:py:mod:`dissect.target.plugins.os.windows.cam`
===============================================

.. py:module:: dissect.target.plugins.os.windows.cam


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.cam.CamPlugin


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.cam.CamRegistryRecord
   dissect.target.plugins.os.windows.cam.CamUsageHistoryRecord
   dissect.target.plugins.os.windows.cam.CamIdentityRelationshipHistoryRecord
   dissect.target.plugins.os.windows.cam.CamGlobalPromptHistoryRecord


.. py:data:: CamRegistryRecord

.. py:data:: CamUsageHistoryRecord

.. py:data:: CamIdentityRelationshipHistoryRecord

.. py:data:: CamGlobalPromptHistoryRecord

.. py:class:: CamPlugin(target: dissect.target.target.Target)

   Bases: :py:obj:`dissect.target.plugin.Plugin`

   Plugin that iterates various Capability Access Manager registry key locations.


   .. py:attribute:: __namespace__
      :value: 'cam'

      Defines the plugin namespace.


   .. py:attribute:: CONSENT_STORES
      :value: ('HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore',...


   .. py:attribute:: CAP_DB_REG_PATH
      :value: 'HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\CapabilityUsageHistory'


   .. py:attribute:: CONTENT_TABLES
      :value: ('NonPackagedUsageHistory', 'PackagedUsageHistory', 'NonPackagedIdentityRelationship',...


   .. py:attribute:: CONTEXT_TABLES
      :value: ('Capabilities', 'PackageFamilyNames', 'BinaryFullPaths', 'Users', 'FileIDs', 'ProgramIDs',...


   .. py:attribute:: app_regf_keys


   .. py:attribute:: camdb_path


   .. py:attribute:: camdb
      :type: dissect.database.sqlite3.SQLite3 | None
      :value: None


   .. py:method:: check_compatible() -> None

      Perform a compatibility check with the target.

      This function should return ``None`` if the plugin is compatible with the current target (``self.target``).
      For example, check if a certain file exists.
      Otherwise it should raise an :class:`UnsupportedPluginError`.

      :raises UnsupportedPluginError: If the plugin could not be loaded.


   .. py:method:: yield_apps() -> collections.abc.Iterator[dissect.target.helpers.regutil.RegistryKey]


   .. py:method:: history() -> collections.abc.Iterator[CamUsageHistoryRecord | CamIdentityRelationshipHistoryRecord | CamGlobalPromptHistoryRecord]

      Iterate Capability Access Manager history entries.

      The Capability Access Manager keeps track of processes that access I/O devices, like the webcam or microphone.
      Applications are divided into packaged and non-packaged applications, meaning Microsoft or non-Microsoft applications.
      Since Windows 11, additional historical entries are available in a SQLite database. Records are created from the
      following tables:

      - NonPackagedUsageHistory
      - PackagedUsageHistory
      - NonPackagedIdentityRelationship
      - NonPackagedGlobalPromptHistory

      .. rubric:: References

      - https://medium.com/@cyber.sundae.dfir/capability-access-manager-forensics-in-windows-11-f586ef8aac79

      Yields ``CamUsageHistoryRecord``, ``CamIdentityRelationshipHistoryRecord`` or ``CamGlobalPromptHistoryRecord``.

      Record ``CamUsageHistoryRecord``:

      .. code-block:: text

          last_used_time_stop (datetime): When the application last stopped using the capability.
          last_used_time_start (datetime): When the application last started using the capability.
          duration (varint): How long the application used the capability.
          package_type (string): The application type of the record; originates from the table name.
          capability (string): The capability being used: microphone, camera, location, etc.
          file_id (string): The SHA-1 hash of the application making use of the capability.
          file_id_hash (digest): Digest version of the file_id field.
          access_blocked (string): Whether capability usage was blocked: 0 = not blocked, 1 = blocked.
          program_id (string): Program ID of the application; unclear what this value means.
          package_family_name (string): Package name of the application using the capability.
          access_guid (string): Unclear what this value means.
          label (string): Unclear what this value means; no joinable table with this ID.
          app_name (string): Name of the application using the capability.
          binary_full_path (path): Path of the application using the capability.
          service_name (string): Name of the service using the capability.

      Record ``CamIdentityRelationshipHistoryRecord``:

      .. code-block:: text

          last_observed_time (datetime): Last time the capability was observed.
          package_type (string): The application type of the record; originates from the table name.
          file_id (string): The SHA-1 hash of the application making use of the capability.
          file_id_hash (digest): Digest version of the file_id field.
          program_id (string): Program ID of the application; unclear what this value means.
          binary_full_path (path): Path of the application using the capability.

      Record ``CamGlobalPromptHistoryRecord``:

      .. code-block:: text

          shown_time (datetime): Last time the capability was observed.
          package_type (string): The application type of the record; originates from the table name.
          capability (string): The capability being used: microphone, camera, location, etc.
          file_id (string): The SHA-1 hash of the application making use of the capability.
          file_id_hash (digest): Digest version of the file_id field.
          program_id (string): Program ID of the application; unclear what this value means.


   .. py:method:: registry() -> collections.abc.Iterator[CamRegistryRecord]

      Iterate Capability Access Manager key locations.

      The Capability Access Manager keeps track of processes that access I/O devices, like the webcam or microphone.
      Applications are divided into packaged and non-packaged applications, meaning Microsoft or non-Microsoft applications.

      .. rubric:: References

      - https://docs.velociraptor.app/exchange/artifacts/pages/windows.registry.capabilityaccessmanager/
      - https://svch0st.medium.com/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072

      Yields ``CamRegistryRecord`` with the following fields:

      .. code-block:: text

          hostname (string): The target hostname.
          domain (string): The target domain.
          ts (datetime): The modification timestamp of the registry key.
          device (string): Name of the device for which the privacy permission was requested.
          app_name (string): The name of the application.
          path (path): The possible path to the application.
          last_started (datetime): When the application last started using the device.
          last_stopped (datetime): When the application last stopped using the device.
          duration (varint): How long the application used the device (seconds).