catroot.files

$ target-query <path/to/target> -f catroot.files
Details

Module

dissect.target.plugins.os.windows.catroot.CatrootPlugin

Output

records

Module documentation

Catroot plugin.

Parses catroot files for hashes and file hints.

Function documentation

Return the content of the catalog files in the CatRoot folder.

A catalog file contains a collection of cryptographic hashes, or thumbprints. These files are generally used to verify the integrity of Windows operating system files, instead of per-file Authenticode signatures.

At the moment, catalog files are parsed on a best-effort basis. asn1crypto is not able to fully parse the encap_content_info, most likely because Microsoft uses its own format. Future research should result in a more resilient and complete implementation of the catroot.files plugin.
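
One way to extract digests on a best-effort basis when a schema-based parser cannot decode the whole structure, shown as an added example (not the plugin's code): walk the DER elements and collect every DigestInfo (a SEQUENCE holding a digest algorithm identifier and an OCTET STRING) that can be reached, stopping quietly at bytes that cannot be interpreted. The function names and sample bytes are constructed for illustration, and treating the hashes of interest as DigestInfo values is an assumption of this example.

```python
import hashlib

# DER-encoded digest algorithm OIDs (tag 0x06, length, value) and digest sizes.
SHA1_OID, SHA256_OID = bytes.fromhex("06052b0e03021a"), bytes.fromhex("0609608648016503040201")
DIGEST_OIDS = {SHA1_OID: ("sha1", 20), SHA256_OID: ("sha256", 32)}

def read_tlv(buf, pos):  # returns (tag, value_start, value_end) of the element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if tag & 0x1F == 0x1F or length == 0x80:
        raise ValueError("multi-byte tag or indefinite length")
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("element runs past the end of the buffer")
    return tag, pos, pos + length

def match_digest_info(buf, start, end):
    """Return (algorithm, hex digest) if buf[start:end] is a DigestInfo body."""
    try:
        alg_tag, alg_start, alg_end = read_tlv(buf, start)
        oct_tag, dig_start, dig_end = read_tlv(buf, alg_end)
    except (ValueError, IndexError):
        return None
    if alg_tag == 0x30 and oct_tag == 0x04 and dig_end == end:
        for oid, (name, size) in DIGEST_OIDS.items():
            if buf[alg_start:alg_end].startswith(oid) and dig_end - dig_start == size:
                return name, buf[dig_start:dig_end].hex()
    return None

def find_digests(buf, start=0, end=None):
    """Best-effort walk of nested DER, yielding each DigestInfo it can reach."""
    pos, end = start, len(buf) if end is None else end
    while pos < end:
        try:
            tag, val_start, val_end = read_tlv(buf, pos)
        except (ValueError, IndexError):
            return  # unparseable remainder: keep what was found so far
        hit = match_digest_info(buf, val_start, val_end) if tag == 0x30 else None
        if hit:
            yield hit
        elif tag & 0x20:  # constructed: SEQUENCE, SET, context-specific [n]
            yield from find_digests(buf, val_start, val_end)
        pos = val_end

# Constructed sample, not a real catalog: short-form TLVs, then unparseable trailing bytes.
def der(tag, body):
    return bytes([tag, len(body)]) + body
SAMPLE_DIGEST = hashlib.sha256(b"constructed member file").digest()
DIGEST_INFO = der(0x30, der(0x30, SHA256_OID + b"\x05\x00") + der(0x04, SAMPLE_DIGEST))
SAMPLE = der(0x30, der(0x04, b"hint") + der(0x31, DIGEST_INFO)) + b"\xff\xff"
```

`list(find_digests(SAMPLE))` returns the single SHA-256 entry even though the trailing bytes are not valid DER.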

Yields CatrootRecords with the following fields:

hostname (string): The target hostname.
domain (string): The target domain.
digest (digest): The parsed digest.
hints (string[]): File hints, if present.
catroot_name (string): Catroot name.
source (path): Source of the catroot record.