New feature:

- includes executed programs in timeline

Author: ericw317

CustomLibs/NTUSER_parsing.py

@@ -0,0 +1,102 @@
+from CustomLibs import ShadowCopies
+from CustomLibs import time_conversion as TC
+import os
+import shutil
+from Registry import Registry
+import codecs
+
+def decode_rot13(string):
+    return codecs.decode(string, 'rot13')
+
+
+# copy locked NTUSER.DAT file
+def copy_locked_NTUSER(user):
+    try:
+        ShadowCopies.create_shadow_copy()  # create shadow copy
+        shadow_copy_path = ShadowCopies.get_latest_shadow_copy()  # get latest shadow copy
+        NTUSER_source = os.path.join(shadow_copy_path, "Users", str(user), "NTUSER.DAT")  # NTUSER.DAT source path
+        destination_path = os.path.join(os.getcwd(), "NTUSER_copy")  # destination to copy NTUSER to
+
+        shutil.copy(NTUSER_source, destination_path)  # copy the NTUSER.DAT file
+
+        # delete shadow copy
+        shadow_ID = ShadowCopies.get_latest_shadow_copy_id()  # get shadow copy ID
+        ShadowCopies.delete_shadow_copy(shadow_ID)  # delete shadow copy
+    except Exception as e:
+        print("Error: Make sure you are running as administrator.")
+
+# copy NTUSER.DAT file from mounted drive
+def copy_mounted_NTUSER(drive, user):
+    NTUSER_path = f"{drive}[root]\\Users\\{user}\\NTUSER.DAT"
+    destination_path = os.path.join(os.getcwd(), "NTUSER_copy")
+    shutil.copy(NTUSER_path, destination_path)
+
+def find_lnk_guid_path(user_assist_key):
+    # Search for the GUID containing LNK files (".yax" in ROT13)
+    for GUID in user_assist_key.subkeys():
+        for Count in GUID.subkeys():
+            for value in Count.values():
+                if value.name().endswith(".yax"):
+                    clean_path = (user_assist_key.path()).split("Software", 1)[-1]
+                    return f"Software{clean_path}\\{GUID.name()}\\Count"
+    return None
+
+def decode_data(data):
+    if len(data) >= 12:
+        last_executed_filetime = int.from_bytes(data[60:68], byteorder="little")
+        return last_executed_filetime
+    return None
+
+
+def sanitize_name(name):
+    if "{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}" in name:
+        return name.replace("{0139D44E-6AFE-49F2-8690-3DAFCAE6FFB8}", "{Common Programs}")
+    elif "{9E3995AB-1F9C-4F13-B827-48B24B6C7174}" in name:
+        return name.replace("{9E3995AB-1F9C-4F13-B827-48B24B6C7174}", "{User Pinned}")
+    elif "{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}" in name:
+        return name.replace("{A77F5D77-2E2B-44C3-A6A2-ABA601054A51}", "{Programs}")
+    else:
+        return name
+
+
+# parse NTUSER.DAT information
+def get_user_assist(drive, user):
+    lnk_guid_list = []
+
+    # create NTUSER.DAT copy
+    if drive == "C:\\":
+        if not os.path.exists("NTUSER_copy"):
+            copy_locked_NTUSER(user)
+    else:
+        if not os.path.exists("NTUSER_copy"):
+            copy_mounted_NTUSER(drive, user)
+
+    # open registry file and access user assist key
+    reg = Registry.Registry("NTUSER_copy")
+    user_assist_key_path = "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist"
+    user_assist_key = reg.open(user_assist_key_path)
+
+    # get path with lnk files
+    lnk_guid = find_lnk_guid_path(user_assist_key)
+    if lnk_guid is None:
+        return 0
+
+    # collect contents of LNK GUID folder
+    lnk_guid = reg.open(lnk_guid)
+    for value in lnk_guid.values():
+        if (value.name()).endswith(".yax"):
+            # name full path of program
+            path = decode_rot13(value.name())
+
+            # sanitize names
+            path = sanitize_name(path)
+
+            last_execution = TC.filetime_convert(decode_data(value.value()))  # last execution date
+
+            # add data to list
+            if path.endswith(".lnk"):
+                path = path[:-4]
+            lnk_guid_list.append(["Executed Program", path, last_execution])
+
+    os.remove("NTUSER_copy")
+    return lnk_guid_list

CustomLibs/ShadowCopies.py

@@ -0,0 +1,46 @@
+import subprocess
+import re
+
+# create shadow copy
+def create_shadow_copy():
+    # Create a shadow copy
+    result = subprocess.run("wmic shadowcopy call create Volume='C:\\'", shell=True, capture_output=True, text=True)
+
+# get latest shadow copy
+def get_latest_shadow_copy():
+    # run "vssadmin list shadows" command to list all shadow copies
+    result = subprocess.run(['vssadmin', 'list', 'shadows'], stdout=subprocess.PIPE, text=True)
+
+    # find all 'Shadow Copy Volume' paths
+    shadow_copy_paths = re.findall(r'Shadow Copy Volume: (\\\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy\d+)',
+                                   result.stdout)
+
+    if shadow_copy_paths:
+        latest_shadow_copy = shadow_copy_paths[-1]
+        return latest_shadow_copy
+    else:
+        return None
+
+# get latest_shadow_copy_id
+def get_latest_shadow_copy_id():
+    # Run "vssadmin list shadows" to list all shadow copies
+    result = subprocess.run(['vssadmin', 'list', 'shadows'], stdout=subprocess.PIPE, text=True)
+
+    # Find all 'Shadow Copy ID' entries
+    shadow_copy_ids = re.findall(r'Shadow Copy ID: ({[a-f0-9\-]+})', result.stdout)
+
+    if shadow_copy_ids:
+        latest_shadow_copy_id = shadow_copy_ids[-1]  # Get the last (most recent) Shadow Copy ID
+        return latest_shadow_copy_id
+    else:
+        raise Exception("No shadow copies found.")
+
+# delete shadow copy
+def delete_shadow_copy(shadow_copy_ID):
+    # Run vssadmin delete shadows with the specific shadow copy path
+    result = subprocess.run(
+        ['vssadmin', 'delete', 'shadows', '/Shadow=' + shadow_copy_ID, "/Quiet"],
+        stdout=subprocess.PIPE,
+        stderr=subprocess.PIPE,
+        text=True
+    )

CustomLibs/recent_parsing.py

@@ -1,6 +1,7 @@
 from CustomLibs import time_conversion as TC
 import os
 from construct import Struct, Int32ul, Int16ul, Int32sl, Bytes
+import shutil
 
 # Define the LNK header structure, which includes file attributes at offset 0x18
 LNK_HEADER = Struct(
@@ -36,7 +37,7 @@ def get_recent_logs(drive, user):
     for file in os.listdir(recent_path):
         file_path = os.path.join(recent_path, file)
         m_time = TC.convert_unix_epoch_seconds(os.path.getmtime(file_path))
-        # original_path = parse_lnk_path(file_path)
+
         if os.path.isfile(file_path):
             if is_lnk_directory(file_path):
                 recent_logs.append([f"Opened directory:", file, m_time])
@@ -56,6 +57,8 @@ def is_lnk_directory(lnk_path):
 
         return is_directory
 
+
+'''
 def parse_lnk_path(lnk_path):
     with open(lnk_path, "rb") as f:
         lnk = LNK_HEADER.parse(f.read(76))  # Read and parse the header
@@ -69,3 +72,4 @@ def parse_lnk_path(lnk_path):
         original_path = path_bytes.decode("utf-16le", errors="ignore").rstrip("\x00")
 
         return original_path
+'''

CustomLibs/recycle_bin_parsing.py

@@ -29,6 +29,11 @@ def parse_i_file(file_path):
         metadata = [file_name, original_path, deletion_timestamp]
         return metadata
 
+# Function to check if a string is mostly readable (ASCII characters only)
+def is_readable(s):
+    # Check if all characters are ASCII and printable
+    return all(32 <= ord(char) <= 126 for char in s)
+
 # get $Recycle.Bin logs
 def get_recycle_logs(drive, user):
     RID = SAM_parsing.get_RID(drive, user)
@@ -51,4 +56,9 @@ def get_recycle_logs(drive, user):
             file_name, original_path, deletion_date = file_metadata
             recycle_logs.append(["Deleted file", original_path, deletion_date])
 
+    # remove unreadable content
+    for log in recycle_logs:
+        if not is_readable(log[1]):
+            recycle_logs.remove(log)
+
     return recycle_logs

config.py

@@ -1 +1 @@
-timezone = None
+timezone = "America/New_York"

main.py

@@ -2,6 +2,7 @@
 from CustomLibs import list_functions as LF
 from CustomLibs import recent_parsing
 from CustomLibs import recycle_bin_parsing
+from CustomLibs import NTUSER_parsing
 import config
 import psutil
 import os
@@ -86,12 +87,25 @@ def main():
     drive_list = list_drives()
     drive = get_drive(drive_list)
     user = get_users(drive)
-    recent_logs = recent_parsing.get_recent_logs(drive, user)
-    recycle_logs = recycle_bin_parsing.get_recycle_logs(drive, user)
+
+    # gather logs
+    try:
+        recent_logs = recent_parsing.get_recent_logs(drive, user)
+    except Exception:
+        recent_logs = []
+    try:
+        recycle_logs = recycle_bin_parsing.get_recycle_logs(drive, user)
+    except Exception:
+        recycle_logs = []
+    try:
+        user_assist_logs = NTUSER_parsing.get_user_assist(drive, user)
+    except Exception:
+        user_assist_logs = []
 
     # combine logs and sort
     all_logs = combine_logs(all_logs, recent_logs)
     all_logs = combine_logs(all_logs, recycle_logs)
+    all_logs = combine_logs(all_logs, user_assist_logs)
     all_logs = sorted(all_logs, key=lambda x: x[2])
 
     # get spacing
@@ -100,13 +114,23 @@ def main():
     for log in all_logs:
         if len(log[1]) > spacing:
             spacing = len(log[1])
+    spacing += 10
+
+    # output logs to a file
+    with open(f"{user} Activity Log.txt", 'w') as file:
+        file.write(f"{'Activity':<{activity_spacing}}{'File':<{spacing}}Timestamp\n")
+        file.write("-" * (activity_spacing + spacing + 25) + "\n")
+        for log in all_logs:
+            file.write(f"{log[0]:<{activity_spacing}}{log[1]:<{spacing}}{log[2]}\n")
 
     # print logs
-    print(f"{'Activity':<{spacing}}Timestamp")
-    print("-" * (spacing + 25))
+    print(f"{'Activity':<{activity_spacing}}{'File':<{spacing}}Timestamp")
+    print("-" * (activity_spacing + spacing + 25))
     for log in all_logs:
         print(f"{log[0]:<{activity_spacing}}{log[1]:<{spacing}}{log[2]}")
 
+    print(f"\nLogs saved to '{user} Activity Log.txt'")
+
 
 if __name__ == "__main__":
     main()