:py:mod:`dissect.target.plugins.os.windows.regf.trusteddocs` ============================================================ .. py:module:: dissect.target.plugins.os.windows.regf.trusteddocs Module Contents --------------- Classes ~~~~~~~ .. autoapisummary:: dissect.target.plugins.os.windows.regf.trusteddocs.TrustedDocumentsPlugin Attributes ~~~~~~~~~~ .. autoapisummary:: dissect.target.plugins.os.windows.regf.trusteddocs.TrustedDocumentsRecord .. py:data:: TrustedDocumentsRecord .. py:class:: TrustedDocumentsPlugin(target: dissect.target.Target) Bases: :py:obj:`dissect.target.plugin.Plugin` Plugin to obtain Microsoft Office Trusted Document registry keys. .. py:attribute:: KEY :value: 'HKEY_CURRENT_USER\\Software\\Microsoft\\Office' .. py:method:: check_compatible() -> None Perform a compatibility check with the target. This function should return ``None`` if the plugin is compatible with the current target (``self.target``). For example, check if a certain file exists. Otherwise it should raise an ``UnsupportedPluginError``. :raises UnsupportedPluginError: If the plugin could not be loaded. .. py:method:: trusteddocs() -> Iterator[TrustedDocumentsRecord] Return Microsoft Office TrustRecords registry keys for all Office applications. Microsoft uses Trusted Documents to cache whether the user enabled the editing and/or macros for that document. Therefore, this may reveal if macros have been enabled for a malicious Office document. Yields records based on the values within the TrustRecords registry keys. At least contains the following fields: application (string): Application name of the Office product that produced the TrustRecords registry key. document_path (path): Path to the document for which a TrustRecords entry is created. ts (datetime): The created time of the TrustRecord registry key. type (varint): Type of the value within the TrustRecords registry key. value (bytes): Value of the TrustRecords entry, which contains the information whether macros are enabled.