コード例 #1
0
ファイル: RunKey.cs プロジェクト: WoodenshoeNL/PowerForensics
        public static RunKey[] GetInstances(string volume)
        {
            List<RunKey> list = new List<RunKey>();

            try
            {
                list.AddRange(Get(Util.GetVolumeLetter(volume) + @"\Windows\system32\config\SOFTWARE"));
            }
            catch
            {

            }

            foreach (string hivePath in RegistryHelper.GetUserHiveInstances(volume))
            {
                try
                {
                    list.AddRange(Get(hivePath));
                }
                catch
                {

                }
            }

            return list.ToArray();
        }
コード例 #2
0
        public static UserAssist[] GetInstances(string hivePath)
        {
            List<UserAssist> uaList = new List<UserAssist>();

            string Key = @"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist";

            byte[] bytes = Registry.Helper.GetHiveBytes(hivePath);

            NamedKey[] FileSubKey = NamedKey.GetInstances(bytes, hivePath, Key);

            foreach (NamedKey key in FileSubKey)
            {
                foreach (NamedKey nk in key.GetSubKeys(bytes, key.FullName))
                {
                    if (nk.NumberOfValues != 0)
                    {
                        foreach (ValueKey vk in nk.GetValues(bytes))
                        {
                            uaList.Add(new UserAssist(vk, bytes));
                        }
                    }
                }
            }
            return uaList.ToArray();
        }
コード例 #3
0
        public static NetworkList[] GetInstances(string hivePath)
        {
            if (RegistryHeader.Get(hivePath).HivePath.Contains("SOFTWARE"))
            {
                string Key = @"Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures";

                byte[] bytes = Registry.Helper.GetHiveBytes(hivePath);

                NamedKey[] SignatureKey = NamedKey.GetInstances(bytes, hivePath, Key);

                List<NetworkList> nlList = new List<NetworkList>();

                foreach (NamedKey key in SignatureKey)
                {
                    if (key.NumberOfSubKeys != 0)
                    {
                        foreach (NamedKey nk in key.GetSubKeys(bytes, key.FullName))
                        {
                            nlList.Add(new NetworkList(nk, bytes));
                        }
                    }
                }
                return nlList.ToArray();
            }
            else
            {
                throw new Exception("Invalid SOFTWARE hive provided to -HivePath parameter.");
            }
        }
コード例 #4
0
        internal static List Factory(byte[] bytes, byte[] subKeyListBytes, string type)
        {
            if (type == "lf")
            {
                return new Leaf(subKeyListBytes);
            }
            else if (type == "lh")
            {
                return new HashedLeaf(subKeyListBytes);
            }
            else if (type == "li")
            {
                return new LeafItem(subKeyListBytes);
            }
            else if (type == "ri")
            {
                List ri = new ReferenceItem(subKeyListBytes);

                List[] listArray = new List[ri.Count];

                for (int i = 0; i < ri.Offset.Length; i++)
                {
                    byte[] sublistBytes = NativeMethods.GetSubArray(bytes, ri.Offset[i], (uint)Math.Abs(BitConverter.ToInt32(bytes, (int)ri.Offset[i])));
                    string subtype = Encoding.ASCII.GetString(sublistBytes, 0x04, 0x02);

                    listArray[i] = List.Factory(bytes, sublistBytes, subtype);
                }

                ushort aggCount = 0;
                foreach (List l in listArray)
                {
                    aggCount += l.Count;
                }

                uint[] aggOffset = new uint[aggCount];
                int j = 0;
                foreach (List l in listArray)
                {
                    for (int k = 0; (k < l.Count) && (j < aggCount); k++)
                    {
                        aggOffset[j] = l.Offset[k];
                        j++;
                    }
                }

                return new ReferenceItem(aggCount, aggOffset);
            }
            else
            {
                return null;
            }
        }
コード例 #5
0
ファイル: RunKey.cs プロジェクト: WoodenshoeNL/PowerForensics
        public static RunKey[] Get(string hivePath)
        {
            List<string> Keys = new List<string>();
            string AutoRunLocation = null;

            if(RegistryHelper.isCorrectHive(hivePath, "SOFTWARE"))
            {
                Keys.AddRange(new string[] { @"Microsoft\Windows\CurrentVersion\Run", @"Microsoft\Windows\CurrentVersion\RunOnce", @"Wow6432Node\Microsoft\Windows\CurrentVersion\Run" });
                AutoRunLocation = @"HKLM\SOFTWARE\";
            } 
            else if(RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT"))
            {
                Keys.AddRange(new string[] { @"Software\Microsoft\Windows\CurrentVersion\Run", @"Software\Microsoft\Windows\CurrentVersion\RunOnce" });
                AutoRunLocation = @"USER\" + RegistryHelper.GetUserHiveOwner(hivePath) + "\\";
    
            }
            else
            {
                throw new Exception("Invalid SOFTWARE or NTUSER.DAT hive provided.");
            }

            byte[] bytes = RegistryHelper.GetHiveBytes(hivePath);
            List<RunKey> runList = new List<RunKey>();

            foreach(string key in Keys)
            {
                try
                {
                    NamedKey run = NamedKey.Get(bytes, hivePath, key);
                    if (run.NumberOfValues > 0)
                    {
                        foreach (ValueKey vk in run.GetValues(bytes))
                        {
                            runList.Add(new RunKey(AutoRunLocation + key, vk));
                        }
                    }
                }
                catch
                {

                }
            }
            
            return runList.ToArray();
        }
コード例 #6
0
        public static OutlookCatalog[] GetInstances(string volume)
        {
            List<OutlookCatalog> list = new List<OutlookCatalog>();

            foreach (string hivePath in RegistryHelper.GetUserHiveInstances(volume))
            {
                try
                {
                    list.AddRange(Get(hivePath));
                }
                catch
                {

                }
            }

            return list.ToArray();
        }
コード例 #7
0
        public static TrustRecord[] GetInstances(string volume)
        {
            List<TrustRecord> list = new List<TrustRecord>();

            foreach (string hivePath in RegistryHelper.GetUserHiveInstances(volume))
            {
                try
                {
                    list.AddRange(Get(hivePath));
                }
                catch
                {

                }
            }

            return list.ToArray();
        }
コード例 #8
0
ファイル: RunMRU.cs プロジェクト: JamesHabben/PowerForensics
        public static RunMRU[] GetInstances(string volume)
        {
            Helper.getVolumeName(ref volume);

            List<RunMRU> list = new List<RunMRU>();

            foreach (string hivePath in RegistryHelper.GetUserHiveInstances(volume))
            {
                try
                {
                    list.AddRange(Get(hivePath));
                }
                catch
                {

                }
            }

            return list.ToArray();
        }
コード例 #9
0
        public static NetworkList[] GetInstances(string hivePath)
        {
            string Key = @"Software\Microsoft\Windows NT\CurrentVersion\NetworkList\Signatures";

            byte[] bytes = Registry.Helper.GetHiveBytes(hivePath);

            NamedKey[] SignatureKey = NamedKey.GetInstances(bytes, hivePath, Key);

            List<NetworkList> nlList = new List<NetworkList>();

            foreach (NamedKey key in SignatureKey)
            {
                if (key.NumberOfSubKeys != 0)
                {
                    foreach (NamedKey nk in key.GetSubKeys(bytes, key.FullName))
                    {
                        nlList.Add(new NetworkList(nk, bytes));
                    }
                }
            }
            return nlList.ToArray();
        }
コード例 #10
0
        public static OutlookCatalog[] Get(string hivePath)
        {
            if (RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT"))
            {
                byte[] hiveBytes = RegistryHelper.GetHiveBytes(hivePath);

                string user = RegistryHelper.GetUserHiveOwner(hivePath);

                string OfficeVersion = RegistryHelper.GetOfficeVersion(hiveBytes, hivePath);

                List<OutlookCatalog> list = new List<OutlookCatalog>();

                NamedKey CatalogKey = null;

                if (OfficeVersion == "12.0")
                {
                    CatalogKey = NamedKey.Get(hiveBytes, hivePath, @"Software\Microsoft\Office\" + OfficeVersion + @"\Outlook\Catalog");
                }
                else
                {
                    CatalogKey = NamedKey.Get(hiveBytes, hivePath, @"Software\Microsoft\Office\" + OfficeVersion + @"\Outlook\Search\Catalog");
                }

                if (CatalogKey.NumberOfValues > 0)
                {
                    foreach (ValueKey vk in CatalogKey.GetValues())
                    {
                        list.Add(new OutlookCatalog(user, vk));
                    }
                }

                return list.ToArray();
            }
            else
            {
                throw new Exception("Invalid NTUSER.DAT hive provided to -HivePath parameter.");
            }
        }
コード例 #11
0
        public static TrustRecord[] Get(string hivePath)
        {
            if (RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT"))
            {
                string user = RegistryHelper.GetUserHiveOwner(hivePath);
                List<TrustRecord> trList = new List<TrustRecord>();

                byte[] bytes = RegistryHelper.GetHiveBytes(hivePath);
                string OfficeVersion = RegistryHelper.GetOfficeVersion(bytes, hivePath);
                string[] applications = new string[] { "Word", "Excel", "PowerPoint"};

                for(int i = 0; i < applications.Length; i++)
                {
                    try
                    {
                        StringBuilder sb = new StringBuilder();
                        sb.Append(@"Software\Microsoft\Office\").Append(OfficeVersion).Append("\\").Append(applications[i]).Append(@"\Security\Trusted Documents\TrustRecords");
                        NamedKey nk = NamedKey.Get(bytes, hivePath, sb.ToString());

                        foreach(ValueKey vk in nk.GetValues(bytes))
                        {
                            trList.Add(new TrustRecord(bytes, user, vk));
                        }
                    }
                    catch
                    {

                    }
                }

                return trList.ToArray();
            }
            else
            {
                throw new Exception("Invalid NTUSER.DAT hive provided to -HivePath parameter.");
            }
        }
コード例 #12
0
        internal static string[] GetUserHiveInstances(string volume)
        {
            List<string> userHiveList = new List<string>();

            IndexEntry[] entries = null;

            try
            {
                entries = IndexEntry.GetInstances(Util.GetVolumeLetter(volume) + @"\Users");
            }
            catch
            {
                try
                {
                    entries = IndexEntry.GetInstances(Util.GetVolumeLetter(volume) + @"\Documents and Settings");
                }
                catch
                {
                    throw new Exception("Could not locate User Registry Hives.");
                }
            }

            foreach (IndexEntry e in entries)
            {
                try
                {
                    userHiveList.Add(IndexEntry.Get(e.FullName + @"\NTUSER.DAT").FullName);
                }
                catch
                {

                }
            }

            return userHiveList.ToArray();
        }
コード例 #13
0
ファイル: FileMRU.cs プロジェクト: JamesHabben/PowerForensics
        public static FileMRU[] Get(string hivePath)
        {
            if (RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT"))
            {
                string user = RegistryHelper.GetUserHiveOwner(hivePath);
                List<FileMRU> fileList = new List<FileMRU>();

                byte[] bytes = RegistryHelper.GetHiveBytes(hivePath);
                NamedKey OfficeKey = RegistryHelper.GetOfficeKey(bytes, hivePath);

                foreach (NamedKey nk in OfficeKey.GetSubKeys(bytes))
                {
                    if (nk.Name == "Word" || nk.Name == "Excel" || nk.Name == "PowerPoint")
                    {
                        foreach (NamedKey k in nk.GetSubKeys(bytes))
                        {
                            if (k.Name == "File MRU")
                            {
                                foreach (ValueKey vk in k.GetValues(bytes))
                                {
                                    if (vk.Name != "Max Display")
                                    {
                                        fileList.Add(new FileMRU(user, (string)vk.GetData(bytes)));
                                    }
                                }
                            }
                        }
                    }
                }
                return fileList.ToArray();
            }
            else
            {
                throw new Exception("Invalid NTUSER.DAT hive provided to -HivePath parameter.");
            }
}
コード例 #14
0
 public static ForensicTimeline[] GetInstances(Amcache[] input)
 {
     List<ForensicTimeline> list = new List<ForensicTimeline>();
     foreach (Amcache a in input)
     {
         list.Add(Get(a));
     }
     return list.ToArray();
 }
コード例 #15
0
        public static ForensicTimeline[] Get(FileRecord input)
        {
            List<ForensicTimeline> macs = new List<ForensicTimeline>();
            if (input.SequenceNumber != 0)
            {
                #region DetermineTime

                Dictionary<DateTime, ACTIVITY_TYPE> dictionary = new Dictionary<DateTime, ACTIVITY_TYPE>();

                // Modified Time
                dictionary[input.ModifiedTime] = ACTIVITY_TYPE.m;

                // Access Time
                if (dictionary.ContainsKey(input.AccessedTime))
                {
                    dictionary[input.AccessedTime] = dictionary[input.AccessedTime] | ACTIVITY_TYPE.a;
                }
                else
                {
                    dictionary.Add(input.AccessedTime, ACTIVITY_TYPE.a);
                }

                // MFT Changed Time
                if (dictionary.ContainsKey(input.ChangedTime))
                {
                    dictionary[input.ChangedTime] = dictionary[input.ChangedTime] | ACTIVITY_TYPE.c;
                }
                else
                {
                    dictionary.Add(input.ChangedTime, ACTIVITY_TYPE.c);
                }

                // Born Time
                if (dictionary.ContainsKey(input.BornTime))
                {
                    dictionary[input.BornTime] = dictionary[input.BornTime] | ACTIVITY_TYPE.b;
                }
                else
                {
                    dictionary.Add(input.BornTime, ACTIVITY_TYPE.b);
                }

                #endregion DetermineTime

                foreach (var time in dictionary)
                {
                    string activity = ToFriendlyString(time.Value);
                    macs.Add(new ForensicTimeline(time.Key, activity, "MFT", "", input.FullName, input.ToString()));
                }

                return macs.ToArray();
            }
            else
            {
                macs.Add(new ForensicTimeline(new DateTime(1), "MACB", "MFT", "", "", ""));
                return macs.ToArray();
            }
        }
コード例 #16
0
 public static ForensicTimeline[] GetInstances(Prefetch[] input)
 {
     List<ForensicTimeline> list = new List<ForensicTimeline>();
     foreach (Prefetch pf in input)
     {
         foreach (ForensicTimeline t in Get(pf))
         {
             list.Add(t);
         }
     }
     return list.ToArray();
 }
コード例 #17
0
        public static ForensicTimeline[] Get(Prefetch input)
        {
            List<ForensicTimeline> mactimeList = new List<ForensicTimeline>();

            foreach (DateTime time in input.PrefetchAccessTime)
            {
                mactimeList.Add(new ForensicTimeline(time, "MACB", "PREFETCH", "", input.Path, input.ToString()));
            }

            return mactimeList.ToArray();
        }
コード例 #18
0
        public static ForensicTimeline[] Get(ShellLink input)
        {
            List<ForensicTimeline> macs = new List<ForensicTimeline>();

            #region DetermineTime

            Dictionary<DateTime, ACTIVITY_TYPE> dictionary = new Dictionary<DateTime, ACTIVITY_TYPE>();

            // Creation Time
            dictionary[input.CreationTime] = ACTIVITY_TYPE.b;

            // Access Time
            if (dictionary.ContainsKey(input.AccessTime))
            {
                dictionary[input.AccessTime] = dictionary[input.AccessTime] | ACTIVITY_TYPE.a;
            }
            else
            {
                dictionary.Add(input.AccessTime, ACTIVITY_TYPE.a);
            }

            // Modified Time
            if (dictionary.ContainsKey(input.WriteTime))
            {
                dictionary[input.WriteTime] = dictionary[input.WriteTime] | ACTIVITY_TYPE.m;
            }
            else
            {
                dictionary.Add(input.WriteTime, ACTIVITY_TYPE.m);
            }

            #endregion DetermineTime

            foreach (var time in dictionary)
            {
                string activity = ToFriendlyString(time.Value);
                macs.Add(new ForensicTimeline(time.Key, activity, "ShellLink", "", input.LocalBasePath, input.ToString()));
            }

            return macs.ToArray();
        }
コード例 #19
0
 public static ForensicTimeline[] GetInstances(ScheduledJob[] input)
 {
     List<ForensicTimeline> list = new List<ForensicTimeline>();
     foreach (ScheduledJob s in input)
     {
         list.Add(Get(s));
     }
     return list.ToArray();
 }
コード例 #20
0
        public static UserAssist[] Get(string hivePath)
        {
            if (RegistryHelper.isCorrectHive(hivePath, "NTUSER.DAT"))
            {
                List<UserAssist> uaList = new List<UserAssist>();

                string Key = @"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist";

                byte[] bytes = Registry.RegistryHelper.GetHiveBytes(hivePath);

                NamedKey[] FileSubKey = NamedKey.GetInstances(bytes, hivePath, Key);

                foreach (NamedKey key in FileSubKey)
                {
                    foreach (NamedKey nk in key.GetSubKeys(bytes))
                    {
                        if (nk.NumberOfValues != 0)
                        {
                            foreach (ValueKey vk in nk.GetValues(bytes))
                            {
                                uaList.Add(new UserAssist(RegistryHelper.GetUserHiveOwner(hivePath), vk, bytes));
                            }
                        }
                    }
                }
                return uaList.ToArray();
            }
            else
            {
                throw new Exception("Invalid NTUSER.DAT hive provided to -HivePath parameter.");
            }
        }
コード例 #21
0
        public static Amcache[] GetInstancesByPath(string hivePath)
        {
            string Key = @"Root\File";

            byte[] bytes = Registry.Helper.GetHiveBytes(hivePath);

            NamedKey[] FileSubKey = NamedKey.GetInstances(bytes, hivePath, Key);

            List<Amcache> amcacheList = new List<Amcache>();

            foreach (NamedKey key in FileSubKey)
            {
                foreach (NamedKey nk in key.GetSubKeys(bytes, key.FullName))
                {
                    amcacheList.Add(new Amcache(nk, bytes));
                }
            }
            return amcacheList.ToArray();
        }
コード例 #22
0
        internal static byte[] Get(byte[] bytes, ValueKey vk)
        {
            List<byte> contents = new List<byte>();
            
            byte[] dataBytes = PowerForensics.Helper.GetSubArray(bytes, (int)vk.DataOffset, Math.Abs(BitConverter.ToInt32(bytes, (int)vk.DataOffset)));

            short offsetCount = BitConverter.ToInt16(dataBytes, 0x06);
            uint offsetOffset = BitConverter.ToUInt32(dataBytes, 0x08) + RegistryHeader.HBINOFFSET;

            byte[] offsetBytes = Helper.GetSubArray(bytes, (int)offsetOffset, Math.Abs(BitConverter.ToInt32(bytes, (int)offsetOffset)));

            for (short i = 1; i <= offsetCount; i++)
            {
                uint segmentOffset = BitConverter.ToUInt32(offsetBytes, i * 0x04) + RegistryHeader.HBINOFFSET;
                contents.AddRange(Helper.GetSubArray(bytes, (int)segmentOffset + 0x04, Math.Abs(BitConverter.ToInt32(bytes, (int)segmentOffset)) - 0x08));
            }

            byte[] b = contents.ToArray();
            return Helper.GetSubArray(b, 0x00, b.Length);
        }
コード例 #23
0
 public static ForensicTimeline[] GetInstances(NamedKey[] input)
 {
     List<ForensicTimeline> list = new List<ForensicTimeline>();
     foreach (NamedKey nk in input)
     {
         list.Add(Get(nk));
     }
     return list.ToArray();
 }
コード例 #24
0
 public static ForensicTimeline[] GetInstances(ShellLink[] input)
 {
     List<ForensicTimeline> list = new List<ForensicTimeline>();
     foreach (ShellLink s in input)
     {
         foreach (ForensicTimeline t in Get(s))
         {
             list.Add(t);
         }
     }
     return list.ToArray();
 }
コード例 #25
0
 public static ForensicTimeline[] GetInstances(EventRecord[] input)
 {
     List<ForensicTimeline> list = new List<ForensicTimeline>();
     foreach (EventRecord er in input)
     {
         list.Add(Get(er));
     }
     return list.ToArray();
 }
コード例 #26
0
        public static Amcache[] GetInstancesByPath(string hivePath)
        {
            if (RegistryHeader.Get(hivePath).HivePath.Contains("Amcache.hve"))
            {
                string Key = @"Root\File";

                byte[] bytes = Registry.RegistryHelper.GetHiveBytes(hivePath);

                NamedKey[] FileSubKey = NamedKey.GetInstances(bytes, hivePath, Key);

                List<Amcache> amcacheList = new List<Amcache>();

                foreach (NamedKey key in FileSubKey)
                {
                    if(key.NumberOfSubKeys != 0)
                    {
                        foreach (NamedKey nk in key.GetSubKeys(bytes))
                        {
                            amcacheList.Add(new Amcache(nk, bytes));
                        }
                    }
                }
                return amcacheList.ToArray();
            }
            else
            {
                throw new Exception("Invalid Amcache.hve hive provided to -HivePath parameter.");
            }

        }
コード例 #27
0
        private static NamedKey[] GetInstances(byte[] bytes, NamedKey nk, bool recurse)
        {
            List<NamedKey> keyList = new List<NamedKey>();

            foreach(NamedKey subkey in nk.GetSubKeys(bytes, nk.FullName))
            {
                keyList.Add(subkey);

                if (subkey.NumberOfSubKeys > 0)
                {
                    keyList.AddRange(GetInstances(bytes, subkey, true));
                }
            }

            return keyList.ToArray();
        }
コード例 #28
0
 public static ForensicTimeline[] GetInstances(FileRecord[] input)
 {
     List<ForensicTimeline> list = new List<ForensicTimeline>();
     foreach (FileRecord r in input)
     {
         foreach (ForensicTimeline t in Get(r))
         {
             list.Add(t);
         }
     }
     return list.ToArray();
 }
コード例 #29
0
        private static Shimcache[] Get00000030(byte[] bytes)
        {
            int offset = BitConverter.ToInt32(bytes, 0x00);
            List<Shimcache> shimList = new List<Shimcache>();

            while (offset < bytes.Length)
            {
                if (Encoding.ASCII.GetString(bytes, offset, 0x04) == "10ts")
                {
                    int pathoffset = offset + 0x0E;
                    int pathlength = BitConverter.ToInt16(bytes, offset + 0x0C);
                    string path = Encoding.Unicode.GetString(bytes, pathoffset, pathlength);
                    DateTime lastModifiedTime = DateTime.FromFileTimeUtc(BitConverter.ToInt64(bytes, pathoffset + pathlength));

                    shimList.Add(new Shimcache(path, lastModifiedTime, 0, new DateTime(0)));

                    offset += (BitConverter.ToInt32(bytes, offset + 0x08) + 0x0C);
                }
                else
                {
                    break;
                }
            }

            return shimList.ToArray();
        }
コード例 #30
0
 public static ForensicTimeline[] GetInstances(UsnJrnl[] input)
 {
     List<ForensicTimeline> list = new List<ForensicTimeline>();
     foreach (UsnJrnl u in input)
     {
         list.Add(Get(u));
     } 
     return list.ToArray();
 }