plugins.windows package¶

Submodules¶

plugins.windows.RVT_I30 module¶

class plugins.windows.RVT_I30.Block(buf, offset, parent=False, inode_fls=None, dir_inode=None, **kwargs)¶

Bases: object

Base class for structure blocks in the NTFS INDX format. A block is associated with an offset into a byte-string.

absolute_offset(offset)¶: Get the absolute offset from an offset relative to this block

static align(offset, alignment)¶: Return the offset aligned to the nearest greater given alignment Arguments: - offset: An integer - alignment: An integer

blk_offset()¶: Get the block offset respective to the beggining of the partition.

offset()¶: Equivalent to self.absolute_offset(0x0), which is the starting offset of this block.

pack_integer(offset, us_integer)¶: Inserts the little-endian unsigned short ‘us_integer’ to the relative ‘offset’.

parent()¶: Get the parent block. See the class documentation for what the parent link is.

unpack_bytestring(offset, length)¶: Returns a byte-string from the relative ‘offset’ with the given ‘length’.

unpack_integer(offset=0, format='<B')¶

Returns an integer from the buffer at ‘offset’, extracting in the specified ‘format’.

Arguments: - offset: The relative offset from the start of the block. - format: Struct format string. Throws: - OverrunBufferException

class plugins.windows.RVT_I30.NTATTR_DIRECTORY_INDEX_ENTRY(buf, offset, parent, *args, **kwargs)¶

Bases: plugins.windows.RVT_I30.NTATTR_STANDARD_INDEX_ENTRY

Main class for individual entries related to directory INDX records.

accessed_time(safe=True)¶

annotation()¶: Text for marking unreliable complete names of different sort.

attributes = {'MFTRecordChangeTime': (40, '<Q'), 'creationTime': (24, '<Q'), 'filenameLength': (80, '<B'), 'flags': (12, '<H'), 'lastAccessTime': (48, '<Q'), 'lastModifiedTime': (32, '<Q'), 'logicalSizeOfFile': (64, '<Q'), 'mftReference': (0, '<I'), 'padding': (14, '<B'), 'physicalSizeOfFile': (56, '<Q'), 'refParentDirectory': (16, '<I'), 'sizeOfIndexEntry': (8, '<H'), 'sizeOfStream': (10, '<H')}¶

changed_time(safe=True)¶

complete_name()¶: Compare full path from MFTName attribute with join(refParentDirectory, filename). Return a complete path if there is a match. Otherwise, mark the entries.

created_time(safe=True)¶

end_offset()¶: Return the first address (offset) not a part of this entry.

entry_inode()¶

filename()¶: Get filename from FILE_NAME attribute. Mark short format Windows filenames.

flags()¶

get_inode(attr)¶: For inode associated attributes, extract and return the inode number.

is_valid()¶: Check whether entry got the minimum significant info right.

logical_size()¶

mft_name()¶: Return the list of files associated with the entry inode. ‘NO FILENAME ASSOCIATED WITH INODE’ is returned if inode have no names associated.

modified_time(safe=True)¶

parent_directory()¶: Return the list of directories associated with the entry parent inode. Mark unreliable directories.

parent_inode()¶

parse_time(timestamp, safe=True)¶: Return a datetime object from a Windows timestamp Arguments: - timestamp: Windows timestamp value - safe: if True return the date of the UNIX epoch if there is an exception parsing the date

physical_size()¶

class plugins.windows.RVT_I30.NTATTR_DIRECTORY_INDEX_SLACK_ENTRY(buf, offset, parent, *args, **kwargs)¶

Bases: plugins.windows.RVT_I30.NTATTR_DIRECTORY_INDEX_ENTRY

Specific methods related to INDX entries in the slack space of blocks.

is_empty()¶

is_valid()¶: Check whether entry got the minimum significant info right.

class plugins.windows.RVT_I30.NTATTR_INDEX_ROOT_HEADER(buf, offset=0, parent=False, *args, **kwargs)¶

Bases: plugins.windows.RVT_I30.Block

INDX_ROOT block header fields. Methods to generate entry instances for the block.

entries()¶: Gnerator of INDX entries in INDX_ROOT data

entries_allocated_size()¶: Get the offset at which all entries end. Relative to node header.

entries_size()¶: Get the offset at which assigned entries end. Relative to node header.

entry_offset()¶: Get the offset of the first entry in this record. Relative to node header.

root_header_attr = {'EntryAllocatedSizeOffset': (24, '<I'), 'EntrySizeOffset': (20, '<I'), 'EntryStartOffset': (16, '<I'), 'IndexRecordSizeInBytes': (8, '<I'), 'TypeOfAttributeInIndex': (0, '<I'), 'flags': (28, '<B')}¶

class plugins.windows.RVT_I30.NTATTR_SDH_INDEX_ENTRY(buf, offset, parent, *args, **kwargs)¶: Bases: plugins.windows.RVT_I30.NTATTR_STANDARD_INDEX_ENTRY

class plugins.windows.RVT_I30.NTATTR_SII_INDEX_ENTRY(buf, offset, parent, *args, **kwargs)¶: Bases: plugins.windows.RVT_I30.NTATTR_STANDARD_INDEX_ENTRY

class plugins.windows.RVT_I30.NTATTR_STANDARD_INDEX_ENTRY(buf, offset, parent, *args, **kwargs)¶

Bases: plugins.windows.RVT_I30.Block

Generic index entry block node fields.

end_offset()¶: Return the first address (offset) not a part of this entry.

generic_attr = {'flags': (12, '<H'), 'sizeOfIndexEntry': (8, '<H'), 'sizeOfStream': (10, '<H')}¶

has_next()¶: True if the end offset of the entry does not overrun the total entries size.

next()¶: Return an instance of NTATTR_STANDARD_INDEX_ENTRY, which is the next entry after this one

size()¶: Get the size of the index entry.

class plugins.windows.RVT_I30.NTATTR_STANDARD_INDEX_HEADER(buf, offset, parent, *args, **kwargs)¶

Bases: plugins.windows.RVT_I30.Block

INDX_ALLOC block header fields. Methods to generate entry instances for the block.

block_end_offset()¶: Return the first address (offset) not a part of this block.

entries(indext='dir')¶: A generator that returns each INDX entry associated with this header.

entries_allocated_size()¶: Get the offset at which all entries end. Relative to node header.

entries_size()¶: Get the offset at which assigned entries end. Relative to node header.

entry_offset()¶: Get the offset of the first entry in this record. Relative to node header.

first_entry(indext='dir')¶: Return the first entry in the allocated space, if it’s a valid one.

header_attr = {'EntryAllocatedSizeOffset': (32, '<I'), 'EntrySizeOffset': (28, '<I'), 'NumFixupsOffset': (6, '<H'), 'fixupValueOffset': (40, '<H')}¶

set_directory_inode(first_entry=None)¶: Return the inode of the directory associated with this block. Arguments: - entry: the first entry of the block, to be taken as reference

slack_entries(indexdt='dir')¶: A generator that yields INDX entries found in the slack space associated with this header.

exception plugins.windows.RVT_I30.OverrunBufferException(readOffs, bufLen)¶: Bases: Exception

class plugins.windows.RVT_I30.ParseINDX(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

Parse INDX records in a disk through carving.

Configuration:

root: If True, parse also INDX_ROOT attributes.
skip_short: If True, do not output Windows short format filenames.
only_slack: If True, parse only the slack space in INDX_ALLOC blocks.
use_localstore: If True, store information about last parsed block in case execution is interrupted

get_INDX_ALLOC_files(partition)¶

Yields INDX_ALLOC records (single clusters), parsing the partition block by block. Only blocks starting with “INDX(” signature header are returned to be parsed.

Parameters: partition – Partition object.

get_INDX_ROOT_files(partition, deleted=0)¶

Yields INDX_ROOT attribute records, scanning each directory recursively in MFT.

Arguments partition: Partition object. deleted: Get only deleted (True) or undeleted (False) directories

parse_INDX(partition=None)¶: Main function to parse I30 files. Parse and yield INDX records for both ROOT and ALLOC entries in a partition.

parse_INDX_ALLOC_records(partition=None)¶: Yield dicts of parsed INDX_ALLOC entries for a partition.

parse_INDX_ROOT_records(partition=None)¶: Yield dicts of parsed INDX_ROOT entries for a partition.

read_config()¶

Read options from the configuration section.

This method should set default values for all available configuration options. The other module function will safely assume these options have correct values.

run(path='')¶: Generator of INDX entries as dictionaries. Also writes to csv files

plugins.windows.RVT_I30.datetime_to_windows_timestamp(dt)¶

plugins.windows.RVT_I30.entry_as_dict(entry, filename=False)¶: Return a dictionary with the relevant information for a parsed INDX entry.

plugins.windows.RVT_I30.parse_windows_timestamp(timestamp)¶: Return a datetime object from a windows timestamp (only up to the second precission, strips nanoseconds).

plugins.windows.RVT_UsnJrnl module¶

class plugins.windows.RVT_UsnJrnl.Usn(infile)¶

Bases: object

convertAttributes(fileAttributes)¶: Return the USN file attributes in a human-readable format

convertFileReference(buf)¶

convertReason(reason)¶: Return the USN reasons attribute in a human-readable format

convertTimestamp(timestamp)¶: Return a Win32 FILETIME value in a human-readable format

usn(infile)¶

class plugins.windows.RVT_UsnJrnl.UsnJrnl(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

complete_dir(folders, partition)¶

Reconstructs absolutepaths of inodes from information of UsnJrnl. If it’s not possible to reach root folder (inode 5), it uses $MFT entry. Such files are marked as unreliable

Parameters

folders (list) – folders
partition (str) – partiton name

static findFirstRecord(infile)¶

Returns a pointer to the first USN record found

Modified version of Dave Lassalle’s “parseusn.py” https://github.com/sans-dfir/sift-files/blob/master/scripts/parseusn.py

Parameters: infile (str) – filename

static findNextRecord(infile, journalSize)¶

Often there are runs of null bytes between USN records

This function reads through them and returns a pointer to the start of the next USN record

Parameters

infile (str) – filename
journalSize (int) – size of journal file

parseUsn(infile, partition)¶

Generator that returns a dictionary for every parsed record in UsnJrnl file.

Parameters

input_file (str) – path to UsnJrnl file
partition (str) – partition name

run(path='')¶: Parse UsnJrnl files of a disk

summaryUsn(infile, partition)¶: Return the relevant records from the UsnJrnl, adding full_path to filename

plugins.windows.RVT_activity_cache module¶

class plugins.windows.RVT_activity_cache.ActivitiesCache(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

run(path='')¶: Parses activities cache

plugins.windows.RVT_autorip module¶

class plugins.windows.RVT_autorip.Autorip(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

Uses multiple regripper plugins to parse the Windows registry and create a series of reports organized by theme.

Configuration:

outdir: output directory for generated files
voutdir: output directory for generated files in case of Volume Snapshots (vss)
errorfile: path to log file to register regripper errors
ripplugins: path to json file containing the organixed list of regripper plugins to run
pluginshives: path to json file associating each regripper plugin with a list of hives

generate_registry_output(p, regfiles)¶

Generates registry output files for a partition

Parameters: p (str) – partition number. Ex: ‘p03’

get_hives(p)¶

Obtain the paths to registry hives

Parameters: p (str) – partition number. Ex: ‘p03’

read_config()¶

Read options from the configuration section.

This method should set default values for all available configuration options. The other module function will safely assume these options have correct values.

run(path='')¶: Main function to generate report files

plugins.windows.RVT_autorip.write_registry_file(filename, pluginlist, hivedict, title, regfiles, rip='/opt/regripper/rip.pl', logger=<module 'logging' from '/usr/lib/python3.7/logging/__init__.py'>, logfile=None)¶

Generates a report file for a group of related regripper plugins.

Parameters

filename (str) – report filename
pluginlist (list) – list of plugins to execute
hivedict (dict) – relates plugin to hive files
title (str) – title of report file
regfiles (list) – list of hive files paths
rip (str) – path to rip.pl executable
logger (logging) – logging instance
logfile (file) – stream related to logfile

plugins.windows.RVT_bits module¶

plugins.windows.RVT_deleted module¶

plugins.windows.RVT_eventartifacts module¶

class plugins.windows.RVT_eventartifacts.Filter_Events(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

Filters events for generating a csv file

run(path=None)¶

Run the job on a path

Parameters: path (str) – the path to check.
Yields: If any, an iterable of elements with the output.

class plugins.windows.RVT_eventartifacts.Logon_rdp(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

Extracts logon and rdp artifacts

extractLogon(logID)¶

extractRDP(actID)¶

relateIDs(ev, actID)¶

relates events 4778 and 4779 with RDP events :param ev: event 4778 or 4779 to relate :type ev: dict :param actID: dict with list of RDP events with key ActivityID and values a list of events :type actID: dict

Returns: activityID closer to ev
Return type: str

run(path=None)¶

Attrs:: path (str): Absolute path to the parsed Security.xml

class plugins.windows.RVT_eventartifacts.Network(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

Extracts events related with wireless networking

Events should be sorted

run(path=None)¶

Attrs:: path (str): Absolute path to the parsed Security.xml

class plugins.windows.RVT_eventartifacts.Poweron(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

Extracts events of parsed Security.evtx

Events should be sorted

extractPower(events)¶

run(path=None)¶

Attrs:: path (str): Absolute path to the parsed Security.xml

class plugins.windows.RVT_eventartifacts.USB(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

Extracts events related with usb plugs

Events should be sorted

check(e, flag, plugins, plugoffs)¶: usb_main auxiliary function

run(path=None)¶: Extracts USB sticks’ plugins and plugoffs data

plugins.windows.RVT_eventartifacts.writemd(outfile, fields, eventlist, sorted=True)¶: writes md table sorting by first item and removing repeated rows :param outfile: output filename :type outfile: str :param fields: list of fields :type fields: list :param eventlist: list of rows of table :type eventlist: list of lists

plugins.windows.RVT_events module¶

class plugins.windows.RVT_events.EventJob(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

Base class to parse event log sources

get_evtx(path, regex_search)¶

Retrieve the evtx file to parse. Take ‘path’ if is defined and exists. Otherwise take first coincidence of the corresponding evtx file in the filesystem

Attrs:: path: path to evtx as defined in job regex_search: regex expression to search in file system allocated files

class plugins.windows.RVT_events.GetEvents(eventfile, config_file)¶

Bases: object

Extracts relevant event logs

Parameters: vss_dir (str) – vss folder or empty for normal allocated file

get_xpath_data(path, item, event, data)¶

parse()¶

class plugins.windows.RVT_events.OAlerts(config, section=None, local_config=None, from_module=None)¶

Bases: plugins.windows.RVT_events.EventJob

Extracts events of parsed OAlerts.evtx

run(path=None)¶

Attrs:: path (str): Absolute path to Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

class plugins.windows.RVT_events.ParseEvents(config, section=None, local_config=None, from_module=None)¶

Bases: plugins.windows.RVT_events.EventJob

Extracts events of default evtx logs

run(path=None)¶

Attrs:: path (str): Absolute path to evtx file

class plugins.windows.RVT_events.RDPClient(config, section=None, local_config=None, from_module=None)¶

Bases: plugins.windows.RVT_events.EventJob

Extracts events of Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx

run(path=None)¶

Attrs:: path (str): Absolute path to Microsoft-Windows-TerminalServices-RDPClient%4Operational.evtx

class plugins.windows.RVT_events.RDPLocal(config, section=None, local_config=None, from_module=None)¶

Bases: plugins.windows.RVT_events.EventJob

Extracts events of parsed Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

run(path=None)¶

Attrs:: path (str): Absolute path to Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx

class plugins.windows.RVT_events.Security(config, section=None, local_config=None, from_module=None)¶

Bases: plugins.windows.RVT_events.EventJob

Extracts events of Security.evtx

run(path=None)¶

Attrs:: path (str): Path to Security.evtx

class plugins.windows.RVT_events.System(config, section=None, local_config=None, from_module=None)¶

Bases: plugins.windows.RVT_events.EventJob

Extracts events of System.evtx

run(path=None)¶

Attrs:: path (str): Path to System.evtx

plugins.windows.RVT_exec module¶

class plugins.windows.RVT_exec.BAM(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

parse_BAM()¶

run(path='')¶

Run the job on a path

Parameters: path (str) – the path to check.
Yields: If any, an iterable of elements with the output.

class plugins.windows.RVT_exec.Prefetch(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

Parse prefetch

parse_Prefetch()¶

run(path='')¶

Run the job on a path

Parameters: path (str) – the path to check.
Yields: If any, an iterable of elements with the output.

class plugins.windows.RVT_exec.RFC(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

Parses RecentFileCache.bcf

parse_RFC()¶

run(path='')¶

Run the job on a path

Parameters: path (str) – the path to check.
Yields: If any, an iterable of elements with the output.

plugins.windows.RVT_exec.parse_RFC_file(fname)¶

Parses RecentFileCache.bcf

Parameters: fname (str) – file path

plugins.windows.RVT_exec.parse_prefetch_file(pf_file)¶

Parse individual file. Output is placed in ‘output’ dictionary

Parameters: pf_file (str) – list of filenames
Returns: dict with prefetch file information
Return type: dict

plugins.windows.RVT_hiberfil module¶

class plugins.windows.RVT_hiberfil.Hiberfil(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

get_win_profile(partition)¶

Gets volatility profile and windows version from reg_Info file

Parameters: partition (str) – partition number to get volatility profile
Returns: tuple of volatility profile and windows version
Return type: tuple

run(path='')¶: Get information of hiberfil.sys

vol_extract(archive, profile, version)¶

Extracts data from decompressed hiberfil files

Parameters

archive (str) – file to extract information
profile (str) – volatility profile
version (str) – windows version

plugins.windows.RVT_hives module¶

class plugins.windows.RVT_hives.AmCache(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

Parses Amcache.hve registry hive.

parse_amcache_entries(registry)¶

Return a generator of dictionaries describing each entry in the hive.

Fields:

KeyLastWrite: Possible application first executed time (must be tested)
AppPath: application path inside the volume
AppName: friendly name for application, if any
Sha1Hash: binary file SHA-1 hash value
GUID: Volume GUID the application was executed from

run(path='')¶

Run the job on a path

Parameters: path (str) – the path to check.
Yields: If any, an iterable of elements with the output.

class plugins.windows.RVT_hives.ScheduledTasks(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

Parses job files and schedlgu.txt.

parse_Task()¶

parse_schedlgu()¶

run(path='')¶

Run the job on a path

Parameters: path (str) – the path to check.
Yields: If any, an iterable of elements with the output.

class plugins.windows.RVT_hives.ShimCache(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

Extracts ShimCache information from registry hives.

parse_ShimCache_hive(sysfile)¶: Launch shimcache regripper plugin and parse results

run(path='')¶

Run the job on a path

Parameters: path (str) – the path to check.
Yields: If any, an iterable of elements with the output.

class plugins.windows.RVT_hives.SysCache(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

parse_SysCache_hive()¶

parse_syscache_csv(partition, text)¶

run(path='')¶

Run the job on a path

Parameters: path (str) – the path to check.
Yields: If any, an iterable of elements with the output.

class plugins.windows.RVT_hives.TaskFolder(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

run(path='')¶: Prints prefetch info from folder

plugins.windows.RVT_hives.parse_windows_timestamp(value)¶

plugins.windows.RVT_lnk module¶

class plugins.windows.RVT_lnk.Lnk(infile, encoding='cp1252', logger='')¶

Bases: object

Class to parse information from an lnk file. :param : infile (str): absolute path to lnk file :param : encoding (str): lnk file encoding

convertAttributes(fileAttributes)¶: Returns the file attributes in a human-readable format

convertFileReference(buf)¶

get_lnk_info()¶

gets information about lnk file

Output fields:: drive_type; drive_sn; machine_id; path; network_path; size; atributes; description; command line arguments; file_id; volume_id; birth_file_id; birth_volume_id; f_mtime; f_atime; f_ctime

class plugins.windows.RVT_lnk.LnkExtract(*args, **kwargs)¶

Bases: base.job.BaseModule

automaticDest_parser(files_list)¶

Parses automaticDest files

Parameters: files_list (list) – list of automaticDestinations-ms files to parse

customDest_parser(files_list)¶

Parses customDest files

Parameters: files_list (list) – list of customDestinations-ms files to parse

lnk_parser(files_list)¶

Parses all ‘.lnk’ files found for a user.

Parameters: files_list (list) – list of automaticDestinations-ms files to parse (relative to casedir)

read_config()¶

Read options from the configuration section.

This method should set default values for all available configuration options. The other module function will safely assume these options have correct values.

run(path='')¶: Parses lnk files, jumlists and customdestinations

class plugins.windows.RVT_lnk.LnkExtractAnalysis(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

report_recent(path)¶: Create a unique csv combining output from lnk and jumplists

run(path='')¶: Creates a report based on the output of LnkExtract.

class plugins.windows.RVT_lnk.LnkExtractFolder(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

run(path)¶

Parses lnk files from a folder

Parameters: path (string) – path with lnk files

plugins.windows.RVT_lnk.getFileTime(data0, data1)¶

plugins.windows.RVT_lnk.get_user_list(mount_path, vss=False)¶

plugins.windows.RVT_lnk.load_appID(myconfig=None)¶: Return a dictionary associating JumpList ID with applications.

plugins.windows.RVT_recycle module¶

class plugins.windows.RVT_recycle.Recycle(*args, **kwargs)¶

Bases: base.job.BaseModule

Obtain a summary of all files found in the Recycle Bin

Output file fields description:

Date: original file deletion date
Size: original deleted file size in bytes
File: path to file in Recycle Bin
OriginalName: original deleted file path
Inode: Inode number of the deleted file (it may not be allocated)
Status: allocation status of the Recycle Bin file.
User: user the recycle bin belongs to. If not found a SID is shown

generate_SID_user(partition)¶

static get_bin_name(fname, I_file=True)¶: Extract the 6 characters name assigned by the Recycle Bin

get_data(file, filepath, status='allocated', inode=0, user='')¶

Return a new record parsing file’s metadata. :param file: $I url or byte-string containing the data :type file: str or bytes :param filepath: name of the mount path to $I file :type filepath: str :param status: allocated, deleted, realloc :type status: str :param inode: inode of the $R file :type inode: int

Returns: keys = [Date, Size, File, OriginalName, Inode, Status, User]
Return type: dict

get_metadata(f, filepath)¶

Parse $I file and obtain metadata :param f: $I file_object :type f: str :param filepath: name of the mount path to $I file :type filepath: str

Returns: keys = [Date, Size, File, OriginalName]
Return type: dict

get_user_from_SID(SID, partition)¶: Return the user associated with a SID. Search in other partitions and vss for a user with same SID if not found in current partition.

locate_hives(partition)¶: Return the path to the main hives, as a dictionary.

parse_RecycleBin(partition=None)¶: Search all Recycle.Bin files found on the timeline. Both allocated and deleted.

run(path='')¶: Main function to extract $Recycle.bin files.

save_recycle_files(output_file, partition=None, sorting=True)¶: Sort recycle bin files by date and save to ‘output_file’ csv.

update_inode(inode, bin_code, file_status)¶

plugins.windows.RVT_recycle.filter_deleted_ending(path)¶: Strips ‘ (deleted)’ or ‘ (deleted-realloc)’ from the end of a path as given by ‘fls’.

plugins.windows.RVT_recycle.ms_time_to_unix(windows_time)¶

plugins.windows.RVT_registry module¶

class plugins.windows.RVT_registry.RegistryDump(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

get_hive_files(path)¶

Retrieves all hives found in source if path is not specified.

Attrs:: path: path to registry hive

parse_hive(hive_file, hive_name, user='')¶

run(path='')¶: Dumps all registry in json format

plugins.windows.RVT_srum module¶

class plugins.windows.RVT_srum.Srum(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

convert_to_csv(folder, partition, sheets='')¶: Convert xlsx sheets to multiple csv’s.

run(path='')¶: Extracts SRUM artifacts of a disk

plugins.windows.RVT_usb module¶

class plugins.windows.RVT_usb.USBAnalysis(config, section=None, local_config=None, from_module=None)¶: Bases: base.job.BaseModule

class plugins.windows.RVT_usb.USBSetupAPI(config, section=None, local_config=None, from_module=None)¶

Bases: base.job.BaseModule

parse_setupapi(setupapi_file, partition)¶

Extracts USB sticks’ data about drivers installation

Parameters

setupapi_file (str) – path to setupapi.dev.log file
partition (str) – partition identifier (ex: ‘p05’)

run(path='')¶

Run the job on a path

Parameters: path (str) – the path to check.
Yields: If any, an iterable of elements with the output.