import os

import logger
import tomb
import winver
from modules.module import Module
from mount import mount,umount
from runcmd import runProcess


def getInstance():
    """Return a new RegistryModule instance (factory entry point of this file)."""
    instance = RegistryModule()
    return instance

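class RegistryModule(Module):
    """Acquisition module that archives Windows Event Viewer logs.

    For each device named in the ``winvol`` variable the module mounts the
    volume, locates the Windows installation with :mod:`winver`, and stores
    the event logs as ``evt_<vol>.tar.gz`` under the tomb's ``evt`` directory.

    NOTE(review): the class name looks inherited from a registry module
    (``self.name`` is ``"evt"``); it is kept because ``getInstance`` and
    whatever loads these modules refer to it.
    """

    def __init__(self):
        # NOTE(review): Module.__init__ is not invoked here; confirm the base
        # class needs no initialisation of its own.
        self.name = "evt"
        self.description = "Extracts Windows Event Viewer files"
        # Variables the framework must populate in self.vars before run().
        self.requiredVars = ["winvol"]
        self.vars = {}

    def run(self):
        """Mount each configured Windows volume and archive its event logs.

        Reads ``self.vars['winvol'].value`` (an iterable of device names
        under ``/dev``), mounts each device, resolves the Windows directory
        and version via :mod:`winver`, and runs ``tar`` to write
        ``<tomb path>/evt/evt_<vol>.tar.gz``.  Every mount is released in a
        ``finally`` block, so a rejected volume or a failing ``tar`` no longer
        leaves the evidence volume mounted.

        Raises:
            Exception: the volume holds no Windows installation, or its
                version predates Windows 2000 (no EVT files exist).
            Anything raised by ``mount``, ``umount`` or ``runProcess``.
        """
        path = tomb.getPath() + self.name + "/"
        if not os.path.exists(path):
            os.mkdir(path)
        volumes = self.vars['winvol'].value
        logger.msgLog("Extracting Windows Event Logs from volumes: " + repr(volumes), "evt", logger.TYPE_INFO)
        for vol in volumes:
            # NOTE(review): mount() is a project helper; confirm it mounts the
            # evidence volume read-only so acquisition cannot alter it.
            # The original wrapped this call in a bare `try/except: raise`,
            # which is a no-op, so the call is made directly.
            mntid = mount("/dev/" + vol)
            # mount() returns the identifier that names the mount point and
            # that umount() expects back.
            mntpoint = "/mnt/" + mntid
            try:
                files = self._collectEventLogPaths(mntpoint)
                if not files:
                    # Nothing to archive; tar would refuse an empty file list.
                    logger.msgLog("No event log files found on " + vol, "evt", logger.TYPE_INFO)
                    continue
                runProcess(["tar", "-czvf", path + "evt_" + vol + ".tar.gz"] + files)
            finally:
                umount(mntid)

    @staticmethod
    def _collectEventLogPaths(mntpoint):
        """Return the paths ``tar`` should archive for the install at *mntpoint*.

        Pre-Vista installs keep ``*.evt`` files in ``System32/config``; they
        are enumerated explicitly (matching the extension case-insensitively)
        instead of passing shell globs to ``runProcess``, which may not expand
        them.  Vista and later keep their logs in ``System32/winevt/Logs``,
        which is archived as a directory.

        Args:
            mntpoint: mount point of the volume being examined.

        Returns:
            A list of paths; empty when the legacy log directory is absent or
            holds no ``.evt`` files.

        Raises:
            Exception: no Windows directory is present, or the version is
                older than Windows 2000.
        """
        windir = winver.getWindowsDirectory(mntpoint)
        if windir is None:
            raise Exception("No Windows installation present")
        version = winver.getWindowsVersion(mntpoint)
        if version < winver._WIN_2k:
            raise Exception("No EVT files in Windows versions prior to Windows 2000")
        if version < winver._WIN_VISTA:
            # NTFS mounted on Linux is case-sensitive, hence the lower() match
            # (the original tried *.evt, *.Evt and *.EVT separately).
            confdir = windir + "/System32/config"
            if not os.path.isdir(confdir):
                return []
            return sorted(
                confdir + "/" + name
                for name in os.listdir(confdir)
                if name.lower().endswith(".evt")
            )
        return [windir + "/System32/winevt/Logs"]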