mirror of
https://github.com/overcuriousity/autopsy-flatpak.git
synced 2025-07-14 08:56:15 +00:00
fe62624541
Added additional RegRipper modules to support STIX data. Stopped RecentActivity IE parser from generating empty user accounts.
161 lines
4.8 KiB
Perl
Executable File
161 lines
4.8 KiB
Perl
Executable File
#-----------------------------------------------------------
|
|
# backuprestore.pl
|
|
# Access System hive file to get the contents of the FilesNotToSnapshot, KeysNotToRestore, and FilesNotToBackup keys
|
|
#
|
|
# Change history
|
|
# 20130904: cleaned up code
|
|
# 9/14/2012: retired the filesnottosnapshot.pl plugin since BackupRestore checks the same key
|
|
#
|
|
# References
|
|
# Troy Larson's Windows 7 presentation slide deck http://computer-forensics.sans.org/summit-archives/2010/files/12-larson-windows7-foreniscs.pdf
|
|
# QCCIS white paper Reliably recovering evidential data from Volume Shadow Copies http://www.qccis.com/downloads/whitepapers/QCC%20VSS
|
|
# http://msdn.microsoft.com/en-us/library/windows/desktop/bb891959(v=vs.85).aspx
|
|
#
|
|
# copyright 2012 Corey Harrell (Journey Into Incident Response)
|
|
#-----------------------------------------------------------
|
|
package backuprestore;
|
|
use strict;
|
|
|
|
my %config = (hive => "System",
|
|
hasShortDescr => 1,
|
|
hasDescr => 0,
|
|
hasRefs => 0,
|
|
osmask => 22,
|
|
version => 20130904);
|
|
|
|
sub getConfig{return %config}
|
|
sub getShortDescr {
|
|
return "Gets the contents of the FilesNotToSnapshot, KeysNotToRestore, and FilesNotToBackup keys";
|
|
}
|
|
sub getDescr{}
|
|
sub getRefs {}
|
|
sub getHive {return $config{hive};}
|
|
sub getVersion {return $config{version};}
|
|
|
|
my $VERSION = getVersion();
|
|
|
|
sub pluginmain {
|
|
my $class = shift;
|
|
my $hive = shift;
|
|
::logMsg("Launching backuprestore v.".$VERSION);
|
|
::rptMsg("backuprestore v.".$VERSION);
|
|
::rptMsg("(".$config{hive}.") ".getShortDescr()."\n");
|
|
|
|
my $reg = Parse::Win32Registry->new($hive);
|
|
my $root_key = $reg->get_root_key;
|
|
# First thing to do is get the ControlSet00x marked current...this is
|
|
# going to be used over and over again in plugins that access the system
|
|
# file
|
|
my ($current,$ccs);
|
|
my $key_path = 'Select';
|
|
my $key;
|
|
if ($key = $root_key->get_subkey($key_path)) {
|
|
$current = $key->get_value("Current")->get_data();
|
|
$ccs = "ControlSet00".$current;
|
|
|
|
my $fns_path = $ccs."\\Control\\BackupRestore\\FilesNotToSnapshot";
|
|
my $fns;
|
|
if ($fns = $root_key->get_subkey($fns_path)) {
|
|
# ::rptMsg("FilesNotToSnapshot key");
|
|
::rptMsg($fns_path);
|
|
::rptMsg("LastWrite Time ".gmtime($fns->get_timestamp())." (UTC)");
|
|
::rptMsg("The listed directories/files are not backed up in Volume Shadow Copies");
|
|
::rptMsg("");
|
|
|
|
my %cv;
|
|
my @valfns = $fns->get_list_of_values();
|
|
if (scalar(@valfns) > 0) {
|
|
foreach my $v (@valfns) {
|
|
my $name = $v->get_name();
|
|
my $data = $v->get_data();
|
|
my $len = length($data);
|
|
next if ($name eq "");
|
|
push(@{$cv{$len}},$name." : ".$data);
|
|
}
|
|
|
|
foreach my $t (sort {$a <=> $b} keys %cv) {
|
|
foreach my $item (@{$cv{$t}}) {
|
|
::rptMsg(" $item");
|
|
}
|
|
}
|
|
}
|
|
else {
|
|
::rptMsg($fns_path." has no values.");
|
|
}
|
|
}
|
|
else {
|
|
::rptMsg($fns_path." not found.");
|
|
}
|
|
::rptMsg("");
|
|
my $fnb_path = $ccs."\\Control\\BackupRestore\\FilesNotToBackup";
|
|
my $fnb;
|
|
if ($fnb = $root_key->get_subkey($fnb_path)) {
|
|
::rptMsg("FilesNotToBackup key");
|
|
::rptMsg($fnb_path);
|
|
::rptMsg("LastWrite Time ".gmtime($fnb->get_timestamp())." (UTC)");
|
|
::rptMsg("Specifies the directories and files that backup applications should not backup or restore");
|
|
::rptMsg("");
|
|
|
|
my %cq;
|
|
my @valfnb = $fnb->get_list_of_values();;
|
|
if (scalar(@valfnb) > 0) {
|
|
foreach my $v (@valfnb) {
|
|
my $name = $v->get_name();
|
|
my $data = $v->get_data();
|
|
my $len = length($data);
|
|
next if ($name eq "");
|
|
push(@{$cq{$len}},$name." : ".$data);
|
|
}
|
|
|
|
foreach my $t (sort {$a <=> $b} keys %cq) {
|
|
foreach my $item (@{$cq{$t}}) {
|
|
::rptMsg(" $item");
|
|
}
|
|
}
|
|
}
|
|
else {
|
|
::rptMsg($fnb_path." has no values.");
|
|
}
|
|
}
|
|
else {
|
|
::rptMsg($fnb_path." not found.");
|
|
}
|
|
::rptMsg("");
|
|
my $knr_path = $ccs."\\Control\\BackupRestore\\KeysNotToRestore";
|
|
my $knr;
|
|
if ($knr = $root_key->get_subkey($knr_path)) {
|
|
::rptMsg("KeysNotToRestore key");
|
|
::rptMsg($knr_path);
|
|
::rptMsg("LastWrite Time ".gmtime($knr->get_timestamp())." (UTC)");
|
|
::rptMsg("");
|
|
::rptMsg("Specifies the names of the registry subkeys and values that backup applications should not restore");
|
|
::rptMsg("");
|
|
|
|
my %cw;
|
|
my @valknr = $knr->get_list_of_values();;
|
|
if (scalar(@valknr) > 0) {
|
|
foreach my $v (@valknr) {
|
|
my $name = $v->get_name();
|
|
my $data = $v->get_data();
|
|
my $len = length($data);
|
|
next if ($name eq "");
|
|
push(@{$cw{$len}},$name." : ".$data);
|
|
}
|
|
|
|
foreach my $t (sort {$a <=> $b} keys %cw) {
|
|
foreach my $item (@{$cw{$t}}) {
|
|
::rptMsg(" $item");
|
|
}
|
|
}
|
|
}
|
|
else {
|
|
::rptMsg($knr_path." has no values.");
|
|
}
|
|
}
|
|
else {
|
|
::rptMsg($knr_path." not found.");
|
|
}
|
|
}
|
|
}
|
|
|
|
1; |