dissect.target.plugins.os.windows.regf.mru

Module Contents

Classes

MRUPlugin

Return MRU data stored at various registry keys.

Functions

parse_mru_key
parse_mru_ex_key
parse_office_mru
parse_office_mru_key
read_wstrings

Attributes

UserRegistryRecordDescriptor
RunMRURecord
RecentDocsRecord
OpenSaveMRURecord
LastVisitedMRURecord
ACMruRecord
MapNetworkDriveMRURecord
TerminalServerMRURecord
MSOfficeMRURecord

dissect.target.plugins.os.windows.regf.mru.UserRegistryRecordDescriptor

dissect.target.plugins.os.windows.regf.mru.RunMRURecord

dissect.target.plugins.os.windows.regf.mru.RecentDocsRecord

dissect.target.plugins.os.windows.regf.mru.OpenSaveMRURecord

dissect.target.plugins.os.windows.regf.mru.LastVisitedMRURecord

dissect.target.plugins.os.windows.regf.mru.ACMruRecord

dissect.target.plugins.os.windows.regf.mru.MapNetworkDriveMRURecord

dissect.target.plugins.os.windows.regf.mru.TerminalServerMRURecord

dissect.target.plugins.os.windows.regf.mru.MSOfficeMRURecord

class dissect.target.plugins.os.windows.regf.mru.MRUPlugin(target: dissect.target.target.Target)

Bases: dissect.target.plugin.Plugin

Return MRU data stored at various registry keys.

The Windows registry contains various keys about Most Recently Used (MRU) files.

References

• https://winreg-kb.readthedocs.io/en/latest/sources/explorer-keys/Most-recently-used.html

__namespace__ = 'mru'

Defines the plugin namespace.

check_compatible() → None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

run() → collections.abc.Iterator[RunMRURecord]

Return the RunMRU data.

The HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU registry key contains information about the most recent commands that have been performed by the Run application

References

• https://digitalf0rensics.wordpress.com/2014/01/17/windows-registry-and-forensics-part2/

recentdocs() → collections.abc.Iterator[RecentDocsRecord]

Return the RecentDocs data.

The HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs registry key contains information about the last 10 documents that the currently logged on user accessed or executed via Windows Explorer.

References

• https://digitalf0rensics.wordpress.com/2014/01/17/windows-registry-and-forensics-part2/

opensave() → collections.abc.Iterator[OpenSaveMRURecord]

Return the OpenSaveMRU data.

The HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\OpenSaveMRU registry key - renamed to OpenSavePidlMRU since Windows Vista - contains information about the most recently opened or saved files.

References

• https://digitalf0rensics.wordpress.com/2014/01/17/windows-registry-and-forensics-part2/

lastvisited() → collections.abc.Iterator[LastVisitedMRURecord]

Return the LastVisitedMRU data.

The HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32\LastVisitedMRU registry key - renamed to LastVisitedPidlMRU since Windows Vista - contains information about the executable used by an application to open the files that are documented at the OpenSaveMRU registry key. Also, each value tracks the directory location for the last file that was accessed by that application.

References

• https://digitalf0rensics.wordpress.com/2014/01/17/windows-registry-and-forensics-part2/

acmru() → collections.abc.Iterator[ACMruRecord]

Return the ACMru (Windows Search) data.

The following keys are being searched:

• HKCU\Software\Microsoft\Search Assistant\ACMru: This registry key contains the most recent search history from Windows default search.

• HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery: This registry key contains the most recent search history from Windows Explorer. (Windows >=7)

References

• https://digitalf0rensics.wordpress.com/2014/01/17/windows-registry-and-forensics-part2/

Known categories:

• 5001: Internet Search Assistant

• 5603: Windows XP files and folder search

• 5604: “Word or phrase in a file” dialog box

• 5647: “For computers or people” selection in Search Results dialog box

networkdrive() → collections.abc.Iterator[MapNetworkDriveMRURecord]

Return MRU of mapped network drives.

The HKCUSoftwareMicrosoftWindowsCurrentVersionExplorerMap Network Drive MRU registry key contains information about the most recently used mapped network drives.

References

• https://winreg-kb.readthedocs.io/en/latest/sources/explorer-keys/Most-recently-used.html#keys-with-a-mrulist-value

mstsc() → collections.abc.Iterator[TerminalServerMRURecord]

Return Terminal Server Client MRU data.

msoffice() → collections.abc.Iterator[MSOfficeMRURecord]

Return MS Office MRU keys.

dissect.target.plugins.os.windows.regf.mru.parse_mru_key(target: dissect.target.target.Target, key: dissect.target.helpers.regutil.RegistryKey, record: dissect.target.helpers.record.TargetRecordDescriptor) → collections.abc.Iterator[flow.record.Record]

dissect.target.plugins.os.windows.regf.mru.parse_mru_ex_key(target: dissect.target.target.Target, key: dissect.target.helpers.regutil.RegistryKey, record: dissect.target.helpers.record.TargetRecordDescriptor) → collections.abc.Iterator[flow.record.Record]

dissect.target.plugins.os.windows.regf.mru.parse_office_mru(target: dissect.target.target.Target, key: dissect.target.helpers.regutil.RegistryKey, record: dissect.target.helpers.record.TargetRecordDescriptor) → collections.abc.Iterator[flow.record.Record]

dissect.target.plugins.os.windows.regf.mru.parse_office_mru_key(target: dissect.target.target.Target, key: dissect.target.helpers.regutil.RegistryKey, record: dissect.target.helpers.record.TargetRecordDescriptor) → collections.abc.Iterator[flow.record.Record]

dissect.target.plugins.os.windows.regf.mru.read_wstrings(buf: bytes) → collections.abc.Iterator[bytes]