Searching registries

I am going over this code https://github.com/markmckinnon/Autopsy-Plugins/blob/52e60781f2cbbb725de00f2f5e13c97c1672e262/Bam_Key/bam_key.py

I notice this files = fileManager.findFiles(dataSource, fileName, "Windows/System32/Config")

Searching for registries. I want to return all registry values, not just search for the ones in /windows/System32/Config.

How can I search for the registry key below, and return all its results?
HKEY_CLASSES_ROOT.skype

That line that you are mentioning will only return the hive file; it will not search in the hive. If you want to return all hive files then you will need to specify the hive file name you want and possibly the directory where it resides (though the directory is not a requirement). Once you have the hive files then you can search each one.

Hi, can you specify: if I have this input "HKEY_CURRENT_USER\SOFTWARE\Microsoft\ProtectedStorageSystemProvider",
how can I search for it?

files = fileManager.findFiles(dataSource, "HKEY_CURRENT_USER", "/SOFTWARE\Microsoft\ProtectedStorageSystemProvider")

??? that’s how?

No, the fileManager.findFiles is used to find files within the datasource that you are running the ingest on. In order to search the registry hives you first need to find the registry hives you are searching for, i.e. ntuser.dat. Once you have the AbstractFile you need to write the file to the temp directory with ContentUtils.writeToFile. From there you can start to search for the hive based on the key you want using the methods/functions found in the following libraries:

from com.williballenthin.rejistry import RegistryHiveFile
from com.williballenthin.rejistry import RegistryKey
from com.williballenthin.rejistry import RegistryParseException
from com.williballenthin.rejistry import RegistryValue

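An added example, not code from this thread, from Autopsy or from rejistry, written in plain Python so it runs outside Autopsy: it turns a full registry path such as HKLM\System\MountedDevices or HKEY_CURRENT_USER\SOFTWARE\Microsoft\ProtectedStorageSystemProvider into the hive file that physically stores it, the fileName and parentPath arguments for fileManager.findFiles, and the chain of subkeys to walk from the hive's root key with getSubkey, which is the search step the reply above describes. The walk is exercised against a constructed in-memory key tree (DictKey) that imitates getSubkey raising when a name is absent; the hive-to-folder mapping is the standard Windows layout, and per-user hives get an empty parentPath on purpose because profile folder names differ per user and per Windows version.

```python
"""Added example (not from the thread, Autopsy or rejistry): map a full registry
path to its hive file, to findFiles arguments, and to the subkeys to walk from the
hive root. DictKey is a constructed stand-in for a parser key object."""
import re

CONFIG_DIR = "Windows/System32/config"   # system hives live here on every NT release

ROOT_ALIASES = {
    "HKLM": "HKEY_LOCAL_MACHINE", "HKEY_LOCAL_MACHINE": "HKEY_LOCAL_MACHINE",
    "HKCU": "HKEY_CURRENT_USER", "HKEY_CURRENT_USER": "HKEY_CURRENT_USER",
    "HKU": "HKEY_USERS", "HKEY_USERS": "HKEY_USERS",
    "HKCR": "HKEY_CLASSES_ROOT", "HKEY_CLASSES_ROOT": "HKEY_CLASSES_ROOT",
}
# HKLM subtrees that are their own hive file in CONFIG_DIR. HKLM\HARDWARE is
# volatile and never on disk; COMPONENTS exists from Vista on.
HKLM_HIVES = {"SAM", "SECURITY", "SOFTWARE", "SYSTEM", "COMPONENTS"}


def split_key_path(path):
    """Accept either separator: the thread's code split on '/' while its key used '\\'."""
    return [p for p in re.split(r"[\\/]+", path.strip()) if p]


def resolve_registry_path(path):
    """Return [(hive_file_name, parent_path_for_findFiles, subkey_parts), ...].

    The hive's root key (e.g. $$$PROTO.HIV in NTUSER.DAT) is the starting object,
    not a path component. An empty parent path means 'anywhere in the data source'.
    Several candidates come back where the logical key is merged from two hives.
    """
    parts = split_key_path(path)
    if not parts or parts[0].upper() not in ROOT_ALIASES:
        raise ValueError("path must start with a registry root such as HKLM: %r" % path)
    root, rest = ROOT_ALIASES[parts[0].upper()], parts[1:]
    if root == "HKEY_LOCAL_MACHINE":
        if not rest or rest[0].upper() not in HKLM_HIVES:
            raise ValueError("not stored in a hive file: %r" % path)
        return [(rest[0].upper(), CONFIG_DIR, rest[1:])]
    if root == "HKEY_CURRENT_USER":
        if [p.upper() for p in rest[:2]] == ["SOFTWARE", "CLASSES"]:
            return [("UsrClass.dat", "", rest[2:])]      # per-user classes hive
        return [("NTUSER.DAT", "", rest)]
    if root == "HKEY_USERS":
        if not rest:
            raise ValueError("HKEY_USERS needs a SID or .DEFAULT: %r" % path)
        sid = rest[0].upper()
        if sid == ".DEFAULT":
            return [("DEFAULT", CONFIG_DIR, rest[1:])]
        if sid.endswith("_CLASSES"):
            return [("UsrClass.dat", "", rest[1:])]
        return [("NTUSER.DAT", "", rest[1:])]
    # HKEY_CLASSES_ROOT is a merged view of HKLM\SOFTWARE\Classes and the
    # current user's classes hive, so both have to be searched.
    return [("SOFTWARE", CONFIG_DIR, ["Classes"] + rest), ("UsrClass.dat", "", rest)]


def walk_key(root_key, subkey_parts, missing=(Exception,)):
    """Descend one subkey at a time like the thread's findRegistryKey, but return
    None when a component is absent instead of letting the exception escape the
    ingest loop. Under Jython pass missing=(java.util.NoSuchElementException,),
    which is what rejistry's RegistryKey.getSubkey raises."""
    key = root_key
    for name in subkey_parts:
        try:
            key = key.getSubkey(name)
        except missing:
            return None
    return key


class DictKey(object):
    """Constructed stand-in for a parser key: getName()/getSubkey() only, with
    case-insensitive name matching as the Windows registry has."""
    def __init__(self, name, children=()):
        self._name = name
        self._children = {c.getName().lower(): c for c in children}

    def getName(self):
        return self._name

    def getSubkey(self, name):
        try:
            return self._children[name.lower()]
        except KeyError:
            raise LookupError("Cannot find subkey with name " + name)


def demo():
    """Walk the thread's HKCU key against a constructed NTUSER.DAT tree."""
    ntuser_root = DictKey("$$$PROTO.HIV", [
        DictKey("AppEvents"), DictKey("Console"),
        DictKey("Software", [DictKey("Microsoft", [DictKey("ProtectedStorageSystemProvider")])]),
    ])
    hive, where, parts = resolve_registry_path(
        r"HKEY_CURRENT_USER\Software\Microsoft\ProtectedStorageSystemProvider")[0]
    found = walk_key(ntuser_root, parts)
    # SAM\Domains\Account\Users is not inside NTUSER.DAT, hence the thread's error.
    absent = walk_key(ntuser_root, split_key_path("SAM/Domains/Account/Users"))
    return hive, where, found and found.getName(), absent
```

Inside an Autopsy module the call becomes walk_key(hive.getRoot(), parts, missing=(NoSuchElementException,)) once the hive has been written out and opened with RegistryHiveFile. One caveat the mapping does not resolve: HKLM\SYSTEM\CurrentControlSet is a link that does not exist inside the SYSTEM file; read the Select\Current value and substitute ControlSet00N yourself.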

The whole code I am trying is quoted below.

I am trying to do it based on what you have done in the recycle bin module.

files = fileManager.findFiles(dataSource, "ntuser.dat", "")
First that is returning 0 files???

Then I am writing it

lclDbPath = os.path.join(temp_dir, file.getName())
ContentUtils.writeToFile(file, File(lclDbPath))

And then searching for the key

samRegFile = RegistryHiveFile(File(lclDbPath))
currentKey = self.findRegistryKey(samRegFile, self.registryKeyToFind)
message3 = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "Key Found", str(currentKey), str(currentKey))
IngestServices.getInstance().postMessage(message3)

Posting the key found to messages. I will modify that to return the file. However, the issue is I am getting 0 files for ntuser.dat??? Also please check my logic below. I want to find the registry key HKLM\System\MountedDevices (currently only this key, but the list of keys will be 1000; I am just trying one key for now).

from java.io import File
from java.util.logging import Level
from org.sleuthkit.autopsy.casemodule import Case
from org.sleuthkit.autopsy.coreutils import Logger
from org.sleuthkit.autopsy.datamodel import ContentUtils
from org.sleuthkit.autopsy.ingest import DataSourceIngestModule
from org.sleuthkit.autopsy.ingest import IngestMessage
from org.sleuthkit.autopsy.ingest import IngestModule
from org.sleuthkit.autopsy.ingest import IngestModuleFactoryAdapter
from org.sleuthkit.autopsy.ingest import IngestServices
from com.williballenthin.rejistry import RegistryHiveFile
import binascii
import codecs
import inspect
import os
import shutil


class RecBin2IngestModuleFactory(IngestModuleFactoryAdapter):

    def __init__(self):
        self.settings = None

    moduleName = "Recycle Bin Module"

    def getModuleDisplayName(self):
        return self.moduleName

    def getModuleDescription(self):
        return "Parse Recycle Bin Information for Vista and beyond"

    def getModuleVersionNumber(self):
        return "1.2"

    def hasIngestJobSettingsPanel(self):
        return False

    def isDataSourceIngestModuleFactory(self):
        return True

    def createDataSourceIngestModule(self, ingestOptions):
        return RecBin2IngestModule(self.settings)


class RecBin2IngestModule(DataSourceIngestModule):

    _logger = Logger.getLogger(RecBin2IngestModuleFactory.moduleName)

    def log(self, level, msg):
        self._logger.logp(level, self.__class__.__name__, inspect.stack()[1][3], msg)

    def __init__(self, settings):
        self.context = None

    def startUp(self, context):
        self.context = context
        # Key to look for in every hive that is found
        self.registryKeyToFind = 'HKLM\\System\\MountedDevices'

    def process(self, dataSource, progressBar):

        progressBar.switchToIndeterminate()

        skCase = Case.getCurrentCase().getSleuthkitCase()
        fileManager = Case.getCurrentCase().getServices().getFileManager()

        # Scratch directory under the case temp folder for the extracted hives
        Temp_Dir = Case.getCurrentCase().getTempDirectory()
        temp_dir = os.path.join(Temp_Dir, "recyclebin")
        self.log(Level.INFO, "create Directory " + temp_dir)
        try:
            os.mkdir(temp_dir)
        except OSError:
            self.log(Level.INFO, "recyclebin Directory already exists " + temp_dir)

        systemAbsFile = []
        # Every file named ntuser.dat anywhere in the data source; the empty
        # parent path places no restriction on the directory
        files = fileManager.findFiles(dataSource, "ntuser.dat", "")
        numFiles = len(files)
        self.log(Level.INFO, "Number of  Files found ==> " + str(numFiles))

        message2 = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "files found", str(numFiles), str(numFiles))
        IngestServices.getInstance().postMessage(message2)

        for file in files:

            if self.context.isJobCancelled():
                return IngestModule.ProcessResult.OK
            if True:
                # Prefix the temp name with the object id: several NTUSER.DAT
                # files share a name, and the previous one stays mapped by
                # RegistryHiveFile, so rewriting the same path fails on Windows
                lclDbPath = os.path.join(temp_dir, str(file.getId()) + "-" + file.getName())
                ContentUtils.writeToFile(file, File(lclDbPath))
                samRegFile = RegistryHiveFile(File(lclDbPath))
                currentKey = self.findRegistryKey(samRegFile, self.registryKeyToFind)
                message3 = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "Key Found", str(currentKey), str(currentKey))
                IngestServices.getInstance().postMessage(message3)

            else:
                self.log(Level.INFO, "Skipping File " + file.getName() + " In Path " + file.getParentPath())

        try:
            shutil.rmtree(temp_dir)
        except OSError:
            self.log(Level.INFO, "removal of directory tree failed " + temp_dir)

        message = IngestMessage.createMessage(IngestMessage.MessageType.DATA,
            "RecycleBin", " Recycle Bin Files Have Been Analyzed ")
        IngestServices.getInstance().postMessage(message)

        return IngestModule.ProcessResult.OK

    def findRegistryKey(self, registryHiveFile, registryKey):
        # Walk down from the hive's root key one subkey at a time. Both
        # separators are accepted since the key above is written with
        # backslashes. getSubkey raises java.util.NoSuchElementException
        # when a component does not exist in this hive.
        rootKey = registryHiveFile.getRoot()
        regKeyList = registryKey.replace('\\', '/').split('/')
        currentKey = rootKey
        for key in regKeyList:
            self.log(Level.INFO, "Key value is ==> " + key)
            self.log(Level.INFO, "Current Key is ==> " + str(currentKey))
            currentKey = currentKey.getSubkey(key)
        return currentKey

    def utf16decode(self, bytes):
        # Carried over from the recycle bin module; not used by process()
        bytes = binascii.hexlify(bytes)
        bytes = [bytes[i:i+2] for i in range(0, len(bytes), 2)]
        bytes = (''.join(filter(lambda a: a != '00', bytes)))
        bytes = codecs.decode(bytes, 'hex')
        return(bytes)

You can check above post code here too https://tinyurl.com/y5nvsv5d
just with the difference of imports.

Does the ntuser.dat actually exist in the data source? If not, in the Autopsy log file, how many files were found? In the code there is a log message set to show the number of files. Also in the findFiles you can get rid of the third argument "" as you do not need it.


Okay. I am getting 7 files found.
But if I modify self.registryKeyToFind = 'SAM/Domains/Account/Users' I am getting java.util.NoSuchElementException: Cannot find subkey with name SAM
What is a key that I can definitely find?

I am getting the error below; http://krikautopsy.atwebpages.com/recyclebin.json is the code.
Since I put these 4 lines in try and except:

try:
    samRegFile = RegistryHiveFile(File(lclDbPath))
    currentKey = self.findRegistryKey(samRegFile, self.registryKeyToFind)
    message3 = IngestMessage.createMessage(IngestMessage.MessageType.DATA, "Key Found", str(currentKey), str(currentKey))
    IngestServices.getInstance().postMessage(message3)
except:
    self.log(Level.INFO, "key not found ")

When key not found, I am getting below error in next loop.

SEVERE: Recycle Bin Module experienced an error during analysis (data source = nps-2009-domexusers.E01, objId = 1, pipeline id = 1, ingest job id = 9)
	at java.io.FileOutputStream.open0(Native Method)
	at java.io.FileOutputStream.open(FileOutputStream.java:270)
	at java.io.FileOutputStream.<init>(FileOutputStream.java:213)
	at org.sleuthkit.autopsy.datamodel.ContentUtils.writeToFile(ContentUtils.java:218)
	at org.sleuthkit.autopsy.datamodel.ContentUtils.writeToFile(ContentUtils.java:254)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)

java.io.FileNotFoundException: java.io.FileNotFoundException: C:\Users\forensics\Downloads\Case Registry Testing\Temp\recyclebin\NTUSER.DAT (The requested operation cannot be performed on a file with a user-mapped section open)

	org.python.core.Py.JavaError(Py.java:546)
	org.python.core.PyObject._jthrow(PyObject.java:3653)
	org.python.core.PyObject._jcall(PyObject.java:3660)
	org.python.proxies.Recycle_Bin$RecBin2IngestModule$569.process(Unknown Source)
	org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline$PipelineModule.process(DataSourceIngestPipeline.java:198)
	org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline.process(DataSourceIngestPipeline.java:111)
	org.sleuthkit.autopsy.ingest.IngestJobPipeline.process(IngestJobPipeline.java:943)
	org.sleuthkit.autopsy.ingest.DataSourceIngestTask.execute(DataSourceIngestTask.java:30)
	org.sleuthkit.autopsy.ingest.IngestManager$ExecuteIngestJobTasksTask.run(IngestManager.java:961)
	java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
	java.util.concurrent.FutureTask.run(FutureTask.java:266)
	java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	java.lang.Thread.run(Thread.java:748)
java.io.FileNotFoundException: C:\Users\forensics\Downloads\Case Registry Testing\Temp\recyclebin\NTUSER.DAT (The requested operation cannot be performed on a file with a user-mapped section open)
	org.python.core.Py.JavaError(Py.java:546)
	org.python.core.PyObject._jthrow(PyObject.java:3653)
	org.python.core.PyObject._jcall(PyObject.java:3660)
	org.python.proxies.Recycle_Bin$RecBin2IngestModule$569.process(Unknown Source)
	org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline$PipelineModule.process(DataSourceIngestPipeline.java:198)
	org.sleuthkit.autopsy.ingest.DataSourceIngestPipeline.process(DataSourceIngestPipeline.java:111)
	org.sleuthkit.autopsy.ingest.IngestJobPipeline.process(IngestJobPipeline.java:943)
	org.sleuthkit.autopsy.ingest.DataSourceIngestTask.execute(DataSourceIngestTask.java:30)
	org.sleuthkit.autopsy.ingest.IngestManager$ExecuteIngestJobTasksTask.run(IngestManager.java:961)
	java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
	java.util.concurrent.FutureTask.run(FutureTask.java:266)
	java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
	java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
	java.lang.Thread.run(Thread.java:748)
2020-11-01 13:57:55.257 org.sleuthkit.autopsy.ingest.IngestJobPipeline logInfoMessage
INFO: Finished first stage analysis (data source = nps-2009-domexusers.E01, objId = 1, pipeline id = 1, ingest job id = 9)
2020-11-01 13:57:55.257 org.sleuthkit.autopsy.ingest.IngestJobPipeline logInfoMessage
INFO: Finished analysis (data source = nps-2009-domexusers.E01, objId = 1, pipeline id = 1, ingest job id = 9)
2020-11-01 13:57:55.261 org.sleuthkit.autopsy.ingest.IngestManager finishIngestJob
INFO: Ingest job 1 completed

That is an image of a Mac, not Windows. The ntuser.dat file can only be found on a Windows OS.


Yes, but I keep getting key not found.

http://krikautopsy.atwebpages.com/recyclebin.json that’s the code.
Whatever I search, it seems self.log(Level.INFO, "Current Key is ==> " + str(currentKey.getName())) always prints $$$PROTO.HIV

I try SAM, or SAM/Domains/Account/Users, but nothing.

Yes, but the SAM is a Windows-only file as well, so you would not find it in that image. You might want to try the Narcos, Owl or Lone Wolf images from where you got the DC National Gallery image, which the Tracy image is part of.


I am using this image https://digitalcorpora.org/corpora/disk-images

nps-2009-domexusers — This is a disk image of a Windows XP SP3 system that has two users, domexuser1 and domexuser2, who communicate with a third user (domexuser3) via IM and email. Two versions of this disk image will be provided:

  • nps-2009-domexusers – The full system, distributed as an encrypted disk image.
  • nps-2009-domexusers-redacted – The full system with the Microsoft Windows executables redacted so that they cannot be executed.

which is not finding SAM.

http://krikautopsy.atwebpages.com/recyclebin.json

When I do getKeySubList after rootKey = registryHiveFile.getRoot()
regKeyList = registryKey.split('/')
currentKey = rootKey, I always get
AppEvents, Console, Control Panel, Environment, EUDC, keyboard Layout, Microsoft, Network, Printer, Software, System

No Sam.

rootKey = registryHiveFile.getRoot()
So my root key is $$$PROTO.HIV, and its subkey list is always AppEvents, Console, Control Panel, Environment, EUDC, Keyboard Layout, Microsoft, Network, Printer, Software, System.

where do I get to search for ‘SAM/Domains/Account/Users’ or ‘HKLM\System\MountedDevices’

The SAM hive is not found in NTUSER.DAT. It is stored in a file named SAM which can be found under WINDOWS/system32/config.
Autopsy has a built-in registry file viewer. You should use that to confirm the locations of the keys you are interested in. You might also find the output of RegRipper (which is run as part of the Recent Activity module) interesting.

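An added example, not code from the thread or from Autopsy/rejistry: once findFiles has returned candidate hives (the 7 ntuser.dat hits above, for instance, some of which may be deleted or carved copies), the 4096-byte base block at the start of each file says what it actually is before RegistryHiveFile is asked to open it. This plain-Python parser reads the 'regf' header: the embedded path names the hive regardless of the file name on disk, mismatched sequence numbers flag a hive written without its transaction logs applied, and the header checksum catches a truncated or damaged copy. The two hive headers it inspects are constructed with struct inside the block and labelled as such; no real image is needed.

```python
"""Added example (not from the thread, Autopsy or rejistry): inspect the base
block of a registry hive to confirm which hive it is and whether it is clean.
The sample headers are constructed fixtures, not bytes from a real image."""
import struct

REGF_MAGIC = b"regf"
BASE_BLOCK_SIZE = 4096
HBINS_OFFSET = 0x1000            # cell offsets in the base block are relative to the first hbin
HEADER_FMT = "<IIQ" + "I" * 7    # fields from offset 4 up to the file name at 0x30


def regf_checksum(block):
    """XOR of the 127 little-endian dwords before the checksum field at 0x1FC,
    with the two substitutions Windows applies (0xFFFFFFFF -> 0xFFFFFFFE, 0 -> 1)."""
    acc = 0
    for (dword,) in struct.iter_unpack("<I", block[:0x1FC]):
        acc ^= dword
    if acc == 0xFFFFFFFF:
        return 0xFFFFFFFE
    return acc or 1


def parse_regf_header(data):
    """Describe a hive file from its base block; ValueError if it is not one."""
    if len(data) < BASE_BLOCK_SIZE:
        raise ValueError("only %d bytes; a hive base block is %d" % (len(data), BASE_BLOCK_SIZE))
    block = bytes(data[:BASE_BLOCK_SIZE])
    if block[:4] != REGF_MAGIC:
        raise ValueError("no 'regf' signature: %r" % block[:4])
    (seq1, seq2, _last_written, major, minor, file_type, _fmt,
     root_cell, hbins_size, _cluster) = struct.unpack_from(HEADER_FMT, block, 4)
    # 64 bytes of UTF-16LE. Windows keeps only the tail of a long path, which is
    # why a SOFTWARE hive commonly shows 'emRoot\System32\Config\SOFTWARE'.
    name = block[0x30:0x70].decode("utf-16-le", "replace").split("\x00", 1)[0]
    return {
        "hive_name": name,
        "version": "%d.%d" % (major, minor),
        "is_primary": file_type == 0,        # 0 = primary hive; other values are transaction logs
        "dirty": seq1 != seq2,               # logs not yet applied when the file was captured
        "root_key_offset": HBINS_OFFSET + root_cell,
        "hbins_size": hbins_size,
        "checksum_ok": struct.unpack_from("<I", block, 0x1FC)[0] == regf_checksum(block),
    }


def hive_kind(header):
    """Last component of the embedded path, upper-cased: SAM, SYSTEM, NTUSER.DAT, ..."""
    return header["hive_name"].replace("/", "\\").rsplit("\\", 1)[-1].upper()


def build_sample_hive_header(hive_path, seq1=7, seq2=7, root_cell=0x20, hbins_size=0x1000):
    """Constructed fixture: a base block (no hive bins) for a version 1.5 primary
    hive with a valid checksum. seq1 != seq2 simulates a hive caught mid-write."""
    block = bytearray(BASE_BLOCK_SIZE)
    block[:4] = REGF_MAGIC
    struct.pack_into(HEADER_FMT, block, 4, seq1, seq2, 0, 1, 5, 0, 1, root_cell, hbins_size, 1)
    name = hive_path[-31:].encode("utf-16-le")   # tail only, as Windows stores it
    block[0x30:0x30 + len(name)] = name
    struct.pack_into("<I", block, 0x1FC, regf_checksum(bytes(block)))
    return bytes(block)


def demo():
    """Two constructed hives named like those in an XP image: a clean NTUSER.DAT
    and a SAM whose sequence numbers disagree."""
    ntuser = parse_regf_header(build_sample_hive_header(
        "\\??\\C:\\Documents and Settings\\domexuser1\\ntuser.dat"))
    sam = parse_regf_header(build_sample_hive_header(
        "\\??\\C:\\WINDOWS\\system32\\config\\SAM", seq1=12, seq2=11))
    return ntuser, sam
```

In an ingest module the same check runs on the bytes written out by ContentUtils.writeToFile; a file that fails the signature or checksum test, or that turns out to be a transaction log rather than a primary hive, is worth logging and skipping rather than handing to the parser.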

Thank you, I am going in that direction. I am also reading usrclass.dat.