Binary file modified Modules/PowerForensics/lib/PSv2/PowerForensics.dll
Binary file not shown.
Expand Up @@ -55,21 +55,69 @@ public static FileMRU[] Get(string hivePath)
List<FileMRU> fileList = new List<FileMRU>();

byte[] bytes = RegistryHelper.GetHiveBytes(hivePath);
NamedKey OfficeKey = RegistryHelper.GetOfficeKey(bytes, hivePath);
string key = @"Software\Microsoft\Office";

foreach (NamedKey nk in OfficeKey.GetSubKeys(bytes))
NamedKey OfficeKey = null;

try
{
OfficeKey = NamedKey.Get(bytes, hivePath, key);
}
catch
{
if (nk.Name == "Word" || nk.Name == "Excel" || nk.Name == "PowerPoint")
throw new Exception(String.Format("Microsoft Office is not installed on this system or has not been opened by this User"));
}

foreach (NamedKey ov in OfficeKey.GetSubKeys(bytes))
{
if (ov.Name.Contains(@".0"))
{
foreach (NamedKey k in nk.GetSubKeys(bytes))
if (ov.Name != "8.0")
{
if (k.Name == "File MRU")
if(ov.GetSubKeys(bytes) != null)
{
foreach (ValueKey vk in k.GetValues(bytes))
foreach (NamedKey nk in ov.GetSubKeys(bytes))
{
if (vk.Name != "Max Display")
if ((nk.Name == "Word" || nk.Name == "Excel" || nk.Name == "PowerPoint") && nk.Name != null)
{
fileList.Add(new FileMRU(user, (string)vk.GetData(bytes)));
foreach (NamedKey k in nk.GetSubKeys(bytes))
{
if (k.Name == "File MRU")
{
foreach (ValueKey vk in k.GetValues(bytes))
{
if(null == vk)
{
continue;
}else
{
if (vk.Name.StartsWith("Item"))
{
fileList.Add(new FileMRU(user, (string)vk.GetData(bytes)));
}
}
}
}
else if(k.Name == "User MRU")
{
foreach (NamedKey sk in k.GetSubKeys(bytes))
{
foreach (NamedKey ssk in sk.GetSubKeys(bytes))
{
if (ssk.Name == "File MRU")
{
foreach (ValueKey vk in ssk.GetValues(bytes))
{
if (vk.Name.StartsWith("Item"))
{
fileList.Add(new FileMRU(user, (string)vk.GetData(bytes)));
}
}
}
}
}
}
}
}
}
}
Expand All @@ -82,7 +130,7 @@ public static FileMRU[] Get(string hivePath)
{
throw new Exception("Invalid NTUSER.DAT hive provided to -HivePath parameter.");
}
}
}

/// <summary>
///
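Review bot: The bare `catch` around `NamedKey.Get(bytes, hivePath, key)` turns every failure, including a truncated or malformed hive, into "Microsoft Office is not installed on this system or has not been opened by this User", so an examiner can read a parse error as the absence of the artifact. Keep the cause by catching into a variable and chaining it, `catch (Exception e)` with `throw new Exception("Unable to read the Office key from the hive.", e);`, or catch only the exception type `NamedKey.Get` raises for a missing key if it has one (not visible here). The `String.Format` call has no arguments and can be dropped. Null handling is also uneven in the new loops: `ov.GetSubKeys(bytes)` is null-checked and `vk` is null-checked under "File MRU", but `nk.GetSubKeys`, `k.GetSubKeys`, `sk.GetSubKeys` and the `vk.Name.StartsWith("Item")` in the "User MRU" branch are not, which would abort the whole listing if any of them can return null. The body of `Get` starts and ends outside the hunks shown.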