diff --git a/trunk/report_templates/NTUSER_RecentDocs.qs b/trunk/report_templates/NTUSER_RecentDocs.qs
index d49215e..a0f9127 100644
--- a/trunk/report_templates/NTUSER_RecentDocs.qs
+++ b/trunk/report_templates/NTUSER_RecentDocs.qs
@@ -1,26 +1,23 @@
println("<html>");
println(" <head><title>Recent Documents</title></head>");
-println(" <body>");
+println(" <body style=\"font-size:12\">");
println(" <h2>Recent documents</h2>");
-println(" <p>");
+println(" <p style=\"font-size:12\">");
+println(" <table style=\"margin-left:20px; font-size:12\">");
-// Iterate over all recent docs
+// Get list of recent docs
var recent_docs=GetRegistryKeyValue("\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs","MRUListEx");
+
+// Iterate over all recent docs
var i=0;
var runlist=RegistryKeyValueToVariant(recent_docs.value,"uint32",i);
-
-/*
-println(runlist.toString(10),"<br />");
-var entry=GetRegistryKeyValue("\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs",runlist.toString(10));
-println("&nbsp;&nbsp;",RegistryKeyValueToVariant(entry.value,"utf16",0),"<br />");
-*/
-
while(Number(runlist)!=0xffffffff) {
var entry=GetRegistryKeyValue("\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs",runlist.toString(10));
- println("&nbsp;&nbsp;",RegistryKeyValueToVariant(entry.value,"utf16",0),"<br />");
+ println(" <tr><td>",RegistryKeyValueToVariant(entry.value,"utf16",0),"</td></tr>");
i+=4;
runlist=RegistryKeyValueToVariant(recent_docs.value,"uint32",i);
}
+println(" </table>");
println(" </p>");
println("</html>");
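Review bot: The value written into `<tr><td>` on the new println line is raw registry data emitted as HTML without escaping, so a RecentDocs entry whose filename contains `<`, `&` or a planted `<script>` tag is rendered as markup (or executed) in the examiner's browser when the report is viewed. Add a one-line helper such as `function html_escape(s){return String(s).replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/>/g,"&gt;");}` and print `html_escape(RegistryKeyValueToVariant(entry.value,"utf16",0))` instead. Separately, the `while(Number(runlist)!=0xffffffff)` loop only stops on the terminator, so an MRUListEx that is truncated or tampered with and lacks the 0xffffffff entry keeps advancing `i` past the end of the value; bounding `i` by the value's length (if the scripting API exposes it) would make the loop terminate on malformed evidence. `recent_docs` is also dereferenced without the `typeof ... !== 'undefined'` check the USB template applies to `val`, so a missing RecentDocs key aborts the script with a scripting error rather than an empty report.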
diff --git a/trunk/report_templates/NTUSER_TypedUrls.qs b/trunk/report_templates/NTUSER_TypedUrls.qs
new file mode 100644
index 0000000..29ecb94
--- /dev/null
+++ b/trunk/report_templates/NTUSER_TypedUrls.qs
@@ -0,0 +1,17 @@
+println("<html>");
+println(" <head><title>Typed Urls</title></head>");
+println(" <body style=\"font-size:12\">");
+println(" <h2>Typed urls</h2>");
+println(" <p style=\"font-size:12\">");
+println(" <table style=\"margin-left:20px; font-size:12\">");
+
+// Iterate over all typed urls
+var typed_urls=GetRegistryKeys("\\Software\\Microsoft\\Internet Explorer\\TypedURLs");
+for(var i=0;i<typed_urls.length;i++) {
+ var val=GetRegistryKeyValue("\\Software\\Microsoft\\Internet Explorer\\TypedURLs",typed_urls[i]);
+ println(" <tr><td>",RegistryKeyValueToString(val.value,val.type),"</td></tr>");
+}
+
+println(" </table>");
+println(" </p>");
+println("</html>");
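Review bot: `RegistryKeyValueToString(val.value,val.type)` on the `<tr><td>` line drops each typed URL into the HTML report unescaped; a URL the subject typed such as `http://x/<script>alert(1)</script>` becomes live markup when the report is opened, which makes the report an HTML-injection vector driven by evidence content. Escape `&`, `<` and `>` before printing, e.g. `function html_escape(s){return String(s).replace(/&/g,"&amp;").replace(/</g,"&lt;").replace(/>/g,"&gt;");}` applied to the cell contents. The value name (`url1`, `url2`, …) is also discarded, so the reader cannot tell the order the tool returned from any ordering the key encodes; emitting `typed_urls[i]` in a second `<td>` would preserve it. `typed_urls` is used without a check for an absent TypedURLs key, and `</body>` is never emitted before `</html>`.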
diff --git a/trunk/report_templates/SYSTEM_UsbStorageDevices.qs b/trunk/report_templates/SYSTEM_UsbStorageDevices.qs
new file mode 100644
index 0000000..32d7353
--- /dev/null
+++ b/trunk/report_templates/SYSTEM_UsbStorageDevices.qs
@@ -0,0 +1,43 @@
+// TODO: There is more here. Check http://www.forensicswiki.org/wiki/USB_History_Viewing
+
+function print_table_row(cell01,cell02) {
+ println(" <tr><td>",cell01,"</td><td>",cell02,"</td></tr>");
+}
+
+// Global vars
+var val;
+
+// Get current controlset
+var cur_controlset=GetRegistryKeyValue("\\Select","Current");
+cur_controlset=RegistryKeyValueToString(cur_controlset.value,cur_controlset.type);
+// Current holds a DWORD value, thus we get a string like 0x00000000, but
+// control sets are referenced only with the last 3 digits.
+cur_controlset="ControlSet"+String(cur_controlset).substr(7,3);
+
+println("<html>");
+println(" <head><title>USB Storage Devices</title></head>");
+println(" <body style=\"font-size:12\">");
+println(" <h2>USB storage devices</h2>");
+println(" <p style=\"font-size:12\">");
+
+var storage_roots=GetRegistryNodes(cur_controlset+"\\Enum\\USBSTOR");
+for(var i=0;i<storage_roots.length;i++) {
+ println(" <u>",storage_roots[i],"</u><br />");
+ var storage_subroots=GetRegistryNodes(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]);
+ for(ii=0;ii<storage_subroots.length;ii++) {
+ println(" <table style=\"margin-left:20px; font-size:12\">");
+ // Note: If the second character of the unique instance ID is a '&', then the ID was
+ // generated by the system, as the device did not have a serial number.
+ print_table_row("Unique ID:",storage_subroots[ii]);
+
+ val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"Class");
+ print_table_row("Class:",(typeof val !== 'undefined') ? RegistryKeyValueToString(val.value,val.type) : "");
+ val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"DeviceDesc");
+ print_table_row("Device description:",(typeof val !== 'undefined') ? RegistryKeyValueToString(val.value,val.type) : "");
+ val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"FriendlyName");
+ print_table_row("Friendly name:",(typeof val !== 'undefined') ? RegistryKeyValueToString(val.value,val.type) : "");
+ }
+}
+
+println(" </p>");
+println("</html>");
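Review bot: The `<table>` opened at the top of the inner `for(ii=...)` loop is never closed, so every unique-instance block starts a new table and none of them is terminated, producing malformed HTML in the report; add `println(" </table>");` after the Friendly-name row. The `Class`, `DeviceDesc` and `FriendlyName` strings originate from the device descriptor and are printed through `print_table_row` without escaping, so a device presenting a vendor string containing `<script>` injects markup into the examiner's view; escaping `&`, `<`, `>` in `print_table_row` would close that. `cur_controlset` is dereferenced at `cur_controlset.value` with no `typeof` guard even though the same script guards `val` below, so a hive without `\Select\Current` aborts with a scripting error, and `substr(7,3)` silently yields the wrong control set if the DWORD is not rendered as exactly `0x00000001`. `ii` is assigned without `var`, making it an implicit global; use `for(var ii=0;...)`.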
