dissect.target.plugins.os.windows.recyclebin¶
Module Contents¶
Classes¶
Recyclebin plugin. |
Attributes¶
- dissect.target.plugins.os.windows.recyclebin.RecycleBinRecord¶
- dissect.target.plugins.os.windows.recyclebin.recyclebin_def = Multiline-String¶
Show Value
""" struct header_v1 { int64 version; int64 file_size; int64 timestamp; wchar filename[260]; }; struct header_v2 { int64 version; int64 file_size; int64 timestamp; int32 filename_length; wchar filename[filename_length]; }; """
- dissect.target.plugins.os.windows.recyclebin.c_recyclebin¶
- class dissect.target.plugins.os.windows.recyclebin.RecyclebinPlugin(target: dissect.target.target.Target)¶
Bases:
dissect.target.plugin.PluginRecyclebin plugin.
- recyclebin_paths = []¶
- check_compatible() None¶
Perform a compatibility check with the target.
This function should return
Noneif the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise anUnsupportedPluginError.- Raises:
UnsupportedPluginError – If the plugin could not be loaded.
- recyclebin() collections.abc.Iterator[RecycleBinRecord]¶
Return files located in the recycle bin ($Recycle.Bin).
Yields RecycleBinRecords with fields:
hostname (string): The target hostname domain (string): The target domain ts (datetime): The time of deletion path (path): The file original location before deletion filesize (filesize): Filesize of the deleted path deleted_path (path): Location of the deleted file after deletion $R file source (path): Location of $I meta file on disk user_id (string): SID of the user deleted the file, parsed from $I filepath user (string): Username matching SID, lookup using Dissect user plugin
- read_recycle_bin(bin_path: dissect.target.helpers.fsutil.TargetPath) collections.abc.Iterator[RecycleBinRecord]¶
- read_bin_file(bin_path: dissect.target.helpers.fsutil.TargetPath) collections.abc.Iterator[RecycleBinRecord]¶
- find_sid(path: dissect.target.helpers.fsutil.TargetPath) str¶