import os
import logger
import tomb
import winver
from modules.module import Module
from mount import mount,umount
from runcmd import runProcess
def getInstance():
    """Factory hook for the module loader: return a fresh RegistryModule."""
    module = RegistryModule()
    return module
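class RegistryModule(Module):
    """Tomb module that collects the Windows Search index file (Windows.edb).

    For each volume listed in the ``winvol`` variable the module mounts the
    device, locates Windows.edb at the version-specific path and packs it into
    a gzip'd tar under ``<tomb path>/edb/``.

    NOTE(review): the class name (RegistryModule) and the ``evt_`` archive
    prefix look copied from another module. The archive name is deliberately
    left unchanged so existing consumers keep finding their files, but both
    are worth renaming.
    """

    def __init__(self):
        self.name = "edb"
        self.description = "Extracts Windows EDB file"
        # Variables the framework must populate in self.vars before execute().
        self.requiredVars = ["winvol"]
        self.vars = {}

    @staticmethod
    def _check_volume_name(vol):
        """Reject volume names that could escape /dev or the output directory.

        ``vol`` is appended to "/dev/" for mounting and used to build the
        archive file name, so an absolute path or a ".." component in a
        malformed configuration value would let the module open an arbitrary
        device node or write outside the tomb directory.

        Raises:
            ValueError: if ``vol`` is empty, absolute, or contains a ".."
                path component.
        """
        if not vol or vol.startswith("/") or ".." in vol.split("/"):
            raise ValueError("Invalid volume name: " + repr(vol))

    @staticmethod
    def _edb_path(mntpoint):
        """Return the expected Windows.edb location below ``mntpoint``.

        Raises:
            Exception: if no Windows installation is found on the volume, or
                the detected version predates Windows XP (no Windows Search
                index exists before that).
        """
        if winver.getWindowsDirectory(mntpoint) is None:
            raise Exception("No Windows installation present")
        version = winver.getWindowsVersion(mntpoint)
        if version < winver._WIN_XP:
            # The message now matches the check (the original said
            # "Windows 2000" while comparing against _WIN_XP).
            raise Exception("No Windows Search EDB file in versions prior to Windows XP")
        if version < winver._WIN_VISTA:
            return mntpoint + "/Documents and Settings/All Users/Application Data/Microsoft/Search/Data/Applications/Windows/Windows.edb"
        return mntpoint + "/ProgramData/Microsoft/Search/Data/Applications/Windows/Windows.edb"

    def execute(self):
        """Mount each configured volume and archive its Windows.edb.

        Side effects: creates ``<tomb path>/edb/`` if missing, mounts and
        unmounts every volume in ``self.vars['winvol'].value``, and runs
        ``tar`` to write one archive per volume into that directory.

        Raises:
            ValueError: for an unsafe volume name (see _check_volume_name).
            Exception: when a volume has no Windows installation or is older
                than Windows XP; anything raised by mount/umount/runProcess
                propagates unchanged.
        """
        path = tomb.getPath() + self.name + "/"
        if not os.path.exists(path):
            os.mkdir(path)
        volumes = self.vars['winvol'].value
        logger.msgLog("Extracting Windows EDB from volumes: " + repr(volumes), "edb", logger.TYPE_INFO)
        for vol in volumes:
            self._check_volume_name(vol)
            mntid = mount("/dev/" + vol)
            try:
                mntpoint = "/mnt/" + mntid
                files = [self._edb_path(mntpoint)]
                # A "/" in the device name (e.g. mapper/...) would otherwise
                # point the archive into a non-existent subdirectory.
                archive = path + "evt_" + vol.replace("/", "_") + ".tar.gz"
                runProcess(["tar", "-czvf", archive] + files)
            finally:
                # The original only unmounted on the success path, leaving the
                # evidence volume mounted whenever the EDB lookup raised.
                umount(mntid)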