mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-17 10:17:41 +00:00
Code Issues Packages Projects Releases Wiki Activity
autopsy-flatpak/RecentActivity/release/rr-full/plugins/usbstor.pl
APriestman fe62624541 Updated RecentActivity to use RegRipper 2.8. 
Added additional RegRipper modules to support STIX data.
Stopped RecentActivity IE parser from generating empty user accounts.
2014-12-03 14:21:14 -05:00

124 lines
3.7 KiB
Perl
Executable File
Raw Blame History

#-----------------------------------------------------------
# usbstor
#
# History:
# 20141111 - updated check for key LastWrite times
# 20141015 - added subkey LastWrite times
# 20130630 - added FirstInstallDate, InstallDate query
# 20080418 - created
#
# Ref:
# http://studioshorts.com/blog/2012/10/windows-8-device-property-ids-device-enumeration-pnpobject/
#
# copyright 2014 QAR, LLC
# Author: H. Carvey, keydet89@yahoo.com
#-----------------------------------------------------------
package usbstor;
use strict;
my %config = (hive => "System",
osmask => 22,
hasShortDescr => 1,
hasDescr => 0,
hasRefs => 0,
version => 20141111);
sub getConfig{return %config}
sub getShortDescr {
return "Get USBStor key info";
}
sub getDescr{}
sub getRefs {}
sub getHive {return $config{hive};}
sub getVersion {return $config{version};}
my $VERSION = getVersion();
sub pluginmain {
my $class = shift;
my $hive = shift;
::logMsg("Launching usbstor v.".$VERSION);
::rptMsg("usbstor v.".$VERSION); # banner
::rptMsg("(".getHive().") ".getShortDescr()."\n"); # banner
my $reg = Parse::Win32Registry->new($hive);
my $root_key = $reg->get_root_key;
# Code for System file, getting CurrentControlSet
my $current;
my $ccs;
my $key_path = 'Select';
my $key;
if ($key = $root_key->get_subkey($key_path)) {
$current = $key->get_value("Current")->get_data();
$ccs = "ControlSet00".$current;
}
else {
::rptMsg($key_path." not found.");
return;
}
my $key_path = $ccs."\\Enum\\USBStor";
my $key;
if ($key = $root_key->get_subkey($key_path)) {
::rptMsg("USBStor");
::rptMsg($key_path);
::rptMsg("");
my @subkeys = $key->get_list_of_subkeys();
if (scalar(@subkeys) > 0) {
foreach my $s (@subkeys) {
::rptMsg($s->get_name()." [".gmtime($s->get_timestamp())."]");
my @sk = $s->get_list_of_subkeys();
if (scalar(@sk) > 0) {
foreach my $k (@sk) {
my $serial = $k->get_name();
::rptMsg(" S/N: ".$serial." [".gmtime($k->get_timestamp())."]");
# added 20141015; updated 20141111
eval {
::rptMsg(" Device Parameters LastWrite: [".gmtime($k->get_subkey("Device Parameters")->get_timestamp())."]");
};
eval {
::rptMsg(" LogConf LastWrite : [".gmtime($k->get_subkey("LogConf")->get_timestamp())."]");
};
eval {
::rptMsg(" Properties LastWrite : [".gmtime($k->get_subkey("Properties")->get_timestamp())."]");
};
my $friendly;
eval {
$friendly = $k->get_value("FriendlyName")->get_data();
};
::rptMsg(" FriendlyName : ".$friendly) if ($friendly ne "");
my $parent;
eval {
$parent = $k->get_value("ParentIdPrefix")->get_data();
};
::rptMsg(" ParentIdPrefix: ".$parent) if ($parent ne "");
# Attempt to retrieve InstallDate/FirstInstallDate from Properties subkeys
# http://studioshorts.com/blog/2012/10/windows-8-device-property-ids-device-enumeration-pnpobject/
eval {
my $t = $k->get_subkey("Properties\\{83da6326-97a6-4088-9453-a1923f573b29}\\00000064\\00000000")->get_value("Data")->get_data();
my ($t0,$t1) = unpack("VV",$t);
::rptMsg(" InstallDate : ".gmtime(::getTime($t0,$t1))." UTC");
$t = $k->get_subkey("Properties\\{83da6326-97a6-4088-9453-a1923f573b29}\\00000065\\00000000")->get_value("Data")->get_data();
($t0,$t1) = unpack("VV",$t);
::rptMsg(" FirstInstallDate: ".gmtime(::getTime($t0,$t1))." UTC");
};
}
}
::rptMsg("");
}
}
else {
::rptMsg($key_path." has no subkeys.");
}
}
else {
::rptMsg($key_path." not found.");
}
}
1;
Reference in New Issue View Git Blame Copy Permalink