User Autoruns

diff --git a/trunk/mainwindow.cpp b/trunk/mainwindow.cpp index d56ebc2..63f9d54 100644 --- a/trunk/mainwindow.cpp +++ b/trunk/mainwindow.cpp @@ -1,576 +1,584 @@ /******************************************************************************* * fred Copyright (c) 2011-2013 by Gillen Daniel * * * * Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor * * with special feautures useful during forensic analysis. * * * * This program is free software: you can redistribute it and/or modify it * * under the terms of the GNU General Public License as published by the Free * * Software Foundation, either version 3 of the License, or (at your option) * * any later version. * * * * This program is distributed in the hope that it will be useful, but WITHOUT * * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * * more details. * * * * You should have received a copy of the GNU General Public License along with * * this program. If not, see . * *******************************************************************************/ #ifndef FRED_REPORT_TEMPLATE_DIR #ifndef __MINGW32__ #define FRED_REPORT_TEMPLATE_DIR "/usr/share/fred/report_templates/" #else #define FRED_REPORT_TEMPLATE_DIR ".\\report_templates\\" #endif #endif #include #include #include #include #include #include #include #include "mainwindow.h" #include "ui_mainwindow.h" #include "dlgabout.h" #include "dlgkeydetails.h" #include "dlgreportchooser.h" #include "dlgreportviewer.h" #include "dlgsearch.h" #include "compileinfo.h" /******************************************************************************* * Public ******************************************************************************/ MainWindow::MainWindow(ArgParser *p_arg_parser) : QMainWindow(0), ui(new Ui::MainWindow) { ui->setupUi(this); // Initialize private vars this->p_args=p_arg_parser; this->p_hive=new RegistryHive(this); this->is_hive_open=false; this->p_reg_node_tree_model=NULL; this->p_reg_node_tree_model_proxy=NULL; this->p_reg_key_table_model=NULL; this->p_search_thread=NULL; this->search_result_widgets.clear(); // Check for ~/.fred config dir this->CheckUserConfigDir(); // Set main window size int cur_screen=QApplication::desktop()->screenNumber(this); int window_width= QApplication::desktop()->availableGeometry(cur_screen).width()*0.5; int window_height= QApplication::desktop()->availableGeometry(cur_screen).height()*0.5; int window_x= (QApplication::desktop()->availableGeometry(cur_screen).width()/2)- (window_width/2); int window_y= (QApplication::desktop()->availableGeometry(cur_screen).height()/2)- (window_height/2); this->setGeometry(window_x, window_y, window_width, window_height); // Create widgets this->p_horizontal_splitter=new QSplitter(); this->p_horizontal_splitter->setOrientation(Qt::Horizontal); this->p_node_tree=new RegistryNodeTree(this->p_horizontal_splitter); this->p_vertical_splitter=new QSplitter(this->p_horizontal_splitter); this->p_vertical_splitter->setOrientation(Qt::Vertical); this->p_key_table=new RegistryKeyTable(this->p_vertical_splitter); this->p_tab_widget=new TabWidget(this->p_vertical_splitter); this->p_hex_edit_widget=new HexEditWidget(); // Add hexedit page to tab_widget this->p_tab_widget->addTab(this->p_hex_edit_widget,tr("Hex viewer")); // Add widgets to their splitters this->p_vertical_splitter->addWidget(this->p_key_table); this->p_vertical_splitter->addWidget(this->p_tab_widget); this->p_horizontal_splitter->addWidget(this->p_node_tree); this->p_horizontal_splitter->addWidget(this->p_vertical_splitter); // Set stretch factors QSizePolicy node_tree_policy=this->p_node_tree->sizePolicy(); node_tree_policy.setHorizontalStretch(1); node_tree_policy.setVerticalStretch(100); this->p_node_tree->setSizePolicy(node_tree_policy); QSizePolicy vertical_splitter_policy=this->p_vertical_splitter->sizePolicy(); vertical_splitter_policy.setHorizontalStretch(4); vertical_splitter_policy.setVerticalStretch(100); this->p_vertical_splitter->setSizePolicy(vertical_splitter_policy); QSizePolicy key_table_policy=this->p_key_table->sizePolicy(); key_table_policy.setVerticalStretch(5); key_table_policy.setHorizontalStretch(100); this->p_key_table->setSizePolicy(key_table_policy); QSizePolicy tab_widget_policy=this->p_tab_widget->sizePolicy(); tab_widget_policy.setVerticalStretch(2); tab_widget_policy.setHorizontalStretch(200); this->p_tab_widget->setSizePolicy(tab_widget_policy); // Connect signals this->connect(this->p_node_tree, SIGNAL(clicked(QModelIndex)), this, SLOT(SlotNodeTreeClicked(QModelIndex))); this->connect(this->p_node_tree, SIGNAL(activated(QModelIndex)), this, SLOT(SlotNodeTreeClicked(QModelIndex))); this->connect(this->p_node_tree, SIGNAL(CurrentItemChanged(QModelIndex)), this, SLOT(SlotNodeTreeClicked(QModelIndex))); this->connect(this->p_key_table, SIGNAL(clicked(QModelIndex)), this, SLOT(SlotKeyTableClicked(QModelIndex))); this->connect(this->p_key_table, SIGNAL(doubleClicked(QModelIndex)), this, SLOT(SlotKeyTableDoubleClicked(QModelIndex))); this->connect(this->p_key_table, SIGNAL(CurrentItemChanged(QModelIndex)), this, SLOT(SlotKeyTableClicked(QModelIndex))); this->connect(this->p_tab_widget, SIGNAL(tabCloseRequested(int)), this, SLOT(SlotTabCloseButtonClicked(int))); // Add central widget this->setCentralWidget(this->p_horizontal_splitter); this->centralWidget()->setContentsMargins(4,4,4,0); // Set window title this->UpdateWindowTitle(); // Set last open location to home dir this->last_open_location=QDir::homePath(); // Load report templates this->p_reports=new Reports(); - // Load reports from system wide include dir - this->p_reports->LoadReportTemplates(FRED_REPORT_TEMPLATE_DIR); - // Load user's report templates - this->p_reports->LoadReportTemplates(QDir::homePath() - .append(QDir::separator()) - .append(".fred") - .append(QDir::separator()) - .append("report_templates")); + this->ReloadReportTemplates(); // Finally, react on some command line arguments if(this->p_args->IsSet("maximized")) { this->setWindowState(Qt::WindowMaximized); } if(this->p_args->IsSet("fullscreen")) { this->setWindowState(Qt::WindowFullScreen); } if(this->p_args->IsSet("hive-file")) { this->OpenHive(this->p_args->GetArgVal("hive-file")); } } MainWindow::~MainWindow() { if(this->is_hive_open) { this->p_hive->Close(); } delete ui; } /******************************************************************************* * Private slots ******************************************************************************/ void MainWindow::on_action_Quit_triggered() { qApp->exit(); } void MainWindow::on_action_Open_hive_triggered() { QString hive_file=""; hive_file=QFileDialog::getOpenFileName(this, tr("Open registry hive"), this->last_open_location, tr("All files (*)")); if(hive_file=="") return; this->OpenHive(hive_file); } void MainWindow::on_action_Close_hive_triggered() { if(this->is_hive_open) { // Remove search results while(this->p_tab_widget->count()>1) { this->p_tab_widget->removeTab(this->p_tab_widget->count()-1); delete this->search_result_widgets.at(this->p_tab_widget->count()-1); this->search_result_widgets.removeLast(); } // Delete models if(this->p_reg_node_tree_model!=NULL) { this->p_node_tree->setModel(NULL); delete this->p_reg_node_tree_model_proxy; delete this->p_reg_node_tree_model; this->p_reg_node_tree_model_proxy=NULL; this->p_reg_node_tree_model=NULL; } if(this->p_reg_key_table_model!=NULL) { this->p_key_table->setModel(NULL); delete this->p_reg_key_table_model; this->p_reg_key_table_model=NULL; } // Remove any data from hex edit and data interpreter this->p_hex_edit_widget->SetData(QByteArray()); this->p_hex_edit_widget->setEnabled(false); // Close hive this->p_hive->Close(); this->is_hive_open=false; this->ui->action_Close_hive->setEnabled(false); this->ui->ActionSearch->setEnabled(false); this->ui->MenuReports->setEnabled(false); this->UpdateWindowTitle(); } } void MainWindow::on_actionAbout_Qt_triggered() { QMessageBox::aboutQt(this,tr("About Qt")); } void MainWindow::on_actionAbout_fred_triggered() { DlgAbout dlg_about(this); dlg_about.exec(); } void MainWindow::on_ActionSearch_triggered() { DlgSearch dlg_search(this); if(dlg_search.exec()==QDialog::Accepted) { // Create search thread and connect needed signals/slots this->p_search_thread=new ThreadSearch(this); // Add new search widget to tabwidget and to internal widget list SearchResultWidget *p_search_widget= new SearchResultWidget(this->p_tab_widget); p_search_widget->setEnabled(false); this->search_result_widgets.append(p_search_widget); this->connect(p_search_widget, SIGNAL(doubleClicked(QModelIndex)), this, SLOT(SlotSearchResultWidgetDoubleClicked(QModelIndex))); this->p_tab_widget->addTab(p_search_widget,tr("Search results"),true); this->p_tab_widget->setCurrentIndex(this->p_tab_widget->count()-1); // Connect search thread to result widget this->connect(this->p_search_thread, SIGNAL(SignalFoundMatch(ThreadSearch::eMatchType, QString,QString,QString)), p_search_widget, SLOT(SlotFoundMatch(ThreadSearch::eMatchType, QString,QString,QString))); this->connect(this->p_search_thread, SIGNAL(finished()), this, SLOT(SlotSearchFinished())); this->connect(this->p_search_thread, SIGNAL(finished()), p_search_widget, SLOT(SlotSearchFinished())); // Start searching this->ui->ActionSearch->setEnabled(false); p_search_thread->Search(this->p_hive->Filename(), dlg_search.Keywords(), dlg_search.SearchNodeNames(), dlg_search.SearchKeyNames(), dlg_search.SearchKeyValues()); } } void MainWindow::on_ActionGenerateReport_triggered() { DlgReportChooser dlg_repchooser(this->p_reports, this->p_hive->HiveTypeToString( this->p_hive->HiveType()), this); if(dlg_repchooser.exec()==QDialog::Accepted) { QList selected_reports; // Get selected report selected_reports=dlg_repchooser.GetSelectedReports(); if(selected_reports.isEmpty()) return; // Generate report(s) QString report_result=""; if(this->p_reports->GenerateReport(this->p_hive, selected_reports, report_result, false)) { // Report generation was successfull, show reports DlgReportViewer *p_dlg_report_view=new DlgReportViewer(report_result, this); p_dlg_report_view->exec(); delete p_dlg_report_view; } else { // TODO: Inform user qDebug()<<"ERROR: "<p_reg_node_tree_model_proxy->mapToSource(index); // Built node path node_path=this->p_reg_node_tree_model->GetNodePath(index); // Create table model and attach it to the table view if(this->p_reg_key_table_model!=NULL) { // If a previous model was set, delete it and clear hexedit etc... this->p_key_table->setModel(NULL); delete this->p_reg_key_table_model; this->p_hex_edit_widget->SetData(QByteArray()); } this->p_reg_key_table_model=new RegistryKeyTableModel(this->p_hive,node_path); this->p_key_table->setModel(this->p_reg_key_table_model); // Set focus back to nodetree to be able to navigate with keyboard this->p_node_tree->setFocus(); } void MainWindow::SlotKeyTableClicked(QModelIndex index) { if(!index.isValid()) return; this->selected_key_value= this->p_reg_key_table_model->data(this->p_reg_key_table_model-> index(index.row(),2), RegistryKeyTableModel:: AdditionalRoles_GetRawData) .toByteArray(); this->p_hex_edit_widget->SetData(this->selected_key_value); // Set focus back to nodetree to be able to navigate with keyboard this->p_key_table->setFocus(); } void MainWindow::SlotKeyTableDoubleClicked(QModelIndex index) { Q_UNUSED(index); /* QModelIndex key_index; QModelIndex node_index; QStringList nodes; QString key_name; QString key_type; QByteArray key_value; if(!index.isValid()) return; // Get key name, type and value key_index=this->p_reg_key_table_model->index(index.row(),0); key_name=this->p_reg_key_table_model->data(key_index,Qt::DisplayRole) .toString(); key_index=this->p_reg_key_table_model->index(index.row(),1); key_type=this->p_reg_key_table_model->data(key_index,Qt::DisplayRole) .toString();ThreadSearch key_index=this->p_reg_key_table_model->index(index.row(),2); key_value=this->p_reg_key_table_model->data(key_index, RegistryKeyTableModel:: AdditionalRoles_GetRawData) .toByteArray(); // Get current node node_index=this->p_node_tree->currentIndex(); //Built node path nodes.clear(); nodes.append(this->p_reg_node_tree_model-> data(node_index,Qt::DisplayRole).toString()); while(this->p_reg_node_tree_model->parent(node_index)!=QModelIndex()) { // Prepend all parent nodes node_index=this->p_reg_node_tree_model->parent(node_index); nodes.prepend(this->p_reg_node_tree_model-> data(node_index,Qt::DisplayRole).toString()); } DlgKeyDetails dlg_key_details(this); dlg_key_details.SetValues(nodes,key_name,key_type,key_value); dlg_key_details.exec(); */ } void MainWindow::SlotSearchFinished() { delete this->p_search_thread; this->p_search_thread=NULL; this->ui->ActionSearch->setEnabled(true); // Enable result widget this->search_result_widgets.last()->setEnabled(true); } void MainWindow::SlotSearchResultWidgetDoubleClicked(QModelIndex index) { SearchResultWidget *p_sender; QString path; QString match_type; QString value; QString key=""; int i; if(!index.isValid()) return; // Get pointer to sender p_sender=(SearchResultWidget*)QObject::sender(); // Get path and matchtype path=p_sender->item(index.row(),0)->text(); match_type=p_sender->item(index.row(),1)->text(); value=p_sender->item(index.row(),2)->text(); if(match_type==tr("Node name")) { // Node name is not part of path. Add it if(path=="\\") path.append(value); else path.append("\\").append(value); } else if(match_type==tr("Key name")) { // Key name is stored in value key=value; } else if(match_type==tr("Key value")) { // Key name is part of path. Save and remove it QStringList nodes=path.split("\\",QString::SkipEmptyParts); key=nodes.at(nodes.count()-1); // Remove \ from path path.chop(key.length()+1); } // Expand treeview to correct node QList indexes= this->p_reg_node_tree_model->GetIndexListOf(path); for(i=0;ip_reg_node_tree_model_proxy-> mapFromSource(indexes.at(i))); this->p_node_tree->expand(indexes.at(i)); } if(indexes.count()>0) { // Scroll to last expanded node, select it and update widgets this->p_node_tree->scrollTo(indexes.at(indexes.count()-1), QAbstractItemView::PositionAtCenter); this->p_node_tree->selectionModel()->clear(); this->p_node_tree->selectionModel()-> select(indexes.at(indexes.count()-1), QItemSelectionModel::Select); // TODO: This does not work!! this->SlotNodeTreeClicked(indexes.at(indexes.count()-1)); } // Select correct key if search matched on keay name / value if(key!="") { int row=this->p_reg_key_table_model->GetKeyRow(key); this->p_key_table->clearSelection(); this->p_key_table->scrollTo(this->p_reg_key_table_model->index(row,0), QAbstractItemView::PositionAtCenter); this->p_key_table->selectRow(row); this->SlotKeyTableClicked(this->p_reg_key_table_model->index(row,0)); } } void MainWindow::SlotTabCloseButtonClicked(int index) { // Delete tab widget and remove tab this->p_tab_widget->removeTab(index); delete this->search_result_widgets.at(index-1); this->search_result_widgets.removeAt(index-1); } /******************************************************************************* * Private ******************************************************************************/ void MainWindow::CheckUserConfigDir() { QString user_config_dir=QDir::homePath() .append(QDir::separator()) .append(".fred"); if(!QDir(user_config_dir).exists()) { // User config dir does not exists, try to create it if(!QDir().mkpath(user_config_dir)) { // TODO: Maybe warn user return; } user_config_dir.append(QDir::separator()).append("report_templates"); if(!QDir().mkpath(user_config_dir)) { // TODO: Maybe warn user return; } } } void MainWindow::UpdateWindowTitle(QString filename) { if(filename=="") { this->setWindowTitle(QString("%1 v%2").arg(APP_TITLE,APP_VERSION)); } else { this->setWindowTitle(QString("%1 v%2 - %3").arg(APP_TITLE, APP_VERSION, filename.toLocal8Bit() .constData())); } } void MainWindow::OpenHive(QString hive_file) { // Update last open location this->last_open_location=hive_file.left(hive_file. lastIndexOf(QDir::separator())); // If another hive is currently open, close it if(this->is_hive_open) this->on_action_Close_hive_triggered(); // Try to open hive if(!this->p_hive->Open(hive_file)) { QMessageBox::critical(this, tr("Error opening hive file"), tr("Unable to open file '%1'").arg(hive_file)); return; } // Create tree model & proxy this->p_reg_node_tree_model=new RegistryNodeTreeModel(this->p_hive); this->p_reg_node_tree_model_proxy=new RegistryNodeTreeModelProxy(this); //this->p_reg_node_tree_model_proxy->setDynamicSortFilter(true); this->p_reg_node_tree_model_proxy-> setSourceModel(this->p_reg_node_tree_model); this->p_node_tree->setModel(this->p_reg_node_tree_model_proxy); this->is_hive_open=true; this->ui->action_Close_hive->setEnabled(true); this->ui->ActionSearch->setEnabled(true); this->ui->MenuReports->setEnabled(true); // Enable data interpreter this->p_hex_edit_widget->setEnabled(true); this->UpdateWindowTitle(hive_file); } + +void MainWindow::ReloadReportTemplates() { + // Load reports from system wide include dir + this->p_reports->LoadReportTemplates(FRED_REPORT_TEMPLATE_DIR); + // Load user's report templates + this->p_reports->LoadReportTemplates(QDir::homePath() + .append(QDir::separator()) + .append(".fred") + .append(QDir::separator()) + .append("report_templates")); +} + +void MainWindow::on_ActionReloadReportTemplates_triggered() { + this->ReloadReportTemplates(); +} diff --git a/trunk/mainwindow.h b/trunk/mainwindow.h index 7e6f779..370f819 100644 --- a/trunk/mainwindow.h +++ b/trunk/mainwindow.h @@ -1,122 +1,125 @@ /******************************************************************************* * fred Copyright (c) 2011-2013 by Gillen Daniel * * * * Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor * * with special feautures useful during forensic analysis. * * * * This program is free software: you can redistribute it and/or modify it * * under the terms of the GNU General Public License as published by the Free * * Software Foundation, either version 3 of the License, or (at your option) * * any later version. * * * * This program is distributed in the hope that it will be useful, but WITHOUT * * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * * more details. * * * * You should have received a copy of the GNU General Public License along with * * this program. If not, see . * *******************************************************************************/ #ifndef MAINWINDOW_H #define MAINWINDOW_H #include #include #include #include #include #include #include #include #include #include "argparser.h" #include "registryhive.h" #include "registrynodetree.h" #include "registrynodetreemodel.h" #include "registrynodetreemodelproxy.h" #include "registrykeytable.h" #include "registrykeytablemodel.h" #include "hexeditwidget.h" #include "reports.h" #include "threadsearch.h" #include "searchresultwidget.h" #include "tabwidget.h" namespace Ui { class MainWindow; } class MainWindow : public QMainWindow { Q_OBJECT public: explicit MainWindow(ArgParser *p_arg_parser); ~MainWindow(); private slots: void on_action_Quit_triggered(); void on_action_Open_hive_triggered(); void on_action_Close_hive_triggered(); void on_actionAbout_Qt_triggered(); void on_actionAbout_fred_triggered(); void on_ActionSearch_triggered(); void on_ActionGenerateReport_triggered(); void SlotNodeTreeClicked(QModelIndex index); void SlotKeyTableClicked(QModelIndex index); void SlotKeyTableDoubleClicked(QModelIndex index); void SlotSearchFinished(); void SlotSearchResultWidgetDoubleClicked(QModelIndex index); void SlotTabCloseButtonClicked(int index); + void on_ActionReloadReportTemplates_triggered(); + private: Ui::MainWindow *ui; ArgParser *p_args; QString last_open_location; RegistryHive *p_hive; bool is_hive_open; QByteArray selected_key_value; QList search_result_widgets; // Models RegistryNodeTreeModel *p_reg_node_tree_model; RegistryNodeTreeModelProxy *p_reg_node_tree_model_proxy; RegistryKeyTableModel *p_reg_key_table_model; // Widgets etc... RegistryNodeTree *p_node_tree; RegistryKeyTable *p_key_table; TabWidget *p_tab_widget; HexEditWidget *p_hex_edit_widget; QSplitter *p_horizontal_splitter; QSplitter *p_vertical_splitter; Reports *p_reports; // Threads ThreadSearch *p_search_thread; /* * CheckUserConfigDir * * Checks for and possibly creates the ~/.fred directory */ void CheckUserConfigDir(); /* * UpdateWindowTitle * * Updates the window title */ void UpdateWindowTitle(QString filename=""); /* * OpenHive * * Open a registry hive */ void OpenHive(QString hive_file); + void ReloadReportTemplates(); }; #endif // MAINWINDOW_H diff --git a/trunk/manual/ECMAScript_additions_reference.odt b/trunk/manual/ECMAScript_additions_reference.odt index 47011e8..a4473c4 100644 Binary files a/trunk/manual/ECMAScript_additions_reference.odt and b/trunk/manual/ECMAScript_additions_reference.odt differ diff --git a/trunk/registrykeytable.cpp b/trunk/registrykeytable.cpp index d028496..ae4acc2 100644 --- a/trunk/registrykeytable.cpp +++ b/trunk/registrykeytable.cpp @@ -1,146 +1,145 @@ /******************************************************************************* * fred Copyright (c) 2011-2013 by Gillen Daniel * * * * Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor * * with special feautures useful during forensic analysis. * * * * This program is free software: you can redistribute it and/or modify it * * under the terms of the GNU General Public License as published by the Free * * Software Foundation, either version 3 of the License, or (at your option) * * any later version. * * * * This program is distributed in the hope that it will be useful, but WITHOUT * * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * * more details. * * * * You should have received a copy of the GNU General Public License along with * * this program. If not, see . * *******************************************************************************/ #include "registrykeytable.h" #include #include #include RegistryKeyTable::RegistryKeyTable(QWidget *p_parent) : QTableView(p_parent) { // Configure widget this->setSelectionMode(QAbstractItemView::SingleSelection); this->setSelectionBehavior(QAbstractItemView::SelectRows); this->setAutoScroll(false); this->setHorizontalScrollMode(QAbstractItemView::ScrollPerPixel); this->verticalHeader()->setHidden(true); this->setTextElideMode(Qt::ElideNone); // Create context menu this->p_menu_copy=new QMenu(tr("Copy"),this); this->p_action_copy_key_name=new QAction(tr("Key name"), this->p_menu_copy); this->p_menu_copy->addAction(this->p_action_copy_key_name); this->connect(this->p_action_copy_key_name, SIGNAL(triggered()), this, SLOT(SlotCopyKeyName())); this->p_action_copy_key_value=new QAction(tr("Key value"), this->p_menu_copy); this->p_menu_copy->addAction(this->p_action_copy_key_value); this->connect(this->p_action_copy_key_value, SIGNAL(triggered()), this, SLOT(SlotCopyKeyValue())); } RegistryKeyTable::~RegistryKeyTable() { // Delete context menu delete this->p_action_copy_key_name; delete this->p_action_copy_key_value; delete this->p_menu_copy; } void RegistryKeyTable::setModel(QAbstractItemModel *p_model) { QTableView::setModel(p_model); // Resize table rows / columns to fit data this->resizeColumnsToContents(); this->resizeRowsToContents(); this->horizontalHeader()->stretchLastSection(); if(p_model!=NULL && p_model->rowCount()>0) { // Select first table item this->selectRow(0); } } /* void RegistryKeyTable::selectRow(QString key_name) { int i; this->clearSelection(); for(i=0;imodel()->rowCount();i++) { if(this->model()) } } */ int RegistryKeyTable::sizeHintForColumn(int column) const { int size_hint=-1; int i=0; int item_width=0; QFontMetrics fm(this->fontMetrics()); QModelIndex idx; if(this->model()==NULL) return -1; // Find string that needs the most amount of space idx=this->model()->index(i,column); while(idx.isValid()) { item_width=fm.width(this->model()->data(idx).toString())+10; if(item_width>size_hint) size_hint=item_width; idx=this->model()->index(++i,column); } return size_hint; } void RegistryKeyTable::contextMenuEvent(QContextMenuEvent *p_event) { // Only show context menu when a row is selected - if(this->selectedIndexes().count()!=4) return; + if(this->selectedIndexes().count()!=3) return; // Only show context menu when user clicked on selected row if(!(this->indexAt(p_event->pos())==this->selectedIndexes().at(0) || this->indexAt(p_event->pos())==this->selectedIndexes().at(1) || - this->indexAt(p_event->pos())==this->selectedIndexes().at(2) || - this->indexAt(p_event->pos())==this->selectedIndexes().at(3))) + this->indexAt(p_event->pos())==this->selectedIndexes().at(2))) { return; } // Emit a click signal emit(this->clicked(this->indexAt(p_event->pos()))); // Create context menu and add actions QMenu context_menu(this); context_menu.addMenu(this->p_menu_copy); context_menu.exec(p_event->globalPos()); } void RegistryKeyTable::currentChanged(const QModelIndex ¤t, const QModelIndex &previous) { // Call parent class's currentChanged first QTableView::currentChanged(current,previous); // Now emit our signal QModelIndex current_item=QModelIndex(current); emit(RegistryKeyTable::CurrentItemChanged(current_item)); } void RegistryKeyTable::SlotCopyKeyName() { QApplication::clipboard()-> setText(this->selectedIndexes().at(0).data().toString(), QClipboard::Clipboard); } void RegistryKeyTable::SlotCopyKeyValue() { QApplication::clipboard()-> setText(this->selectedIndexes().at(2).data().toString(), QClipboard::Clipboard); } diff --git a/trunk/registrynodetree.cpp b/trunk/registrynodetree.cpp index aa8277b..9b4723a 100644 --- a/trunk/registrynodetree.cpp +++ b/trunk/registrynodetree.cpp @@ -1,134 +1,135 @@ /******************************************************************************* * fred Copyright (c) 2011-2013 by Gillen Daniel * * * * Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor * * with special feautures useful during forensic analysis. * * * * This program is free software: you can redistribute it and/or modify it * * under the terms of the GNU General Public License as published by the Free * * Software Foundation, either version 3 of the License, or (at your option) * * any later version. * * * * This program is distributed in the hope that it will be useful, but WITHOUT * * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * * more details. * * * * You should have received a copy of the GNU General Public License along with * * this program. If not, see . * *******************************************************************************/ #include "registrynodetree.h" #include "registrynodetreemodel.h" #include #include #include RegistryNodeTree::RegistryNodeTree(QWidget *p_parent) : QTreeView(p_parent) { // Configure widget this->setTextElideMode(Qt::ElideNone); this->setSelectionMode(QAbstractItemView::SingleSelection); this->setSelectionBehavior(QAbstractItemView::SelectRows); this->sortByColumn(0,Qt::AscendingOrder); this->setSortingEnabled(true); // Create context menu this->p_menu_copy=new QMenu(tr("Copy"),this); this->p_action_copy_node_name=new QAction(tr("Node name"), this->p_menu_copy); this->p_menu_copy->addAction(this->p_action_copy_node_name); this->connect(this->p_action_copy_node_name, SIGNAL(triggered()), this, SLOT(SlotCopyNodeName())); this->p_action_copy_node_path=new QAction(tr("Node path"), this->p_menu_copy); this->p_menu_copy->addAction(this->p_action_copy_node_path); this->connect(this->p_action_copy_node_path, SIGNAL(triggered()), this, SLOT(SlotCopyNodePath())); } RegistryNodeTree::~RegistryNodeTree() { // Delete context menu delete this->p_action_copy_node_name; delete this->p_action_copy_node_path; delete this->p_menu_copy; } void RegistryNodeTree::setModel(QAbstractItemModel *p_model) { // Assign model to view QTreeView::setModel(p_model); this->header()->setResizeMode(0,QHeaderView::ResizeToContents); this->header()->setStretchLastSection(true); if(p_model!=NULL && p_model->index(0,0).isValid()) { // Select first tree item this->setCurrentIndex(p_model->index(0,0)); } } void RegistryNodeTree::contextMenuEvent(QContextMenuEvent *p_event) { // Only show context menu when a node is selected - if(this->selectedIndexes().count()!=1) return; + if(this->selectedIndexes().count()!=2) return; // Only show context menu when user clicked on selected row + // TODO: Does not work when clicking on column 2 if(this->indexAt(p_event->pos())!=this->selectedIndexes().at(0)) return; // Emit a click signal emit(this->clicked(this->indexAt(p_event->pos()))); // Create context menu and add actions QMenu context_menu(this); context_menu.addMenu(this->p_menu_copy); context_menu.exec(p_event->globalPos()); } void RegistryNodeTree::keyPressEvent(QKeyEvent *p_event) { // Only react if a node is selected and user pressed Key_Left if(this->selectedIndexes().count()==1 && p_event->key()==Qt::Key_Left) { QModelIndex cur_index=this->selectedIndexes().at(0); if(this->model()->hasChildren(cur_index) && this->isExpanded(cur_index)) { // Current node is expanded. Only collapse this one this->collapse(cur_index); return; } if(!cur_index.parent().isValid()) { // Do no try to collapse anything above root node return; } this->collapse(cur_index.parent()); this->setCurrentIndex(cur_index.parent()); return; } // If we didn't handle the key event, let our parent handle it QTreeView::keyPressEvent(p_event); } void RegistryNodeTree::currentChanged(const QModelIndex ¤t, const QModelIndex &previous) { // Call parent class's currentChanged first QTreeView::currentChanged(current,previous); // Now emit our signal QModelIndex current_item=QModelIndex(current); emit(RegistryNodeTree::CurrentItemChanged(current_item)); } void RegistryNodeTree::SlotCopyNodeName() { QApplication::clipboard()-> setText(this->selectedIndexes().at(0).data().toString(), QClipboard::Clipboard); } void RegistryNodeTree::SlotCopyNodePath() { QString path=((RegistryNodeTreeModel*)(this->model()))-> GetNodePath(this->selectedIndexes().at(0)); QApplication::clipboard()->setText(path,QClipboard::Clipboard); } diff --git a/trunk/registrynodetreemodel.cpp b/trunk/registrynodetreemodel.cpp index b6a0e8a..6f429d1 100644 --- a/trunk/registrynodetreemodel.cpp +++ b/trunk/registrynodetreemodel.cpp @@ -1,226 +1,229 @@ /******************************************************************************* * fred Copyright (c) 2011-2013 by Gillen Daniel * * * * Forensic Registry EDitor (fred) is a cross-platform M$ registry hive editor * * with special feautures useful during forensic analysis. * * * * This program is free software: you can redistribute it and/or modify it * * under the terms of the GNU General Public License as published by the Free * * Software Foundation, either version 3 of the License, or (at your option) * * any later version. * * * * This program is distributed in the hope that it will be useful, but WITHOUT * * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or * * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for * * more details. * * * * You should have received a copy of the GNU General Public License along with * * this program. If not, see . * *******************************************************************************/ #include "registrynodetreemodel.h" #include #include #include #include #include RegistryNodeTreeModel::RegistryNodeTreeModel(RegistryHive *p_hive, QObject *p_parent) : QAbstractItemModel(p_parent) { // Create root node. It's values will be used as header values. this->p_root_node=new RegistryNode(QList()<SetupModelData(p_hive,this->p_root_node); } RegistryNodeTreeModel::~RegistryNodeTreeModel() { delete this->p_root_node; } QVariant RegistryNodeTreeModel::data(const QModelIndex &index, int role) const { if(!index.isValid()) return QVariant(); if(role!=Qt::DisplayRole) return QVariant(); RegistryNode *p_node=static_cast(index.internalPointer()); switch(role) { case Qt::DisplayRole: { switch(index.column()) { case RegistryNodeTreeModel::ColumnContent_NodeName: { return p_node->Data(index.column()); break; } case RegistryNodeTreeModel::ColumnContent_NodeModTime: { QDateTime date_time; bool ok=false; date_time.setTimeSpec(Qt::UTC); date_time.setTime_t(RegistryHive::FiletimeToUnixtime( p_node->Data(index.column()).toLongLong(&ok))); if(ok) return date_time.toString("yyyy/MM/dd hh:mm:ss"); else return tr("Unknown"); break; } default: { return QVariant(); } } break; } default: { return QVariant(); } } + + // Control will never reach this, but in order to stop g++ complaining... + return QVariant(); } Qt::ItemFlags RegistryNodeTreeModel::flags(const QModelIndex &index) const { if(!index.isValid()) return 0; return Qt::ItemIsEnabled | Qt::ItemIsSelectable; } QVariant RegistryNodeTreeModel::headerData(int section, Qt::Orientation orientation, int role) const { // Only horizontal header is supported if(orientation!=Qt::Horizontal) return QVariant(); switch(role) { case Qt::TextAlignmentRole: // Handle text alignment return Qt::AlignCenter; break; case Qt::DisplayRole: // Header text return this->p_root_node->Data(section); break; default: return QVariant(); } } QModelIndex RegistryNodeTreeModel::index(int row, int column, const QModelIndex &parent) const { if(!this->hasIndex(row,column,parent)) return QModelIndex(); RegistryNode *p_parent_node; if(!parent.isValid()) { p_parent_node=this->p_root_node; } else { p_parent_node=static_cast(parent.internalPointer()); } RegistryNode *p_child_node=p_parent_node->Child(row); if(p_child_node) { return this->createIndex(row,column,p_child_node); } else { return QModelIndex(); } } QModelIndex RegistryNodeTreeModel::parent(const QModelIndex &index) const { if(!index.isValid()) return QModelIndex(); RegistryNode *p_child_node= static_cast(index.internalPointer()); RegistryNode *p_parent_node=p_child_node->Parent(); if(p_parent_node==this->p_root_node) { return QModelIndex(); } else { return this->createIndex(p_parent_node->Row(),0,p_parent_node); } } int RegistryNodeTreeModel::rowCount(const QModelIndex &parent) const { if(parent.column()>0) return 0; RegistryNode *p_parent_node; if(!parent.isValid()) { p_parent_node=this->p_root_node; } else { p_parent_node=static_cast(parent.internalPointer()); } return p_parent_node->ChildCount(); } int RegistryNodeTreeModel::columnCount(const QModelIndex &parent) const { Q_UNUSED(parent); return 2; } QList RegistryNodeTreeModel::GetIndexListOf(QString path) const { RegistryNode *p_parent_node=this->p_root_node; QList ret; QStringList nodes=path.split("\\",QString::SkipEmptyParts); bool found=false; // Create a list of all index's that form the supplied path ret.clear(); for(int i=0;iChildCount();ii++) { if(p_parent_node->Child(ii)->Data(0)==nodes.at(i)) { ret.append(this->createIndex(ii,0,p_parent_node->Child(ii))); p_parent_node=p_parent_node->Child(ii); found=true; break; } } // Break when last child node was found if(found && i==nodes.count()-1) break; // Return an empty list when a child node wasn't found else if(!found) return QList(); } return ret; } QString RegistryNodeTreeModel::GetNodePath(QModelIndex child_index) const { QString path; // Get current node name path=this->data(child_index,Qt::DisplayRole).toString().prepend("\\"); // Build node path by prepending all parent nodes names while(this->parent(child_index)!=QModelIndex()) { child_index=this->parent(child_index); path.prepend(this->data(child_index, Qt::DisplayRole).toString().prepend("\\")); } return path; } void RegistryNodeTreeModel::SetupModelData(RegistryHive *p_hive, RegistryNode *p_parent, int hive_node) { QMap hive_children; RegistryNode *p_node; int64_t key_mod_time; // Get all sub nodes of current hive node if(hive_node) hive_children=p_hive->GetNodes(hive_node); else hive_children=p_hive->GetNodes("\\"); if(hive_children.isEmpty()) return; // Recursivly iterate over all sub nodes QMapIterator i(hive_children); while(i.hasNext()) { i.next(); key_mod_time=p_hive->GetNodeModTime(i.value()); // TODO: Maybe we have to call GetErrorMsg in case an error occured p_node=new RegistryNode(QList()<AppendChild(p_node); this->SetupModelData(p_hive,p_node,i.value()); } } diff --git a/trunk/report_templates/NTUSER_Autoruns.qs b/trunk/report_templates/NTUSER_Autoruns.qs index 5ac0949..f0a40a0 100644 --- a/trunk/report_templates/NTUSER_Autoruns.qs +++ b/trunk/report_templates/NTUSER_Autoruns.qs @@ -1,61 +1,61 @@ function fred_report_info() { var info={report_cat : "NTUSER", report_name : "Autoruns", report_author : "Gillen Daniel", report_desc : "Dump autorun keys", fred_api : 2, hive : "NTUSER" }; return info; } function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } function print_table_row(cell01,cell02) { println(" ",cell01,"",cell02,""); } function ListAutoruns(autorun_path,autorun_key) { println("

"); println(" "+autorun_key+"
"); var run_keys=GetRegistryKeys(autorun_path+autorun_key); if(IsValid(run_keys) && run_keys.length>0) { println(" "); print_table_row("Name","Executable"); for(var i=0;i"); } else { println(" None"); } println("
"); } function fred_report_html() { var val; - println(""); - println(" User Autoruns"); - println(" "); +// println(""); +// println(" User Autoruns"); +// println(" "); println("
User Autoruns
"); // Run ListAutoruns("\\Microsoft\\Windows\\CurrentVersion\\","Run"); // RunOnce ListAutoruns("\\Microsoft\\Windows\\CurrentVersion\\","RunOnce"); // RunOnceEx ListAutoruns("\\Microsoft\\Windows\\CurrentVersion\\","RunOnceEx"); // TODO: There might be a Run under WindowsNT\CurrentVersion\Run too! - println(""); +// println(""); } diff --git a/trunk/report_templates/NTUSER_LaunchedApplications.qs b/trunk/report_templates/NTUSER_LaunchedApplications.qs index b90bdf8..1e4bb61 100644 --- a/trunk/report_templates/NTUSER_LaunchedApplications.qs +++ b/trunk/report_templates/NTUSER_LaunchedApplications.qs @@ -1,111 +1,111 @@ function fred_report_info() { var info={report_cat : "NTUSER", report_name : "Launched applications", report_author : "Gillen Daniel", report_desc : "Dump IE launched applications", fred_api : 2, hive : "NTUSER" }; return info; } function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } function PrintTableRow(cell01,cell02,cell03) { println(" "); } function Rot13Decode(val) { var ret=""; for(var i=0;i64 && decoded<91) || (decoded>96 && decoded<123)) { if((decoded-13)<65 || (decoded>96 && (decoded-13)<97)) { decoded=(decoded-13)+26; } else { if(decoded>96 && (decoded-13)<97) { decoded+=13; } else { decoded-=13; } } ret+=String.fromCharCode(decoded); } else { ret+=val[i]; } } return ret; } function PrintUserAssistEntry(key,val,os) { var run_count; var last_run; switch(os) { case "winxp": run_count=RegistryKeyValueToVariant(val.value,"uint32",4); break; case "win7": run_count=RegistryKeyValueToVariant(val.value,"uint32",4,0,1); last_run=RegistryKeyValueToVariant(val.value,"filetime",60); break; } PrintTableRow(key,run_count,last_run); } function fred_report_html() { - println(""); - println(" Launched Applications"); - println(" "); +// println(""); +// println(" Launched Applications"); +// println(" "); println("
Launched applications
"); // First, we need to find the correct GUID for the current Windows version var path; var apps; var os; // Windows XP os="winxp"; path="\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{5E6AB780-7743-11CF-A12B-00AA004AE837}\\Count"; apps=GetRegistryKeys(path); // TODO: Determine GUIDs for Vista / Win8 if(!IsValid(apps)) { // Windows 7 os="win7"; path="\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\\Count"; apps=GetRegistryKeys(path); } if(IsValid(apps)) { if(apps.length!=0) { println("
"); println("
",cell01," ",cell02," ",cell03,"
"); println(" "); for(var i=0;i"); println("
"); } else { println("
"); println(" The list of launched applications is empty."); println("
"); } } else { println("
"); println(" This registry hive does not contain a list of launched applications!"); println("
"); } } diff --git a/trunk/report_templates/NTUSER_RecentDocs.qs b/trunk/report_templates/NTUSER_RecentDocs.qs index bcac514..32228fe 100644 --- a/trunk/report_templates/NTUSER_RecentDocs.qs +++ b/trunk/report_templates/NTUSER_RecentDocs.qs @@ -1,54 +1,54 @@ function fred_report_info() { var info={report_cat : "NTUSER", report_name : "Recent documents", report_author : "Gillen Daniel", report_desc : "Dump recent docs", fred_api : 2, hive : "NTUSER" }; return info; } function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } function fred_report_html() { - println(""); - println(" Recent Documents"); - println(" "); +// println(""); +// println(" Recent Documents"); +// println(" "); println("
Recent documents
"); // Get list of recent docs var recent_docs=GetRegistryKeyValue("\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs","MRUListEx"); if(IsValid(recent_docs)) { // Iterate over all recent docs var i=0; var runlist=RegistryKeyValueToVariant(recent_docs.value,"uint32",i); if(Number(runlist)!=0xffffffff) { println("
"); println("
Application Run count Last run
"); while(Number(runlist)!=0xffffffff) { var entry=GetRegistryKeyValue("\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs",runlist.toString(10)); println(" "); i+=4; runlist=RegistryKeyValueToVariant(recent_docs.value,"uint32",i); } println("
",RegistryKeyValueToVariant(entry.value,"utf16",0),"
"); println("

"); } else { println("

"); println(" The list of recent documents is empty."); println("

"); } } else { println("

"); println(" This registry hive does not contain a list of recent documents!"); println("

"); } - println(""); +// println(""); } diff --git a/trunk/report_templates/NTUSER_TypedUrls.qs b/trunk/report_templates/NTUSER_TypedUrls.qs index bbd6b51..f5c4e1c 100644 --- a/trunk/report_templates/NTUSER_TypedUrls.qs +++ b/trunk/report_templates/NTUSER_TypedUrls.qs @@ -1,49 +1,49 @@ function fred_report_info() { var info={report_cat : "NTUSER", report_name : "Typed URLs", report_author : "Gillen Daniel", report_desc : "Dump typed URLs", fred_api : 2, hive : "NTUSER" }; return info; } function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } function fred_report_html() { - println(""); - println(" Typed Urls"); - println(" "); +// println(""); +// println(" Typed Urls"); +// println(" "); println("

Typed urls

"); // Iterate over all typed urls var typed_urls=GetRegistryKeys("\\Software\\Microsoft\\Internet Explorer\\TypedURLs"); if(IsValid(typed_urls)) { if(typed_urls.length!=0) { println("

"); println(" "); for(var i=0;i"); } println("
",RegistryKeyValueToString(val.value,val.type),"
"); println("

"); } else { println("

"); println(" The list of typed urls is empty."); println("

"); } } else { println("

"); println(" This registry hive does not contain a list of typed urls!"); println("

"); } - println(""); +// println(""); } diff --git a/trunk/report_templates/NTUSER_Windows7_SearchKeywords.qs b/trunk/report_templates/NTUSER_Windows7_SearchKeywords.qs index 68614b7..fe97c28 100644 --- a/trunk/report_templates/NTUSER_Windows7_SearchKeywords.qs +++ b/trunk/report_templates/NTUSER_Windows7_SearchKeywords.qs @@ -1,54 +1,54 @@ function fred_report_info() { var info={report_cat : "NTUSER", report_name : "Windows 7 search keywords", report_author : "Gillen Daniel", report_desc : "Dump Windows 7 search keywords", fred_api : 2, hive : "NTUSER" }; return info; } function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } function fred_report_html() { - println(""); - println(" Document And Folder Search Keywords"); - println(" "); +// println(""); +// println(" Document And Folder Search Keywords"); +// println(" "); println("

Document and folder search keywords

"); // Get list of search keys var mrulist=GetRegistryKeyValue("\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WordWheelQuery","MRUListEx"); if(IsValid(mrulist)) { // Iterate over all items var i=0; var runlist=RegistryKeyValueToVariant(mrulist.value,"uint32",i); if(Number(runlist)!=0xffffffff) { println("

"); println(" "); while(Number(runlist)!=0xffffffff) { var entry=GetRegistryKeyValue("\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WordWheelQuery",runlist.toString(10)); println(" "); i+=4; runlist=RegistryKeyValueToVariant(mrulist.value,"uint32",i); } println("
",RegistryKeyValueToVariant(entry.value,"utf16",0),"
"); println("

"); } else { println("

"); println(" The list of document and search keywords is empty."); println("

"); } } else { println("

"); println(" This registry hive does not contain a list of document and folder search keywords!"); println("

"); } - println(""); +// println(""); } diff --git a/trunk/report_templates/NTUSER_Windows7_TypedPaths.qs b/trunk/report_templates/NTUSER_Windows7_TypedPaths.qs index 864b46f..947a9c6 100644 --- a/trunk/report_templates/NTUSER_Windows7_TypedPaths.qs +++ b/trunk/report_templates/NTUSER_Windows7_TypedPaths.qs @@ -1,49 +1,49 @@ function fred_report_info() { var info={report_cat : "NTUSER", report_name : "Windows 7 typed paths", report_author : "Gillen Daniel", report_desc : "Dump Windows 7 typed paths", fred_api : 2, hive : "NTUSER" }; return info; } function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } function fred_report_html() { - println(""); - println(" Typed Paths"); - println(" "); +// println(""); +// println(" Typed Paths"); +// println(" "); println("

Typed paths

"); // Iterate over all typed paths var urls=GetRegistryKeys("\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths"); if(IsValid(urls)) { if(urls.length!=0) { println("

"); println(" "); for(var i=0;i"); } println("
",RegistryKeyValueToString(val.value,val.type),"
"); println("

"); } else { println("

"); println(" The list of typed paths is empty."); println("

"); } } else { println("

"); println(" This registry hive does not contain a list of typed paths!"); println("

"); } - println(""); +// println(""); } diff --git a/trunk/report_templates/NTUSER_WindowsLiveAccounts.qs b/trunk/report_templates/NTUSER_WindowsLiveAccounts.qs index ac9bb6b..c52547b 100644 --- a/trunk/report_templates/NTUSER_WindowsLiveAccounts.qs +++ b/trunk/report_templates/NTUSER_WindowsLiveAccounts.qs @@ -1,48 +1,48 @@ function fred_report_info() { var info={report_cat : "NTUSER", report_name : "Windows Live accounts", report_author : "Gillen Daniel", report_desc : "Dump Windows Live accounts", fred_api : 2, hive : "NTUSER" }; return info; } function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } function fred_report_html() { - println(""); - println(" Windows Live Accounts"); - println(" "); +// println(""); +// println(" Windows Live Accounts"); +// println(" "); println("

Windows live accounts

"); // Iterate over all contacts var accounts=GetRegistryKeys("\\Software\\Microsoft\\Windows Live Contacts\\Database"); if(IsValid(accounts)) { println("

"); println(" "); for(var i=0;i"); } accounts=GetRegistryKeys("\\Software\\Microsoft\\Windows Live Contacts\\Me"); for(var i=0;i"); } println("
",accounts[i]," ",RegistryKeyValueToString(val.value,val.type),"
",accounts[i]," ",RegistryKeyValueToString(val.value,val.type),"
"); println("

"); } else { println("

"); println(" This registry hive does not contain a list of Windows Live Accounts!"); println("

"); } - println(""); +// println(""); } diff --git a/trunk/report_templates/SAM_UserAccounts.qs b/trunk/report_templates/SAM_UserAccounts.qs index a78ec0c..f3ee71c 100644 --- a/trunk/report_templates/SAM_UserAccounts.qs +++ b/trunk/report_templates/SAM_UserAccounts.qs @@ -1,109 +1,109 @@ function fred_report_info() { var info={report_cat : "SAM", report_name : "User accounts", report_author : "Gillen Daniel", report_desc : "Dump Windows user accounts", fred_api : 2, hive : "SAM" }; return info; } function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } function print_table_row(cell01,cell02) { println(" ",cell01,"",cell02,""); } function print_v_info(v_key_value,info_name,str_off) { var offset=Number(RegistryKeyValueToVariant(v_key_value,"uint16",str_off))+0x0cc; var len=Number(RegistryKeyValueToVariant(v_key_value,"uint16",str_off+4))/2; if(len>0) print_table_row(info_name,RegistryKeyValueToVariant(v_key_value,"utf16",offset,len)); } function fred_report_html() { // See http://windowsir.blogspot.com/2006/08/getting-user-info-from-image.html - println(""); - println(" User Accounts"); - println(" "); +// println(""); +// println(" User Accounts"); +// println(" "); println("

User accounts

"); // Iterate over all user names var user_names=GetRegistryNodes("\\SAM\\Domains\\Account\\Users\\Names"); if(IsValid(user_names)) { for(var i=0;i"); // Print user name println(" ",user_names[i],"
"); println(" "); // Get user rid stored in "default" key var user_rid=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\Names\\",user_names[i]),""); user_rid=RegistryKeyTypeToString(user_rid.type); println(" "); // RegistryKeyTypeToString returns the rid prepended with "0x". We have to remove that for further processing user_rid=String(user_rid).substr(2); // Get user's V key and print various infos var v_key=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\",user_rid),"V"); print_v_info(v_key.value,"Full name:",0x18); print_v_info(v_key.value,"Comment:",0x24); print_v_info(v_key.value,"Home directory:",0x48); print_v_info(v_key.value,"Home directory drive:",0x54); print_v_info(v_key.value,"Logon script path:",0x60); print_v_info(v_key.value,"Profile path:",0x6c); // Get user's F key and print various infos var f_key=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\",user_rid),"F"); print_table_row("Last login time:",RegistryKeyValueToVariant(f_key.value,"filetime",8)); print_table_row("Last pw change:",RegistryKeyValueToVariant(f_key.value,"filetime",24)); print_table_row("Last failed login:",RegistryKeyValueToVariant(f_key.value,"filetime",40)); print_table_row("Account expires:",RegistryKeyValueToVariant(f_key.value,"filetime",32)); print_table_row("Total logins:",RegistryKeyValueToVariant(f_key.value,"uint16",66)); print_table_row("Failed logins:",RegistryKeyValueToVariant(f_key.value,"uint16",64)); var acc_flags=Number(RegistryKeyValueToVariant(f_key.value,"uint16",56)); print(" "); // Get password hint if available var hint=GetRegistryKeyValue(String().concat("\\SAM\\Domains\\Account\\Users\\",user_rid),"UserPasswordHint"); if(typeof hint !== 'undefined') { // Append missing trailing utf16 zero byte hint.value.appendByte(0); hint.value.appendByte(0); print_table_row("Password hint:",RegistryKeyValueToVariant(hint.value,"utf16")); } // TODO: User group membership println("

RID:

",Number(user_rid).toString(10)," (",user_rid,")","

Account flags:

"); if(acc_flags&0x0001) print("Disabled "); if(acc_flags&0x0002) print("HomeDirReq "); if(acc_flags&0x0004) print("PwNotReq "); if(acc_flags&0x0008) print("TempDupAcc "); // I don't think this would be useful to show //if(acc_flags&0x0010) print("NormUserAcc "); if(acc_flags&0x0020) print("MnsAcc "); if(acc_flags&0x0040) print("DomTrustAcc "); if(acc_flags&0x0080) print("WksTrustAcc "); if(acc_flags&0x0100) print("SrvTrustAcc "); if(acc_flags&0x0200) print("NoPwExpiry "); if(acc_flags&0x0400) print("AccAutoLock "); print(" (",acc_flags,")"); println("

"); println("

"); } } else { println("

"); println(" Unable to enumerate users!
"); println(" Are you sure you are running this report against the correct registry hive?"); println("

"); } - println(""); +// println(""); } diff --git a/trunk/report_templates/SOFTWARE_Autoruns.qs b/trunk/report_templates/SOFTWARE_Autoruns.qs index 20661b8..d335d70 100644 --- a/trunk/report_templates/SOFTWARE_Autoruns.qs +++ b/trunk/report_templates/SOFTWARE_Autoruns.qs @@ -1,61 +1,61 @@ function fred_report_info() { var info={report_cat : "SOFTWARE", report_name : "Autoruns", report_author : "Gillen Daniel", report_desc : "Dump autoruns", fred_api : 2, hive : "SOFTWARE" }; return info; } function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } function print_table_row(cell01,cell02) { println(" ",cell01,"",cell02,""); } function ListAutoruns(autorun_path,autorun_key) { println("

"); } println(" "); } else { println(" None"); } - println(""); +// println(""); } diff --git a/trunk/report_templates/SOFTWARE_WindowsVersion.qs b/trunk/report_templates/SOFTWARE_WindowsVersion.qs index 0871460..0a06fb3 100644 --- a/trunk/report_templates/SOFTWARE_WindowsVersion.qs +++ b/trunk/report_templates/SOFTWARE_WindowsVersion.qs @@ -1,109 +1,109 @@ function fred_report_info() { var info={report_cat : "SOFTWARE", report_name : "Windows version", report_author : "Gillen Daniel", report_desc : "Dump Windows version info", fred_api : 2, hive : "SOFTWARE" }; return info; } function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } function print_table_row(cell01,cell02) { println(" ",cell01,"",cell02,""); } function DecodeProductKey(arr) { //ProductKey is base24 encoded var keychars=new Array("B","C","D","F","G","H","J","K","M","P","Q","R","T","V","W","X","Y","2","3","4","6","7","8","9"); var key=new Array(30); var ret=""; var ncur; if(arr.length<66) return ret; arr=arr.mid(52,15); for(var ilbyte=24;ilbyte>=0;ilbyte--) { ncur=0; for(var ilkeybyte=14;ilkeybyte>=0;ilkeybyte--) { ncur=ncur*256^arr[ilkeybyte]; arr[ilkeybyte]=ncur/24; ncur%=24; } ret=keychars[ncur]+ret; if(ilbyte%5==0 && ilbyte!=0) ret="-"+ret; } return ret; } function fred_report_html() { - println(""); - println(" Windows version info"); - println(" "); +// println(""); +// println(" Windows version info"); +// println(" "); println("

Windows version info

"); // Windows version sp and build info var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","ProductName"); if(IsValid(val)) { println("

"); println(" "); print(" "); // Build string var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","BuildLab"); print_table_row("Build string:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a"); // Extended build string var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","BuildLabEx"); print_table_row("Extended build string:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a"); // Install date var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","InstallDate"); print_table_row("Install date:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"unixtime") : "n/a"); // Owner and Organization info var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","RegisteredOwner"); print_table_row("Registered owner:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a"); var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","RegisteredOrganization"); print_table_row("Registered organization:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a"); // Windows ID / Key var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","ProductId"); print_table_row("Product ID:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a"); var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","DigitalProductId"); if(IsValid(val)) { var key=DecodeProductKey(val.value); if(key!="BBBBB-BBBBB-BBBBB-BBBBB-BBBBB") print_table_row("Product Key:",key); else print_table_row("Product Key:","n/a (Probably a volume license key was used)"); } else print_table_row("Product Key:","n/a"); // Install directory / Source directory var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","PathName"); print_table_row("Install path:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a"); var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","SourcePath"); print_table_row("Source path:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a"); println("
Windows version: ",RegistryKeyValueToString(val.value,val.type)); var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","CSDVersion"); if(IsValid(val)) { print(" ",RegistryKeyValueToString(val.value,val.type)); } var val=GetRegistryKeyValue("\\Microsoft\\Windows NT\\CurrentVersion","CurrentBuildNumber"); if(IsValid(val)) { print(" build ",RegistryKeyValueToString(val.value,val.type)); } println("
"); println("

"); } else { println("

"); println(" Unable to get product name!
"); println(" Are you sure you are running this report against the correct registry hive?"); println("

"); } - println(""); +// println(""); } diff --git a/trunk/report_templates/SYSTEM_ShutdownTime.qs b/trunk/report_templates/SYSTEM_BackupRestore.qs similarity index 54% copy from trunk/report_templates/SYSTEM_ShutdownTime.qs copy to trunk/report_templates/SYSTEM_BackupRestore.qs index 4a3ecf1..9501ff2 100644 --- a/trunk/report_templates/SYSTEM_ShutdownTime.qs +++ b/trunk/report_templates/SYSTEM_BackupRestore.qs @@ -1,57 +1,65 @@ function fred_report_info() { var info={report_cat : "SYSTEM", - report_name : "Shutdown time", + report_name : "Backup / Restore settings", report_author : "Gillen Daniel", - report_desc : "Dump last known shutdown time", + report_desc : "Dump files / directories not to snapshot / backup and registry keys not to restore", fred_api : 2, hive : "SYSTEM" }; return info; } function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } function print_table_row(cell01,cell02) { println(" ",cell01,"",cell02,""); } +function ListValues(root_key) { + var values=GetRegistryKeys(root_key); + if(IsValid(values)) { + println("

"); + println(" "); + for(var i=0;i"); + println("
"); + } else { + println(" None"); + } +} + function fred_report_html() { var val; - println(""); - println(" Last known shutdown time"); - println(" "); - println("
Last known shutdown time
"); + println("
Backup / Restore settings
"); // Get current controlset var cur_controlset=GetRegistryKeyValue("\\Select","Current"); if(IsValid(cur_controlset)) { cur_controlset=RegistryKeyValueToString(cur_controlset.value,cur_controlset.type); // Current holds a DWORD value, thus we get a string like 0x00000000, but // control sets are referenced only with the last 3 digits. cur_controlset="ControlSet"+String(cur_controlset).substr(7,3); - - println("
"); - println("
"); - - print_table_row("Active control set:",cur_controlset); - - // Shutdown time - val=GetRegistryKeyValue(cur_controlset+"\\Control\\Windows","ShutdownTime"); - print_table_row("Shutdown time:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"filetime") : "Unknown"); - - println("
"); - println("
"); - println("

"); + + println(" Directories / files not to back up in Volume Shadow Copies"); + ListValues(cur_controlset+"\\Control\\BackupRestore\\FilesNotToSnapshot"); + println(" Directories / files not to back up or restore by backup apps"); + ListValues(cur_controlset+"\\Control\\BackupRestore\\FilesNotToBackup"); + println(" Registry nodes or values not to restore by backup apps"); + ListValues(cur_controlset+"\\Control\\BackupRestore\\KeysNotToRestore"); } else { println("

"); println(" Unable to determine current control set!
"); println(" Are you sure you are running this report against the correct registry hive?"); println("

"); } - - println(""); } diff --git a/trunk/report_templates/SYSTEM_CurrentNetworkSettings.qs b/trunk/report_templates/SYSTEM_CurrentNetworkSettings.qs index 5943e14..7a6dac4 100644 --- a/trunk/report_templates/SYSTEM_CurrentNetworkSettings.qs +++ b/trunk/report_templates/SYSTEM_CurrentNetworkSettings.qs @@ -1,141 +1,141 @@ function fred_report_info() { var info={report_cat : "SYSTEM", report_name : "Current network settings", report_author : "Gillen Daniel", report_desc : "Dump current network settings", fred_api : 2, hive : "SYSTEM" }; return info; } function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } function print_table_row(cell01,cell02) { println(" ",cell01,"",cell02,""); } function ZeroPad(number,padlen) { var ret=number.toString(10); if(!padlen || ret.length>=padlen) return ret; return Math.pow(10,padlen-ret.length).toString().slice(1)+ret; } function fred_report_html() { // See Appendix A: TCP/IP Configuration Parameters: // http://technet.microsoft.com/de-de/library/cc739819%28v=WS.10%29.aspx var val; - println(""); - println(" Current Network Settings (Tcp/Ip)"); - println(" "); +// println(""); +// println(" Current Network Settings (Tcp/Ip)"); +// println(" "); println("

Current network settings (Tcp/Ip)

"); // Get current controlset var cur_controlset=GetRegistryKeyValue("\\Select","Current"); if(IsValid(cur_controlset)) { cur_controlset=RegistryKeyValueToString(cur_controlset.value,cur_controlset.type); // Current holds a DWORD value, thus we get a string like 0x00000000, but // control sets are referenced by its decimal representation. cur_controlset="ControlSet"+ZeroPad(parseInt(String(cur_controlset).substr(2,8),16),3) println("

"); println(" "); print_table_row("Active control set:",cur_controlset); // Computer name val=GetRegistryKeyValue(cur_controlset+"\\Control\\ComputerName\\ComputerName","ComputerName"); print_table_row("Computer name:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : ""); println("
"); println("
"); // Iterate over all available network adapters var adapters=GetRegistryNodes(cur_controlset+"\\Services\\Tcpip\\Parameters\\Adapters"); for(var i=0;i",RegistryKeyValueToString(val.value,val.type),""); } else { - println(" ",adapters[i]); + println(" ",adapters[i],""); } // Get settings node var adapter_settings_node=GetRegistryKeyValue(cur_controlset+"\\Services\\Tcpip\\Parameters\\Adapters\\"+adapters[i],"IpConfig"); adapter_settings_node=RegistryKeyValueToVariant(adapter_settings_node.value,"utf16",0); println(" "); //print_table_row("Adapter id:",adapters[i]); // Get configuration mode val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"EnableDHCP"); val=Number(RegistryKeyValueToString(val.value,val.type)); if(val) { // DHCP enabled print_table_row("Configuration mode:","DHCP"); // DHCP server val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DhcpServer"); print_table_row("Last used DHCP server:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : ""); // IP address val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DhcpIPAddress"); print_table_row("IP address:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : ""); // Subnet mask val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DhcpSubnetMask"); print_table_row("Subnet mask:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : ""); // Nameserver(s) val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DhcpNameServer"); print_table_row("Nameserver(s):",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : ""); // Domain val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DhcpDomain"); print_table_row("Domain:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : ""); // Default gw val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DhcpDefaultGateway"); print_table_row("Default gateway:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"utf16",0) : ""); // Lease obtained val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"LeaseObtainedTime"); print_table_row("Lease obtained:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"unixtime",0) : ""); // Lease valid until val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"LeaseTerminatesTime"); print_table_row("Lease terminates:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"unixtime",0) : ""); } else { print_table_row("Configuration mode:","Manual"); // IP address val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"IPAddress"); print_table_row("IP address:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"utf16",0) : ""); // Subnet mask val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"SubnetMask"); print_table_row("Subnet mask:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"utf16",0) : ""); // Nameserver val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"NameServer"); print_table_row("Nameserver:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"utf16",0) : ""); // Domain val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"Domain"); print_table_row("Domain:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : ""); // Default gw val=GetRegistryKeyValue(cur_controlset+"\\Services\\"+adapter_settings_node,"DefaultGateway"); print_table_row("Default gateway:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"utf16",0) : ""); } // TODO: Check for EnableSecurityFilters, TCPAllowedPorts and UDPAllowedPorts to get firewall status. println("
"); println("
"); // TODO: Get persistent routes from \ControlSet001\Services\Tcpip\Parameters\PersistentRoutes } println("

"); } else { println("

"); println(" Unable to determine current control set!
"); println(" Are you sure you are running this report against the correct registry hive?"); println("

"); } - println(""); +// println(""); } diff --git a/trunk/report_templates/SYSTEM_Services.qs b/trunk/report_templates/SYSTEM_Services.qs index 54e85c7..4344e66 100644 --- a/trunk/report_templates/SYSTEM_Services.qs +++ b/trunk/report_templates/SYSTEM_Services.qs @@ -1,111 +1,111 @@ function fred_report_info() { var info={report_cat : "SYSTEM", report_name : "Services", report_author : "Gillen Daniel", report_desc : "Dump services", fred_api : 2, hive : "SYSTEM" }; return info; } function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } function ZeroPad(number,padlen) { var ret=number.toString(10); if(!padlen || ret.length>=padlen) return ret; return Math.pow(10,padlen-ret.length).toString().slice(1)+ret; } function PrintTableRow(cell01,cell02,cell03,cell04,cell05) { println(" ",cell01,"",cell02,"",cell03,"",cell04,"",cell05,""); } function ListService(service_node) { // Service name var name=GetRegistryKeyValue(service_node,"DisplayName"); name=(IsValid(name)) ? RegistryKeyValueToString(name.value,name.type) : "Unknwon"; // Service group var group=GetRegistryKeyValue(service_node,"Group"); group=(IsValid(group)) ? RegistryKeyValueToString(group.value,group.type) : ""; // Service exe var image=GetRegistryKeyValue(service_node,"ImagePath"); image=(IsValid(image)) ? RegistryKeyValueToString(image.value,image.type) : "Unknwon"; // Start var start=GetRegistryKeyValue(service_node,"Start"); start=(IsValid(start)) ? RegistryKeyValueToString(start.value,start.type) : -1; switch(Number(start)) { case 0: start="Boot"; break; case 1: start="System"; break; case 2: start="Automatic"; break; case 3: start="Manual"; break; case 4: start="Disabled"; break; default: start="Unknown"; } // Description var desc=GetRegistryKeyValue(service_node,"Description"); desc=(IsValid(desc)) ? RegistryKeyValueToString(desc.value,desc.type) : ""; PrintTableRow(name,group,start,image,desc) } function fred_report_html() { var val; - println(""); - println(" Services"); - println(" "); +// println(""); +// println(" Services"); +// println(" "); println("

Services

"); println(" "); println(" "); for(var i=0;i"); println("
"); } else { println("
"); println(" This registry hive does not contain any services!
"); println("
"); } } else { println("
"); println(" Unable to determine current control set!
"); println(" Are you sure you are running this report against the correct registry hive?"); println("
"); } - println(""); +// println(""); } diff --git a/trunk/report_templates/SYSTEM_ShutdownTime.qs b/trunk/report_templates/SYSTEM_ShutdownTime.qs index 4a3ecf1..443552b 100644 --- a/trunk/report_templates/SYSTEM_ShutdownTime.qs +++ b/trunk/report_templates/SYSTEM_ShutdownTime.qs @@ -1,57 +1,57 @@ function fred_report_info() { var info={report_cat : "SYSTEM", report_name : "Shutdown time", report_author : "Gillen Daniel", report_desc : "Dump last known shutdown time", fred_api : 2, hive : "SYSTEM" }; return info; } function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } function print_table_row(cell01,cell02) { println(" "); } function fred_report_html() { var val; - println(""); - println(" Last known shutdown time"); - println(" "); +// println(""); +// println(" Last known shutdown time"); +// println(" "); println("
Last known shutdown time
"); // Get current controlset var cur_controlset=GetRegistryKeyValue("\\Select","Current"); if(IsValid(cur_controlset)) { cur_controlset=RegistryKeyValueToString(cur_controlset.value,cur_controlset.type); // Current holds a DWORD value, thus we get a string like 0x00000000, but // control sets are referenced only with the last 3 digits. cur_controlset="ControlSet"+String(cur_controlset).substr(7,3); println("
"); println("
Name Group Startup Image path Description
",cell01," ",cell02,"
"); print_table_row("Active control set:",cur_controlset); // Shutdown time val=GetRegistryKeyValue(cur_controlset+"\\Control\\Windows","ShutdownTime"); print_table_row("Shutdown time:",(IsValid(val)) ? RegistryKeyValueToVariant(val.value,"filetime") : "Unknown"); println("
"); println("
"); println("

"); } else { println("

"); println(" Unable to determine current control set!
"); println(" Are you sure you are running this report against the correct registry hive?"); println("

"); } - println(""); +// println(""); } diff --git a/trunk/report_templates/SYSTEM_SystemTimeInfo.qs b/trunk/report_templates/SYSTEM_SystemTimeInfo.qs index 17b166f..588a14a 100644 --- a/trunk/report_templates/SYSTEM_SystemTimeInfo.qs +++ b/trunk/report_templates/SYSTEM_SystemTimeInfo.qs @@ -1,122 +1,122 @@ function fred_report_info() { var info={report_cat : "SYSTEM", report_name : "System time info", report_author : "Gillen Daniel", report_desc : "Dump system time info", fred_api : 2, hive : "SYSTEM" }; return info; } function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } function print_table_row(cell01,cell02) { println(" ",cell01,"",cell02,""); } function ToUTC(num) { var retnum=new Number(num); if(retnum&0x80000000) { retnum=((0xFFFFFFFF-retnum)+1)/60; return "UTC+"+Number(retnum).toString(10); } else { retnum=retnum/60; if(retnum!=0) return "UTC-"+Number(retnum).toString(10); else return "UTC+"+Number(retnum).toString(10); } } function ZeroPad(number,padlen) { var ret=number.toString(10); if(!padlen || ret.length>=padlen) return ret; return Math.pow(10,padlen-ret.length).toString().slice(1)+ret; } function fred_report_html() { var val; - println(""); - println(" System Time Info"); - println(" "); - println("

System time info (",cur_controlset,")

"); +// println(""); +// println(" System Time Info"); +// println(" "); + println("

System time info

"); println(" Time zone info"); println(" "); // Active time bias val=GetRegistryKeyValue(cur_controlset+"\\Control\\TimeZoneInformation","ActiveTimeBias"); print_table_row("Active time bias:",(IsValid(val)) ? ToUTC(RegistryKeyValueToString(val.value,val.type)) : "n/a"); // Std. tz name and bias val=GetRegistryKeyValue(cur_controlset+"\\Control\\TimeZoneInformation","StandardName"); print_table_row("Std. time zone name:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a"); val=GetRegistryKeyValue(cur_controlset+"\\Control\\TimeZoneInformation","StandardBias"); print_table_row("Std. time bias:",(IsValid(val)) ? ToUTC(RegistryKeyValueToString(val.value,val.type)) : "n/a"); // Daylight tz name and bias val=GetRegistryKeyValue(cur_controlset+"\\Control\\TimeZoneInformation","DaylightName"); print_table_row("Daylight time zone name:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a"); val=GetRegistryKeyValue(cur_controlset+"\\Control\\TimeZoneInformation","DaylightBias"); print_table_row("Daylight time bias:",(IsValid(val)) ? ToUTC(RegistryKeyValueToString(val.value,val.type)) : "n/a"); println("
"); println("
"); println(" W32Time service info"); println(" "); // Get W32Time service settings val=GetRegistryKeyValue(cur_controlset+"\\Services\\W32Time","Start"); if(IsValid(val)) { print(" "); // If service is enabled, get ntp server if(Number(val)<4) { val=GetRegistryKeyValue(cur_controlset+"\\Services\\W32Time\\Parameters","NtpServer"); print_table_row("NTP server(s):",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : "n/a"); } } else print_table_row("Startup method:","n/a"); println("
Startup method: "); val=RegistryKeyValueToString(val.value,val.type); switch(Number(val)) { case 0: print("Boot"); break; case 1: print("System"); break; case 2: print("Automatic"); break; case 3: print("Manual"); break; case 4: print("Disabled"); break; default: print("Unknown"); } println("
"); println("

"); } else { println("

"); println(" Unable to determine current control set!
"); println(" Are you sure you are running this report against the correct registry hive?"); println("

"); } - println(""); +// println(""); } diff --git a/trunk/report_templates/SYSTEM_UsbStorageDevices.qs b/trunk/report_templates/SYSTEM_UsbStorageDevices.qs index 3ed2517..e7cded4 100644 --- a/trunk/report_templates/SYSTEM_UsbStorageDevices.qs +++ b/trunk/report_templates/SYSTEM_UsbStorageDevices.qs @@ -1,150 +1,150 @@ function fred_report_info() { var info={report_cat : "SYSTEM", report_name : "USB storage devices", report_author : "Gillen Daniel", report_desc : "Dump USB storage devices", fred_api : 2, hive : "SYSTEM" }; return info; } function IsValid(val) { if(typeof val !== 'undefined') return true; else return false; } function print_table_row(cell01,cell02) { println(" ",cell01,"",cell02,""); } function ZeroPad(number,padlen) { var ret=number.toString(10); if(!padlen || ret.length>=padlen) return ret; return Math.pow(10,padlen-ret.length).toString().slice(1)+ret; } function fred_report_html() { // TODO: There is more here. Check http://www.forensicswiki.org/wiki/USB_History_Viewing var val; - println(""); - println(" USB Storage Devices"); - println(" "); +// println(""); +// println(" USB Storage Devices"); +// println(" "); println("

USB storage devices

"); // Preload MountedDevices to possibly identify mount points of USB storage devices var mnt_keys=GetRegistryKeys("\\MountedDevices"); var mnt_values=new Array(); if(IsValid(mnt_keys)) { for(var i=0;i"); println(" Settings
"); println(" "); // Are USB storage devices enabled? // http://www.forensicmag.com/article/windows-7-registry-forensics-part-5 // Is this true for WinXP etc.. ??? var val=GetRegistryKeyValue(cur_controlset+"\\services\\USBSTOR","Start"); if(IsValid(val)) { val=RegistryKeyValueToString(val.value,val.type); val=parseInt(String(val).substr(2,8),10); switch(val) { case 3: print_table_row("Storage driver enabled:","Yes"); break; case 4: print_table_row("Storage driver enabled:","No"); break; default: print_table_row("Storage driver enabled:","Unknown"); } } else { print_table_row("Storage driver enabled:","Unknown"); } println("

"); println("

"); println(" Devices
"); var storage_roots=GetRegistryNodes(cur_controlset+"\\Enum\\USBSTOR"); if(IsValid(storage_roots)) { for(var i=0;i",storage_roots[i],"
"); + println(" ",storage_roots[i],"
"); var storage_subroots=GetRegistryNodes(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]); for(ii=0;ii"); // If the second character of the unique instance ID is a '&', then the ID was // generated by the system, as the device did not have a serial number. if(String(storage_subroots[ii]).charAt(1)=="&") print_table_row("Unique ID:",storage_subroots[ii]+" (Generated by system)"); else print_table_row("Unique ID:",storage_subroots[ii]); val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"Class"); print_table_row("Class:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : ""); val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"DeviceDesc"); print_table_row("Device description:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : ""); val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"FriendlyName"); print_table_row("Friendly name:",(IsValid(val)) ? RegistryKeyValueToString(val.value,val.type) : ""); val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"ParentIdPrefix"); if(IsValid(val)) { // Windows XP uses the ParentId to link to MountedDevices var parent_id=RegistryKeyValueToString(val.value,val.type); print_table_row("Parent ID prefix:",parent_id); // Find mount point(s) print(" Mount point(s):"); var br=0; for(var iii=0;iii"); else br=1; print(mnt_keys[iii]); } } if(br==0) print("n/a"); println(""); } else { // Since Vista, Unique IDs are used // Find mount point(s) print(" Mount point(s):"); var br=0; for(var iii=0;iii"); else br=1; print(mnt_keys[iii]); } } if(br==0) print("n/a"); println(""); } println(" "); println("
"); } } } else { println(" This registry hive does not contain a list of attached USB storage devices!"); } println("

"); } else { println("

"); println(" Unable to determine current control set!
"); println(" Are you sure you are running this report against the correct registry hive?"); println("

"); } - println(""); +// println(""); }

User Autoruns

Launched applications

Recent documents

Typed urls

Document and folder search keywords

Typed paths

Windows live accounts

User accounts

System Autoruns

Profile List

Windows version info

Last known shutdown time

Backup / Restore settings

Current network settings (Tcp/Ip)

Services

Last known shutdown time

System time info (",cur_controlset,")

System time info

USB storage devices

",accounts[i],"	",RegistryKeyValueToString(val.value,val.type),"
",accounts[i],"	",RegistryKeyValueToString(val.value,val.type),"

Name	Group	Startup	Image path	Description
",cell01,"	",cell02,"