import glob
import os

import logger
import tomb
import winver
from modules.module import Module
from mount import mount,umount
from runcmd import runProcess
def getInstance():
    """Factory hook used by the module loader: build and return the evt module."""
    module = RegistryModule()
    return module
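class RegistryModule(Module):
    """Acquisition module that archives Windows Event Log files.

    For every volume named in the ``winvol`` variable the module mounts
    ``/dev/<vol>``, locates the Windows directory on it, picks the event-log
    location that matches the installed Windows version and packs it into
    ``<tomb path>/evt/evt_<vol>.tar.gz``.

    NOTE(review): the class name does not match the module (``self.name`` is
    ``"evt"``); it is kept unchanged because ``getInstance`` is the entry
    point and the name may be referenced elsewhere.
    """

    def __init__(self):
        # Module identifier: names the output sub-directory and the log tag.
        self.name = "evt"
        self.description = "Extracts Windows Event Viewer files"
        # Variables the framework must populate in ``self.vars`` before
        # ``execute`` runs.
        self.requiredVars = ["winvol"]
        self.vars = {}

    def _log_sources(self, mntpoint):
        """Return glob patterns for the event-log files on a mounted volume.

        Args:
            mntpoint: Mount point of the Windows volume.

        Returns:
            A list of glob patterns (absolute paths below ``mntpoint``).

        Raises:
            Exception: if no Windows directory is found on the volume, or
                the Windows version predates Windows 2000 (no EVT files).
        """
        windir = winver.getWindowsDirectory(mntpoint)
        if windir is None:
            raise Exception("No Windows installation present")
        version = winver.getWindowsVersion(mntpoint)
        if version < winver._WIN_2k:
            raise Exception("No EVT files in Windows versions prior to Windows 2000")
        if version < winver._WIN_VISTA:
            # Legacy .evt logs.  The volume is typically mounted
            # case-sensitively on Linux, so match any capitalisation of the
            # extension (the original listed .evt, .Evt and .EVT only).
            return [windir + "/System32/config/*.[eE][vV][tT]"]
        # Vista and later keep their .evtx logs in a dedicated directory.
        return [windir + "/System32/winevt/Logs"]

    def execute(self):
        """Mount each configured volume and archive its event logs.

        The volume is unmounted again whether or not the extraction
        succeeds, so a failing volume is never left mounted.

        Raises:
            Exception: propagated from ``mount``/``umount``, from a missing
                or unsupported Windows installation, or when no event-log
                files exist on a volume.
        """
        path = tomb.getPath() + self.name + "/"
        if not os.path.exists(path):
            os.mkdir(path)
        logger.msgLog("Extracting Windows Event Logs from volumes: " + repr(self.vars['winvol'].value), "evt", logger.TYPE_INFO)
        for vol in self.vars['winvol'].value:
            # NOTE(review): mount() is opaque from here; evidence volumes
            # should be mounted read-only (ideally noexec) -- confirm in mount.py.
            mntid = mount("/dev/" + vol)
            mntpoint = "/mnt/" + mntid
            try:
                # Expand the globs here rather than relying on the process
                # runner to do shell expansion: tar receives concrete paths
                # and no shell ever interprets ``windir`` or ``vol``.
                files = []
                for pattern in self._log_sources(mntpoint):
                    files += sorted(glob.glob(pattern))
                if not files:
                    raise Exception("No Windows Event Log files found on " + vol)
                # Device names may contain '/' (e.g. mapper/...); keep the
                # archive inside the evt directory.
                archive = path + "evt_" + vol.replace("/", "_") + ".tar.gz"
                runProcess(["tar", "-czvf", archive] + files)
            finally:
                # Always release the volume, even when extraction failed.
                umount(mntid)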