A wrapper around several highly used Registry functions.

Public Member Functions

def __init__(self, config)

def print_offsets(self)
    Prints the hive offsets that were found and which hive(s) were chosen, so they can be checked.

def populate_offsets(self)
    Collects all hive offsets up front so the address space does not have to be scanned again.

def reg_get_currentcontrolset
    Returns the CurrentControlSet. If fullname is not specified, only the number is returned ("1", "2", etc.); by default the full name ControlSet00{#} is returned so it can be appended to the desired key path. Returns None on failure, so verify the result before using it.

def set_current
    If a hive is found that fits the given criteria, its offset is saved so it does not have to be scanned for again.

def reset_current(self)
    Clears the saved offset, for when we switch to a different hive/user/context.

def reg_get_key
    Returns a key from a requested hive. Assumes the key comes from a single hive; if more than one hive matches, the first hive/key found is returned.

def reg_get_key_path(self, key)
    Takes a key object and walks back through its parents to build the full path.

def reg_yield_key
    Use this function when collecting keys from more than one hive.

def reg_enum_key
    Enumerates the requested key.

def reg_get_all_subkeys
    Enumerates the subkeys of the requested key.

def reg_yield_values
    Yields all values of the requested registry key.

def reg_get_value
    Returns the requested value of a registry key.

def reg_get_all_keys
    Enumerates all keys in the specified hives and collects their lastwrite times.

def reg_get_last_modified
    Wrapper function using reg_get_all_keys.

Public Attributes

addr_space
all_offsets
current_offsets
def volatility.plugins.registry.registryapi.RegistryApi.reg_get_last_modified(self, hive_name, count = 1, user = None, start = None, end = None, reg = False)

Wrapper function using reg_get_all_keys.

This can take a while, since every subkey in the hive has to be collected before the lastwrite times can be compared; `start` and `end` restrict the window and `count` limits how many of the most recently modified keys are returned.
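The two lookups documented above, CurrentControlSet resolution and last-modified ranking, are the ones a forensic analyst most often chains together (resolve the active control set, then pull a service's ImagePath or list the keys touched in a time window). The block below is an added, standalone model of that logic and is not Volatility's own code: it replaces the memory-image hive with an in-memory tree of constructed sample keys, and the helper names (Key, get_key, get_value, current_control_set, all_keys, last_modified) are this example's own, chosen to mirror the RegistryApi semantics described on this page. The one Windows fact it relies on is that HKLM\SYSTEM\Select\Current holds the number of the active control set.

```python
"""Standalone model of the RegistryApi lookups documented above (added example,
not Volatility's own code). The hive is an in-memory tree so it runs without a
memory image; the SYSTEM hive built at the bottom is constructed sample data."""
from datetime import datetime, timedelta


class Key:
    """Minimal stand-in for a registry key: name, parent link, subkeys, values, lastwrite."""

    def __init__(self, name, lastwrite, parent=None):
        self.name = name
        self.lastwrite = lastwrite
        self.parent = parent
        self.subkeys = {}
        self.values = {}

    def add(self, name, lastwrite):
        child = Key(name, lastwrite, parent=self)
        self.subkeys[name] = child
        return child


def key_path(key):
    """Walk parent links back to the hive root (reg_get_key_path semantics)."""
    parts = []
    while key is not None and key.parent is not None:
        parts.append(key.name)
        key = key.parent
    return "\\".join(reversed(parts))


def get_key(root, path):
    """Case-insensitive walk of a backslash-separated path; None if a component is missing."""
    node = root
    for part in filter(None, path.split("\\")):
        match = next((k for n, k in node.subkeys.items() if n.lower() == part.lower()), None)
        if match is None:
            return None
        node = match
    return node


def get_value(root, path, value_name):
    """reg_get_value semantics: None when the key or the value does not exist."""
    key = get_key(root, path)
    if key is None:
        return None
    return key.values.get(value_name)


def current_control_set(system_root, fullname=True):
    """Resolve SYSTEM\\Select\\Current to "ControlSet00N" (or just "N");
    returns None on failure, so callers must check before appending a path."""
    current = get_value(system_root, "Select", "Current")
    if not isinstance(current, int):
        return None
    return "ControlSet00{0}".format(current) if fullname else str(current)


def all_keys(root, start=None, end=None):
    """Depth-first collection of (lastwrite, path) for every key below the root,
    optionally limited to the [start, end] window (reg_get_all_keys semantics)."""
    stack = [root]
    while stack:
        key = stack.pop()
        stack.extend(key.subkeys.values())
        if key.parent is None:          # the hive root itself is not reported
            continue
        if start is not None and key.lastwrite < start:
            continue
        if end is not None and key.lastwrite > end:
            continue
        yield key.lastwrite, key_path(key)


def last_modified(root, count=1, start=None, end=None):
    """Newest `count` keys by lastwrite time (reg_get_last_modified semantics).
    Every key must be collected before sorting, which is why the real call is slow."""
    return sorted(all_keys(root, start, end), key=lambda item: item[0], reverse=True)[:count]


# Constructed sample SYSTEM hive; timestamps and names are made up for the example.
T0 = datetime(2023, 5, 1, 12, 0, 0)
SYSTEM = Key("SYSTEM", T0)
SYSTEM.add("Select", T0).values["Current"] = 1
cs1 = SYSTEM.add("ControlSet001", T0 + timedelta(hours=1))
services = cs1.add("Services", T0 + timedelta(hours=2))
svc = services.add("EvilSvc", T0 + timedelta(days=3))    # hypothetical service name
svc.values["ImagePath"] = r"C:\Windows\Temp\svc.exe"
SYSTEM.add("ControlSet002", T0 + timedelta(hours=1)).add("Services", T0 + timedelta(hours=1))


def demo():
    """Resolve the active control set, read a value under it, rank recent keys."""
    ccs = current_control_set(SYSTEM)
    image = get_value(SYSTEM, ccs + "\\Services\\EvilSvc", "ImagePath") if ccs else None
    return ccs, image, last_modified(SYSTEM, count=2)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Inside a Volatility 2 plugin the same chain goes through the wrapper instead: `regapi = registryapi.RegistryApi(self._config)`, then `regapi.reg_get_currentcontrolset()` for the "ControlSet00N" prefix and `regapi.reg_get_value("system", path, "ImagePath")` for the lookup. There the lastwrite times are the framework's Windows timestamp objects rather than datetime values, and a key that cannot be found comes back as None exactly as modelled here, so the None check before building a path is not optional.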
def volatility.plugins.registry.registryapi.RegistryApi.set_current(self, hive_name = None, user = None)

If a hive is found that fits the given criteria, its offset is saved so it does not have to be scanned for again.

The saved offset can be cleared with reset_current if the context (hive, user) changes.