dissect.target.plugins.os.windows.regf.usb

Module Contents

Classes

UsbPlugin

USB plugin.

Attributes

UsbRegistryRecord
USB_DEVICE_PROPERTY_KEYS

dissect.target.plugins.os.windows.regf.usb.UsbRegistryRecord

dissect.target.plugins.os.windows.regf.usb.USB_DEVICE_PROPERTY_KEYS

class dissect.target.plugins.os.windows.regf.usb.UsbPlugin(target: dissect.target.Target)

Bases: dissect.target.plugin.Plugin

USB plugin.

USB_STOR = 'HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USBSTOR'

DEVICE_CONTAINERS = 'HKLM\\SYSTEM\\CurrentControlSet\\Control\\DeviceContainers'

USB = 'HKLM\\SYSTEM\\CurrentControlSet\\Enum\\USB'

HID = 'HKLM\\SYSTEM\\CurrentControlSet\\Enum\\HID'

SCSI = 'HKLM\\SYSTEM\\CurrentControlSet\\Enum\\SCSI'

check_compatible() → None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

unpack_timestamps(usb_reg_properties)

Params:

usb_reg_properties (Regf): A registry object with USB properties

Returns:

A dict containing parsed timestamps within passed registry object

Return type:

timestamps (Dict)

parse_device_name(device_name)

usb()

Return information about attached USB devices.

Use the registry to find information about USB devices that have been attached to the system, for example the HKLMSYSTEMCurrentControlSetEnumUSBSTOR registry key.

Yields UsbRegistryRecord with fields:

hostname (string): The target hostname domain (string): The target domain type (string): Type of USB device serial (string): Serial number of USB storage device vid (string): Vendor ID of USB storage device pid (string): Product ID of the USB storage device rev (string): Version of the USB storage device containerid (string): friendlyname (string): Display name of the USB storage device first_insert (datetime): First insertion date of USB storage device first_install (datetime): First instalation date of USB storage device last_insert (datetime): Most recent insertion (arrival) date of USB storage device last_removal (datetime): Most recent removal (unplug) date of USB storage device info_origin (string): Location of info present in output