mirror of
https://github.com/overcuriousity/autopsy-flatpak.git
synced 2025-07-06 21:00:22 +00:00
01494b3fb2
Check for undefined values in Autopsy regripper plugins, this is for Autopsy version of regripper not full version of regripper.
76 lines
2.4 KiB
Perl
76 lines
2.4 KiB
Perl
#-----------------------------------------------------------
|
|
# shellfolders.pl
|
|
#
|
|
# Retrieve the Shell Folders values from user's hive; while
|
|
# this may not be important in every instance, it may give the
|
|
# examiner indications as to where to look for certain items;
|
|
# for example, if the user's "My Documents" folder has been redirected
|
|
# as part of configuration changes (corporate policies, etc.). Also,
|
|
# this may be important as part of data leakage exams, as XP and Vista
|
|
# allow users to drop and drag files to the CD Burner.
|
|
#
|
|
# References:
|
|
# http://support.microsoft.com/kb/279157
|
|
# http://support.microsoft.com/kb/326982
|
|
#
|
|
# copyright 2009 H. Carvey, keydet89@yahoo.com
|
|
#-----------------------------------------------------------
|
|
package autopsyshellfolders;
|
|
use strict;
|
|
|
|
my %config = (hive => "NTUSER\.DAT",
|
|
osmask => 22,
|
|
hasShortDescr => 1,
|
|
hasDescr => 0,
|
|
hasRefs => 0,
|
|
version => 20090115);
|
|
|
|
sub getConfig{return %config}
|
|
|
|
sub getShortDescr {
|
|
return "Retrieve user Shell Folders values";
|
|
}
|
|
sub getDescr{}
|
|
sub getRefs {}
|
|
sub getHive {return $config{hive};}
|
|
sub getVersion {return $config{version};}
|
|
|
|
my $VERSION = getVersion();
|
|
|
|
sub pluginmain {
|
|
my $class = shift;
|
|
my $hive = shift;
|
|
#::logMsg("Launching shellfolders v.".$VERSION);
|
|
if (defined(Parse::Win32Registry->new($hive))) {
|
|
my $reg = Parse::Win32Registry->new($hive);
|
|
|
|
my $root_key = $reg->get_root_key;
|
|
|
|
my $key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders";
|
|
my $key;
|
|
if ($key = $root_key->get_subkey($key_path)) {
|
|
::rptMsg("<shellfolders>");
|
|
::rptMsg("<mtime>".gmtime($key->get_timestamp())."</mtime>");
|
|
|
|
my @vals = $key->get_list_of_values();
|
|
::rptMsg("<artifacts>");
|
|
if (scalar(@vals) > 0) {
|
|
foreach my $v (@vals) {
|
|
my $str = sprintf "%-20s %-40s","<shell name=\"".$v->get_name()."\">",$v->get_data()."</shell>";
|
|
::rptMsg($str);
|
|
}
|
|
::rptMsg("");
|
|
}
|
|
else {
|
|
#::rptMsg($key_path." has no values.");
|
|
}
|
|
::rptMsg("</artifacts></shellfolders>");
|
|
}
|
|
else {
|
|
#::rptMsg($key_path." not found.");
|
|
#::logMsg($key_path." not found.");
|
|
}
|
|
}
|
|
}
|
|
1;
|