllSearch")->get_data();
};
# If the eval{} throws an error, it's b/c the Debugger value isn't
# found within the key, so we don't need to do anything w/ the error
if ($dllsearch ne "") {
$debug{$name}{dllsearch} = $debugger;
$debug{$name}{lastwrite} = $s->get_timestamp();
}
}
if (scalar (keys %debug) > 0) {
foreach my $d (keys %debug) {
::rptMsg($d." LastWrite: ".gmtime($debug{$d}{lastwrite}));
::rptMsg(" Debugger : ".$debug{$d}{debug}) if (exists $debug{$d}{debug});
::rptMsg(" CWDIllegalInDllSearch: ".$debug{$d}{dllsearch}) if (exists $debug{$d}{dllsearch});
}
}
else {
::rptMsg("No Debugger/CWDIllegalInDllSearch values found.");
}
}
else {
::rptMsg($key_path." has no subkeys.");
::logMsg($key_path." has no subkeys");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;


@ -1,77 +0,0 @@
#-----------------------------------------------------------
# init_dlls.pl
# Plugin to assist in the detection of malware per Mark Russinovich's
# blog post (References, below)
#
# Change History:
# 20110309 - created
#
# References
# http://blogs.technet.com/b/markrussinovich/archive/2011/02/27/3390475.aspx
#
# copyright 2011 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package init_dlls;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20110309);
sub getConfig{return %config}
sub getShortDescr {
return "Check for odd **pInit_Dlls keys";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
my @init;
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching init_dlls v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Microsoft\\Windows NT\\CurrentVersion\\Windows";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("init_dlls");
::rptMsg($key_path);
::rptMsg("LastWrite: ".gmtime($key->get_timestamp()));
::rptMsg("");
my @vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
foreach my $v (@vals) {
my $name = $v->get_name();
next if ($name eq "AppInit_DLLs");
push(@init,$name) if ($name =~ m/Init_DLLs$/);
}
if (scalar @init > 0) {
foreach my $n (@init) {
::rptMsg($n);
}
}
else {
::rptMsg("No additional values named *Init_DLLs located.");
}
}
else {
::rptMsg($key_path." has no values.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;


@ -1,120 +0,0 @@
#-----------------------------------------------------------
# installedcomp.pl
# Get info about Installed Components
#
# Change history:
# 20100116 - updated for slightly better coverage
# 20100115 - created
#
# References:
#
# Notes: Look for out of place entries, particularly those
# that point to the Recycle Bin or a temp directory
#
# copyright 2010 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package installedcomp;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20100116);
sub getConfig{return %config}
sub getShortDescr {
return "Get info about Installed Components/StubPath";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
my %comp;
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching installedcomp v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "Microsoft\\Active Setup\\Installed Components";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
::rptMsg("");
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
my $lastwrite = $s->get_timestamp();
my $str;
eval {
$str = $s->get_value("ComponentID")->get_data();
};
eval {
my $ver = $s->get_value("Version")->get_data();
$str .= " v.".$ver if ($ver && $s->get_value("Version")->get_type() == 1);
};
eval {
my $stub = $s->get_value("StubPath")->get_data();
$str .= "; ".$stub if ($stub ne "");
};
# If the $str scalar is empty at this point, that means that for
# some reason, we haven't been able to populate the information
# we're looking for; in this case, we'll go looking for some info
# in a different area of the hive; the BHO.pl plugin does this, as
# well. I'd rather that the plugin look for the Classes info than
# leave a blank entry in the output.
if ($str eq "") {
my $name = $s->get_name();
my $class_path = "Classes\\CLSID\\".$name;
my $proc;
if ($proc = $root_key->get_subkey($class_path)) {
# Try these two eval{} statements because I've seen the different
# spellings for InProcServer32/InprocServer32 in sequential keys
eval {
$str = $proc->get_subkey("InprocServer32")->get_value("")->get_data();
};
eval {
$str = $proc->get_subkey("InProcServer32")->get_value("")->get_data();
};
}
else {
$str = $name." class not found.";
}
}
push(@{$comp{$lastwrite}},$str);
}
foreach my $t (reverse sort {$a <=> $b} keys %comp) {
::rptMsg(gmtime($t)." (UTC)");
foreach my $item (@{$comp{$t}}) {
::rptMsg(" ".$item);
}
::rptMsg("");
}
}
else {
::rptMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;


@ -1,67 +0,0 @@
#-----------------------------------------------------------
# javafx.pl
# Plugin written based on Cory Harrell's Exploit Artifacts posts at
# http://journeyintoir.blogspot.com/
#
# Change history
# 20110322 - created
#
# References
# http://java.sun.com/j2se/1.4.2/runtime_win32.html
#
# copyright 2011 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package javafx;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20110322);
sub getConfig{return %config}
sub getShortDescr {
return "Gets contents of user's JavaFX key";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching javafx v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = "Software\\JavaSoft\\Java Update\\Policy\\JavaFX";
my $key;
my @vals;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("javafx v.".$VERSION);
::rptMsg($key_path);
::rptMsg("LastWrite time: ".gmtime($key->get_timestamp()));
::rptMsg("");
@vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
# First, read in all of the values and the data
foreach my $v (@vals) {
::rptMsg(sprintf "%-25s %-20s",$v->get_name(), $v->get_data());
}
}
else {
::rptMsg($key_path." has no values.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;


@ -1,90 +0,0 @@
#-----------------------------------------------------------
# kb950582.pl
# Get autorun settings WRT KB950582
#
# Change history
# 18 Dec 2008 - Updated to new name; added checks for Registry
# keys
#
# References
# http://support.microsoft.com/kb/953252
# http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit
# /regentry/91525.mspx?mfr=true
#
# copyright 2008-2009 H. Carvey
#-----------------------------------------------------------
package kb950582;
use strict;
my %config = (hive => "Software",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20081212);
sub getConfig{return %config}
sub getShortDescr {
return "KB950582 - Gets autorun settings from HKLM hive";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching kb950582 v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
eval {
my $path = "Microsoft\\Windows\\CurrentVersion\\Uninstall\\KB950582";
if (my $kbkey = $root_key->get_subkey($path)) {
my $install = $kbkey->get_value("InstallDate")->get_data();
::rptMsg("KB950528 Uninstall Key ".gmtime($kbkey->get_timestamp()));
::rptMsg(" InstallDate = ".$install."\n");
}
};
::rptMsg("Uninstall\\KB950528 does not appear to be installed.\n") if ($@);
eval {
my $path = "Microsoft\\Updates\\Windows XP\\SP4\\KB950582";
if (my $kbkey = $root_key->get_subkey($path)) {
my $install = $kbkey->get_value("InstalledDate")->get_data();
::rptMsg("KB950528 Update Key ".gmtime($kbkey->get_timestamp()));
::rptMsg(" InstalledDate = ".$install."\n");
}
};
::rptMsg("KB950528 does not appear to be installed.\n") if ($@);
my $key_path = "Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
eval {
my $nodrive = $key->get_value("NoDriveTypeAutoRun")->get_data();
my $str = sprintf "%-20s 0x%x","NoDriveTypeAutoRun",$nodrive;
::rptMsg($str);
};
::rptMsg("Error: ".$@) if ($@);
# http://support.microsoft.com/kb/953252
eval {
my $honor = $key->get_value("HonorAutorunSetting")->get_data();
my $str = sprintf "%-20s 0x%x","HonorAutorunSetting",$honor;
::rptMsg($str);
};
::rptMsg("HonorAutorunSetting not found.") if ($@);
::rptMsg("");
::rptMsg("Autorun settings in the HKLM hive take precedence over those in");
::rptMsg("the HKCU hive.");
}
else {
::rptMsg($key_path." not found.");
}
}
1;


@ -1,65 +0,0 @@
#-----------------------------------------------------------
# kbdcrash.pl
#
# Ref:
# http://support.microsoft.com/kb/244139
#
# copyright 2008-2009 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package kbdcrash;
use strict;
my %config = (hive => "System",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20081212);
sub getConfig{return %config}
sub getShortDescr {
return "Checks to see if system is config to crash via keyboard";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
my $enabled = 0;
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching kbdcrash v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# Code for System file, getting CurrentControlSet
my $current;
my $key_path = 'Select';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
$current = $key->get_value("Current")->get_data();
my $svc = "ControlSet00".$current."\\Services";
eval {
my $ps2 = $svc->get_subkey("i8042prt\\Parameters")->get_value("CrashOnCtrlScroll")->get_data();
::rptMsg("CrashOnCtrlScroll set for PS2 keyboard") if ($ps2 == 1);
$enabled = 1 if ($ps2 == 1);
};
eval {
my $usb = $svc->get_subkey("kbdhid\\Parameters")->get_value("CrashOnCtrlScroll")->get_data();
::rptMsg("CrashOnCtrlScroll set for USB keyboard") if ($usb == 1);
$enabled = 1 if ($usb == 1);
};
::rptMsg("CrashOnCtrlScroll not set");
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;


@ -1,71 +0,0 @@
#-----------------------------------------------------------
# LANDESK Monitor Logs
#
#
# Change history
# 20090729 - updates, H. Carvey
#
# copyright 2009 Don C. Weber
#-----------------------------------------------------------
package landesk;
use strict;
my %config = (hive => "Software",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20090729);
sub getConfig{return %config}
sub getShortDescr {
return "Get list of programs monitored by LANDESK from Software hive file";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
my %ls;
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching LANDESK v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "LANDesk\\ManagementSuite\\WinClient\\SoftwareMonitoring\\MonitorLog";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("");
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
eval {
my ($val1,$val2) = unpack("VV",$s->get_value("Last Started")->get_data());
# Push the data into a hash of arrays
push(@{$ls{::getTime($val1,$val2)}},$s->get_name());
};
}
foreach my $t (reverse sort {$a <=> $b} keys %ls) {
::rptMsg(gmtime($t)." (UTC)");
foreach my $item (@{$ls{$t}}) {
::rptMsg("\t$item");
}
}
}
else {
::rptMsg($key_path." does not appear to have any subkeys.")
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;


@ -1,96 +0,0 @@
#-----------------------------------------------------------
# legacy.pl
#
#
# Change history
# 20090429 - created
#
# Reference: http://support.microsoft.com/kb/310592
#
#
# Analysis Tip:
#
# copyright 2009 H. Carvey
#-----------------------------------------------------------
package legacy;
my %config = (hive => "System",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20090429);
sub getConfig{return %config}
sub getShortDescr {
return "Lists LEGACY_ entries in Enum\\Root key";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key();
# First thing to do is get the ControlSet00x marked current...this is
# going to be used over and over again in plugins that access the system
# file
my $current;
my $key_path = 'Select';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
$current = $key->get_value("Current")->get_data();
my $ccs = "ControlSet00".$current;
my $root_path = $ccs."\\Enum\\Root";
my %legacy;
if (my $root = $root_key->get_subkey($root_path)) {
my @sk = $root->get_list_of_subkeys();
if (scalar(@sk) > 0) {
foreach my $s (@sk) {
my $name = $s->get_name();
next unless ($name =~ m/^LEGACY_/);
push(@{$legacy{$s->get_timestamp()}},$name);
eval {
my @s_sk = $s->get_list_of_subkeys();
if (scalar(@s_sk) > 0) {
foreach my $s_s (@s_sk) {
my $desc;
eval {
$desc = $s_s->get_value("DeviceDesc")->get_data();
push(@{$legacy{$s_s->get_timestamp()}},$name."\\".$s_s->get_name()." - ".$desc);
};
push(@{$legacy{$s_s->get_timestamp()}},$name."\\".$s_s->get_name()) if ($@);
}
}
};
}
}
else {
::rptMsg($root_path." has no subkeys.");
}
foreach my $t (reverse sort {$a <=> $b} keys %legacy) {
::rptMsg(gmtime($t)." (UTC)");
foreach my $item (@{$legacy{$t}}) {
::rptMsg("\t$item");
}
}
}
else {
::rptMsg($root_path." not found.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;


@ -1,69 +0,0 @@
#! c:\perl\bin\perl.exe
#-----------------------------------------------------------
# listsoft.pl
# Plugin for Registry Ripper; traverses thru the Software
# key of an NTUSER.DAT file, extracting all of the subkeys
# and listing them in order by LastWrite time.
#
# Change history
#
#
# copyright 2008 H. Carvey
#-----------------------------------------------------------
package listsoft;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20080324);
sub getConfig{return %config}
sub getShortDescr {
return "Lists contents of user's Software key";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $file = shift;
my $reg = Parse::Win32Registry->new($file);
my $root_key = $reg->get_root_key;
::logMsg("Launching listsoft v.".$VERSION);
my %soft;
my $key_path = 'Software';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("listsoft v.".$VERSION);
::rptMsg("List the contents of the Software key in the NTUSER\.DAT hive");
::rptMsg("file, in order by LastWrite time.");
::rptMsg("");
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
push(@{$soft{$s->get_timestamp()}},$s->get_name());
}
foreach my $t (reverse sort {$a <=> $b} keys %soft) {
foreach my $item (@{$soft{$t}}) {
::rptMsg(gmtime($t)."Z \t".$item);
}
}
}
else {
::logMsg($key_path." has no subkeys.");
}
}
else {
::logMsg("Could not access ".$key_path);
}
}
1;


@ -1,81 +0,0 @@
#-----------------------------------------------------------
# load.pl
# The load and run values in the Windows NT\CurrentVersion\Windows
# key are throw-backs to the old win.ini file, and can be/are used
# by malware.
#
# Change history
# 20100811 - created
#
# References
# http://support.microsoft.com/kb/103865
# http://security.fnal.gov/cookbook/WinStartup.html
#
# copyright 2010 Quantum Analytics Research, LLC
#-----------------------------------------------------------
package load;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20100811);
sub getConfig{return %config}
sub getShortDescr {
return "Gets load and run values from user hive";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching load v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $key_path = 'Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("load");
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my @vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
::rptMsg("");
my %win;
foreach my $v (@vals) {
$win{$v->get_name()} = $v->get_data();
}
if (exists $win{"load"}) {
::rptMsg("load = ".$win{"load"});
}
else {
::rptMsg("load value not found.");
}
if (exists $win{"run"}) {
::rptMsg("run = ".$win{"run"});
}
else {
::rptMsg("run value not found.");
}
}
else {
::rptMsg($key_path." has no values.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;


@ -1,98 +0,0 @@
#-----------------------------------------------------------
# logon_xp_run
# Get contents of Run key from Software hive
#
# References:
# http://support.microsoft.com/kb/314488
#
# Note: Needs testing to see if it applies beyond XP/XP-64
#
# copyright 2008 H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package logon_xp_run;
use strict;
my %config = (hive => "NTUSER\.DAT",
osmask => 12,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20080328);
sub getConfig{return %config}
sub getShortDescr {
return "Autostart - Get XP user logon Run key contents from NTUSER\.DAT hive";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching user_xp_run v.".$VERSION);
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
my $key_path = "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\policies\\Explorer\\Run";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg($key_path);
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
my %vals = getKeyValues($key);
if (scalar(keys %vals) > 0) {
foreach my $v (keys %vals) {
::rptMsg("\t".$v." -> ".$vals{$v});
}
}
else {
::rptMsg($key_path." has no values.");
}
# my @sk = $key->get_list_of_subkeys();
# if (scalar(@sk) > 0) {
# foreach my $s (@sk) {
# ::rptMsg("");
# ::rptMsg($key_path."\\".$s->get_name());
# ::rptMsg("LastWrite Time ".gmtime($s->get_timestamp())." (UTC)");
# my %vals = getKeyValues($s);
# foreach my $v (keys %vals) {
# ::rptMsg("\t".$v." -> ".$vals{$v});
# }
# }
# }
# else {
# ::rptMsg("");
# ::rptMsg($key_path." has no subkeys.");
# }
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
sub getKeyValues {
my $key = shift;
my %vals;
my @vk = $key->get_list_of_values();
if (scalar(@vk) > 0) {
foreach my $v (@vk) {
next if ($v->get_name() eq "" && $v->get_data() eq "");
$vals{$v->get_name()} = $v->get_data();
}
}
else {
# do nothing
}
return %vals;
}
1;


@ -1,68 +0,0 @@
#! c:\perl\bin\perl.exe
#-----------------------------------------------------------
# logonusername.pl
# Plugin for Registry Ripper, NTUSER.DAT edition - gets the
# "Logon User Name" value
#
# Change history
#
#
#
# copyright 2008 H. Carvey
#-----------------------------------------------------------
package logonusername;
use strict;
my %config = (hive => "NTUSER\.DAT",
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
osmask => 22,
version => 20080324);
sub getConfig{return %config}
sub getShortDescr {
return "Get user's Logon User Name value";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $ntuser = shift;
::logMsg("Launching logonusername v.".$VERSION);
my $reg = Parse::Win32Registry->new($ntuser);
my $root_key = $reg->get_root_key;
my $logon_name = "Logon User Name";
my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Explorer';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
my @vals = $key->get_list_of_values();
if (scalar(@vals) > 0) {
::rptMsg("Logon User Name");
::rptMsg($key_path);
::rptMsg("LastWrite Time [".gmtime($key->get_timestamp())." (UTC)]");
foreach my $v (@vals) {
if ($v->get_name() eq $logon_name) {
::rptMsg($logon_name." = ".$v->get_data());
}
}
}
else {
::rptMsg($key_path." has no values.");
::logMsg($key_path." has no values.");
}
}
else {
::rptMsg($key_path." not found.");
::logMsg($key_path." not found.");
}
}
1;
