diff --git a/trunk/report_templates/SYSTEM_UsbStorageDevices2.qs b/trunk/report_templates/SYSTEM_UsbStorageDevices2.qs
new file mode 100644
index 0000000..0b11e6a
--- /dev/null
+++ b/trunk/report_templates/SYSTEM_UsbStorageDevices2.qs
@@ -0,0 +1,181 @@
+function fred_report_info() {
+ var info={report_cat : "SYSTEM",
+ report_name : "USB storage devices as table",
+ report_author : "Gillen Daniel, Voncken Guy",
+ report_desc : "Dump USB storage devices",
+ fred_api : 2,
+ hive : "SYSTEM"
+ };
+ return info;
+}
+
+function IsValid(val) {
+ if(typeof val !== 'undefined') return true;
+ else return false;
+}
+
+function print_table_row(cell01,cell02) {
+ println(" <tr><td>",cell01,"</td><td>",cell02,"</td></tr>");
+}
+
+function print_dev_table_row(VendorProd,
+ ID,
+ Class,
+ Name,
+ MountPoint,
+ ParentId,
+ Desc)
+{
+ println(" <tr>");
+ println(" <td>",VendorProd,"</td>");
+ println(" <td>",ID,"</td>");
+ println(" <td>",Class,"</td>");
+ println(" <td>",Name,"</td>");
+ println(" <td>",MountPoint,"</td>");
+ println(" <td>",ParentId,"</td>");
+ println(" <td>",Desc,"</td>");
+ println(" </tr>");
+}
+
+function ZeroPad(number,padlen) {
+ var ret=number.toString(10);
+ if(!padlen || ret.length>=padlen) return ret;
+ return Math.pow(10,padlen-ret.length).toString().slice(1)+ret;
+}
+
+function GetKeyVal(path, key) {
+ var val=GetRegistryKeyValue(path, key);
+ return (IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "";
+}
+
+function fred_report_html() {
+ // TODO: There is more here.
+ // Check http://www.forensicswiki.org/wiki/USB_History_Viewing
+ var val;
+
+ println(" <h2>USB storage devices</h2>");
+
+ // Preload MountedDevices to possibly identify mount points of USB storage
+ // devices
+ var mnt_keys=GetRegistryKeys("\\MountedDevices");
+ var mnt_values=new Array();
+ if(IsValid(mnt_keys)) {
+ for(var i=0;i<mnt_keys.length;i++) {
+ val=GetRegistryKeyValue("\\MountedDevices",mnt_keys[i]);
+ mnt_values[i]=RegistryKeyValueToVariant(val.value,"utf16");
+ }
+ }
+
+ // Get current controlset
+ var cur_controlset=GetRegistryKeyValue("\\Select","Current");
+ if(IsValid(cur_controlset)) {
+ cur_controlset=RegistryKeyValueToString(cur_controlset.value,
+ cur_controlset.type);
+ // Current holds a DWORD value, thus we get a string like 0x00000000, but
+ // control sets are referenced by its decimal representation.
+ cur_controlset="ControlSet"+
+ ZeroPad(parseInt(String(cur_controlset).substr(2,8),16),3);
+
+ println(" <p style=\"font-size:12; white-space:nowrap\">");
+ println(" <u>Settings</u><br />");
+ println(" <table style=\"margin-left:20px; ",
+ "font-size:12; white-space:nowrap\">");
+
+ // Are USB storage devices enabled?
+ // http://www.forensicmag.com/article/windows-7-registry-forensics-part-5
+ // Is this true for WinXP etc.. ???
+ var val=GetRegistryKeyValue(cur_controlset+"\\services\\USBSTOR","Start");
+ if(IsValid(val)) {
+ val=RegistryKeyValueToString(val.value,val.type);
+ val=parseInt(String(val).substr(2,8),10);
+ switch(val) {
+ case 3:
+ print_table_row("Storage driver enabled:","Yes");
+ break;
+ case 4:
+ print_table_row("Storage driver enabled:","No");
+ break;
+ default:
+ print_table_row("Storage driver enabled:","Unknown");
+ }
+ } else {
+ print_table_row("Storage driver enabled:","Unknown");
+ }
+
+ println(" </table>");
+ println(" </p>");
+ println(" <p style=\"font-size:12; white-space:nowrap\">");
+ println(" <u>Devices</u><br />");
+
+ var storage_roots=GetRegistryNodes(cur_controlset+"\\Enum\\USBSTOR");
+ if(IsValid(storage_roots)) {
+ println(" <table style=\"margin-left:20px; font-size:12; ",
+ "white-space:nowrap\">");
+ print_dev_table_row("<b>Vendor Name</b>",
+ "<b>Unique ID</b>",
+ "<b>Class</b>",
+ "<b>Friendly name</b>",
+ "<b>Mount point(s)</b>",
+ "<b>Parent ID</b>",
+ "<b>Device description</b>");
+ for(var i=0; i<storage_roots.length; i++) {
+ var storage_subroots=
+ GetRegistryNodes(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]);
+ for(var ii=0;ii<storage_subroots.length;ii++) {
+ ID = storage_subroots[ii];
+ if(String(ID).charAt(1)=="&") {
+ // If the second character of the unique instance ID is a '&', then
+ // the ID was generated by the system, as the device did not have a
+ // serial number.
+ ID = ID + " (Generated by system)";
+ }
+ Key = cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+
+ "\\"+storage_subroots[ii];
+ Class = GetKeyVal (Key,"Class");
+ DeviceDesc = GetKeyVal (Key,"DeviceDesc");
+ FriendlyName = GetKeyVal (Key,"FriendlyName");
+ ParentID = GetKeyVal (Key,"ParentIdPrefix");
+ MountPoints = ""
+
+ var br=0;
+ if(ParentID != "") {
+ // Windows XP uses the ParentId to link to MountedDevices
+ SearchString = "#"+ParentID+"&";
+ } else {
+ // Since Vista, Unique IDs are used
+ SearchString = "#"+storage_subroots[ii]+"#";
+ }
+ for(var iii=0; iii<mnt_keys.length; iii++) {
+ if(String(mnt_values[iii]).indexOf(SearchString)!=-1) {
+ if(br==1) MountPoints = MountPoints + "<br />";
+ else br=1;
+ MountPoints = MountPoints + mnt_keys[iii];
+ }
+ }
+ if(br==0) MountPoints = MountPoints + "n/a";
+
+ print_dev_table_row(storage_roots[i],
+ ID,
+ Class,
+ FriendlyName,
+ MountPoints,
+ ParentID,
+ DeviceDesc);
+ }
+ }
+ println(" </table>");
+ println(" <br />");
+ } else {
+ println(" <font color=\"red\">This registry hive does not contain a ",
+ "list of attached USB storage devices!</font>");
+ }
+ println(" </p>");
+ } else {
+ println(" <p><font color=\"red\">");
+ println(" Unable to determine current control set!<br />");
+ println(" Are you sure you are running this report against the correct ",
+ "registry hive?");
+ println(" </font></p>");
+ }
+}
+
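Review bot: Registry-derived strings (Class, DeviceDesc, FriendlyName, ParentIdPrefix, the USBSTOR node names and the MountedDevices value names) are written into the report HTML verbatim by the `print_dev_table_row(storage_roots[i], ID, Class, ...)` call and the `MountPoints = MountPoints + mnt_keys[iii]` line, with no escaping. These values come from the evidence hive, which a forensic tool has to treat as hostile: a device whose FriendlyName contains `<script>` or a stray `</table>` would corrupt the report and, if the report viewer executes script, could compromise the analyst's workstation. Escaping cannot live inside print_dev_table_row, because the header call deliberately passes `<b>…</b>` markup through it, and it must not be applied to ParentID before SearchString is built, because ParentIdPrefix values themselves contain `&`; escape at the output call instead, as below. Separately, the `for(var iii=0; iii<mnt_keys.length; iii++)` loop is reached even when the IsValid(mnt_keys) guard at the preload failed, so iterating mnt_values (always an array) avoids a TypeError on hives with no MountedDevices key.
```javascript
// Escape a registry-derived string before it is embedded in the report HTML;
// hive contents are evidence, not trusted input.
function HtmlEscape(s) {
  return String(s).replace(/&/g, "&amp;")
                  .replace(/</g, "&lt;")
                  .replace(/>/g, "&gt;")
                  .replace(/"/g, "&quot;");
}

// … unchanged: fred_report_info, IsValid, print_table_row, print_dev_table_row, ZeroPad, GetKeyVal …

// … unchanged: fred_report_html up to the mount-point search …
        for(var iii=0; iii<mnt_values.length; iii++) {
          if(String(mnt_values[iii]).indexOf(SearchString)!=-1) {
            if(br==1) MountPoints = MountPoints + "<br />";
            else br=1;
            MountPoints = MountPoints + HtmlEscape(mnt_keys[iii]);
          }
        }
        if(br==0) MountPoints = MountPoints + "n/a";

        // MountPoints already carries its own <br /> markup and escaped names.
        print_dev_table_row(HtmlEscape(storage_roots[i]),
                            HtmlEscape(ID),
                            HtmlEscape(Class),
                            HtmlEscape(FriendlyName),
                            MountPoints,
                            HtmlEscape(ParentID),
                            HtmlEscape(DeviceDesc));
// … unchanged: table close and error branches …
```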
