cam

$ target-query <path/to/target> -f cam

Details

Module	dissect.target.plugins.os.windows.regf.cam.CamPlugin
Output	records

Module documentation

Plugin that iterates various Capability Access Manager registry key locations.

Function documentation

Iterate Capability Access Manager key locations.

The Capability Access Manager keeps track of processes that access I/O devices, like the webcam or microphone. Applications are divided into packaged and non-packaged applications meaning Microsoft or non-Microsoft applications.

References:

• https://docs.velociraptor.app/exchange/artifacts/pages/windows.registry.capabilityaccessmanager/

• https://svch0st.medium.com/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072

Yields CamRecord with the following fields:

hostname (string): The target hostname.
domain (string): The target domain.
ts (datetime): The modification timestamp of the registry key.
device (string): Name of the device privacy permission where asked for.
app_name (string): The name of the application.
path (path): The possible path to the application.
last_started (datetime): When the application last started using the device.
last_stopped (datetime): When the application last stopped using the device.
duration (datetime): How long the application used the device (seconds).