:py:mod:`dissect.target.plugins.os.windows.regf.trusteddocs`
============================================================

.. py:module:: dissect.target.plugins.os.windows.regf.trusteddocs


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.regf.trusteddocs.TrustedDocumentsPlugin


Functions
~~~~~~~~~

.. autoapisummary::
   :nosignatures:

   dissect.target.plugins.os.windows.regf.trusteddocs.convert_time


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.regf.trusteddocs.TrustedDocumentsRecord
   dissect.target.plugins.os.windows.regf.trusteddocs.trustrecord_def
   dissect.target.plugins.os.windows.regf.trusteddocs.c_trustrecord


.. py:data:: TrustedDocumentsRecord

.. py:data:: trustrecord_def
   :value: Multiline-String

   .. code-block:: python

      """
      typedef QWORD FILETIME;

      enum TRFLAG {
          EDITING_ENABLED = 0x00000001
          MACROS_ENABLED  = 0x7fffffff
      };

      struct TrustRecordEntry {
          FILETIME ts_created;
          QWORD    timezone_offset;
          DWORD    ts_enabled;
          TRFLAG   flag;
      };
      """

.. py:data:: c_trustrecord

.. py:function:: convert_time(time: int) -> float

   Return a minute-precision timestamp from the DWORD time integer.

.. py:class:: TrustedDocumentsPlugin(target: dissect.target.target.Target)

   Bases: :py:obj:`dissect.target.plugin.Plugin`

   Plugin to obtain Microsoft Office Trusted Documents registry keys.

   .. py:attribute:: KEY
      :value: 'HKEY_CURRENT_USER\\Software\\Microsoft\\Office'

   .. py:method:: check_compatible() -> None

      Perform a compatibility check with the target.

      This function should return ``None`` if the plugin is compatible with the
      current target (``self.target``), for example by checking whether a certain
      file exists. Otherwise it should raise an :class:`UnsupportedPluginError`.

      :raises UnsupportedPluginError: If the plugin could not be loaded.

   .. py:method:: trusteddocs() -> collections.abc.Iterator[TrustedDocumentsRecord]

      Return the Microsoft Office TrustRecords registry keys for all Office applications.

      Microsoft Office uses Trusted Documents to cache whether the user enabled
      editing and/or macros for a given document. These keys can therefore reveal
      that macros were enabled for a malicious Office document.

      Yields one record per value within the TrustRecords registry keys. Each
      record contains at least the following fields:

      .. code-block:: text

         application (string): Application name of the Office product that produced the TrustRecords registry key.
         document (path): Path to the document for which a TrustRecords entry is created.
         ts (datetime): The created time of the TrustRecords registry key.
         type (varint): Type of the value within the TrustRecords registry key.
         value (bytes): Value of the TrustRecords entry, which contains the information whether macros are enabled.

      .. rubric:: References

      - https://az4n6.blogspot.com/2016/02/more-on-trust-records-macros-and.html
      - https://github.com/DissectMalware/OfficeForensicTools/blob/master/trusted_documents.py
      - https://github.com/nmantani/PS-TrustedDocuments
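The following is an added example, not code from ``dissect.target``: it decodes TrustRecords values by hand according to the ``TrustRecordEntry`` layout documented above (a FILETIME, an 8-byte timezone offset, a DWORD ``ts_enabled`` and a DWORD flag, 24 bytes little-endian) and walks a registry dump to list the documents for which macros were enabled. The key layout ``Office\<version>\<application>\Security\Trusted Documents\TrustRecords`` is taken from the referenced research; the registry contents, the ``application_from_key`` helper and the ``SAMPLE_REGISTRY`` dictionary are constructed for the example. The raw ``ts_enabled`` DWORD is left untouched because the formula used by the plugin's ``convert_time`` is not reproduced on this page.

```python
# Added example, not code from dissect.target: decode Microsoft Office
# TrustRecords values following the TrustRecordEntry layout on this page.
# All registry content below is constructed, not captured from a system.
import struct
from datetime import datetime, timedelta, timezone
from typing import Iterator

# FILETIME counts 100 ns intervals since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# <QQII: FILETIME ts_created, QWORD timezone_offset, DWORD ts_enabled, DWORD flag
ENTRY = struct.Struct("<QQII")

# TRFLAG values as defined in trustrecord_def.
EDITING_ENABLED = 0x00000001
MACROS_ENABLED = 0x7FFFFFFF
FLAG_NAMES = {EDITING_ENABLED: "EDITING_ENABLED", MACROS_ENABLED: "MACROS_ENABLED"}


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_trust_record(data: bytes) -> dict:
    """Unpack one 24-byte TrustRecords value into its fields."""
    if len(data) != ENTRY.size:
        raise ValueError(f"expected a {ENTRY.size}-byte TrustRecords value, got {len(data)}")
    ts_created, tz_offset, ts_enabled, flag = ENTRY.unpack(data)
    return {
        "ts_created": filetime_to_datetime(ts_created),
        "timezone_offset": tz_offset,
        # Raw DWORD; the plugin converts it with convert_time(), not reproduced here.
        "ts_enabled_raw": ts_enabled,
        "flag": FLAG_NAMES.get(flag, f"UNKNOWN_{flag:#010x}"),
        "macros_enabled": flag == MACROS_ENABLED,
    }


def application_from_key(key_path: str) -> str:
    """Assumed key layout: ...\\Office\\<version>\\<application>\\Security\\..."""
    parts = key_path.split("\\")
    return parts[parts.index("Office") + 2]


def iter_trusted_documents(registry: dict) -> Iterator[dict]:
    """Yield one record per TrustRecords value, mirroring what trusteddocs() reports."""
    for key_path, values in registry.items():
        application = application_from_key(key_path)
        for document, raw in values.items():
            record = parse_trust_record(raw)
            record.update({"application": application, "document": document})
            yield record


def macro_enabled_documents(registry: dict) -> list:
    """(application, document) pairs whose flag is MACROS_ENABLED."""
    return [(r["application"], r["document"])
            for r in iter_trusted_documents(registry) if r["macros_enabled"]]


def _entry(created: datetime, flag: int) -> bytes:
    # Constructed value; timezone_offset and ts_enabled are zeroed in the sample.
    return ENTRY.pack(datetime_to_filetime(created), 0, 0, flag)


OFFICE = "HKEY_CURRENT_USER\\Software\\Microsoft\\Office"
# Constructed registry dump: key path -> {value name (document path): raw bytes}
SAMPLE_REGISTRY = {
    OFFICE + "\\16.0\\Word\\Security\\Trusted Documents\\TrustRecords": {
        "%USERPROFILE%/Downloads/invoice_2023.docm":
            _entry(datetime(2023, 5, 4, 10, 15, tzinfo=timezone.utc), MACROS_ENABLED),
        "%USERPROFILE%/Documents/notes.docx":
            _entry(datetime(2023, 1, 9, 8, 0, tzinfo=timezone.utc), EDITING_ENABLED),
    },
    OFFICE + "\\16.0\\Excel\\Security\\Trusted Documents\\TrustRecords": {
        "%USERPROFILE%/Downloads/payroll.xlsm":
            _entry(datetime(2023, 6, 1, 14, 30, tzinfo=timezone.utc), MACROS_ENABLED),
    },
}

if __name__ == "__main__":
    for rec in iter_trusted_documents(SAMPLE_REGISTRY):
        print(rec["application"], rec["document"], rec["ts_created"].isoformat(), rec["flag"])
```

During triage the interesting rows are those whose flag decodes to ``MACROS_ENABLED``: a document the user explicitly allowed to run macros, with ``ts_created`` giving the file time Office recorded for it. A value whose length is not 24 bytes is rejected rather than silently misparsed, since a truncated or foreign value would otherwise yield a plausible-looking but wrong timestamp.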