:py:mod:`dissect.target.plugins.os.windows.regf.shellbags` ========================================================== .. py:module:: dissect.target.plugins.os.windows.regf.shellbags Module Contents --------------- Classes ~~~~~~~ .. autoapisummary:: dissect.target.plugins.os.windows.regf.shellbags.ShellBagsPlugin dissect.target.plugins.os.windows.regf.shellbags.SHITEM dissect.target.plugins.os.windows.regf.shellbags.UNKNOWN dissect.target.plugins.os.windows.regf.shellbags.UNKNOWN0 dissect.target.plugins.os.windows.regf.shellbags.UNKNOWN1 dissect.target.plugins.os.windows.regf.shellbags.ROOT_FOLDER dissect.target.plugins.os.windows.regf.shellbags.VOLUME dissect.target.plugins.os.windows.regf.shellbags.FILE_ENTRY dissect.target.plugins.os.windows.regf.shellbags.NETWORK dissect.target.plugins.os.windows.regf.shellbags.COMPRESSED_FOLDER dissect.target.plugins.os.windows.regf.shellbags.URI dissect.target.plugins.os.windows.regf.shellbags.CONTROL_PANEL dissect.target.plugins.os.windows.regf.shellbags.CONTROL_PANEL_CATEGORY dissect.target.plugins.os.windows.regf.shellbags.CDBURN dissect.target.plugins.os.windows.regf.shellbags.GAME_FOLDER dissect.target.plugins.os.windows.regf.shellbags.CONTROL_PANEL_CPL_FILE dissect.target.plugins.os.windows.regf.shellbags.MTP_FILE_ENTRY dissect.target.plugins.os.windows.regf.shellbags.MTP_VOLUME dissect.target.plugins.os.windows.regf.shellbags.USERS_PROPERTY_VIEW dissect.target.plugins.os.windows.regf.shellbags.UNKNOWN_0x74 dissect.target.plugins.os.windows.regf.shellbags.DELEGATE dissect.target.plugins.os.windows.regf.shellbags.EXTENSION_BLOCK dissect.target.plugins.os.windows.regf.shellbags.EXTENSION_BLOCK_BEEF0004 dissect.target.plugins.os.windows.regf.shellbags.EXTENSION_BLOCK_BEEF0005 Functions ~~~~~~~~~ .. autoapisummary:: :nosignatures: dissect.target.plugins.os.windows.regf.shellbags.parse_shell_item_list Attributes ~~~~~~~~~~ .. 
autoapisummary:: dissect.target.plugins.os.windows.regf.shellbags.log dissect.target.plugins.os.windows.regf.shellbags.bag_def dissect.target.plugins.os.windows.regf.shellbags.c_bag dissect.target.plugins.os.windows.regf.shellbags.DELEGATE_ITEM_IDENTIFIER dissect.target.plugins.os.windows.regf.shellbags.ShellBagRecord .. py:data:: log .. py:data:: bag_def :value: Multiline-String .. raw:: html
Show Value .. code-block:: python """ enum ROOTFOLDER_ID : uint8 { INTERNET_EXPLORER = 0x00, LIBRARIES = 0x42, USERS = 0x44, MY_DOCUMENTS = 0x48, MY_COMPUTER = 0x50, NETWORK = 0x58, RECYCLE_BIN = 0x60, INTERNET_EXPLORER = 0x68, UNKNOWN = 0x70, MY_GAMES = 0x80 }; struct SHITEM_UNKNOWN0 { uint16 size; uint8 type; }; struct SHITEM_UNKNOWN1 { uint16 size; uint8 type; }; struct SHITEM_ROOT_FOLDER { uint16 size; uint8 type; ROOTFOLDER_ID folder_id; char guid[16]; }; struct SHITEM_VOLUME { uint16 size; uint8 type; }; struct SHITEM_FILE_ENTRY { uint16 size; uint8 type; uint8 unk0; uint32 file_size; uint32 modification_time; uint16 file_attribute_flags; }; struct SHITEM_NETWORK { uint16 size; uint8 type; uint8 unk0; uint8 flags; char location[]; }; struct SHITEM_COMPRESSED_FOLDER { uint16 size; uint8 type; uint8 unk0; uint16 unk1; }; struct SHITEM_URI { uint16 size; uint8 type; uint8 flags; uint16 data_size; }; struct SHITEM_CONTROL_PANEL { uint16 size; uint8 type; uint8 unk0; char unk1[10]; char guid[16]; }; struct SHITEM_CONTROL_PANEL_CATEGORY { uint16 size; uint8 type; uint8 unk0; uint32 signature; uint32 category; }; struct SHITEM_CDBURN { uint16 size; uint8 type; uint8 unk0; uint32 signature; uint32 unk1; uint32 unk2; }; struct SHITEM_GAME_FOLDER { uint16 size; uint8 type; uint8 unk0; uint32 signature; char identifier[16]; uint64 unk1; }; struct SHITEM_CONTROL_PANEL_CPL_FILE { uint16 size; uint8 type; uint8 unk0; uint32 signature; uint32 unk1; uint32 unk2; uint32 unk3; uint16 name_offset; uint16 comments_offset; wchar cpl_path[]; wchar name[]; wchar comments[]; }; struct SHITEM_MTP_PROPERTY { char format_identifier[16]; uint32 value_identifier; uint32 value_type; }; struct SHITEM_MTP_FILE_ENTRY { uint16 size; uint8 type; uint8 unk0; uint16 data_size; uint32 data_signature; uint32 unk1; uint16 unk2; uint16 unk3; uint16 unk4; uint16 unk5; uint32 unk6; uint64 modification_time; uint64 creation_time; char content_type_folder[16]; uint32 unk7; uint32 folder_name_size_1; 
uint32 folder_name_size_2; uint32 folder_identifier_size; wchar folder_name_1[folder_name_size_1]; wchar folder_name_2[folder_name_size_2]; uint32 unk8; char class_identifier[16]; uint32 num_properties; }; struct SHITEM_MTP_VOLUME_GUID { wchar guid[39]; }; struct SHITEM_MTP_VOLUME { uint16 size; uint8 type; uint8 unk0; uint16 data_size; uint32 data_signature; uint32 unk1; uint16 unk2; uint16 unk3; uint16 unk4; uint16 unk5; uint32 unk6; uint64 unk7; uint32 unk8; uint32 name_size; uint32 identifier_size; uint32 filesystem_size; uint32 num_guid; wchar name[name_size]; wchar identifier[identifier_size]; wchar filesystem[filesystem_size]; SHITEM_MTP_VOLUME_GUID guids[num_guid]; uint32 unk9; char class_identifier[16]; uint32 num_properties; }; struct SHITEM_USERS_PROPERTY_VIEW { uint16 size; uint8 type; uint8 unk0; uint16 data_size; uint32 data_signature; uint16 property_store_size; uint16 identifier_size; char identifier[identifier_size]; char property_store[property_store_size]; uint16 unk1; }; struct SHITEM_UNKNOWN_0x74 { uint16 size; uint8 type; uint8 unk0; uint16 data_size; uint32 data_signature; uint16 subitem_size; }; struct SHITEM_UNKNOWN_0x74_SUBITEM { uint8 type; uint8 unk1; uint32 file_size; uint32 modification_time; uint16 file_attribute_flags; char primary_name[]; }; struct SHITEM_DELEGATE { uint16 size; uint8 type; uint8 unk0; uint16 data_size; char data[data_size - 2]; char delegate_identifier[16]; char shell_identifier[16]; }; struct EXTENSION_BLOCK_HEADER { uint16 size; uint16 version; uint32 signature; }; """ .. raw:: html
.. py:data:: c_bag .. py:data:: DELEGATE_ITEM_IDENTIFIER :value: b't\x1aY^\x96\xdf\xd3H\x8dg\x173\xbc\xee(\xba' .. py:data:: ShellBagRecord .. py:class:: ShellBagsPlugin(target) Bases: :py:obj:`dissect.target.plugin.Plugin` Windows Shellbags plugin. .. rubric:: References - https://github.com/libyal/libfwsi .. py:attribute:: KEYS :value: ['HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell',... .. py:method:: check_compatible() -> None Perform a compatibility check with the target. This function should return ``None`` if the plugin is compatible with the current target (``self.target``). For example, check if a certain file exists. Otherwise it should raise an ``UnsupportedPluginError``. :raises UnsupportedPluginError: If the plugin could not be loaded. .. py:method:: shellbags() Return Windows Shellbags. Shellbags are registry keys used to improve the user experience in Windows Explorer. They store information such as file/folder creation time and access time. .. rubric:: References - https://www.hackingarticles.in/forensic-investigation-shellbags/ .. py:function:: parse_shell_item_list(buf) .. py:class:: SHITEM(buf) .. py:property:: name .. py:property:: creation_time .. py:property:: modification_time .. py:property:: access_time .. py:property:: file_size .. py:property:: file_reference .. py:attribute:: STRUCT .. py:method:: extension(cls) .. py:method:: __repr__() Return repr(self). .. py:class:: UNKNOWN(buf) Bases: :py:obj:`SHITEM` .. py:property:: name .. py:class:: UNKNOWN0(fh) Bases: :py:obj:`SHITEM` .. py:property:: name .. py:attribute:: STRUCT .. py:class:: UNKNOWN1(buf) Bases: :py:obj:`SHITEM` .. py:property:: name .. py:attribute:: STRUCT .. py:class:: ROOT_FOLDER(fh) Bases: :py:obj:`SHITEM` .. py:property:: name .. py:attribute:: STRUCT .. py:class:: VOLUME(buf) Bases: :py:obj:`SHITEM` .. py:property:: name .. py:attribute:: STRUCT .. py:class:: FILE_ENTRY(buf) Bases: :py:obj:`SHITEM` .. py:property:: name .. 
py:property:: modification_time .. py:attribute:: STRUCT .. py:class:: NETWORK(buf) Bases: :py:obj:`SHITEM` .. py:property:: name .. py:attribute:: STRUCT .. py:class:: COMPRESSED_FOLDER(buf) Bases: :py:obj:`SHITEM` .. py:property:: name .. py:attribute:: STRUCT .. py:class:: URI(buf) Bases: :py:obj:`SHITEM` .. py:property:: name .. py:attribute:: STRUCT .. py:class:: CONTROL_PANEL(buf) Bases: :py:obj:`SHITEM` .. py:property:: name .. py:attribute:: STRUCT .. py:class:: CONTROL_PANEL_CATEGORY(buf) Bases: :py:obj:`SHITEM` .. py:property:: name .. py:attribute:: STRUCT .. py:attribute:: CATEGORIES .. py:class:: CDBURN(buf) Bases: :py:obj:`SHITEM` .. py:property:: name .. py:attribute:: STRUCT .. py:class:: GAME_FOLDER(buf) Bases: :py:obj:`SHITEM` .. py:property:: name .. py:attribute:: STRUCT .. py:class:: CONTROL_PANEL_CPL_FILE(buf) Bases: :py:obj:`SHITEM` .. py:property:: name .. py:attribute:: STRUCT .. py:class:: MTP_FILE_ENTRY(buf) Bases: :py:obj:`SHITEM` .. py:property:: name .. py:property:: creation_time .. py:property:: modification_time .. py:attribute:: STRUCT .. py:class:: MTP_VOLUME(buf) Bases: :py:obj:`SHITEM` .. py:property:: name .. py:attribute:: STRUCT .. py:class:: USERS_PROPERTY_VIEW(buf) Bases: :py:obj:`SHITEM` .. py:property:: name .. py:attribute:: STRUCT .. py:class:: UNKNOWN_0x74(buf) Bases: :py:obj:`SHITEM` .. py:property:: name .. py:property:: modification_time .. py:attribute:: STRUCT .. py:class:: DELEGATE(buf) Bases: :py:obj:`SHITEM` .. py:property:: name .. py:attribute:: STRUCT .. py:class:: EXTENSION_BLOCK(buf) .. py:property:: size .. py:property:: data_size .. py:property:: version .. py:property:: signature .. py:method:: __repr__() Return repr(self). .. py:class:: EXTENSION_BLOCK_BEEF0004(buf) Bases: :py:obj:`EXTENSION_BLOCK` .. py:class:: EXTENSION_BLOCK_BEEF0005(buf) Bases: :py:obj:`EXTENSION_BLOCK`