RomanNum3ral
/
python-forensics-handbook
mirror of https://github.com/chapinb/python-forensics-handbook.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
python-forensics-handbook/docs/section2.html

429 lines
28 KiB
HTML
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

<!DOCTYPE html>
<!--[if IE 8]><html class="no-js lt-ie9" lang="en" > <![endif]-->
<!--[if gt IE 8]><!--> <html class="no-js" lang="en" > <!--<![endif]-->
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>Section 2 - Registry Parsing &mdash; Python Forensics Handbook 20191103 documentation</title>
<script type="text/javascript" src="_static/js/modernizr.min.js"></script>
<script type="text/javascript" id="documentation_options" data-url_root="./" src="_static/documentation_options.js"></script>
<script type="text/javascript" src="_static/jquery.js"></script>
<script type="text/javascript" src="_static/underscore.js"></script>
<script type="text/javascript" src="_static/doctools.js"></script>
<script type="text/javascript" src="_static/language_data.js"></script>
<script type="text/javascript" src="_static/js/theme.js"></script>
<link rel="stylesheet" href="_static/css/theme.css" type="text/css" />
<link rel="stylesheet" href="_static/pygments.css" type="text/css" />
<link rel="index" title="Index" href="genindex.html" />
<link rel="search" title="Search" href="search.html" />
<link rel="next" title="Section 3 - Windows Event Log Parsing" href="section3.html" />
<link rel="prev" title="Section 1 - Essential Scripts" href="section1.html" />
</head>
<body class="wy-body-for-nav">
<div class="wy-grid-for-nav">
<nav data-toggle="wy-nav-shift" class="wy-nav-side">
<div class="wy-side-scroll">
<div class="wy-side-nav-search" >
<a href="index.html" class="icon icon-home"> Python Forensics Handbook
</a>
<div class="version">
20191103
</div>
<div role="search">
<form id="rtd-search-form" class="wy-form" action="search.html" method="get">
<input type="text" name="q" placeholder="Search docs" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
</div>
<div class="wy-menu wy-menu-vertical" data-spy="affix" role="navigation" aria-label="main navigation">
<p class="caption"><span class="caption-text">Table of Contents:</span></p>
<ul class="current">
<li class="toctree-l1"><a class="reference internal" href="section1.html">Section 1 - Essential Scripts</a></li>
<li class="toctree-l1 current"><a class="current reference internal" href="#">Section 2 - Registry Parsing</a><ul>
<li class="toctree-l2"><a class="reference internal" href="#module-sections.section_02.yarp_base">Section 2.1 - Opening a Hive</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#opening-a-registry-hive">Opening a Registry Hive</a></li>
<li class="toctree-l3"><a class="reference internal" href="#docstring-references">Docstring References</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#module-sections.section_02.yarp_ntuser">Section 2.2 - Parsing Hive Values</a><ul>
<li class="toctree-l3"><a class="reference internal" href="#creating-a-hive-specific-parser">Creating a Hive Specific Parser</a></li>
<li class="toctree-l3"><a class="reference internal" href="#reading-hive-string-values">Reading Hive String Values</a></li>
<li class="toctree-l3"><a class="reference internal" href="#reading-hive-binary-values">Reading Hive Binary Values</a></li>
<li class="toctree-l3"><a class="reference internal" href="#id1">Docstring References</a></li>
</ul>
</li>
<li class="toctree-l2"><a class="reference internal" href="#indices-and-tables">Indices and tables</a></li>
</ul>
</li>
<li class="toctree-l1"><a class="reference internal" href="section3.html">Section 3 - Windows Event Log Parsing</a></li>
</ul>
</div>
</div>
</nav>
<section data-toggle="wy-nav-shift" class="wy-nav-content-wrap">
<nav class="wy-nav-top" aria-label="top navigation">
<i data-toggle="wy-nav-top" class="fa fa-bars"></i>
<a href="index.html">Python Forensics Handbook</a>
</nav>
<div class="wy-nav-content">
<div class="rst-content">
<div role="navigation" aria-label="breadcrumbs navigation">
<ul class="wy-breadcrumbs">
<li><a href="index.html">Docs</a> &raquo;</li>
<li>Section 2 - Registry Parsing</li>
<li class="wy-breadcrumbs-aside">
<a href="_sources/section2.rst.txt" rel="nofollow"> View page source</a>
</li>
</ul>
<hr/>
</div>
<div role="main" class="document" itemscope="itemscope" itemtype="http://schema.org/Article">
<div itemprop="articleBody">
<div class="section" id="section-2-registry-parsing">
<h1>Section 2 - Registry Parsing<a class="headerlink" href="#section-2-registry-parsing" title="Permalink to this headline"></a></h1>
<div class="toctree-wrapper compound">
</div>
<div class="section" id="module-sections.section_02.yarp_base">
<span id="section-2-1-opening-a-hive"></span><h2>Section 2.1 - Opening a Hive<a class="headerlink" href="#module-sections.section_02.yarp_base" title="Permalink to this headline"></a></h2>
<p>Using the <cite>yarp</cite> library to open Windows registry hives using a class
structure that is very portable and flexible.</p>
<p>Example Usage:</p>
<blockquote>
<div><p><code class="docutils literal notranslate"><span class="pre">$</span> <span class="pre">python</span> <span class="pre">yarp_base.py</span> <span class="pre">{NTUSER</span> <span class="pre">HIVE}</span></code></p>
</div></blockquote>
<p>References:</p>
<ul class="simple">
<li><p><a class="reference external" href="https://github.com/msuhanov/yarp">https://github.com/msuhanov/yarp</a></p></li>
<li><p><a class="reference external" href="https://docs.python.org/3/library/struct.html">https://docs.python.org/3/library/struct.html</a></p></li>
<li><p><a class="reference external" href="https://docs.python.org/3/library/datetime.html">https://docs.python.org/3/library/datetime.html</a></p></li>
</ul>
<div class="section" id="opening-a-registry-hive">
<h3>Opening a Registry Hive<a class="headerlink" href="#opening-a-registry-hive" title="Permalink to this headline"></a></h3>
<p>This class demonstrates how to open a registry hive file with the <cite>yarp</cite> tool.
This library not only allows us to open a single offline hive, but also
leverage any available transaction logs to include additional information
otherwise available on the Windows system. This class handles both the opening
of the primary hive and attempted recovery of the transaction logs.</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span><span class="k">class</span> <span class="nc">RegistryBase</span><span class="p">():</span>
<span class="sd">&quot;&quot;&quot;Base class containing common registry parsing code. Will open a hive</span>
<span class="sd"> and attempt recovery using available transaction logs&quot;&quot;&quot;</span>
<span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">reg_file</span><span class="p">):</span>
<span class="sd">&quot;&quot;&quot;Base __init__ method, responsible for opening a hive.&quot;&quot;&quot;</span>
<span class="bp">self</span><span class="o">.</span><span class="n">reg_file</span> <span class="o">=</span> <span class="n">reg_file</span>
<span class="bp">self</span><span class="o">.</span><span class="n">tx_log_files</span> <span class="o">=</span> <span class="p">[]</span>
<span class="bp">self</span><span class="o">.</span><span class="n">hive</span> <span class="o">=</span> <span class="kc">None</span>
<span class="bp">self</span><span class="o">.</span><span class="n">_open_hive</span><span class="p">()</span>
<span class="k">def</span> <span class="nf">_open_hive</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
<span class="sd">&quot;&quot;&quot;Open a registry hive with yarp. Must be an open file object with read</span>
<span class="sd"> permissions. Will attempt to recover the hive with transaction logs if</span>
<span class="sd"> present.</span>
<span class="sd"> &quot;&quot;&quot;</span>
<span class="bp">self</span><span class="o">.</span><span class="n">hive</span> <span class="o">=</span> <span class="n">Registry</span><span class="o">.</span><span class="n">RegistryHive</span><span class="p">(</span><span class="bp">self</span><span class="o">.</span><span class="n">reg_file</span><span class="p">)</span>
<span class="bp">self</span><span class="o">.</span><span class="n">_recover_hive</span><span class="p">()</span>
<span class="k">def</span> <span class="nf">_recover_hive</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
<span class="sd">&quot;&quot;&quot;Search for transaction logs and attempt recovery of the hive.&quot;&quot;&quot;</span>
<span class="n">hive_path</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">hive</span><span class="o">.</span><span class="n">registry_file</span><span class="o">.</span><span class="n">file_object</span><span class="o">.</span><span class="n">name</span>
<span class="n">tx_logs</span> <span class="o">=</span> <span class="n">RegistryHelpers</span><span class="o">.</span><span class="n">DiscoverLogFiles</span><span class="p">(</span><span class="n">hive_path</span><span class="p">)</span>
<span class="bp">self</span><span class="o">.</span><span class="n">tx_log_files</span> <span class="o">=</span> <span class="p">[]</span>
<span class="k">for</span> <span class="n">tx_path</span> <span class="ow">in</span> <span class="p">[</span><span class="s1">&#39;log_path&#39;</span><span class="p">,</span> <span class="s1">&#39;log1_path&#39;</span><span class="p">,</span> <span class="s1">&#39;log2_path&#39;</span><span class="p">]:</span>
<span class="n">log_obj</span> <span class="o">=</span> <span class="kc">None</span>
<span class="k">if</span> <span class="nb">getattr</span><span class="p">(</span><span class="n">tx_logs</span><span class="p">,</span> <span class="n">tx_path</span><span class="p">,</span> <span class="kc">None</span><span class="p">):</span>
<span class="n">log_obj</span> <span class="o">=</span> <span class="nb">open</span><span class="p">(</span><span class="nb">getattr</span><span class="p">(</span><span class="n">tx_logs</span><span class="p">,</span> <span class="n">tx_path</span><span class="p">),</span> <span class="s1">&#39;rb&#39;</span><span class="p">)</span>
<span class="bp">self</span><span class="o">.</span><span class="n">tx_log_files</span><span class="o">.</span><span class="n">append</span><span class="p">(</span><span class="n">log_obj</span><span class="p">)</span>
<span class="bp">self</span><span class="o">.</span><span class="n">hive</span><span class="o">.</span><span class="n">recover_auto</span><span class="p">(</span><span class="o">*</span><span class="bp">self</span><span class="o">.</span><span class="n">tx_log_files</span><span class="p">)</span>
<span class="k">def</span> <span class="nf">close</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
<span class="sd">&quot;&quot;&quot;Properly close a hive.&quot;&quot;&quot;</span>
<span class="bp">self</span><span class="o">.</span><span class="n">hive</span> <span class="o">=</span> <span class="kc">None</span>
<span class="bp">self</span><span class="o">.</span><span class="n">reg_file</span><span class="o">.</span><span class="n">close</span><span class="p">()</span>
<span class="k">for</span> <span class="n">log</span> <span class="ow">in</span> <span class="bp">self</span><span class="o">.</span><span class="n">tx_log_files</span><span class="p">:</span>
<span class="k">if</span> <span class="n">log</span><span class="p">:</span>
<span class="n">log</span><span class="o">.</span><span class="n">close</span><span class="p">()</span>
</pre></div>
</div>
</div>
<div class="section" id="docstring-references">
<h3>Docstring References<a class="headerlink" href="#docstring-references" title="Permalink to this headline"></a></h3>
<dl class="class">
<dt id="sections.section_02.yarp_base.RegistryBase">
<em class="property">class </em><code class="descname">RegistryBase</code><span class="sig-paren">(</span><em>reg_file</em><span class="sig-paren">)</span><a class="headerlink" href="#sections.section_02.yarp_base.RegistryBase" title="Permalink to this definition"></a></dt>
<dd><p>Base class containing common registry parsing code. Will open a hive
and attempt recovery using available transaction logs</p>
<dl class="method">
<dt id="sections.section_02.yarp_base.RegistryBase.close">
<code class="descname">close</code><span class="sig-paren">(</span><span class="sig-paren">)</span><a class="headerlink" href="#sections.section_02.yarp_base.RegistryBase.close" title="Permalink to this definition"></a></dt>
<dd><p>Properly close a hive.</p>
</dd></dl>
</dd></dl>
</div>
</div>
<div class="section" id="module-sections.section_02.yarp_ntuser">
<span id="section-2-2-parsing-hive-values"></span><h2>Section 2.2 - Parsing Hive Values<a class="headerlink" href="#module-sections.section_02.yarp_ntuser" title="Permalink to this headline"></a></h2>
<p>Using the <cite>yarp</cite> library to parse NTUSER.DAT Windows registry hives
using a class structure that is very portable and flexible. Parses the
MountPoints2 and TrustRecords keys for with string and binary values.</p>
<p>Example Usage:</p>
<blockquote>
<div><p><code class="docutils literal notranslate"><span class="pre">$</span> <span class="pre">python</span> <span class="pre">yarp_ntuser.py</span> <span class="pre">{NTUSER</span> <span class="pre">HIVE}</span></code></p>
</div></blockquote>
<p>References:</p>
<ul class="simple">
<li><p><a class="reference external" href="https://github.com/msuhanov/yarp">https://github.com/msuhanov/yarp</a></p></li>
<li><p><a class="reference external" href="https://docs.python.org/3/library/struct.html">https://docs.python.org/3/library/struct.html</a></p></li>
<li><p><a class="reference external" href="https://docs.python.org/3/library/datetime.html">https://docs.python.org/3/library/datetime.html</a></p></li>
</ul>
<div class="section" id="creating-a-hive-specific-parser">
<h3>Creating a Hive Specific Parser<a class="headerlink" href="#creating-a-hive-specific-parser" title="Permalink to this headline"></a></h3>
<p>Since we have a strong base class providing functionality to open hives, we can
build hive specific parsing classes that are tailored to handle artifacts
distinct to a single hive type. In this case we set up a class to handle
NTUSER.DAT files, though could get more specific on Windows versions, etc. In
this class we store a few useful details including fixed values used by other
methods and metadata about the class.</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span> <span class="k">def</span> <span class="nf">__init__</span><span class="p">(</span><span class="bp">self</span><span class="p">,</span> <span class="n">reg_path</span><span class="p">):</span>
<span class="nb">super</span><span class="p">()</span><span class="o">.</span><span class="fm">__init__</span><span class="p">(</span><span class="n">reg_path</span><span class="p">)</span>
<span class="bp">self</span><span class="o">.</span><span class="n">hive_type</span> <span class="o">=</span> <span class="s1">&#39;NTUSER.DAT&#39;</span>
<span class="bp">self</span><span class="o">.</span><span class="n">macro_enabled_val</span> <span class="o">=</span> <span class="mi">2147483647</span>
</pre></div>
</div>
</div>
<div class="section" id="reading-hive-string-values">
<h3>Reading Hive String Values<a class="headerlink" href="#reading-hive-string-values" title="Permalink to this headline"></a></h3>
<p>With an open hive, we can begin to parse values from a known key location
within the hive. This method allows us to specify a key path and inspect each
of the subkeys. For each of the subkeys, we can then get the names and data
associated with each value in the key. Additionally we could - if needed -
continue to recurse on subkeys here. Instead we return this cursory information
for the caller to display as they wish. Since the values within MountPoints2
store string data, we dont need to perform further parsing of the record.</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span> <span class="k">def</span> <span class="nf">parse_mountpoints2</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
<span class="sd">&quot;&quot;&quot;Demonstration of parsing values from a key by path.&quot;&quot;&quot;</span>
<span class="n">key_path</span> <span class="o">=</span> <span class="p">(</span><span class="s1">&#39;Software</span><span class="se">\\</span><span class="s1">Microsoft</span><span class="se">\\</span><span class="s1">Windows</span><span class="se">\\</span><span class="s1">CurrentVersion&#39;</span>
<span class="s1">&#39;</span><span class="se">\\</span><span class="s1">Explorer</span><span class="se">\\</span><span class="s1">MountPoints2&#39;</span><span class="p">)</span>
<span class="k">for</span> <span class="n">mp</span> <span class="ow">in</span> <span class="bp">self</span><span class="o">.</span><span class="n">hive</span><span class="o">.</span><span class="n">find_key</span><span class="p">(</span><span class="n">key_path</span><span class="p">)</span><span class="o">.</span><span class="n">subkeys</span><span class="p">():</span>
<span class="n">mp_data</span> <span class="o">=</span> <span class="p">{}</span>
<span class="n">mp_data</span><span class="p">[</span><span class="s1">&#39;name&#39;</span><span class="p">]</span> <span class="o">=</span> <span class="n">mp</span><span class="o">.</span><span class="n">name</span><span class="p">()</span><span class="o">.</span><span class="n">replace</span><span class="p">(</span><span class="s1">&#39;#&#39;</span><span class="p">,</span> <span class="s1">&#39;</span><span class="se">\\</span><span class="s1">&#39;</span><span class="p">)</span>
<span class="n">mp_data</span><span class="p">[</span><span class="s1">&#39;values&#39;</span><span class="p">]</span> <span class="o">=</span> <span class="p">{</span><span class="n">x</span><span class="o">.</span><span class="n">name</span><span class="p">():</span> <span class="n">x</span><span class="o">.</span><span class="n">data</span><span class="p">()</span> <span class="k">for</span> <span class="n">x</span> <span class="ow">in</span> <span class="n">mp</span><span class="o">.</span><span class="n">values</span><span class="p">()}</span>
<span class="n">mp_data</span><span class="p">[</span><span class="s1">&#39;last_written&#39;</span><span class="p">]</span> <span class="o">=</span> <span class="n">mp</span><span class="o">.</span><span class="n">last_written_timestamp</span><span class="p">()</span>
<span class="k">yield</span> <span class="n">mp_data</span>
</pre></div>
</div>
</div>
<div class="section" id="reading-hive-binary-values">
<h3>Reading Hive Binary Values<a class="headerlink" href="#reading-hive-binary-values" title="Permalink to this headline"></a></h3>
<p>Similarly to our prior example, we can get a key by path. In this case we dont
have a sense of what Office versions are available in the key and have elected
to iterate through each of those using the <cite>parse_office_versions()</cite> method.
Using each of the versions, we then access the respective <cite>TrustRecords</cite> key.
If found, we then parse the binary data (retrieved with the same <cite>.data()</cite>
method) using Struct to extract a timestamp and integer marking whether a
trusted macro was used. These parsed attributes are then returned to the caller
to be displayed.</p>
<div class="highlight-default notranslate"><div class="highlight"><pre><span></span> <span class="k">def</span> <span class="nf">parse_trustrecords</span><span class="p">(</span><span class="bp">self</span><span class="p">):</span>
<span class="sd">&quot;&quot;&quot;Demonstration of parsing binary values within a key.&quot;&quot;&quot;</span>
<span class="n">trust_record_path</span> <span class="o">=</span> <span class="s1">&#39;Software</span><span class="se">\\</span><span class="s1">Microsoft</span><span class="se">\\</span><span class="s1">Office</span><span class="se">\\</span><span class="si">{OFFICE_VERSION}</span><span class="s1">&#39;</span> \
<span class="s1">&#39;</span><span class="se">\\</span><span class="s1">Word</span><span class="se">\\</span><span class="s1">Security</span><span class="se">\\</span><span class="s1">Trusted Documents</span><span class="se">\\</span><span class="s1">TrustRecords&#39;</span>
<span class="k">for</span> <span class="n">office_version</span> <span class="ow">in</span> <span class="bp">self</span><span class="o">.</span><span class="n">parse_office_versions</span><span class="p">():</span>
<span class="n">trust_rec_key</span> <span class="o">=</span> <span class="bp">self</span><span class="o">.</span><span class="n">hive</span><span class="o">.</span><span class="n">find_key</span><span class="p">(</span>
<span class="n">trust_record_path</span><span class="o">.</span><span class="n">format</span><span class="p">(</span><span class="n">OFFICE_VERSION</span><span class="o">=</span><span class="n">office_version</span><span class="p">))</span>
<span class="k">if</span> <span class="ow">not</span> <span class="n">trust_rec_key</span><span class="p">:</span>
<span class="k">continue</span>
<span class="k">for</span> <span class="n">rec</span> <span class="ow">in</span> <span class="n">trust_rec_key</span><span class="o">.</span><span class="n">values</span><span class="p">():</span>
<span class="n">date_val</span><span class="p">,</span> <span class="n">macro_enabled</span> <span class="o">=</span> <span class="n">struct</span><span class="o">.</span><span class="n">unpack</span><span class="p">(</span><span class="s1">&#39;q12xI&#39;</span><span class="p">,</span> <span class="n">rec</span><span class="o">.</span><span class="n">data</span><span class="p">())</span>
<span class="n">ms</span> <span class="o">=</span> <span class="n">date_val</span><span class="o">/</span><span class="mf">10.0</span>
<span class="n">dt_date</span> <span class="o">=</span> <span class="n">datetime</span><span class="p">(</span><span class="mi">1601</span><span class="p">,</span> <span class="mi">1</span><span class="p">,</span> <span class="mi">1</span><span class="p">)</span> <span class="o">+</span> <span class="n">timedelta</span><span class="p">(</span><span class="n">microseconds</span><span class="o">=</span><span class="n">ms</span><span class="p">)</span>
<span class="k">yield</span> <span class="p">{</span>
<span class="s1">&#39;doc&#39;</span><span class="p">:</span> <span class="n">rec</span><span class="o">.</span><span class="n">name</span><span class="p">(),</span>
<span class="s1">&#39;dt&#39;</span><span class="p">:</span> <span class="n">dt_date</span><span class="o">.</span><span class="n">isoformat</span><span class="p">(),</span>
<span class="s1">&#39;macro&#39;</span><span class="p">:</span> <span class="n">macro_enabled</span> <span class="o">==</span> <span class="bp">self</span><span class="o">.</span><span class="n">macro_enabled_val</span>
<span class="p">}</span>
</pre></div>
</div>
</div>
<div class="section" id="id1">
<h3>Docstring References<a class="headerlink" href="#id1" title="Permalink to this headline"></a></h3>
<dl class="class">
<dt id="sections.section_02.yarp_ntuser.NTUSER">
<em class="property">class </em><code class="descname">NTUSER</code><span class="sig-paren">(</span><em>reg_path</em><span class="sig-paren">)</span><a class="headerlink" href="#sections.section_02.yarp_ntuser.NTUSER" title="Permalink to this definition"></a></dt>
<dd><p>Class to handle the parsing of the NTUSER.DAT hive.</p>
<dl class="method">
<dt id="sections.section_02.yarp_ntuser.NTUSER.parse_mountpoints2">
<code class="descname">parse_mountpoints2</code><span class="sig-paren">(</span><span class="sig-paren">)</span><a class="headerlink" href="#sections.section_02.yarp_ntuser.NTUSER.parse_mountpoints2" title="Permalink to this definition"></a></dt>
<dd><p>Demonstration of parsing values from a key by path.</p>
</dd></dl>
<dl class="method">
<dt id="sections.section_02.yarp_ntuser.NTUSER.parse_office_versions">
<code class="descname">parse_office_versions</code><span class="sig-paren">(</span><span class="sig-paren">)</span><a class="headerlink" href="#sections.section_02.yarp_ntuser.NTUSER.parse_office_versions" title="Permalink to this definition"></a></dt>
<dd><p>Get Office versions within an open Registry hive.</p>
<dl class="field-list simple">
<dt class="field-odd">Yields</dt>
<dd class="field-odd"><p><em>(str)</em> Office version number (ie. 15.0)</p>
</dd>
</dl>
</dd></dl>
<dl class="method">
<dt id="sections.section_02.yarp_ntuser.NTUSER.parse_trustrecords">
<code class="descname">parse_trustrecords</code><span class="sig-paren">(</span><span class="sig-paren">)</span><a class="headerlink" href="#sections.section_02.yarp_ntuser.NTUSER.parse_trustrecords" title="Permalink to this definition"></a></dt>
<dd><p>Demonstration of parsing binary values within a key.</p>
</dd></dl>
</dd></dl>
</div>
</div>
<div class="section" id="indices-and-tables">
<h2>Indices and tables<a class="headerlink" href="#indices-and-tables" title="Permalink to this headline"></a></h2>
<ul class="simple">
<li><p><a class="reference internal" href="genindex.html"><span class="std std-ref">Index</span></a></p></li>
<li><p><a class="reference internal" href="py-modindex.html"><span class="std std-ref">Module Index</span></a></p></li>
<li><p><a class="reference internal" href="search.html"><span class="std std-ref">Search Page</span></a></p></li>
</ul>
</div>
</div>
</div>
</div>
<footer>
<div class="rst-footer-buttons" role="navigation" aria-label="footer navigation">
<a href="section3.html" class="btn btn-neutral float-right" title="Section 3 - Windows Event Log Parsing" accesskey="n" rel="next">Next <span class="fa fa-arrow-circle-right"></span></a>
<a href="section1.html" class="btn btn-neutral float-left" title="Section 1 - Essential Scripts" accesskey="p" rel="prev"><span class="fa fa-arrow-circle-left"></span> Previous</a>
</div>
<hr/>
<div role="contentinfo">
<p>
&copy; Copyright 2019, Chapin Bryce
</p>
</div>
Built with <a href="http://sphinx-doc.org/">Sphinx</a> using a <a href="https://github.com/rtfd/sphinx_rtd_theme">theme</a> provided by <a href="https://readthedocs.org">Read the Docs</a>.
</footer>
</div>
</div>
</section>
</div>
<script type="text/javascript">
jQuery(function () {
SphinxRtdTheme.Navigation.enable(true);
});
</script>
</body>
</html>
Reference in New Issue View Git Blame Copy Permalink