diff --git a/trunk/report_templates/NTUSER_RecentDocs.qs b/trunk/report_templates/NTUSER_RecentDocs.qs
index d49215e..a0f9127 100644
--- a/trunk/report_templates/NTUSER_RecentDocs.qs
+++ b/trunk/report_templates/NTUSER_RecentDocs.qs
@@ -1,26 +1,23 @@
 println("");
 println(" Recent Documents");
-println(" ");
+println(" ");
 println("

Recent documents

"); -println("

"); +println("

"); +println(" "); -// Iterate over all recent docs +// Get list of recent docs var recent_docs=GetRegistryKeyValue("\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs","MRUListEx"); + +// Iterate over all recent docs var i=0; var runlist=RegistryKeyValueToVariant(recent_docs.value,"uint32",i); - -/* -println(runlist.toString(10),"
"); -var entry=GetRegistryKeyValue("\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs",runlist.toString(10)); -println("  ",RegistryKeyValueToVariant(entry.value,"utf16",0),"
"); -*/ - while(Number(runlist)!=0xffffffff) { var entry=GetRegistryKeyValue("\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs",runlist.toString(10)); - println("  ",RegistryKeyValueToVariant(entry.value,"utf16",0),"
"); + println(" "); i+=4; runlist=RegistryKeyValueToVariant(recent_docs.value,"uint32",i); } +println("
",RegistryKeyValueToVariant(entry.value,"utf16",0),"
"); println("

"); println(""); diff --git a/trunk/report_templates/NTUSER_TypedUrls.qs b/trunk/report_templates/NTUSER_TypedUrls.qs new file mode 100644 index 0000000..29ecb94 --- /dev/null +++ b/trunk/report_templates/NTUSER_TypedUrls.qs @@ -0,0 +1,17 @@ +println(""); +println(" Typed Urls"); +println(" "); +println("
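Review bot: The MRUListEx walk at `while(Number(runlist)!=0xffffffff)` relies on the 0xffffffff terminator being present and on every numbered value it references existing; a truncated or hand-edited hive makes `i+=4` read past the end of the value, and a missing numbered value leaves `entry` undefined so `entry.value` raises a script error instead of producing a partial report. A guard such as `if(typeof entry==='undefined') break;` before the row is printed, plus bounding the loop on the value's length if the byte array exposes one (presumably `recent_docs.value.length`, to be confirmed against the host API), keeps the template best-effort on malformed data. The same undefined check belongs on `recent_docs` itself for profiles without a RecentDocs key, which the SYSTEM_UsbStorageDevices template in this commit already does with `typeof val !== 'undefined'`. The document names printed here come from the examined user's hive and appear to be written into the report markup unescaped (the tags are not visible in this extraction), so a crafted file name could inject markup into a browser-based report viewer; escaping `&`, `<` and `>` at print time would close that.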

Typed urls

"); +println("

"); +println(" "); + +// Iterate over all typed urls +var typed_urls=GetRegistryKeys("\\Software\\Microsoft\\Internet Explorer\\TypedURLs"); +for(var i=0;i"); +} + +println("
",RegistryKeyValueToString(val.value,val.type),"
"); +println("

"); +println(""); diff --git a/trunk/report_templates/SYSTEM_UsbStorageDevices.qs b/trunk/report_templates/SYSTEM_UsbStorageDevices.qs new file mode 100644 index 0000000..32d7353 --- /dev/null +++ b/trunk/report_templates/SYSTEM_UsbStorageDevices.qs @@ -0,0 +1,43 @@ +// TODO: There is more here. Check http://www.forensicswiki.org/wiki/USB_History_Viewing + +function print_table_row(cell01,cell02) { + println(" ",cell01,"",cell02,""); +} + +// Global vars +var val; + +// Get current controlset +var cur_controlset=GetRegistryKeyValue("\\Select","Current"); +cur_controlset=RegistryKeyValueToString(cur_controlset.value,cur_controlset.type); +// Current holds a DWORD value, thus we get a string like 0x00000000, but +// control sets are referenced only with the last 3 digits. +cur_controlset="ControlSet"+String(cur_controlset).substr(7,3); + +println(""); +println(" USB Storage Devices"); +println(" "); +println("
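Review bot: The loop over `typed_urls` has no check that the TypedURLs key exists, so on a profile where Internet Explorer was never used the `.length` access fails if `GetRegistryKeys` returns undefined for a missing key; `if(typeof typed_urls==='undefined') typed_urls=[];` before the loop keeps the template consistent with the `typeof val !== 'undefined'` guards used in the USB template of this commit. The rows are emitted in whatever order `GetRegistryKeys` returns the value names, and the url1..urlN naming (url1 being the most recently typed) is the only MRU ordering available here, so unless that order is already numeric the report loses the timeline; sorting by the numeric suffix, or printing the value name in a second cell next to the URL, preserves it. Typed URLs are content chosen by the person being examined and `RegistryKeyValueToString(val.value,val.type)` appears to be written straight into the report markup; escaping `&`, `<` and `>` would stop a deliberately typed string from injecting markup into the report. The loop body between `for(var i=0;` and the closing `}` is not readable in this extraction, so the `val` assignment could not be reviewed.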

USB storage devices

"); +println("

"); + +var storage_roots=GetRegistryNodes(cur_controlset+"\\Enum\\USBSTOR"); +for(var i=0;i",storage_roots[i],"
"); + var storage_subroots=GetRegistryNodes(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]); + for(ii=0;ii"); + // Note: If the second character of the unique instance ID is a '&', then the ID was + // generated by the system, as the device did not have a serial number. + print_table_row("Unique ID:",storage_subroots[ii]); + + val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"Class"); + print_table_row("Class:",(typeof val !== 'undefined') ? RegistryKeyValueToString(val.value,val.type) : ""); + val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"DeviceDesc"); + print_table_row("Device description:",(typeof val !== 'undefined') ? RegistryKeyValueToString(val.value,val.type) : ""); + val=GetRegistryKeyValue(cur_controlset+"\\Enum\\USBSTOR\\"+storage_roots[i]+"\\"+storage_subroots[ii],"FriendlyName"); + print_table_row("Friendly name:",(typeof val !== 'undefined') ? RegistryKeyValueToString(val.value,val.type) : ""); + } +} + +println("

"); +println("");
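Review bot: The current control set is taken with `String(cur_controlset).substr(7,3)`, which silently produces a wrong key name if `RegistryKeyValueToString` ever renders the DWORD other than as `0x%08x`, and `cur_controlset.value` throws when `Select\Current` is absent even though every later lookup in the hunk is guarded with `typeof val !== 'undefined'`. Deriving the name from the number is format-independent and shorter: `var n=Number(String(cur_controlset)); cur_controlset="ControlSet"+("000"+n).slice(-3);`, placed after an undefined check on the `Select` lookup. `ii` in the inner `for` is assigned without `var` and so becomes a global in the script engine; `for(var ii=0; ...` keeps it local like `i`. `DeviceDesc` and `FriendlyName` originate in descriptors reported by the USB device itself, so they are attacker-controlled bytes that `print_table_row` appears to write into the report markup verbatim (the tags are not visible in this extraction); escaping `&`, `<` and `>` inside `print_table_row` would keep a malicious device from injecting markup into the examiner's report.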