Creating a timeline with Log2timeline.py (Plaso) (18)
These are the plugins from the second half of the Log2timeline (Plaso) WinRegistryParser. Registry artifacts that the Plaso plugins do not cover need to be parsed with a separate tool such as RegRipper.
MsieTypedURLsPlugin : Gathers the MSIE TypedURLs key for the User hive.
NTUSER⇒ \\Software\\Microsoft\\Internet Explorer\\TypedURLs
Parses IE's TypedURLs key (values typed directly into the address bar)
MsieZoneSettingsSoftwareLockdownZonesPlugin : Parses the Lockdown Zones key in the Software hive.
SOFTWARE⇒ \\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones
Parses the contents of the Lockdown_Zones key
MsieZoneSettingsSoftwareZonesPlugin : Parses the Zones key in the Software hive.
SOFTWARE⇒ \\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones
Parses the contents of the Zones key
MsieZoneSettingsUserLockdownZonesPlugin : Parses the Lockdown Zones key in the User hive.
NTUSER⇒ \\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones
MsieZoneSettingsUserZonesPlugin : Parses the Zones key in the User hive.
NTUSER⇒ \\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones
MsieZoneSettingsWow64SoftwareLockdownZonesPlugin : Parses the Lockdown Zones key in the Wow6432Node key of the Software hive.
SOFTWARE⇒ \\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Lockdown_Zones
MsieZoneSettingsWow64SoftwareZonesPlugin : Parses the Zones key in the Wow6432Node key of the Software hive.
SOFTWARE⇒ \\Wow6432Node\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones
RDPDRTerminalServerClientPlugin : Gathers the RDPDR key for the User hive.
NTUSER⇒ \\Software\\Microsoft\\Terminal Server Client\\Default\\AddIns\\RDPDR
Related to printers redirected over RDP?
RunNtuserPlugin : Gathers the Run Keys for User hive.
NTUSER⇒ \\Software\\Microsoft\\Windows\\CurrentVersion\\Run
RunOnceNtuserPlugin : Gathers the RunOnce key for the User hive.
NTUSER⇒ \\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce
RunOnceSoftwarePlugin : Gathers the RunOnce key for the Software hive.
SOFTWARE⇒ \\Microsoft\\Windows\\CurrentVersion\\RunOnce
RunServicesOnceSoftwarePlugin : Gathers the RunServicesOnce Key for Software hive.
SOFTWARE⇒ \\Microsoft\\Windows\\CurrentVersion\\RunServicesOnce
RunServicesSoftwarePlugin : Gathers the RunServices Key for Software hive.
SOFTWARE⇒ \\Microsoft\\Windows\\CurrentVersion\\RunServices
RunSoftwarePlugin : Gathers the Run Key for Software hive.
SOFTWARE⇒ \\Microsoft\\Windows\\CurrentVersion\\Run
ServersTerminalServerClientPlugin : Gathers the Servers key for the User hive.
NTUSER⇒ \\Software\\Microsoft\\Terminal Server Client\\Servers
Parses the key values for servers that were connected to with the RDP client
ServicesPlugin : Plug-in to format the Services and Drivers keys having Type and Start.
SYSTEM⇒ Type and Start
Referenced URL: http://support.microsoft.com/kb/103000
SetupRunOnceSoftwarePlugin : Gathers the RunOnce\Setup key for the Software hive.
SOFTWARE⇒ \\Microsoft\\Windows\\CurrentVersion\\RunOnce\\Setup
TypedPathsPlugin : Gathers the TypedPaths key for the User hive.
NTUSER⇒ \\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths
Parses the Explorer address bar history
USBStorPlugin : USBStor key plugin.
SYSTEM⇒ \\{current_control_set}\\Enum\\USBSTOR
Parses the contents of the USBSTOR key values
UserAssistPlugin1 : Plugin that parses an UserAssist key.
NTUSER⇒ \\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{{0D6D4F41-2994-4BA0-8FEF-620E43CD2812}}
UserAssistPlugin2 : Plugin that parses the Microsoft Internet Toolbar UserAssist key.
NTUSER⇒ \\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{{5E6AB780-7743-11CF-A12B-00AA004AE837}}
UserAssistPlugin3 : Plugin that parses the ActiveDesktop UserAssist key.
NTUSER⇒ \\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{{75048700-EF1F-11D0-9888-006097DEACF9}}
UserAssistPlugin4 : Plugin that parses an UserAssist key.
NTUSER⇒ \\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{{9E04CAB2-CC14-11DF-BB8C-A2F1DED72085}}
UserAssistPlugin5 : Plugin that parses an UserAssist key.
NTUSER⇒ \\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{{A3D53349-6E61-4557-8FC7-0028EDCEEBF6}}
UserAssistPlugin6 : Plugin that parses an UserAssist key.
NTUSER⇒ \\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{{B267E3AD-A825-4A09-82B9-EEC22AA3B847}}
UserAssistPlugin7 : Plugin that parses an UserAssist key.
NTUSER⇒ \\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{{CAA59E3C-4792-41A5-9909-6A6A8D32490E}}
UserAssistPlugin8 : Plugin that parses an UserAssist key.
NTUSER⇒ \\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}}
UserAssistPlugin9 : Plugin that parses an UserAssist key.
NTUSER⇒ \\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{{F2A1CB5A-E3CC-4A2E-AF9D-505A7009D442}}
UserAssistPlugin10 : Plugin that parses an UserAssist key.
NTUSER⇒ \\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}}
UserAssistPlugin11 : Plugin that parses an UserAssist key.
NTUSER⇒ \\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{{FA99DFC7-6AC2-453A-A5E2-5E2AFF4507BD}}
WinRarArcHistoryPlugin : Gathers WinRAR ArcHistory from the User hive.
NTUSER⇒ \\Software\\WinRAR\\ArcHistory
WinRarArcNamePlugin : Gathers WinRAR ArcName from the User hive.
NTUSER⇒ \\Software\\WinRAR\\DialogEditHistory\\ArcName
WinRarExtrPathPlugin : Gathers WinRAR ExtrPath from the User hive.
NTUSER⇒ \\Software\\WinRAR\\DialogEditHistory\\ExtrPath
WinVerPlugin : Plug-in to collect information about the Windows version.
SOFTWARE⇒ \\Microsoft\\Windows NT\\CurrentVersion
Parses a minimal set of information, including the system install date
★ Run key related:
https://googledrive.com/host/0B30H7z4S52Fla2ZwMzFoQTFiU2s/namespaceplaso_1_1registry_1_1run.html
★ Terminal Server related