winreg-artifacts 0.1.0

Forensic artifact decoders for Windows Registry
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133

//! Amcache registry artifact extractor.
//!
//! Amcache.hve records application execution evidence. This module decodes
//! entries from `Root\InventoryApplicationFile`, each subkey representing a
//! file that was executed or installed on the system.

use std::io::Cursor;

use winreg_core::hive::Hive;
use winreg_core::key::filetime_to_datetime;

// ---------------------------------------------------------------------------
// Output type
// ---------------------------------------------------------------------------

/// A single file entry from `Root\InventoryApplicationFile`.
#[derive(Debug, Clone, serde::Serialize)]
pub struct AmcacheEntry {
    /// Full lowercase file path (`LowerCaseLongPath`).
    pub file_path: String,
    /// SHA-1 hash: the `FileId` value with the leading `0000` prefix stripped.
    /// Empty string if the value is absent.
    pub sha1: String,
    /// File size in bytes (`Size` as `REG_DWORD`).
    pub size: u64,
    /// PE link timestamp string, e.g. `"01/15/2023 10:30:00"` (`LinkDate`).
    pub link_date: Option<String>,
    /// Publisher name (`Publisher`).
    pub publisher: String,
    /// Product name (`ProductName`).
    pub product_name: String,
    /// Product version string (`ProductVersion`).
    pub product_version: String,
    /// Binary file version string (`BinFileVersion`).
    pub bin_file_version: String,
    /// The subkey name (hash identifier for this entry).
    pub key_name: String,
    /// Key `LastWriteTime` as ISO 8601, or `None` if unavailable.
    pub last_written: Option<String>,
}

// ---------------------------------------------------------------------------
// Key paths
// ---------------------------------------------------------------------------

/// Path to the InventoryApplicationFile container key (relative to hive root).
const INVENTORY_APP_FILE: &str = "Root\\InventoryApplicationFile";

// ---------------------------------------------------------------------------
// Public parse function
// ---------------------------------------------------------------------------

/// Extract all `InventoryApplicationFile` entries from an Amcache hive.
///
/// Navigates `Root\InventoryApplicationFile`, iterates each subkey, and
/// extracts the forensically relevant values. Missing values produce empty
/// strings or zero rather than errors.
///
/// Returns an empty `Vec` if the key is not present.
pub fn parse(hive: &Hive<Cursor<Vec<u8>>>) -> Vec<AmcacheEntry> {
    let container = match hive.open_key(INVENTORY_APP_FILE) {
        Ok(Some(k)) => k,
        _ => return Vec::new(),
    };

    let subkeys = match container.subkeys() {
        Ok(s) => s,
        Err(_) => return Vec::new(),
    };

    let mut entries = Vec::with_capacity(subkeys.len());

    for subkey in subkeys {
        let key_name = subkey.name();

        let last_written = filetime_to_datetime(subkey.last_written_raw())
            .map(|dt| dt.format("%Y-%m-%dT%H:%M:%SZ").to_string());

        // Helper: read a REG_SZ value, returning empty string on any error.
        let read_sz = |name: &str| -> String {
            subkey
                .value(name)
                .ok()
                .flatten()
                .and_then(|v| v.as_string().ok())
                .unwrap_or_default()
        };

        let file_path = read_sz("LowerCaseLongPath");

        // FileId: strip the leading "0000" prefix if present.
        let file_id_raw = read_sz("FileId");
        let sha1 = if file_id_raw.starts_with("0000") {
            file_id_raw[4..].to_string()
        } else {
            file_id_raw
        };

        let size = subkey
            .value("Size")
            .ok()
            .flatten()
            .and_then(|v| v.as_u32().ok())
            .unwrap_or(0) as u64;

        let link_date_raw = read_sz("LinkDate");
        let link_date = if link_date_raw.is_empty() {
            None
        } else {
            Some(link_date_raw)
        };

        let publisher = read_sz("Publisher");
        let product_name = read_sz("ProductName");
        let product_version = read_sz("ProductVersion");
        let bin_file_version = read_sz("BinFileVersion");

        entries.push(AmcacheEntry {
            file_path,
            sha1,
            size,
            link_date,
            publisher,
            product_name,
            product_version,
            bin_file_version,
            key_name,
            last_written,
        });
    }

    entries
}