mirror of
https://github.com/overcuriousity/autopsy-flatpak.git
synced 2025-07-08 22:29:33 +00:00
155 lines
4.5 KiB
Perl
155 lines
4.5 KiB
Perl
#! c:\perl\bin\perl.exe
|
|
#-----------------------------------------------------------
|
|
# ie_settings.pl
|
|
# Gets IE settings
|
|
#
|
|
# Change history
|
|
# 20130731 - added check for "ClearBrowsingHistoryOnExit"
|
|
# 20130328 - added "AutoConfigURL" value info
|
|
# 20130223 - updated
|
|
# 20091016 - created
|
|
#
|
|
# References
|
|
# http://blog.digital-forensics.it/2012/05/exploring-internet-explorer-with.html
|
|
#
|
|
#
|
|
# copyright 2013 QAR, LLC
|
|
# Author: H. Carvey, keydet89@yahoo.com
|
|
#-----------------------------------------------------------
|
|
package ie_settings;
|
|
use strict;
|
|
|
|
my %config = (hive => "NTUSER\.DAT",
|
|
hasShortDescr => 1,
|
|
hasDescr => 0,
|
|
hasRefs => 1,
|
|
osmask => 22,
|
|
version => 20130731);
|
|
|
|
sub getConfig{return %config}
|
|
sub getShortDescr {
|
|
return "Gets important user IE settings";
|
|
}
|
|
sub getDescr{}
|
|
sub getHive {return $config{hive};}
|
|
sub getVersion {return $config{version};}
|
|
|
|
my $VERSION = getVersion();
|
|
|
|
sub pluginmain {
|
|
my $class = shift;
|
|
my $ntuser = shift;
|
|
::logMsg("Launching ie_settings v.".$VERSION);
|
|
::rptMsg("ie_settings v.".$VERSION); # banner
|
|
::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
|
|
my $reg = Parse::Win32Registry->new($ntuser);
|
|
my $root_key = $reg->get_root_key;
|
|
|
|
my $key_path = 'Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings';
|
|
my $key;
|
|
if ($key = $root_key->get_subkey($key_path)) {
|
|
::rptMsg($key_path);
|
|
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
|
|
::rptMsg("");
|
|
my $ua;
|
|
eval {
|
|
$ua = $key->get_value("User Agent")->get_data();
|
|
::rptMsg("User Agent = ".$ua);
|
|
};
|
|
|
|
my $zonessecupgrade;
|
|
eval {
|
|
$zonessecupgrade = $key->get_value("ZonesSecurityUpgrade")->get_data();
|
|
my ($z0,$z1) = unpack("VV",$zonessecupgrade);
|
|
::rptMsg("ZonesSecurityUpgrade = ".gmtime(::getTime($z0,$z1))." (UTC)");
|
|
};
|
|
|
|
my $daystokeep;
|
|
eval {
|
|
$daystokeep = $key->get_subkey("Url History")->get_value("DaysToKeep")->get_data();
|
|
::rptMsg("DaysToKeep = ".$daystokeep);
|
|
};
|
|
if ($@) {
|
|
::rptMsg("DaysToKeep value not found - default is 20 days");
|
|
}
|
|
# added check for "delete history on exit" setting 20130731
|
|
my $clear;
|
|
eval {
|
|
$clear = $key->get_subkey("Privacy")->get_value("ClearBrowsingHistoryOnExit")->get_data();
|
|
::rptMsg("ClearBrowsingHistoryOnExit = ".$clear);
|
|
# 1 = enabled
|
|
};
|
|
|
|
# AutoConfigURL
|
|
# ref: http://technet.microsoft.com/en-us/library/cc736412%28v=ws.10%29.aspx
|
|
# http://blog.spiderlabs.com/2012/04/brazilian-banking-malware-pay-your-bill-slacker-.html
|
|
eval {
|
|
my $auto = $key->get_value("AutoConfigURL")->get_data();
|
|
::rptMsg("AutoConfigURL: ".$auto);
|
|
::rptMsg("**Possible malware indicator found!!");
|
|
};
|
|
|
|
}
|
|
else {
|
|
::rptMsg($key_path." not found.");
|
|
}
|
|
#-----------------------------------------------------------
|
|
# Windows Search integration into IE
|
|
# Windows Search indexes URLs for autocompletion
|
|
#
|
|
# Ref:
|
|
# http://www.ghacks.net/2011/03/17/disable-indexing-of-internet-explorer-web-history-by-windows-search/
|
|
#
|
|
#
|
|
#-----------------------------------------------------------
|
|
$key_path = 'Software\\Microsoft\\Internet Explorer\\Main\\WindowsSearch';
|
|
if ($key = $root_key->get_subkey($key_path)) {
|
|
::rptMsg("");
|
|
::rptMsg($key_path);
|
|
::rptMsg("LastWrite Time ".gmtime($key->get_timestamp())." (UTC)");
|
|
|
|
eval {
|
|
my $v = $key->get_value("Version")->get_data();
|
|
::rptMsg("Version = ".$v);
|
|
};
|
|
|
|
::rptMsg("");
|
|
# Gets information about when the IE history was last cleared by the user
|
|
my $cleared;
|
|
eval {
|
|
$cleared = $key->get_value("Cleared")->get_data();
|
|
if ($cleared == 1) {
|
|
::rptMsg("Cleared = 1");
|
|
my @t = unpack("VV",$key->get_value("Cleared_TIMESTAMP")->get_data());
|
|
my $cl_ts = ::getTime($t[0],$t[1]);
|
|
::rptMsg("Cleared_TIMESTAMP = ".gmtime($cl_ts)." UTC");
|
|
::rptMsg("Analysis Tip: The \'Cleared\' value indicates that the user account ");
|
|
::rptMsg("was used to clear the IE browser history, and the timestamp value indicates");
|
|
::rptMsg("when this occurred\.");
|
|
}
|
|
};
|
|
if ($@) {
|
|
::rptMsg("\'Cleared\' value not found\.");
|
|
}
|
|
::rptMsg("");
|
|
eval {
|
|
my @v = unpack("VV",$key->get_value("LastCrawl")->get_data());
|
|
my $crawl = ::getTime($v[0],$v[1]);
|
|
::rptMsg("LastCrawl = ".gmtime($crawl)." UTC");
|
|
};
|
|
|
|
eval {
|
|
my @v = unpack("VV",$key->get_value("UpgradeTime")->get_data());
|
|
my $up = ::getTime($v[0],$v[1]);
|
|
::rptMsg("UpgradeTime = ".gmtime($up)." UTC");
|
|
};
|
|
|
|
eval {
|
|
my $path = $key->get_value("User Favorites Path")->get_data();
|
|
::rptMsg("User Favorites Path = ".$path);
|
|
};
|
|
|
|
}
|
|
}
|
|
1;
|