diff --git a/trunk/report_templates/NTUSER_RecentDocs.qs b/trunk/report_templates/NTUSER_RecentDocs.qs
index d49215e..a0f9127 100644
--- a/trunk/report_templates/NTUSER_RecentDocs.qs
+++ b/trunk/report_templates/NTUSER_RecentDocs.qs
@@ -1,26 +1,23 @@
println("<html>");
println(" <head><title>Recent Documents</title></head>");
-println(" <body>");
+println(" <body style=\"font-size:12\">");
println(" <h2>Recent documents</h2>");
-println(" <p>");
+println(" <p style=\"font-size:12\">");
+println(" <table style=\"margin-left:20px; font-size:12\">");
-// Iterate over all recent docs
+// Get list of recent docs
var recent_docs=GetRegistryKeyValue("\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs","MRUListEx");
+
+// Iterate over all recent docs
var i=0;
var runlist=RegistryKeyValueToVariant(recent_docs.value,"uint32",i);
-
-/*
-println(runlist.toString(10),"<br />");
-var entry=GetRegistryKeyValue("\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs",runlist.toString(10));
-println(" ",RegistryKeyValueToVariant(entry.value,"utf16",0),"<br />");
-*/
-
while(Number(runlist)!=0xffffffff) {
var entry=GetRegistryKeyValue("\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs",runlist.toString(10));
- println(" ",RegistryKeyValueToVariant(entry.value,"utf16",0),"<br />");
+ println(" <tr><td>",RegistryKeyValueToVariant(entry.value,"utf16",0),"</td></tr>");
i+=4;
runlist=RegistryKeyValueToVariant(recent_docs.value,"uint32",i);
}
+println(" </table>");
println(" </p>");
println("</html>");
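Review bot: The new row `println("    <tr><td>",RegistryKeyValueToVariant(entry.value,"utf16",0),"</td></tr>");` still dereferences `entry.value` without the `typeof entry !== 'undefined'` guard that SYSTEM_UsbStorageDevices.qs applies to the same kind of lookup, so an MRUListEx index whose named value is absent (the index list and the per-document values are separate values and need not agree in a partially overwritten hive) would abort the report instead of skipping the row. The same line, and the `<td>` rows in NTUSER_TypedUrls.qs and SYSTEM_UsbStorageDevices.qs, also write registry-derived text straight into the HTML, so a document name, URL or device description containing `<` or `&` is rendered as markup rather than as text; since the hive is evidence under analysis, that text should be escaped before it reaches `println`. A small helper shared by the three templates covers both points.
```javascript
// Escape registry-derived text before embedding it in the report markup.
function html_escape(text) {
  return String(text).replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/>/g,"&gt;").replace(/"/g,"&quot;");
}
// … unchanged: header output, MRUListEx lookup, runlist initialisation …
while(Number(runlist)!=0xffffffff) {
  var entry=GetRegistryKeyValue("\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs",runlist.toString(10));
  // Skip indices whose named value is missing instead of failing on entry.value.
  if(typeof entry !== 'undefined') {
    println("    <tr><td>",html_escape(RegistryKeyValueToVariant(entry.value,"utf16",0)),"</td></tr>");
  }
  i+=4;
  runlist=RegistryKeyValueToVariant(recent_docs.value,"uint32",i);
}
```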
diff --git a/trunk/report_templates/NTUSER_TypedUrls.qs b/trunk/report_templates/NTUSER_TypedUrls.qs
new file mode 100644
index 0000000..29ecb94
--- /dev/null
+++ b/trunk/report_templates/NTUSER_TypedUrls.qs
@@ -0,0 +1,17 @@
+println("<html>");
+println(" <head><title>Typed Urls</title></head>");
+println(" <body style=\"font-size:12\">");
+println(" <h2>Typed urls</h2>");
+println(" <p style=\"font-size:12\">");
+println(" <table style=\"margin-left:20px; font-size:12\">");
+
+// Iterate over all typed urls
+var typed_urls=GetRegistryKeys("\\Software\\Microsoft\\Internet Explorer\\TypedURLs");
+for(var i=0;i<typed_urls.length;i++) {
+ var val=GetRegistryKeyValue("\\Software\\Microsoft\\Internet Explorer\\TypedURLs",typed_urls[i]);
+ println(" <tr><td>",RegistryKeyValueToString(val.value,val.type),"</td></tr>");
+}
+
+println(" </table>");
+println(" </p>");
+println("</html>");
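Review bot: The report ends with `println("</html>");` but never emits `</body>`, and the `<table>` is opened inside a `<p>`, which HTML does not permit (the parser implicitly closes the paragraph, leaving the trailing `</p>` stray); NTUSER_RecentDocs.qs and SYSTEM_UsbStorageDevices.qs have the same two structural problems. The row also drops `typed_urls[i]`, the value name (url1, url2, …) that records the order of the typed URLs, so the report loses that ordering. Printing the name as a first cell, `println("    <tr><td>",typed_urls[i],"</td><td>",RegistryKeyValueToString(val.value,val.type),"</td></tr>");`, keeps it, and `println("  </body>");` before the final line closes the document properly.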
diff --git a/trunk/report_templates/SYSTEM_UsbStorageDevices.qs b/trunk/report_templates/SYSTEM_UsbStorageDevices.qs
new file mode 100644
index 0000000..32d7353
--- /dev/null
+++ b/trunk/report_templates/SYSTEM_UsbStorageDevices.qs
@@ -0,0 +1,43 @@
+// TODO: There is more here. Check http://www.forensicswiki.org/wiki/USB_History_Viewing
+
+function print_table_row(cell01,cell02) {
+ println(" <tr><td>",cell01,"</td><td>",cell02,"</td></tr>");
+}
+
+// Global vars
+var val;
+
+// Get current controlset
+var cur_controlset=GetRegistryKeyValue("\\Select","Current");
+cur_controlset=RegistryKeyValueToString(cur_controlset.value,cur_controlset.type);
+// Current holds a DWORD value, thus we get a string like 0x00000000, but
+// control sets are referenced only with the last 3 digits.
+cur_controlset="ControlSet"+String(cur_controlset).substr(7,3);
+
+println("<html>");
+println(" <head><title>USB Storage Devices</title></head>");
+println(" <body style=\"font-size:12\">");
+println(" <h2>USB storage devices</h2>");
+println(" <p style=\"font-size:12\">");
+
+var storage_roots=GetRegistryNodes(cur_controlset+"\\Enum\\USBSTOR");
+for(var i=0;i<storage_roots.length;i++) {
+ println(" <u>",storage_roots[i],"</u><br />");
+ var storage_subroots=GetRegistryNodes(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]);
+ for(ii=0;ii<storage_subroots.length;ii++) {
+ println(" <table style=\"margin-left:20px; font-size:12\">");
+ // Note: If the second character of the unique instance ID is a '&', then the ID was
+ // generated by the system, as the device did not have a serial number.
+ print_table_row("Unique ID:",storage_subroots[ii]);
+
+ val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"Class");
+ print_table_row("Class:",(typeof val !== 'undefined') ? RegistryKeyValueToString(val.value,val.type) : "");
+ val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"DeviceDesc");
+ print_table_row("Device description:",(typeof val !== 'undefined') ? RegistryKeyValueToString(val.value,val.type) : "");
+ val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"FriendlyName");
+ print_table_row("Friendly name:",(typeof val !== 'undefined') ? RegistryKeyValueToString(val.value,val.type) : "");
+ }
+}
+
+println(" </p>");
+println("</html>");
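Review bot: Each pass of the inner loop opens a table at `println("    <table style=\"margin-left:20px; font-size:12\">");` but nothing closes it before the next device or the final `</p>`, so every sub-root after the first is nested inside the previous table; add `println("    </table>");` after the `Friendly name:` row, just before the inner loop's closing brace. That loop also declares its counter as `for(ii=0;...` without `var`, making `ii` an implicit global, whereas the outer loop uses `var i`. The `\\Select` / `Current` lookup at the top is not guarded the way the three `val` lookups below are, and `substr(7,3)` relies on RegistryKeyValueToString rendering the DWORD as exactly `0x` plus eight hex digits; that assumption deserves a comment, e.g. `// Assumes RegistryKeyValueToString renders a DWORD as 0x%08x; keep the last three digits.`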