janstarke · April 25, 2022 11:44
diff --git a/mounteddevices.pl b/mounteddevices.pl
 #!/usr/bin/perl -w

 use strict;
 use warnings;
 use DateTime;

 -r "mounted_devices.txt" or die "unable to read 'mounted_devices.txt'";

 my %devices = ();

 sub bodyfile() {
    my $timestamp = shift;
    my $message = shift;

    my $md5 = "0";
    my $name = "$message";
    my $inode = "";
    my $mode_as_string = "";
    my $uid = "";
    my $gid = "";
    my $size = "";
    my $atime = "-1";
    my $mtime = $timestamp;
    my $ctime = "-1";
    my $crtime = "-1";

    return "$md5|$name|$inode|$mode_as_string|$uid|$gid|$size|$atime|$mtime|$ctime|$crtime\n";
 }

 open my $fh, "<mounted_devices.txt" or die $!;
 while (my $line = <$fh>) {
    if ($line =~ m/^Device: _\?\?_USBSTOR#([^&]*?)&([^&]*?)&([^&]*?)&([^&]*?)#([^&]*?)&.*/) {
        my $type = $1;
        my $vendor = $2;
        my $product = $3;
        my $revision = $4;
        my $serial = $5;

        $vendor  = $vendor =~ m/Ven_(.+)/   ? $1 : "EMPTY";
        $product = $product =~ m/Prod_(.+)/ ? $1 : "EMPTY";
        $revision = $revision =~ m/Rev_(.+)/ ? $1 : "EMPTY";

        $line = <$fh>;
        defined($line) or die $!;
        chomp $line;
        my $drive_letter = undef;
        if ($line =~ m/\\DosDevices\\(.*)/) {
            $drive_letter = $1;
            $line = <$fh>;
            defined($line) or die $!;
            chomp $line;
        }
        
        my $volume_id = undef;
        if ($line =~ m/\\\?\?\\Volume\{(.*)\}/) {
            $volume_id = $1;
        }

        defined($volume_id) or die "missing volume_id";

        my $device = {
            TYPE            => $type,
            VENDOR          => $vendor,
            PRODUCT         => $product,
            REVISION        => $revision,
            DRIVE_LETTER    => $drive_letter,
            VOLUME_ID       => $volume_id,
            SERIAL_NUMBER   => $serial
        };

        if (defined $devices{$volume_id}) {
            die "volume id $volume_id defined multiple times";
        }
        $devices{$volume_id} = $device;
    }
 }
 close $fh;

 foreach my $file (glob ("tln_*_ntuser.txt")) {
    $file =~ m/tln_(.*)_ntuser.txt/ or die "unexpected mismatch";
    my $user = $1;

    open my $fh, "<$file" or die $!;
    while (my $line = <$fh>) {
        if ($line =~ m/^([0-9]+)\|.*\{(.*?)\} Volume MP2 key LastWrite/) {
            my $dt = DateTime->from_epoch(
                epoch     => $1,
                time_zone => 'UTC'
            );
            my $timestamp = $dt->iso8601;
            my $volume_id = $2;
            my $device = $devices{$volume_id};
            
            if (defined $device) {
                my $device_name = "$device->{VENDOR} $device->{PRODUCT} ($device->{REVISION})";
                $device_name =~ s/_+/ /g;
                print "$timestamp|$user|$device_name|$device->{SERIAL_NUMBER}\n";
            } else {
                print "$timestamp|$user|unknown device: $volume_id\n";
            }
        }
    }

    close $fh;
 }
	#!/usr/bin/perl -w

	use strict;
	use warnings;
	use DateTime;

	-r "mounted_devices.txt" or die "unable to read 'mounted_devices.txt'";

	my %devices = ();

	sub bodyfile() {
	my $timestamp = shift;
	my $message = shift;

	my $md5 = "0";
	my $name = "$message";
	my $inode = "";
	my $mode_as_string = "";
	my $uid = "";
	my $gid = "";
	my $size = "";
	my $atime = "-1";
	my $mtime = $timestamp;
	my $ctime = "-1";
	my $crtime = "-1";

	return "$md5\|$name\|$inode\|$mode_as_string\|$uid\|$gid\|$size\|$atime\|$mtime\|$ctime\|$crtime\n";
	}

	open my $fh, "<mounted_devices.txt" or die $!;
	while (my $line = <$fh>) {
	if ($line =~ m/^Device: _\?\?_USBSTOR#([^&]?)&([^&]?)&([^&]?)&([^&]?)#([^&]?)&./) {
	my $type = $1;
	my $vendor = $2;
	my $product = $3;
	my $revision = $4;
	my $serial = $5;

	$vendor = $vendor =~ m/Ven_(.+)/ ? $1 : "EMPTY";
	$product = $product =~ m/Prod_(.+)/ ? $1 : "EMPTY";
	$revision = $revision =~ m/Rev_(.+)/ ? $1 : "EMPTY";

	$line = <$fh>;
	defined($line) or die $!;
	chomp $line;
	my $drive_letter = undef;
	if ($line =~ m/\\DosDevices\\(.*)/) {
	$drive_letter = $1;
	$line = <$fh>;
	defined($line) or die $!;
	chomp $line;
	}

	my $volume_id = undef;
	if ($line =~ m/\\\?\?\\Volume\{(.*)\}/) {
	$volume_id = $1;
	}

	defined($volume_id) or die "missing volume_id";

	my $device = {
	TYPE => $type,
	VENDOR => $vendor,
	PRODUCT => $product,
	REVISION => $revision,
	DRIVE_LETTER => $drive_letter,
	VOLUME_ID => $volume_id,
	SERIAL_NUMBER => $serial
	};

	if (defined $devices{$volume_id}) {
	die "volume id $volume_id defined multiple times";
	}
	$devices{$volume_id} = $device;
	}
	}
	close $fh;

	foreach my $file (glob ("tln_*_ntuser.txt")) {
	$file =~ m/tln_(.*)_ntuser.txt/ or die "unexpected mismatch";
	my $user = $1;

	open my $fh, "<$file" or die $!;
	while (my $line = <$fh>) {
	if ($line =~ m/^([0-9]+)\\|.\{(.?)\} Volume MP2 key LastWrite/) {
	my $dt = DateTime->from_epoch(
	epoch => $1,
	time_zone => 'UTC'
	);
	my $timestamp = $dt->iso8601;
	my $volume_id = $2;
	my $device = $devices{$volume_id};

	if (defined $device) {
	my $device_name = "$device->{VENDOR} $device->{PRODUCT} ($device->{REVISION})";
	$device_name =~ s/_+/ /g;
	print "$timestamp\|$user\|$device_name\|$device->{SERIAL_NUMBER}\n";
	} else {
	print "$timestamp\|$user\|unknown device: $volume_id\n";
	}
	}
	}

	close $fh;
	}