diff --git a/trunk/debian/fred-reports.install b/trunk/debian/fred-reports.install
index d406d30..42ea7c5 100644
--- a/trunk/debian/fred-reports.install
+++ b/trunk/debian/fred-reports.install
@@ -1,7 +1,17 @@
+report_templates/NTUSER_Autoruns.qs usr/share/fred/report_templates/
+report_templates/NTUSER_LaunchedApplications.qs usr/share/fred/report_templates/
report_templates/NTUSER_RecentDocs.qs usr/share/fred/report_templates/
report_templates/NTUSER_TypedUrls.qs usr/share/fred/report_templates/
+report_templates/NTUSER_Windows7_SearchKeywords.qs usr/share/fred/report_templates/
+report_templates/NTUSER_Windows7_TypedPaths.qs usr/share/fred/report_templates/
+report_templates/NTUSER_WindowsLiveAccounts.qs usr/share/fred/report_templates/
report_templates/SAM_UserAccounts.qs usr/share/fred/report_templates/
+report_templates/SOFTWARE_Autoruns.qs usr/share/fred/report_templates/
+report_templates/SOFTWARE_ProfileList.qs usr/share/fred/report_templates/
report_templates/SOFTWARE_WindowsVersion.qs usr/share/fred/report_templates/
+report_templates/SYSTEM_BackupRestore.qs usr/share/fred/report_templates/
report_templates/SYSTEM_CurrentNetworkSettings.qs usr/share/fred/report_templates/
+report_templates/SYSTEM_Services.qs usr/share/fred/report_templates/
+report_templates/SYSTEM_ShutdownTime.qs usr/share/fred/report_templates/
report_templates/SYSTEM_SystemTimeInfo.qs usr/share/fred/report_templates/
report_templates/SYSTEM_UsbStorageDevices.qs usr/share/fred/report_templates/
diff --git a/trunk/report_templates/SAM_UserAccounts.qs b/trunk/report_templates/SAM_UserAccounts.qs
index a94c21b..677cf37 100644
--- a/trunk/report_templates/SAM_UserAccounts.qs
+++ b/trunk/report_templates/SAM_UserAccounts.qs
@@ -1,104 +1,144 @@
function fred_report_info() {
var info={report_cat : "SAM",
report_name : "User accounts",
- report_author : "Gillen Daniel",
+ report_author : "Gillen Daniel, Voncken Guy",
report_desc : "Dump Windows user accounts",
fred_api : 2,
hive : "SAM"
};
return info;
}
+var table_style = "border-collapse:collapse; margin-left:20px; font-family:arial; font-size:12;";
+var cell_style = "border:1px solid #888888; padding:5; white-space:nowrap;";
+
function IsValid(val) {
- if(typeof val !== 'undefined') return true;
- else return false;
+ return (typeof val!=='undefined');
+}
+
+function PrintTableHeaderCell(str) {
+ println(" <th style=\"",cell_style,"\">",str,"</th>");
}
-function print_table_row(cell01,cell02) {
- println(" <tr><td>",cell01,"</td><td>",cell02,"</td></tr>");
+function PrintTableDataCell(alignment,str) {
+ var style=cell_style+" text-align:"+alignment+";";
+ println(" <td style=\"",style,"\">",str,"</td>");
}
-function print_v_info(v_key_value,info_name,str_off) {
+
+function Get_v_info(v_key_value,str_off) {
+ var ret_str="";
var offset=Number(RegistryKeyValueToVariant(v_key_value,"uint16",str_off))+0x0cc;
var len=Number(RegistryKeyValueToVariant(v_key_value,"uint16",str_off+4));
- if(len>0) print_table_row(info_name,RegistryKeyValueToVariant(v_key_value,"utf16",offset,len));
+ if(len>0) ret_str=RegistryKeyValueToVariant(v_key_value,"utf16",offset,len)
+
+ return ret_str;
}
function fred_report_html() {
// See http://windowsir.blogspot.com/2006/08/getting-user-info-from-image.html
println(" <h2>User accounts</h2>");
// Iterate over all user names
var user_names=GetRegistryNodes("\\SAM\\Domains\\Account\\Users\\Names");
if(IsValid(user_names)) {
- for(var i=0;i<user_names.length;i++) {
- println(" <p style=\"font-size:12; white-space:nowrap\">");
+ println(" <table style=\""+table_style+"\">");
- // Print user name
- println(" <u>",user_names[i],"</u><br />");
-
- println(" <table style=\"margin-left:20px; font-size:12\">");
+ println(" <tr>");
+ PrintTableHeaderCell("Name");
+ PrintTableHeaderCell("RID");
+ PrintTableHeaderCell("Full<br>name");
+ PrintTableHeaderCell("Last<br>login");
+ PrintTableHeaderCell("Last PW<br>change");
+ PrintTableHeaderCell("Last failed<br>login");
+ PrintTableHeaderCell("Account<br>expiry");
+ PrintTableHeaderCell("Total<br>logins");
+ PrintTableHeaderCell("Failed<br>logins");
+ PrintTableHeaderCell("Flags");
+ PrintTableHeaderCell("Password<br>hint");
+ PrintTableHeaderCell("Home drive<br>and dir");
+ PrintTableHeaderCell("Logon<br>script path");
+ PrintTableHeaderCell("Profile<br>path");
+ PrintTableHeaderCell("Comment");
+ println(" </tr>");
+ for(var i=0;i<user_names.length;i++) {
// Get user rid stored in "default" key
- var user_rid=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\Names\\",user_names[i]),"");
+ var user_rid=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\Names\\",user_names[i]),"");
user_rid=RegistryKeyTypeToString(user_rid.type);
- println(" <tr><td>RID:</td><td>",Number(user_rid).toString(10)," (",user_rid,")","</td></tr>");
-
- // RegistryKeyTypeToString returns the rid prepended with "0x". We have to remove that for further processing
- user_rid=String(user_rid).substr(2);
+ user_rid_dec=Number(user_rid).toString(10);
// Get user's V key and print various infos
+ user_rid=String(user_rid).substr(2); // Remove "0x"
var v_key=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\",user_rid),"V");
- print_v_info(v_key.value,"Full name:",0x18);
- print_v_info(v_key.value,"Comment:",0x24);
- print_v_info(v_key.value,"Home directory:",0x48);
- print_v_info(v_key.value,"Home directory drive:",0x54);
- print_v_info(v_key.value,"Logon script path:",0x60);
- print_v_info(v_key.value,"Profile path:",0x6c);
+ var full_name=Get_v_info(v_key.value,0x18);
+ var comment=Get_v_info(v_key.value,0x24);
+ var home_dir=Get_v_info(v_key.value,0x48);
+ var home_dir_drive=Get_v_info(v_key.value,0x54);
+ var logon_script_path=Get_v_info(v_key.value,0x60);
+ var profile_path=Get_v_info(v_key.value,0x6c);
// Get user's F key and print various infos
var f_key=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\",user_rid),"F");
- print_table_row("Last login time:",RegistryKeyValueToVariant(f_key.value,"filetime",8));
- print_table_row("Last pw change:",RegistryKeyValueToVariant(f_key.value,"filetime",24));
- print_table_row("Last failed login:",RegistryKeyValueToVariant(f_key.value,"filetime",40));
- print_table_row("Account expires:",RegistryKeyValueToVariant(f_key.value,"filetime",32));
- print_table_row("Total logins:",RegistryKeyValueToVariant(f_key.value,"uint16",66));
- print_table_row("Failed logins:",RegistryKeyValueToVariant(f_key.value,"uint16",64));
+ var last_login_time=RegistryKeyValueToVariant(f_key.value,"filetime",8);
+ var last_pw_change=RegistryKeyValueToVariant(f_key.value,"filetime",24);
+ var last_failed_login=RegistryKeyValueToVariant(f_key.value,"filetime",40);
+ var account_expires=RegistryKeyValueToVariant(f_key.value,"filetime",32);
+ var total_logins=RegistryKeyValueToVariant(f_key.value,"uint16",66);
+ var failed_logins=RegistryKeyValueToVariant(f_key.value,"uint16",64);
+
var acc_flags=Number(RegistryKeyValueToVariant(f_key.value,"uint16",56));
- print(" <tr><td>Account flags:</td><td>");
- if(acc_flags&0x0001) print("Disabled ");
- if(acc_flags&0x0002) print("HomeDirReq ");
- if(acc_flags&0x0004) print("PwNotReq ");
- if(acc_flags&0x0008) print("TempDupAcc ");
- // I don't think this would be useful to show
- //if(acc_flags&0x0010) print("NormUserAcc ");
- if(acc_flags&0x0020) print("MnsAcc ");
- if(acc_flags&0x0040) print("DomTrustAcc ");
- if(acc_flags&0x0080) print("WksTrustAcc ");
- if(acc_flags&0x0100) print("SrvTrustAcc ");
- if(acc_flags&0x0200) print("NoPwExpiry ");
- if(acc_flags&0x0400) print("AccAutoLock ");
- print(" (",acc_flags,")");
- println("</td></tr>");
+ var acc_flags_str="";
+ if(acc_flags&0x0200) acc_flags_str+="NoPwExpiry ";
+ if(acc_flags&0x0001) acc_flags_str+="Disabled ";
+ if(acc_flags&0x0004) acc_flags_str+="PwNotReq ";
+ if(acc_flags&0x0002) acc_flags_str+="HomeDirReq ";
+ if(acc_flags&0x0008) acc_flags_str+="TempDupAcc ";
+// if(acc_flags&0x0010) acc_flags_str+="NormUserAcc "; // I don't think this would be useful to show
+ if(acc_flags&0x0020) acc_flags_str+="MnsAcc ";
+ if(acc_flags&0x0040) acc_flags_str+="DomTrustAcc ";
+ if(acc_flags&0x0080) acc_flags_str+="WksTrustAcc ";
+ if(acc_flags&0x0100) acc_flags_str+="SrvTrustAcc ";
+ if(acc_flags&0x0400) acc_flags_str+="AccAutoLock ";
// Get password hint if available
var hint=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\",user_rid),"UserPasswordHint");
- if(typeof hint !== 'undefined') {
+ if(IsValid(hint)) {
// Append missing trailing utf16 zero byte
hint.value.appendByte(0);
hint.value.appendByte(0);
- print_table_row("Password hint:",RegistryKeyValueToVariant(hint.value,"utf16"));
+ hint=RegistryKeyValueToVariant(hint.value,"utf16");
+ } else {
+ hint="";
}
// TODO: User group membership
- println(" </table>");
- println(" </p>");
+ println (" <tr>");
+ PrintTableDataCell("left",user_names[i]);
+ PrintTableDataCell("right",String(user_rid_dec)+" (0x"+user_rid+")");
+ PrintTableDataCell("left",full_name);
+ PrintTableDataCell("right",last_login_time);
+ PrintTableDataCell("right",last_pw_change);
+ PrintTableDataCell("right",last_failed_login);
+ PrintTableDataCell("left",account_expires);
+ PrintTableDataCell("right",total_logins);
+ PrintTableDataCell("right",failed_logins);
+ PrintTableDataCell("left",acc_flags_str);
+ PrintTableDataCell("left",hint);
+ PrintTableDataCell("left",home_dir_drive+" "+home_dir);
+ PrintTableDataCell("left",logon_script_path);
+ PrintTableDataCell("left",profile_path);
+ PrintTableDataCell("left",comment);
+
+ println (" </tr>")
}
+ println(" </table>");
+ println("</p>");
} else {
- println(" <p><font color='red'>");
- println(" Unable to enumerate users!<br />");
- println(" Are you sure you are running this report against the correct registry hive?");
- println(" </font></p>");
+ println("<p><font color='red'>");
+ println(" Unable to enumerate users!<br />");
+ println(" Are you sure you are running this report against the correct registry hive?");
+ println("</font></p>");
}
}
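Review bot: `user_rid_dec=Number(user_rid).toString(10);` in the per-user loop is assigned without `var`, so it becomes an implicit global shared across every report run in the interpreter; declare it as `var user_rid_dec=Number(user_rid).toString(10);` (and add the missing `;` after `println (" </tr>")` at the end of the row). The closing `println("</p>");` after `</table>` closes a paragraph this version never opens, since the per-user `<p ...>` line was removed — either drop it or emit `<p>` before the table. PrintTableDataCell writes `str` verbatim, and the name, full name, comment and password hint come straight from the hive being examined, so markup in those values lands unescaped in the report; an escape step on the data cell (at least `&`, `<`, `>`) would keep a crafted hive from altering the rendered report. The old output also showed the raw numeric `acc_flags` alongside the decoded names; with the rewrite any bit not in the list is silently dropped, so appending `" ("+acc_flags+")"` to `acc_flags_str` would preserve that for the analyst.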
diff --git a/trunk/report_templates/SAM_UserAccounts2.qs b/trunk/report_templates/SAM_UserAccounts2.qs
deleted file mode 100644
index e06da1e..0000000
--- a/trunk/report_templates/SAM_UserAccounts2.qs
+++ /dev/null
@@ -1,144 +0,0 @@
-function fred_report_info() {
- var info={report_cat : "SAM",
- report_name : "User accounts as table",
- report_author : "Gillen Daniel, Voncken Guy",
- report_desc : "Dump Windows user accounts",
- fred_api : 2,
- hive : "SAM"
- };
- return info;
-}
-
-var table_style = "border-collapse:collapse; margin-left:20px; font-family:arial; font-size:12;";
-var cell_style = "border:1px solid #888888; padding:5; white-space:nowrap;";
-
-function IsValid(val) {
- return (typeof val!=='undefined');
-}
-
-function PrintTableHeaderCell(str) {
- println(" <th style=\"",cell_style,"\">",str,"</th>");
-}
-
-function PrintTableDataCell(alignment,str) {
- var style=cell_style+" text-align:"+alignment+";";
- println(" <td style=\"",style,"\">",str,"</td>");
-}
-
-
-function Get_v_info(v_key_value,str_off) {
- var ret_str="";
- var offset=Number(RegistryKeyValueToVariant(v_key_value,"uint16",str_off))+0x0cc;
- var len=Number(RegistryKeyValueToVariant(v_key_value,"uint16",str_off+4));
- if(len>0) ret_str=RegistryKeyValueToVariant(v_key_value,"utf16",offset,len)
-
- return ret_str;
-}
-
-function fred_report_html() {
- // See http://windowsir.blogspot.com/2006/08/getting-user-info-from-image.html
- println(" <h2>User accounts</h2>");
-
- // Iterate over all user names
- var user_names=GetRegistryNodes("\\SAM\\Domains\\Account\\Users\\Names");
- if(IsValid(user_names)) {
- println(" <table style=\""+table_style+"\">");
-
- println(" <tr>");
- PrintTableHeaderCell("Name");
- PrintTableHeaderCell("RID");
- PrintTableHeaderCell("Full<br>name");
- PrintTableHeaderCell("Last<br>login");
- PrintTableHeaderCell("Last PW<br>change");
- PrintTableHeaderCell("Last failed<br>login");
- PrintTableHeaderCell("Account<br>expiry");
- PrintTableHeaderCell("Total<br>logins");
- PrintTableHeaderCell("Failed<br>logins");
- PrintTableHeaderCell("Flags");
- PrintTableHeaderCell("Password<br>hint");
- PrintTableHeaderCell("Home drive<br>and dir");
- PrintTableHeaderCell("Logon<br>script path");
- PrintTableHeaderCell("Profile<br>path");
- PrintTableHeaderCell("Comment");
- println(" </tr>");
-
- for(var i=0;i<user_names.length;i++) {
- // Get user rid stored in "default" key
- var user_rid=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\Names\\",user_names[i]),"");
- user_rid=RegistryKeyTypeToString(user_rid.type);
- user_rid_dec=Number(user_rid).toString(10);
-
- // Get user's V key and print various infos
- user_rid=String(user_rid).substr(2); // Remove "0x"
- var v_key=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\",user_rid),"V");
- var full_name=Get_v_info(v_key.value,0x18);
- var comment=Get_v_info(v_key.value,0x24);
- var home_dir=Get_v_info(v_key.value,0x48);
- var home_dir_drive=Get_v_info(v_key.value,0x54);
- var logon_script_path=Get_v_info(v_key.value,0x60);
- var profile_path=Get_v_info(v_key.value,0x6c);
-
- // Get user's F key and print various infos
- var f_key=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\",user_rid),"F");
- var last_login_time=RegistryKeyValueToVariant(f_key.value,"filetime",8);
- var last_pw_change=RegistryKeyValueToVariant(f_key.value,"filetime",24);
- var last_failed_login=RegistryKeyValueToVariant(f_key.value,"filetime",40);
- var account_expires=RegistryKeyValueToVariant(f_key.value,"filetime",32);
- var total_logins=RegistryKeyValueToVariant(f_key.value,"uint16",66);
- var failed_logins=RegistryKeyValueToVariant(f_key.value,"uint16",64);
-
- var acc_flags=Number(RegistryKeyValueToVariant(f_key.value,"uint16",56));
- var acc_flags_str="";
- if(acc_flags&0x0200) acc_flags_str+="NoPwExpiry ";
- if(acc_flags&0x0001) acc_flags_str+="Disabled ";
- if(acc_flags&0x0004) acc_flags_str+="PwNotReq ";
- if(acc_flags&0x0002) acc_flags_str+="HomeDirReq ";
- if(acc_flags&0x0008) acc_flags_str+="TempDupAcc ";
-// if(acc_flags&0x0010) acc_flags_str+="NormUserAcc "; // I don't think this would be useful to show
- if(acc_flags&0x0020) acc_flags_str+="MnsAcc ";
- if(acc_flags&0x0040) acc_flags_str+="DomTrustAcc ";
- if(acc_flags&0x0080) acc_flags_str+="WksTrustAcc ";
- if(acc_flags&0x0100) acc_flags_str+="SrvTrustAcc ";
- if(acc_flags&0x0400) acc_flags_str+="AccAutoLock ";
-
- // Get password hint if available
- var hint=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\",user_rid),"UserPasswordHint");
- if(IsValid(hint)) {
- // Append missing trailing utf16 zero byte
- hint.value.appendByte(0);
- hint.value.appendByte(0);
- hint=RegistryKeyValueToVariant(hint.value,"utf16");
- } else {
- hint="";
- }
-
- // TODO: User group membership
-
- println (" <tr>");
- PrintTableDataCell("left",user_names[i]);
- PrintTableDataCell("right",String(user_rid_dec)+" (0x"+user_rid+")");
- PrintTableDataCell("left",full_name);
- PrintTableDataCell("right",last_login_time);
- PrintTableDataCell("right",last_pw_change);
- PrintTableDataCell("right",last_failed_login);
- PrintTableDataCell("left",account_expires);
- PrintTableDataCell("right",total_logins);
- PrintTableDataCell("right",failed_logins);
- PrintTableDataCell("left",acc_flags_str);
- PrintTableDataCell("left",hint);
- PrintTableDataCell("left",home_dir_drive+" "+home_dir);
- PrintTableDataCell("left",logon_script_path);
- PrintTableDataCell("left",profile_path);
- PrintTableDataCell("left",comment);
-
- println (" </tr>")
- }
- println(" </table>");
- println("</p>");
- } else {
- println("<p><font color='red'>");
- println(" Unable to enumerate users!<br />");
- println(" Are you sure you are running this report against the correct registry hive?");
- println("</font></p>");
- }
-}
diff --git a/trunk/report_templates/SAM_UserAccounts.qs b/trunk/report_templates/SAM_UserAccounts_old.qs
similarity index 98%
copy from trunk/report_templates/SAM_UserAccounts.qs
copy to trunk/report_templates/SAM_UserAccounts_old.qs
index a94c21b..c9be641 100644
--- a/trunk/report_templates/SAM_UserAccounts.qs
+++ b/trunk/report_templates/SAM_UserAccounts_old.qs
@@ -1,104 +1,104 @@
function fred_report_info() {
var info={report_cat : "SAM",
- report_name : "User accounts",
+ report_name : "OLD - User accounts",
report_author : "Gillen Daniel",
report_desc : "Dump Windows user accounts",
fred_api : 2,
hive : "SAM"
};
return info;
}
function IsValid(val) {
if(typeof val !== 'undefined') return true;
else return false;
}
function print_table_row(cell01,cell02) {
println(" <tr><td>",cell01,"</td><td>",cell02,"</td></tr>");
}
function print_v_info(v_key_value,info_name,str_off) {
var offset=Number(RegistryKeyValueToVariant(v_key_value,"uint16",str_off))+0x0cc;
var len=Number(RegistryKeyValueToVariant(v_key_value,"uint16",str_off+4));
if(len>0) print_table_row(info_name,RegistryKeyValueToVariant(v_key_value,"utf16",offset,len));
}
function fred_report_html() {
// See http://windowsir.blogspot.com/2006/08/getting-user-info-from-image.html
println(" <h2>User accounts</h2>");
// Iterate over all user names
var user_names=GetRegistryNodes("\\SAM\\Domains\\Account\\Users\\Names");
if(IsValid(user_names)) {
for(var i=0;i<user_names.length;i++) {
println(" <p style=\"font-size:12; white-space:nowrap\">");
// Print user name
println(" <u>",user_names[i],"</u><br />");
println(" <table style=\"margin-left:20px; font-size:12\">");
// Get user rid stored in "default" key
var user_rid=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\Names\\",user_names[i]),"");
user_rid=RegistryKeyTypeToString(user_rid.type);
println(" <tr><td>RID:</td><td>",Number(user_rid).toString(10)," (",user_rid,")","</td></tr>");
// RegistryKeyTypeToString returns the rid prepended with "0x". We have to remove that for further processing
user_rid=String(user_rid).substr(2);
// Get user's V key and print various infos
var v_key=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\",user_rid),"V");
print_v_info(v_key.value,"Full name:",0x18);
print_v_info(v_key.value,"Comment:",0x24);
print_v_info(v_key.value,"Home directory:",0x48);
print_v_info(v_key.value,"Home directory drive:",0x54);
print_v_info(v_key.value,"Logon script path:",0x60);
print_v_info(v_key.value,"Profile path:",0x6c);
// Get user's F key and print various infos
var f_key=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\",user_rid),"F");
print_table_row("Last login time:",RegistryKeyValueToVariant(f_key.value,"filetime",8));
print_table_row("Last pw change:",RegistryKeyValueToVariant(f_key.value,"filetime",24));
print_table_row("Last failed login:",RegistryKeyValueToVariant(f_key.value,"filetime",40));
print_table_row("Account expires:",RegistryKeyValueToVariant(f_key.value,"filetime",32));
print_table_row("Total logins:",RegistryKeyValueToVariant(f_key.value,"uint16",66));
print_table_row("Failed logins:",RegistryKeyValueToVariant(f_key.value,"uint16",64));
var acc_flags=Number(RegistryKeyValueToVariant(f_key.value,"uint16",56));
print(" <tr><td>Account flags:</td><td>");
if(acc_flags&0x0001) print("Disabled ");
if(acc_flags&0x0002) print("HomeDirReq ");
if(acc_flags&0x0004) print("PwNotReq ");
if(acc_flags&0x0008) print("TempDupAcc ");
// I don't think this would be useful to show
//if(acc_flags&0x0010) print("NormUserAcc ");
if(acc_flags&0x0020) print("MnsAcc ");
if(acc_flags&0x0040) print("DomTrustAcc ");
if(acc_flags&0x0080) print("WksTrustAcc ");
if(acc_flags&0x0100) print("SrvTrustAcc ");
if(acc_flags&0x0200) print("NoPwExpiry ");
if(acc_flags&0x0400) print("AccAutoLock ");
print(" (",acc_flags,")");
println("</td></tr>");
// Get password hint if available
var hint=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\",user_rid),"UserPasswordHint");
if(typeof hint !== 'undefined') {
// Append missing trailing utf16 zero byte
hint.value.appendByte(0);
hint.value.appendByte(0);
print_table_row("Password hint:",RegistryKeyValueToVariant(hint.value,"utf16"));
}
// TODO: User group membership
println(" </table>");
println(" </p>");
}
} else {
println(" <p><font color='red'>");
println(" Unable to enumerate users!<br />");
println(" Are you sure you are running this report against the correct registry hive?");
println(" </font></p>");
}
}
diff --git a/trunk/report_templates/SYSTEM_SystemTimeInfo.qs b/trunk/report_templates/SYSTEM_SystemTimeInfo.qs
index b9880ec..9f7c3cb 100644
--- a/trunk/report_templates/SYSTEM_SystemTimeInfo.qs
+++ b/trunk/report_templates/SYSTEM_SystemTimeInfo.qs
@@ -1,141 +1,141 @@
function fred_report_info() {
var info={report_cat : "SYSTEM",
report_name : "System time info",
report_author : "Gillen Daniel",
report_desc : "Dump system time info",
fred_api : 2,
hive : "SYSTEM"
};
return info;
}
var table_style = "border-collapse:collapse; margin-left:20px; font-family:arial; font-size:12";
var cell_style = "border:1px solid #888888; padding:5; white-space:nowrap;";
function IsValid(val) {
return (typeof val!=='undefined');
}
function PrintTableHeaderCell(str) {
println(" <th style=\"",cell_style,"\">",str,"</th>");
}
function PrintTableDataCell(alignment,str) {
var style=cell_style+" text-align:"+alignment+";";
println(" <td style=\"",style,"\">",str,"</td>");
}
function ToUTC(num) {
var retnum=new Number(num);
if(retnum&0x80000000) {
retnum=((0xFFFFFFFF-retnum)+1)/60;
return "UTC+"+Number(retnum).toString(10);
} else {
retnum=retnum/60;
if(retnum!=0) return "UTC-"+Number(retnum).toString(10);
else return "UTC+"+Number(retnum).toString(10);
}
}
function ZeroPad(number,padlen) {
var ret=number.toString(10);
if(!padlen || ret.length>=padlen) return ret;
return Math.pow(10,padlen-ret.length).toString().slice(1)+ret;
}
function fred_report_html() {
var val;
println(" <h2>System time info</h2>");
// Get current controlset
var cur_controlset=GetRegistryKeyValue("\\Select","Current");
if(IsValid(cur_controlset)) {
cur_controlset=RegistryKeyValueToString(cur_controlset.value,cur_controlset.type);
// Current holds a DWORD value, thus we get a string like 0x00000000, but
// control sets are referenced by its decimal representation.
cur_controlset="ControlSet"+ZeroPad(parseInt(String(cur_controlset).substr(2,8),16),3)
// Get W32Time service settings
var w32time_startup_method="n/a";
var w32time_time_servers="n/a";
val=GetRegistryKeyValue(cur_controlset+"\\Services\\W32Time","Start");
if(IsValid(val)) {
val=RegistryKeyValueToString(val.value,val.type);
switch(Number(val)) {
case 0:
w32time_startup_method="Boot";
break;
case 1:
w32time_startup_method="System";
break;
case 2:
w32time_startup_method="Automatic";
break;
case 3:
w32time_startup_method="Manual";
break;
case 4:
w32time_startup_method="Disabled";
break;
default:
w32time_startup_method="Unknown";
}
// If service is enabled, get ntp server
if(Number(val)<4) {
val=GetRegistryKeyValue(cur_controlset+"\\Services\\W32Time\\Parameters","NtpServer");
if(IsValid(val)) w32time_time_servers=RegistryKeyValueToString(val.value,val.type);
}
}
println(" <p style=\"font-size:12; white-space:nowrap\">");
println(" <table style=\""+table_style+"\">");
println(" <tr><td>Active control set:</td><td>",cur_controlset,"</td></tr>");
println(" <tr><td>W32Time startup method:</td><td>",w32time_startup_method,"</td></tr>");
println(" <tr><td>W32Time NTP servers:</td><td>",w32time_time_servers,"</td></tr>");
println(" </table>");
println(" <br />");
println(" <table style=\""+table_style+"\">");
println(" <tr>");
- PrintTableHeaderCell("XXX");
+ PrintTableHeaderCell("Setting name");
PrintTableHeaderCell("Time zone");
println(" </tr>");
// Active time bias
val=GetRegistryKeyValue(cur_controlset+"\\Control\\TimeZoneInformation","ActiveTimeBias");
var active_bias=(IsValid(val)) ? ToUTC(RegistryKeyValueToString(val.value,val.type)) : "n/a"
// Std. tz name and bias
val=GetRegistryKeyValue(cur_controlset+"\\Control\\TimeZoneInformation","StandardName");
var std_name=(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a";
val=GetRegistryKeyValue(cur_controlset+"\\Control\\TimeZoneInformation","StandardBias");
var std_bias=(IsValid(val)) ? ToUTC(RegistryKeyValueToString(val.value,val.type)) : "n/a";
// Daylight tz name and bias
val=GetRegistryKeyValue(cur_controlset+"\\Control\\TimeZoneInformation","DaylightName");
var daylight_name=(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a";
val=GetRegistryKeyValue(cur_controlset+"\\Control\\TimeZoneInformation","DaylightBias");
var daylight_bias=(IsValid(val)) ? ToUTC(RegistryKeyValueToString(val.value,val.type)) : "n/a";
println(" <tr>");
PrintTableDataCell("left","Active");
PrintTableDataCell("left",active_bias);
println(" </tr>");
println(" <tr>");
PrintTableDataCell("left","Standard");
PrintTableDataCell("left",std_bias+" ("+std_name+")");
println(" </tr>");
println(" <tr>");
PrintTableDataCell("left","Daylight");
PrintTableDataCell("left",daylight_bias+" ("+daylight_name+")");
println(" </tr>");
println(" </table>");
println(" </p>");
} else {
println(" <p><font color='red'>");
println(" Unable to determine current control set!<br />");
println(" Are you sure you are running this report against the correct registry hive?");
println(" </font></p>");
}
}
diff --git a/trunk/report_templates/SYSTEM_UsbStorageDevices.qs b/trunk/report_templates/SYSTEM_UsbStorageDevices.qs
index 20667d0..3c13418 100644
--- a/trunk/report_templates/SYSTEM_UsbStorageDevices.qs
+++ b/trunk/report_templates/SYSTEM_UsbStorageDevices.qs
@@ -1,145 +1,190 @@
function fred_report_info() {
var info={report_cat : "SYSTEM",
report_name : "USB storage devices",
- report_author : "Gillen Daniel",
+ report_author : "Gillen Daniel, Voncken Guy",
report_desc : "Dump USB storage devices",
fred_api : 2,
hive : "SYSTEM"
};
return info;
}
+var table_style = "border-collapse:collapse; margin-left:20px; font-family:arial; font-size:12";
+var cell_style = "border:1px solid #888888; padding:5; white-space:nowrap;";
+
function IsValid(val) {
- if(typeof val !== 'undefined') return true;
- else return false;
+ return (typeof val!=='undefined');
+}
+
+function PrintTableHeaderCell(str) {
+ println(" <th style=\"",cell_style,"\">",str,"</th>");
+}
+
+function PrintTableDataCell(alignment,str) {
+ var style=cell_style+" text-align:"+alignment+";";
+ println(" <td style=\"",style,"\">",str,"</td>");
}
-function print_table_row(cell01,cell02) {
- println(" <tr><td>",cell01,"</td><td>",cell02,"</td></tr>");
+function PrintTableDataRowSpanCell(alignment,rows,str) {
+ var style=cell_style+" text-align: "+alignment+";";
+ println(" <td rowspan=\"",rows,"\" style=\"",style,"\">",str,"</td>");
}
function ZeroPad(number,padlen) {
var ret=number.toString(10);
if(!padlen || ret.length>=padlen) return ret;
return Math.pow(10,padlen-ret.length).toString().slice(1)+ret;
}
+function GetKeyVal(path, key) {
+ var val=GetRegistryKeyValue(path, key);
+ return (IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "";
+}
+
function fred_report_html() {
- // TODO: There is more here. Check http://www.forensicswiki.org/wiki/USB_History_Viewing
+ // TODO: There is more here.
+ // Check http://www.forensicswiki.org/wiki/USB_History_Viewing
var val;
println(" <h2>USB storage devices</h2>");
- // Preload MountedDevices to possibly identify mount points of USB storage devices
+ // Preload MountedDevices to possibly identify mount points of USB storage
+ // devices
var mnt_keys=GetRegistryKeys("\\MountedDevices");
var mnt_values=new Array();
if(IsValid(mnt_keys)) {
for(var i=0;i<mnt_keys.length;i++) {
val=GetRegistryKeyValue("\\MountedDevices",mnt_keys[i]);
mnt_values[i]=RegistryKeyValueToVariant(val.value,"utf16");
}
}
// Get current controlset
var cur_controlset=GetRegistryKeyValue("\\Select","Current");
if(IsValid(cur_controlset)) {
- cur_controlset=RegistryKeyValueToString(cur_controlset.value,cur_controlset.type);
+ cur_controlset=RegistryKeyValueToString(cur_controlset.value,
+ cur_controlset.type);
// Current holds a DWORD value, thus we get a string like 0x00000000, but
// control sets are referenced by its decimal representation.
- cur_controlset="ControlSet"+ZeroPad(parseInt(String(cur_controlset).substr(2,8),16),3)
+ cur_controlset="ControlSet"+
+ ZeroPad(parseInt(String(cur_controlset).substr(2,8),16),3);
println(" <p style=\"font-size:12; white-space:nowrap\">");
- println(" <u>Settings</u><br />");
- println(" <table style=\"margin-left:20px; font-size:12; white-space:nowrap\">");
+ println(" <table style=\""+table_style+"\">");
// Are USB storage devices enabled?
// http://www.forensicmag.com/article/windows-7-registry-forensics-part-5
// Is this true for WinXP etc.. ???
var val=GetRegistryKeyValue(cur_controlset+"\\services\\USBSTOR","Start");
if(IsValid(val)) {
val=RegistryKeyValueToString(val.value,val.type);
val=parseInt(String(val).substr(2,8),10);
switch(val) {
case 3:
- print_table_row("Storage driver enabled:","Yes");
+ println(" <tr><td>Storage driver enabled:</td><td>Yes</td></tr>");
break;
case 4:
- print_table_row("Storage driver enabled:","No");
+ println(" <tr><td>Storage driver enabled:</td><td>No</td></tr>");
break;
default:
- print_table_row("Storage driver enabled:","Unknown");
+ println(" <tr><td>Storage driver enabled:</td><td>Unknown</td></tr>");
}
} else {
- print_table_row("Storage driver enabled:","Unknown");
+ println(" <tr><td>Storage driver enabled:</td><td>Unknown</td></tr>");
}
println(" </table>");
println(" </p>");
println(" <p style=\"font-size:12; white-space:nowrap\">");
- println(" <u>Devices</u><br />");
var storage_roots=GetRegistryNodes(cur_controlset+"\\Enum\\USBSTOR");
if(IsValid(storage_roots)) {
+ println(" <table style=\""+table_style+"\">");
+ println(" <tr>");
+ PrintTableHeaderCell("Vendor Name");
+ PrintTableHeaderCell("Unique ID");
+ PrintTableHeaderCell("Class");
+ PrintTableHeaderCell("Friendly name");
+ PrintTableHeaderCell("Mount point(s)");
+ PrintTableHeaderCell("Parent ID");
+ PrintTableHeaderCell("Device description");
+ println(" </tr>");
+
for(var i=0;i<storage_roots.length;i++) {
- println(" <u style=\"margin-left:20px; font-size:12; white-space:nowrap\">",storage_roots[i],"</u><br />");
var storage_subroots=GetRegistryNodes(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]);
- for(ii=0;ii<storage_subroots.length;ii++) {
- println(" <table style=\"margin-left:20px; font-size:12; white-space:nowrap\">");
- // If the second character of the unique instance ID is a '&', then the ID was
- // generated by the system, as the device did not have a serial number.
- if(String(storage_subroots[ii]).charAt(1)=="&") print_table_row("Unique ID:",storage_subroots[ii]+" (Generated by system)");
- else print_table_row("Unique ID:",storage_subroots[ii]);
-
- val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"Class");
- print_table_row("Class:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "");
- val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"DeviceDesc");
- print_table_row("Device description:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "");
- val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"FriendlyName");
- print_table_row("Friendly name:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "");
- val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"ParentIdPrefix");
- if(IsValid(val)) {
+ for(var ii=0;ii<storage_subroots.length;ii++) {
+ var device_id=storage_subroots[ii];
+ if(String(device_id).charAt(1)=="&") {
+ // If the second character of the unique instance ID is a '&', then
+ // the ID was generated by the system, as the device did not have a
+ // serial number.
+ device_id=device_id+" (Generated by system)";
+ }
+ var device_key=cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii];
+ var device_class=GetKeyVal(device_key,"Class");
+ var device_desc=GetKeyVal(device_key,"DeviceDesc");
+ var device_friendly_name=GetKeyVal(device_key,"FriendlyName");
+ var device_parent_id=GetKeyVal(device_key,"ParentIdPrefix");
+
+ var search_string="";
+ var device_mount_points=Array();
+ if(device_parent_id != "") {
// Windows XP uses the ParentId to link to MountedDevices
- var parent_id=RegistryKeyValueToString(val.value,val.type);
- print_table_row("Parent ID prefix:",parent_id);
- // Find mount point(s)
- print(" <tr><td>Mount point(s):</td><td>");
- var br=0;
- for(var iii=0;iii<mnt_keys.length;iii++) {
- if(String(mnt_values[iii]).indexOf("#"+parent_id+"&")!=-1) {
- if(br==1) print("<br />");
- else br=1;
- print(mnt_keys[iii]);
- }
- }
- if(br==0) print("n/a");
- println("</td></tr>");
+ search_string="#"+device_parent_id+"&";
} else {
// Since Vista, Unique IDs are used
- // Find mount point(s)
- print(" <tr><td>Mount point(s):</td><td>");
- var br=0;
- for(var iii=0;iii<mnt_keys.length;iii++) {
- if(String(mnt_values[iii]).indexOf("#"+storage_subroots[ii]+"#")!=-1) {
- if(br==1) print("<br />");
- else br=1;
- print(mnt_keys[iii]);
- }
+ search_string="#"+storage_subroots[ii]+"#";
+ }
+ for(var iii=0; iii<mnt_keys.length; iii++) {
+ if(String(mnt_values[iii]).indexOf(search_string)!=-1) {
+ device_mount_points.push(mnt_keys[iii]);
}
- if(br==0) print("n/a");
- println("</td></tr>");
}
- println(" </table>");
- println(" <br />");
+
+ var mount_points=device_mount_points.length;
+ if(mount_points>1) {
+ println(" <tr>");
+ PrintTableDataRowSpanCell("left",mount_points,storage_roots[i]);
+ PrintTableDataRowSpanCell("left",mount_points,device_id);
+ PrintTableDataRowSpanCell("left",mount_points,device_class);
+ PrintTableDataRowSpanCell("left",mount_points,device_friendly_name);
+ PrintTableDataCell("left",device_mount_points[0]);
+ PrintTableDataRowSpanCell("left",mount_points,device_parent_id);
+ PrintTableDataRowSpanCell("left",mount_points,device_desc);
+ println(" </tr>");
+ for(var iii=1;iii<device_mount_points.length;iii++) {
+ println(" <tr>");
+ PrintTableDataCell("left",device_mount_points[iii]);
+ println(" </tr>");
+ }
+ } else {
+ println(" <tr>");
+ PrintTableDataCell("left",storage_roots[i]);
+ PrintTableDataCell("left",device_id);
+ PrintTableDataCell("left",device_class);
+ PrintTableDataCell("left",device_friendly_name);
+ if(mount_points!=0) {
+ PrintTableDataCell("left",device_mount_points[0]);
+ } else {
+ PrintTableDataCell("left","n/a");
+ }
+ PrintTableDataCell("left",device_parent_id);
+ PrintTableDataCell("left",device_desc);
+ println(" </tr>");
+ }
}
}
+ println(" </table>");
+ println(" <br />");
} else {
- println(" <font color='red'>This registry hive does not contain a list of attached USB storage devices!</font>");
+ println(" <font color=\"red\">This registry hive does not contain a list of attached USB storage devices!</font>");
}
println(" </p>");
} else {
- println(" <p><font color='red'>");
+ println(" <p><font color=\"red\">");
println(" Unable to determine current control set!<br />");
println(" Are you sure you are running this report against the correct registry hive?");
println(" </font></p>");
}
}
+
diff --git a/trunk/report_templates/SYSTEM_UsbStorageDevices2.qs b/trunk/report_templates/SYSTEM_UsbStorageDevices2.qs
deleted file mode 100644
index 8fe3652..0000000
--- a/trunk/report_templates/SYSTEM_UsbStorageDevices2.qs
+++ /dev/null
@@ -1,190 +0,0 @@
-function fred_report_info() {
- var info={report_cat : "SYSTEM",
- report_name : "USB storage devices as table",
- report_author : "Gillen Daniel, Voncken Guy",
- report_desc : "Dump USB storage devices",
- fred_api : 2,
- hive : "SYSTEM"
- };
- return info;
-}
-
-var table_style = "border-collapse:collapse; margin-left:20px; font-family:arial; font-size:12";
-var cell_style = "border:1px solid #888888; padding:5; white-space:nowrap;";
-
-function IsValid(val) {
- return (typeof val!=='undefined');
-}
-
-function PrintTableHeaderCell(str) {
- println(" <th style=\"",cell_style,"\">",str,"</th>");
-}
-
-function PrintTableDataCell(alignment,str) {
- var style=cell_style+" text-align:"+alignment+";";
- println(" <td style=\"",style,"\">",str,"</td>");
-}
-
-function PrintTableDataRowSpanCell(alignment,rows,str) {
- var style=cell_style+" text-align: "+alignment+";";
- println(" <td rowspan=\"",rows,"\" style=\"",style,"\">",str,"</td>");
-}
-
-function ZeroPad(number,padlen) {
- var ret=number.toString(10);
- if(!padlen || ret.length>=padlen) return ret;
- return Math.pow(10,padlen-ret.length).toString().slice(1)+ret;
-}
-
-function GetKeyVal(path, key) {
- var val=GetRegistryKeyValue(path, key);
- return (IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "";
-}
-
-function fred_report_html() {
- // TODO: There is more here.
- // Check http://www.forensicswiki.org/wiki/USB_History_Viewing
- var val;
-
- println(" <h2>USB storage devices</h2>");
-
- // Preload MountedDevices to possibly identify mount points of USB storage
- // devices
- var mnt_keys=GetRegistryKeys("\\MountedDevices");
- var mnt_values=new Array();
- if(IsValid(mnt_keys)) {
- for(var i=0;i<mnt_keys.length;i++) {
- val=GetRegistryKeyValue("\\MountedDevices",mnt_keys[i]);
- mnt_values[i]=RegistryKeyValueToVariant(val.value,"utf16");
- }
- }
-
- // Get current controlset
- var cur_controlset=GetRegistryKeyValue("\\Select","Current");
- if(IsValid(cur_controlset)) {
- cur_controlset=RegistryKeyValueToString(cur_controlset.value,
- cur_controlset.type);
- // Current holds a DWORD value, thus we get a string like 0x00000000, but
- // control sets are referenced by its decimal representation.
- cur_controlset="ControlSet"+
- ZeroPad(parseInt(String(cur_controlset).substr(2,8),16),3);
-
- println(" <p style=\"font-size:12; white-space:nowrap\">");
- println(" <table style=\""+table_style+"\">");
-
- // Are USB storage devices enabled?
- // http://www.forensicmag.com/article/windows-7-registry-forensics-part-5
- // Is this true for WinXP etc.. ???
- var val=GetRegistryKeyValue(cur_controlset+"\\services\\USBSTOR","Start");
- if(IsValid(val)) {
- val=RegistryKeyValueToString(val.value,val.type);
- val=parseInt(String(val).substr(2,8),10);
- switch(val) {
- case 3:
- println(" <tr><td>Storage driver enabled:</td><td>Yes</td></tr>");
- break;
- case 4:
- println(" <tr><td>Storage driver enabled:</td><td>No</td></tr>");
- break;
- default:
- println(" <tr><td>Storage driver enabled:</td><td>Unknown</td></tr>");
- }
- } else {
- println(" <tr><td>Storage driver enabled:</td><td>Unknown</td></tr>");
- }
-
- println(" </table>");
- println(" </p>");
- println(" <p style=\"font-size:12; white-space:nowrap\">");
-
- var storage_roots=GetRegistryNodes(cur_controlset+"\\Enum\\USBSTOR");
- if(IsValid(storage_roots)) {
- println(" <table style=\""+table_style+"\">");
- println(" <tr>");
- PrintTableHeaderCell("Vendor Name");
- PrintTableHeaderCell("Unique ID");
- PrintTableHeaderCell("Class");
- PrintTableHeaderCell("Friendly name");
- PrintTableHeaderCell("Mount point(s)");
- PrintTableHeaderCell("Parent ID");
- PrintTableHeaderCell("Device description");
- println(" </tr>");
-
- for(var i=0;i<storage_roots.length;i++) {
- var storage_subroots=GetRegistryNodes(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]);
- for(var ii=0;ii<storage_subroots.length;ii++) {
- var device_id=storage_subroots[ii];
- if(String(device_id).charAt(1)=="&") {
- // If the second character of the unique instance ID is a '&', then
- // the ID was generated by the system, as the device did not have a
- // serial number.
- device_id=device_id+" (Generated by system)";
- }
- var device_key=cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii];
- var device_class=GetKeyVal(device_key,"Class");
- var device_desc=GetKeyVal(device_key,"DeviceDesc");
- var device_friendly_name=GetKeyVal(device_key,"FriendlyName");
- var device_parent_id=GetKeyVal(device_key,"ParentIdPrefix");
-
- var search_string="";
- var device_mount_points=Array();
- if(device_parent_id != "") {
- // Windows XP uses the ParentId to link to MountedDevices
- search_string="#"+device_parent_id+"&";
- } else {
- // Since Vista, Unique IDs are used
- search_string="#"+storage_subroots[ii]+"#";
- }
- for(var iii=0; iii<mnt_keys.length; iii++) {
- if(String(mnt_values[iii]).indexOf(search_string)!=-1) {
- device_mount_points.push(mnt_keys[iii]);
- }
- }
-
- var mount_points=device_mount_points.length;
- if(mount_points>1) {
- println(" <tr>");
- PrintTableDataRowSpanCell("left",mount_points,storage_roots[i]);
- PrintTableDataRowSpanCell("left",mount_points,device_id);
- PrintTableDataRowSpanCell("left",mount_points,device_class);
- PrintTableDataRowSpanCell("left",mount_points,device_friendly_name);
- PrintTableDataCell("left",device_mount_points[0]);
- PrintTableDataRowSpanCell("left",mount_points,device_parent_id);
- PrintTableDataRowSpanCell("left",mount_points,device_desc);
- println(" </tr>");
- for(var iii=1;iii<device_mount_points.length;iii++) {
- println(" <tr>");
- PrintTableDataCell("left",device_mount_points[iii]);
- println(" </tr>");
- }
- } else {
- println(" <tr>");
- PrintTableDataCell("left",storage_roots[i]);
- PrintTableDataCell("left",device_id);
- PrintTableDataCell("left",device_class);
- PrintTableDataCell("left",device_friendly_name);
- if(mount_points!=0) {
- PrintTableDataCell("left",device_mount_points[0]);
- } else {
- PrintTableDataCell("left","n/a");
- }
- PrintTableDataCell("left",device_parent_id);
- PrintTableDataCell("left",device_desc);
- println(" </tr>");
- }
- }
- }
- println(" </table>");
- println(" <br />");
- } else {
- println(" <font color=\"red\">This registry hive does not contain a list of attached USB storage devices!</font>");
- }
- println(" </p>");
- } else {
- println(" <p><font color=\"red\">");
- println(" Unable to determine current control set!<br />");
- println(" Are you sure you are running this report against the correct registry hive?");
- println(" </font></p>");
- }
-}
-
diff --git a/trunk/report_templates/SYSTEM_UsbStorageDevices.qs b/trunk/report_templates/SYSTEM_UsbStorageDevices_old.qs
similarity index 99%
copy from trunk/report_templates/SYSTEM_UsbStorageDevices.qs
copy to trunk/report_templates/SYSTEM_UsbStorageDevices_old.qs
index 20667d0..a36c041 100644
--- a/trunk/report_templates/SYSTEM_UsbStorageDevices.qs
+++ b/trunk/report_templates/SYSTEM_UsbStorageDevices_old.qs
@@ -1,145 +1,145 @@
function fred_report_info() {
var info={report_cat : "SYSTEM",
- report_name : "USB storage devices",
+ report_name : "OLD - USB storage devices",
report_author : "Gillen Daniel",
report_desc : "Dump USB storage devices",
fred_api : 2,
hive : "SYSTEM"
};
return info;
}
function IsValid(val) {
if(typeof val !== 'undefined') return true;
else return false;
}
function print_table_row(cell01,cell02) {
println(" <tr><td>",cell01,"</td><td>",cell02,"</td></tr>");
}
function ZeroPad(number,padlen) {
var ret=number.toString(10);
if(!padlen || ret.length>=padlen) return ret;
return Math.pow(10,padlen-ret.length).toString().slice(1)+ret;
}
function fred_report_html() {
// TODO: There is more here. Check http://www.forensicswiki.org/wiki/USB_History_Viewing
var val;
println(" <h2>USB storage devices</h2>");
// Preload MountedDevices to possibly identify mount points of USB storage devices
var mnt_keys=GetRegistryKeys("\\MountedDevices");
var mnt_values=new Array();
if(IsValid(mnt_keys)) {
for(var i=0;i<mnt_keys.length;i++) {
val=GetRegistryKeyValue("\\MountedDevices",mnt_keys[i]);
mnt_values[i]=RegistryKeyValueToVariant(val.value,"utf16");
}
}
// Get current controlset
var cur_controlset=GetRegistryKeyValue("\\Select","Current");
if(IsValid(cur_controlset)) {
cur_controlset=RegistryKeyValueToString(cur_controlset.value,cur_controlset.type);
// Current holds a DWORD value, thus we get a string like 0x00000000, but
// control sets are referenced by its decimal representation.
cur_controlset="ControlSet"+ZeroPad(parseInt(String(cur_controlset).substr(2,8),16),3)
println(" <p style=\"font-size:12; white-space:nowrap\">");
println(" <u>Settings</u><br />");
println(" <table style=\"margin-left:20px; font-size:12; white-space:nowrap\">");
// Are USB storage devices enabled?
// http://www.forensicmag.com/article/windows-7-registry-forensics-part-5
// Is this true for WinXP etc.. ???
var val=GetRegistryKeyValue(cur_controlset+"\\services\\USBSTOR","Start");
if(IsValid(val)) {
val=RegistryKeyValueToString(val.value,val.type);
val=parseInt(String(val).substr(2,8),10);
switch(val) {
case 3:
print_table_row("Storage driver enabled:","Yes");
break;
case 4:
print_table_row("Storage driver enabled:","No");
break;
default:
print_table_row("Storage driver enabled:","Unknown");
}
} else {
print_table_row("Storage driver enabled:","Unknown");
}
println(" </table>");
println(" </p>");
println(" <p style=\"font-size:12; white-space:nowrap\">");
println(" <u>Devices</u><br />");
var storage_roots=GetRegistryNodes(cur_controlset+"\\Enum\\USBSTOR");
if(IsValid(storage_roots)) {
for(var i=0;i<storage_roots.length;i++) {
println(" <u style=\"margin-left:20px; font-size:12; white-space:nowrap\">",storage_roots[i],"</u><br />");
var storage_subroots=GetRegistryNodes(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]);
for(ii=0;ii<storage_subroots.length;ii++) {
println(" <table style=\"margin-left:20px; font-size:12; white-space:nowrap\">");
// If the second character of the unique instance ID is a '&', then the ID was
// generated by the system, as the device did not have a serial number.
if(String(storage_subroots[ii]).charAt(1)=="&") print_table_row("Unique ID:",storage_subroots[ii]+" (Generated by system)");
else print_table_row("Unique ID:",storage_subroots[ii]);
val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"Class");
print_table_row("Class:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "");
val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"DeviceDesc");
print_table_row("Device description:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "");
val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"FriendlyName");
print_table_row("Friendly name:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "");
val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"ParentIdPrefix");
if(IsValid(val)) {
// Windows XP uses the ParentId to link to MountedDevices
var parent_id=RegistryKeyValueToString(val.value,val.type);
print_table_row("Parent ID prefix:",parent_id);
// Find mount point(s)
print(" <tr><td>Mount point(s):</td><td>");
var br=0;
for(var iii=0;iii<mnt_keys.length;iii++) {
if(String(mnt_values[iii]).indexOf("#"+parent_id+"&")!=-1) {
if(br==1) print("<br />");
else br=1;
print(mnt_keys[iii]);
}
}
if(br==0) print("n/a");
println("</td></tr>");
} else {
// Since Vista, Unique IDs are used
// Find mount point(s)
print(" <tr><td>Mount point(s):</td><td>");
var br=0;
for(var iii=0;iii<mnt_keys.length;iii++) {
if(String(mnt_values[iii]).indexOf("#"+storage_subroots[ii]+"#")!=-1) {
if(br==1) print("<br />");
else br=1;
print(mnt_keys[iii]);
}
}
if(br==0) print("n/a");
println("</td></tr>");
}
println(" </table>");
println(" <br />");
}
}
} else {
println(" <font color='red'>This registry hive does not contain a list of attached USB storage devices!</font>");
}
println(" </p>");
} else {
println(" <p><font color='red'>");
println(" Unable to determine current control set!<br />");
println(" Are you sure you are running this report against the correct registry hive?");
println(" </font></p>");
}
}
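Review bot: The subroot loop in this copy, `for(ii=0;ii<storage_subroots.length;ii++)`, declares no `ii`, so the index leaks as an implicit global of the script engine (and is a ReferenceError under strict mode); the main template in this same commit already declares it, and the copy should match: `for(var ii=0;ii<storage_subroots.length;ii++) {`. The `cur_controlset="ControlSet"+ZeroPad(...)` assignment a few lines earlier also lacks its terminating semicolon and relies on ASI. Since the only intended change here appears to be the `report_name` prefix, a short header comment stating that this `_old.qs` file is a frozen reference snapshot superseded by `SYSTEM_UsbStorageDevices.qs` would tell the next reader not to maintain both versions in parallel.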