modules/edb.py

import os
import logger
import tomb
import winver
from modules.module import Module
from mount import mount,umount
from runcmd import runProcess
import time
def getInstance():
    return RegistryModule()
class RegistryModule(Module):
    def __init__(self):
        self.name = "edb"
        self.description = "Extracts Windows EDB file"
        self.requiredVars = ["winvol"]
        self.vars = {}
    def execute(self):
        path = tomb.getPath() + self.name + "/"
        if(not os.path.exists(path)):
            os.mkdir(path)
        logger.msgLog("Extracting Windows EDB from volumes: " + repr(self.vars['winvol'].value), "edb", logger.TYPE_INFO)
        for vol in self.vars['winvol'].value:
            mntpoint = "/mnt/"
            try:
                mntid = mount("/dev/" + vol)
            except:
                raise
            mntpoint += mntid
            files = []
            if winver.getWindowsDirectory(mntpoint) == None:
                raise Exception("No Windows installation present")
            version = winver.getWindowsVersion(mntpoint)
            if version < winver._WIN_XP:
                raise Exception("No Windows Search EDB file in versions prior to Windows 2000")
            elif version < winver._WIN_VISTA:
                files += [mntpoint + "/Documents and Settings/All Users/Application Data/Microsoft/Search/Data/Applications/Windows/Windows.edb"]
            else:
                files += [mntpoint + "/ProgramData/Microsoft/Search/Data/Applications/Windows/Windows.edb"]
            runProcess(["tar","-czvf",path + "evt_" + vol + "_" + str(int(time.time())) + ".tar.gz"] + files)
            try:
                umount(mntid)
            except:
                raise