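import os
import logger
import tomb
import winver
from modules.module import Module
from mount import mount, umount
from runcmd import runProcess

# Location of the Windows Search index database relative to the volume root.
# It moved between the XP/2003 generation and Vista and later.
_EDB_PRE_VISTA = "/Documents and Settings/All Users/Application Data/Microsoft/Search/Data/Applications/Windows/Windows.edb"
_EDB_VISTA_PLUS = "/ProgramData/Microsoft/Search/Data/Applications/Windows/Windows.edb"


def getInstance():
    """Factory used by the module loader; returns a fresh module instance."""
    return RegistryModule()


class RegistryModule(Module):
    """Extract the Windows Search EDB database from each configured Windows volume.

    NOTE(review): the class name and the ``evt_`` archive prefix look copied from
    another module; both are kept because getInstance() and any consumer of the
    archive names may depend on them.
    """

    def __init__(self):
        self.name = "edb"
        self.description = "Extracts Windows EDB file"
        # Module variables that must be populated before run(); 'winvol' holds
        # the list of volumes (device names under /dev) to process.
        self.requiredVars = ["winvol"]
        self.vars = {}

    def _ensureOutputDir(self):
        """Create this module's output directory under the tomb path and return it.

        Uses try/except instead of exists()+mkdir() so the check and the creation
        are a single operation.
        """
        path = tomb.getPath() + self.name + "/"
        try:
            os.mkdir(path)
        except OSError:
            # Only an already-present directory is tolerated; anything else is real.
            if not os.path.isdir(path):
                raise
        return path

    @staticmethod
    def _edbPath(mntpoint):
        """Return the Windows.edb path on a mounted volume.

        Args:
            mntpoint: directory where the volume is mounted.

        Raises:
            Exception: no Windows installation was found, or its version
                predates Windows XP (the first version with this database).
        """
        if winver.getWindowsDirectory(mntpoint) is None:
            raise Exception("No Windows installation present")
        version = winver.getWindowsVersion(mntpoint)
        if version < winver._WIN_XP:
            # The threshold tested here is XP, so the message names XP
            # (the original text said "Windows 2000", contradicting the check).
            raise Exception("No Windows Search EDB file in versions prior to Windows XP")
        if version < winver._WIN_VISTA:
            return mntpoint + _EDB_PRE_VISTA
        return mntpoint + _EDB_VISTA_PLUS

    def run(self):
        """Mount every volume in vars['winvol'], archive its Windows.edb, unmount.

        Each mount is released in a ``finally`` so that a volume that fails
        (no Windows, unsupported version, tar error) is not left mounted, which
        the previous version did. The first failing volume aborts the run;
        volumes processed before it are already archived.
        """
        path = self._ensureOutputDir()
        volumes = self.vars['winvol'].value
        logger.msgLog("Extracting Windows EDB from volumes: " + repr(volumes), "edb", logger.TYPE_INFO)
        for vol in volumes:
            # 'vol' comes from the module's own configuration and is used both as
            # a device name and as part of the archive file name; it is not
            # validated here, so it is treated as operator-supplied input.
            mntid = mount("/dev/" + vol)
            try:
                mntpoint = "/mnt/" + mntid
                files = [self._edbPath(mntpoint)]
                runProcess(["tar", "-czvf", path + "evt_" + vol + ".tar.gz"] + files)
            finally:
                umount(mntid)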