#-----------------------------------------------------------
# onedriveforbusiness.pl
# Plugin for RegRipper 2.8/3.0
#
# This plugin parses the following keys:
# - HKCU\Software\Microsoft\OneDrive\Accounts\Business1
# - HKCU\Software\SyncEngines\Providers\OneDrive
#
# Change history
# 20200601 - First release
#
#
# Author : Gabriele Zambelli
# Email : forensenellanebbia at gmail.com
# Blog : https://forensenellanebbia.blogspot.it
# Twitter: @gazambelli
#-----------------------------------------------------------
package onedriveforbusiness;
use strict;
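# Plugin metadata read by RegRipper through the accessor subs below.
# 'hive' was written as "NTUSER\.DAT": in a double-quoted string "\." is an
# unrecognised escape that evaluates to "." (and warns once `use warnings`
# is enabled), so the value is spelled out literally here instead.
my %config = (
    hive          => 'NTUSER.DAT',  # hive file this plugin applies to
    osmask        => 22,            # RegRipper OS-applicability mask (per RegRipper convention)
    hasShortDescr => 1,             # getShortDescr() returns text
    hasDescr      => 0,             # getDescr() is empty
    hasRefs       => 0,             # getRefs() is empty
    version       => 20200601,      # YYYYMMDD of the last change
);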
# One-line description shown by RegRipper next to the plugin name.
sub getShortDescr {
    my $descr = 'Extracts OneDrive for Business entries';
    return $descr;
}
# No long description is provided (hasDescr => 0); returns nothing.
sub getDescr {
    return;
}
# No references are provided (hasRefs => 0); returns nothing.
sub getRefs {
    return;
}
# Name of the hive file this plugin runs against (from %config).
sub getHive {
    my $hive_name = $config{hive};
    return $hive_name;
}
# Plugin version stamp (YYYYMMDD) from %config.
sub getVersion {
    my $version_stamp = $config{version};
    return $version_stamp;
}
# Cached for the banner printed by pluginmain(); same value getVersion() returns.
my $VERSION = $config{version};
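# RegRipper entry point.
#
# $class is the plugin package (unused), $hive the path of the NTUSER.DAT
# hive to parse. All output goes through ::rptMsg; nothing is returned.
#
# Fixes over the first release:
# - the SyncEngines\Providers\OneDrive key was dereferenced without a
#   defined check, so a hive without it killed the plugin with
#   "Can't call method get_list_of_subkeys on an undefined value";
# - $key and $key_path were declared twice in the same scope;
# - timestamp values shorter than 4 bytes printed a bogus 1970 date;
# - value names are printed in sorted order so two runs over the same
#   hive produce the same report.
sub pluginmain {
    my $class = shift;
    my $hive  = shift;
    ::rptMsg("onedriveforbusiness v.".$VERSION);
    ::rptMsg("(".getHive().") ".getShortDescr()."\n");
    my $reg      = Parse::Win32Registry->new($hive);
    my $root_key = $reg->get_root_key;

    # The Business1 account key is the indicator that OneDrive for Business
    # was used on this profile; without it nothing else is reported (the
    # SyncEngines key below is only examined when Business1 exists, as in
    # the original code).
    my $account_path = "Software\\Microsoft\\OneDrive\\Accounts\\Business1";
    my $account_key  = $root_key->get_subkey($account_path);
    if (!defined $account_key) {
        ::rptMsg($account_path." not found.");
        return;
    }

    ::rptMsg("** Account and settings **");
    ::rptMsg($account_path);
    ::rptMsg("LastWrite Time ".gmtime($account_key->get_timestamp())." (UTC)");
    _report_account_values($account_key);

    my $cache_path = $account_path."\\ScopeIdToMountPointPathCache";
    if (my $cache_key = $root_key->get_subkey($cache_path)) {
        ::rptMsg("");
        ::rptMsg("** OneDrive folders synced to the computer (Personal and 'Shared with me' folders) **");
        ::rptMsg($cache_path);
        ::rptMsg("LastWrite Time ".gmtime($cache_key->get_timestamp())." (UTC)");
        _report_values($cache_key);
    }

    my $sync_path = "Software\\SyncEngines\\Providers\\OneDrive";
    my $sync_key  = $root_key->get_subkey($sync_path);
    if (!defined $sync_key) {
        ::rptMsg("");
        ::rptMsg($sync_path." not found.");
        return;
    }
    foreach my $provider ($sync_key->get_list_of_subkeys()) {
        ::rptMsg("");
        ::rptMsg($sync_path."\\".$provider->get_name());
        ::rptMsg("LastWrite Time ".gmtime($provider->get_timestamp())." (UTC)");
        _report_values($provider);
    }
    return;
}

# True when $name is one of the Business1 values this plugin treats as a
# timestamp (prefix match, as in the original regex chain).
sub _is_timestamp_value {
    my $name = shift;
    return $name =~ m/^(?:ClientFirstSignInTimestamp
                        |NextMigrationScan
                        |SPOLastUpdate
                        |ECSConfigurationExpires
                        |ShareTimeStamp
                        |LastSignInTime
                        |NextOneRmUpdateTime)/x;
}

# Decode raw value data as a little-endian Unix epoch (seconds) suitable
# for gmtime(). The original unpacked "VV" in scalar context, which only
# yields the low dword; both dwords are combined here, which gives the
# same result whenever the high dword is zero. Returns nothing when the
# data is missing or shorter than 4 bytes so the caller can print it raw.
sub _decode_epoch {
    my $data = shift;
    return if !defined $data || length($data) < 4;
    my ($lo, $hi) = unpack("VV", $data);
    $hi = 0 unless defined $hi;    # 4-byte (REG_DWORD) data has no high dword
    return $lo + $hi * 4294967296;
}

# Print every value under the Business1 key: known timestamp values are
# rendered as UTC, everything else is printed as stored.
sub _report_account_values {
    my $key  = shift;
    my %vals = getKeyValues($key);
    foreach my $v (sort keys %vals) {
        my $ts = _is_timestamp_value($v) ? _decode_epoch($vals{$v}) : undef;
        if (defined $ts) {
            ::rptMsg("\t".$v." -> ".gmtime($ts)." (UTC)");
        }
        else {
            ::rptMsg("\t".$v." -> ".$vals{$v});
        }
    }
    return;
}

# Print every value under $key as "name -> data", one per line.
sub _report_values {
    my $key  = shift;
    my %vals = getKeyValues($key);
    foreach my $v (sort keys %vals) {
        ::rptMsg("\t".$v." -> ".$vals{$v});
    }
    return;
}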
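# Collect a key's values into a name => raw-data hash.
#
# $key is a Parse::Win32Registry key object. The unnamed (default) value
# is kept only when it carries data, so an untouched default does not show
# up in the report as an empty " -> " line. Data is stored as get_data()
# returns it, with undef normalised to "" so callers can print it without
# an "uninitialized value" warning. Returns the hash as a flat list
# (callers write my %vals = getKeyValues($key)).
sub getKeyValues {
    my $key = shift;
    my %vals;
    return %vals unless defined $key;    # nothing to walk
    foreach my $v ($key->get_list_of_values()) {
        my $name = $v->get_name();
        my $data = $v->get_data();
        $data = '' unless defined $data;    # NOTE(review): some value types appear to yield no data — confirm
        next if $name eq '' && $data eq '';
        $vals{$name} = $data;
    }
    return %vals;
}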
1;