dissect.target.plugins.os.windows.regf.trusteddocs

Module Contents

Classes

TrustedDocumentsPlugin

Plugin to obtain Microsoft Office Trusted Document registry keys.

Functions

convert_time

Return minute precision timestamp from DWORD time integer.

Attributes

dissect.target.plugins.os.windows.regf.trusteddocs.TrustedDocumentsRecord
dissect.target.plugins.os.windows.regf.trusteddocs.trustrecord_def = Multiline-String (value shown below)
"""
typedef QWORD FILETIME;

enum TRFLAG {
    EDITING_ENABLED     = 0x00000001
    MACROS_ENABLED      = 0x7fffffff
};

struct TrustRecordEntry {
    FILETIME            ts_created;
    QWORD               timezone_offset;
    DWORD               ts_enabled;
    TRFLAG              flag;
};
"""
dissect.target.plugins.os.windows.regf.trusteddocs.c_trustrecord
dissect.target.plugins.os.windows.regf.trusteddocs.convert_time(time: int) -> float

Return minute precision timestamp from DWORD time integer.

class dissect.target.plugins.os.windows.regf.trusteddocs.TrustedDocumentsPlugin(target: dissect.target.target.Target)

Bases: dissect.target.plugin.Plugin

Plugin to obtain Microsoft Office Trusted Document registry keys.

KEY = 'HKEY_CURRENT_USER\\Software\\Microsoft\\Office'
check_compatible() -> None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

trusteddocs() -> collections.abc.Iterator[TrustedDocumentsRecord]

Return Microsoft Office TrustRecords registry keys for all Office applications.

Microsoft Office uses Trusted Documents to cache whether the user enabled editing and/or macros for a given document. These entries may therefore reveal whether macros have been enabled for a malicious Office document.

Yields records based on the values within the TrustRecords registry keys. Each record contains at least the following fields:

application (string): Application name of the Office product that produced the TrustRecords registry key.
document (path): Path to the document for which a TrustRecords entry is created.
ts (datetime): The created time of the TrustRecord registry key.
type (varint): Type of the value within the TrustRecords registry key.
value (bytes): Value of the TrustRecords entry, which contains the information whether macros are enabled.
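An added example, not part of dissect.target, that decodes a TrustRecords value using the 24-byte layout given in trustrecord_def above and triages which documents had macros enabled. The sample values and document paths are constructed; the ts_enabled DWORD is returned raw because this page does not state its scaling.

```python
import struct
from datetime import datetime, timedelta, timezone

# Layout from the page's trustrecord_def (little-endian, 24 bytes): FILETIME ts_created, QWORD timezone_offset, DWORD ts_enabled, TRFLAG flag
TRUST_RECORD_FMT = "<QQII"
TRUST_RECORD_SIZE = struct.calcsize(TRUST_RECORD_FMT)  # 24
EDITING_ENABLED = 0x00000001
MACROS_ENABLED = 0x7FFFFFFF
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(filetime: int) -> datetime:
    """FILETIME counts 100-nanosecond intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)

def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used only to build the constructed samples."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10

def parse_trust_record(value: bytes) -> dict:
    """Decode one TrustRecords value into its fields plus a readable trust level."""
    if len(value) < TRUST_RECORD_SIZE:
        raise ValueError(f"TrustRecords value too short: {len(value)} bytes")
    ts_created, tz_offset, ts_enabled, flag = struct.unpack_from(TRUST_RECORD_FMT, value)
    if flag == MACROS_ENABLED:
        trust = "macros_enabled"
    elif flag == EDITING_ENABLED:
        trust = "editing_enabled"
    else:
        trust = f"unknown(0x{flag:08x})"
    return {
        "ts_created": filetime_to_datetime(ts_created),
        "timezone_offset": tz_offset,
        "ts_enabled": ts_enabled,  # raw DWORD; the page gives no scaling, so it is not converted
        "flag": flag,
        "trust": trust,
    }

def macro_enabled_documents(records: dict) -> list:
    """Triage helper: document paths whose TrustRecords entry has macros enabled."""
    return [doc for doc, raw in records.items() if parse_trust_record(raw)["flag"] == MACROS_ENABLED]

def sample_record(created: datetime, flag: int) -> bytes:
    """Build a constructed 24-byte value (timezone_offset and ts_enabled left at 0)."""
    return struct.pack(TRUST_RECORD_FMT, datetime_to_filetime(created), 0, 0, flag)

# Constructed sample values, not taken from a real registry hive.
SAMPLE_RECORDS = {
    "%USERPROFILE%/Downloads/invoice.docm": sample_record(datetime(2023, 5, 1, 12, 34, 56, tzinfo=timezone.utc), MACROS_ENABLED),
    "%USERPROFILE%/Documents/notes.docx": sample_record(datetime(2023, 4, 2, 8, 0, 0, tzinfo=timezone.utc), EDITING_ENABLED),
}
```

In a real investigation the bytes come from the `value` field of each record yielded by trusteddocs(), keyed by the `document` field.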
