By default, rip.pl continues to use a default tempate
In subsequent examples, the template name is "legacy".
» perl rip.pl -r samples/XP/system -p appcompatcache
Launching appcompatcache v.20130425
appcompatcache v.20130425
(System) Parse files from System hive Shim Cache
| #!/usr/bin/env python | |
| from __future__ import with_statement | |
| import datetime | |
| from errno import EACCES | |
| from os.path import realpath | |
| from sys import argv, exit | |
| from threading import Lock |
| """ | |
| mutablenamedtuple is like collections.namedtuple, but the fields | |
| may be modified. This makes it basically a record type. | |
| Desired usage: | |
| F = mutablenamedtuple("F", ["foo", "bar", "baz"]) | |
| f = F(1, bar=2, baz=3) | |
| f.baz = 9 | |
| print(f) | |
| --> "F(foo=1, bar=2, baz=9)" |
| # from: http://www.seehuhn.de/blog/52 | |
| class Timezone(datetime.tzinfo): | |
| def __init__(self, name="+0000"): | |
| self.name = name | |
| seconds = int(name[:-2])*3600+int(name[-2:])*60 | |
| self.offset = datetime.timedelta(seconds=seconds) | |
| def utcoffset(self, dt): | |
| return self.offset |
| import synapse.link as s_link | |
| import synapse.daemon as s_daemon | |
| import synapse.telepath as s_tele | |
| def log(*args, **kwargs): | |
| print("log %s %s" % (args, kwargs)) | |
| def main(): |
| #!/bin/bash | |
| # debian dependencies | |
| sudo apt-get install python3 python3-pip qt5-default python3-pyqt5 git | |
| # get virtualenv package for python3 | |
| sudo pip3 install virtualenv | |
| # prepare a clean Python environment | |
| mkdir env; virtualenv -p python3 env |
| #!/bin/bash | |
| # arch dependencies | |
| sudo pacman -S python3 python-pyqt5 git | |
| sudo pip3 install virtualenv | |
| # prepare a clean Python environment | |
| mkdir env; virtualenv -p python3 env |
| def parse_windows_timestamp(hex_str): | |
| """ | |
| @type hex_str: str | |
| @param hex_str: A string that contains a hex encoded QWORD (8 bytes) that are a Windows timestamp. | |
| @rtype: str | |
| @return: A string that contains an ISO formatted timestamp. | |
| """ | |
| import struct, binascii | |
| from datetime import datetime | |
| return datetime.utcfromtimestamp(float(struct.unpack_from("<Q", binascii.unhexlify(hex_str.replace(" ", "")))[0]) * 1e-7 - 11644473600).isoformat("T") |
| 0000 2A 2A 00 00 D0 09 00 00 19 68 00 00 00 00 00 00 **.......h...... | |
| 0010 64 82 38 8A FA 88 CC 01 0F 01 01 00 0C 01 84 30 d.8............0 | |
| 0020 7C 5E 26 02 00 00 00 00 00 00 84 30 7C 5E 67 73 |^&........0|^gs | |
| 0030 6B 9F C7 6D 8C BB A4 C5 45 C8 96 04 00 00 0F 01 k..m....E....... | |
| 0040 01 00 41 11 00 8A 04 00 00 4D 02 00 00 00 00 00 ..A......M...... | |
| 0050 00 BA 0C 05 00 45 00 76 00 65 00 6E 00 74 00 00 .....E.v.e.n.t.. | |
| 0060 00 87 00 00 00 06 6A 02 00 00 00 00 00 00 BC 0F ......j......... | |
| 0070 05 00 78 00 6D 00 6C 00 6E 00 73 00 00 00 05 01 ..x.m.l.n.s..... | |
| 0080 35 00 68 00 74 00 74 00 70 00 3A 00 2F 00 2F 00 5.h.t.t.p.:././. | |
| 0090 73 00 63 00 68 00 65 00 6D 00 61 00 73 00 2E 00 s.c.h.e.m.a.s... |
| python-registry/samples - [master●] » python timeline.py --bodyfile /tmp/NTUSER.DAT | |
| 0|[Registry NTUSER] $$$PROTO.HIV|0|0|0|0|0|1307730644|0|0|0 | |
| 0|[Registry NTUSER] $$$PROTO.HIV\AppEvents|0|0|0|0|0|1281972745|0|0|0 | |
| 0|[Registry NTUSER] $$$PROTO.HIV\AppEvents\EventLabels|0|0|0|0|0|1289599433|0|0|0 | |
| 0|[Registry NTUSER] $$$PROTO.HIV\AppEvents\EventLabels\.Default|0|0|0|0|0|1281972745|0|0|0 | |
| 0|[Registry NTUSER] $$$PROTO.HIV\AppEvents\EventLabels\ActivatingDocument|0|0|0|0|0|1281981027|0|0|0 | |
| 0|[Registry NTUSER] $$$PROTO.HIV\AppEvents\EventLabels\AppGPFault|0|0|0|0|0|1281972745|0|0|0 | |
| 0|[Registry NTUSER] $$$PROTO.HIV\AppEvents\EventLabels\BlockedPopup|0|0|0|0|0|1281981027|0|0|0 | |
| 0|[Registry NTUSER] $$$PROTO.HIV\AppEvents\EventLabels\CCSelect|0|0|0|0|0|1281981027|0|0|0 | |
| 0|[Registry NTUSER] $$$PROTO.HIV\AppEvents\EventLabels\Close|0|0|0|0|0|1281972745|0|0|0 |