dissect.target 3.13.dev16__py3-none-any.whl → 3.13.dev18__py3-none-any.whl

dissect/target/plugins/os/windows/regf/runkeys.py

@@ -1,5 +1,3 @@
-from flow.record.fieldtypes import path
-
 from dissect.target.exceptions import UnsupportedPluginError
 from dissect.target.helpers.descriptor_extensions import (
     RegistryRecordDescriptorExtension,
@@ -13,7 +11,7 @@ RunKeyRecord = create_extended_descriptor([RegistryRecordDescriptorExtension, Us
     [
         ("datetime", "ts"),
         ("wstring", "name"),
-        ("path", "path"),
+        ("string", "path"),
         ("string", "key"),
     ],
 )
@@ -75,7 +73,7 @@ class RunKeysPlugin(Plugin):
                     yield RunKeyRecord(
                         ts=r.ts,
                         name=entry.name,
-                        path=path.from_windows(entry.value),
+                        path=entry.value,
                         key=key,
                         _target=self.target,
                         _key=r,

dissect/target/target.py

@@ -15,6 +15,7 @@ from dissect.target.exceptions import (
     PluginNotFoundError,
     TargetError,
     UnsupportedPluginError,
+    VolumeSystemError,
 )
 from dissect.target.helpers import config
 from dissect.target.helpers.loaderutil import extract_path_info
@@ -693,11 +694,16 @@ class DiskCollection(Collection[container.Container]):
                         disk.vs = volume.open(disk)
                         self.target.log.debug("Opened volume system: %s on %s", disk.vs, disk)
 
+                    if not len(disk.vs.volumes):
+                        raise VolumeSystemError("Volume system has no volumes")
+
                     for vol in disk.vs.volumes:
                         self.target.volumes.add(vol)
                     continue
                 except Exception as e:
-                    self.target.log.warning("Can't identify volume system, adding as raw volume instead: %s", disk)
+                    self.target.log.warning(
+                        "Can't identify volume system or no volumes found, adding as raw volume instead: %s", disk
+                    )
                     self.target.log.debug("", exc_info=e)
 
             # Fallthrough case for error and if we're part of a logical volume set
@@ -730,7 +736,25 @@ class VolumeCollection(Collection[volume.Volume]):
                 elif volume.is_encrypted(vol):
                     encrypted_volumes.append(vol)
                 else:
-                    self.open(vol)
+                    # We could be getting "regular" volume systems out of LVM or encrypted volumes
+                    # Try to open each volume as a regular volume system, or add as a filesystem if it fails
+                    try:
+                        vs = volume.open(vol)
+                    except Exception:
+                        # If opening a volume system fails, there's likely none, so open as a filesystem instead
+                        self.open(vol)
+                        continue
+
+                    if not len(vs.volumes):
+                        self.open(vol)
+                        continue
+
+                    for new_vol in vs.volumes:
+                        if new_vol.offset == 0:
+                            self.target.log.info("Found volume with offset 0, opening as raw volume instead")
+                            self.open(new_vol)
+                            continue
+                        new_volumes.append(new_vol)
 
             self.target.log.debug("LVM volumes found: %s", lvm_volumes)
             self.target.log.debug("Encrypted volumes found: %s", encrypted_volumes)

dissect/target/volume.py

@@ -22,6 +22,8 @@ vmfs = import_lazy("dissect.target.volumes.vmfs")
 """A lazy import of :mod:`dissect.target.volumes.vmfs`."""
 md = import_lazy("dissect.target.volumes.md")
 """A lazy import of :mod:`dissect.target.volumes.md`."""
+ddf = import_lazy("dissect.target.volumes.ddf")
+"""A lazy import of :mod:`dissect.target.volumes.ddf`."""
 bde = import_lazy("dissect.target.volumes.bde")
 """A lazy import of :mod:`dissect.target.volumes.bde`."""
 luks = import_lazy("dissect.target.volumes.luks")
@@ -34,6 +36,7 @@ LOGICAL_VOLUME_MANAGERS: list[type[LogicalVolumeSystem]] = [
     lvm.LvmVolumeSystem,
     vmfs.VmfsVolumeSystem,
     md.MdVolumeSystem,
+    ddf.DdfVolumeSystem,
 ]
 """All available :class:`LogicalVolumeSystem` classes."""
 ENCRYPTED_VOLUME_MANAGERS: list[type[EncryptedVolumeSystem]] = [bde.BitlockerVolumeSystem, luks.LUKSVolumeSystem]

dissect/target/volumes/ddf.py

@@ -0,0 +1,51 @@
+import io
+from collections import defaultdict
+from typing import BinaryIO, Iterator, Union
+
+from dissect.volume.ddf.ddf import DDF, DEFAULT_SECTOR_SIZE, DDFPhysicalDisk
+
+from dissect.target.volume import LogicalVolumeSystem, Volume
+
+
+class DdfVolumeSystem(LogicalVolumeSystem):
+    def __init__(self, fh: Union[BinaryIO, list[BinaryIO]], *args, **kwargs):
+        self.ddf = DDF(fh)
+        super().__init__(fh, *args, **kwargs)
+
+    @classmethod
+    def open_all(cls, volumes: list[BinaryIO]) -> Iterator[LogicalVolumeSystem]:
+        sets = defaultdict(list)
+
+        for vol in volumes:
+            if not cls.detect_volume(vol):
+                continue
+
+            disk = DDFPhysicalDisk(vol)
+            sets[disk.anchor.DDF_Header_GUID].append(disk)
+
+        for devs in sets.values():
+            try:
+                yield cls(devs)
+            except Exception:
+                continue
+
+    @staticmethod
+    def _detect(fh: BinaryIO) -> bool:
+        vols = [fh] if not isinstance(fh, list) else fh
+        for vol in vols:
+            if DdfVolumeSystem.detect_volume(vol):
+                return True
+        return False
+
+    @staticmethod
+    def _detect_volume(fh: BinaryIO) -> bool:
+        fh.seek(-DEFAULT_SECTOR_SIZE, io.SEEK_END)
+        return int.from_bytes(fh.read(4), "big") == 0xDE11DE11
+
+    def _volumes(self) -> Iterator[Volume]:
+        # MD only supports one configuration and virtual disk but doing this as a loop
+        # makes it automatically safe for empty configurations
+        for conf in self.ddf.configurations:
+            for vd in conf.virtual_disks:
+                fh = vd.open()
+                yield Volume(fh, 1, None, vd.size, None, vd.name, vd.uuid, raw=self.ddf, vs=self)

{dissect.target-3.13.dev16.dist-info → dissect.target-3.13.dev18.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: dissect.target
-Version: 3.13.dev16
+Version: 3.13.dev18
 Summary: This module ties all other Dissect modules together, it provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets)
 Author-email: Dissect Team <dissect@fox-it.com>
 License: Affero General Public License v3

{dissect.target-3.13.dev16.dist-info → dissect.target-3.13.dev18.dist-info}/RECORD

@@ -5,8 +5,8 @@ dissect/target/filesystem.py,sha256=A_KZbBBrj-aAjVkAvjreSsk0uX7MkJYMt9pHJjC3aw4,
 dissect/target/loader.py,sha256=4ZdX-QJY83NPswTyNG31LUwYXdV1tuByrR2vKKg7d5k,7214
 dissect/target/plugin.py,sha256=7Gss9pofcWKemwwfeAJ7E6nmJSNnZkBkxTcxUY2wzmk,40526
 dissect/target/report.py,sha256=06uiP4MbNI8cWMVrC1SasNS-Yg6ptjVjckwj8Yhe0Js,7958
-dissect/target/target.py,sha256=83RapSMII5god0iSrADohFEZ7zgIdovBLi64AY0Skm0,29359
-dissect/target/volume.py,sha256=YE4AK8oiqgN-SsAm7vOG2U8KIToZvxbuGlcAR5y3N3Y,15381
+dissect/target/target.py,sha256=FVCQYMgb0fo4R6x5O3lSPuDJzVQxnIcWCqFtdQMdgTg,30504
+dissect/target/volume.py,sha256=WuwT6AvGJPrlA-r5-oLHjBI4OuyFyv_2aSnUK_1q5DA,15512
 dissect/target/containers/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/containers/asdf.py,sha256=g8omgyCvXBPd6ZZ1TKmaHNfzfs7W1HqmAsEAdDaXYLk,1398
 dissect/target/containers/ewf.py,sha256=waG6_VOXFis8d9bxyHJCBXFbLWUfkTshHRAEqoiQEqo,1425
@@ -270,7 +270,7 @@ dissect/target/plugins/os/windows/regf/muicache.py,sha256=kE9oo-1FkUj559nvAO9MeJ
 dissect/target/plugins/os/windows/regf/nethist.py,sha256=QHbG9fmZNmjSVhrgqMvMo12YBaQedzeToS7ZD9eIJ28,3111
 dissect/target/plugins/os/windows/regf/recentfilecache.py,sha256=3nLwg8_7bjSrFJXU9ddpWbWm0lZXcE61dnz-alQdmcI,1876
 dissect/target/plugins/os/windows/regf/regf.py,sha256=IbLnOurtlprXAo12iYRdw6fv5J45SuMAqt-mXVYaZi4,3357
-dissect/target/plugins/os/windows/regf/runkeys.py,sha256=Zi94ODnv5nA7Lo-am6ajP52TsfBhLXBsyxy_y0tUfjI,4236
+dissect/target/plugins/os/windows/regf/runkeys.py,sha256=qX-6xOrgBq7_B00C1BoQtI0Ovzou6Sx3XemV0Ra4JMs,4178
 dissect/target/plugins/os/windows/regf/shellbags.py,sha256=EKBWBjxvSfxc7WFKmICZs8QUJnjhsCKesjl_NHEnSUo,25621
 dissect/target/plugins/os/windows/regf/shimcache.py,sha256=dWI9zwRzpM-329znMDjtwH8b0CD2kUgmR0vmWnEwew0,10031
 dissect/target/plugins/os/windows/regf/trusteddocs.py,sha256=4g4m1FYljOpYqGG-7NGyj738Tfnz0uEaN2is2YzkMgg,3669
@@ -297,15 +297,16 @@ dissect/target/tools/dump/state.py,sha256=ZBNz4ou2Xk20K1H8R83S1gq6qcqPvPPVAaPWzp
 dissect/target/tools/dump/utils.py,sha256=nYcLQvPpDgzckM62hokGBh4z32DNH6d6oA8KelvoPMU,7564
 dissect/target/volumes/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/volumes/bde.py,sha256=wUdFtzr55vLm6biDxOa65byh7zJxgXdqHaey7B_jVKw,3659
+dissect/target/volumes/ddf.py,sha256=E4K1iLOXh7cUqyT9VJqHGu7aSQjzNPxonb9RmZZ-ct0,1727
 dissect/target/volumes/disk.py,sha256=95grSsPt1BLVpKwTclwQYzPFGKTkFFqapIk0RoGWf38,968
 dissect/target/volumes/luks.py,sha256=mgxZPDrryMZlhq1jiEWtft8rFjESq5_3HLYNsM84dT4,4110
 dissect/target/volumes/lvm.py,sha256=Yj54NlD4dExkSupY56F_K3nNuleqj87phy-V09GR3QU,2247
 dissect/target/volumes/md.py,sha256=N-rxdAeTWR-f5LpwnP4RQZSHP4rzZSo45JMHn8F6Cp8,1652
 dissect/target/volumes/vmfs.py,sha256=mlAJ8278tYaoRjk1u6tFFlCaDQUrVu5ZZE4ikiFvxi8,1707
-dissect.target-3.13.dev16.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
-dissect.target-3.13.dev16.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
-dissect.target-3.13.dev16.dist-info/METADATA,sha256=f_ThEGthOp4q-jCqLQr2HJuPL7hTzRl6L_WExTQ-k8U,10976
-dissect.target-3.13.dev16.dist-info/WHEEL,sha256=Xo9-1PvkuimrydujYJAjF7pCkriuXBpUPEjma1nZyJ0,92
-dissect.target-3.13.dev16.dist-info/entry_points.txt,sha256=tvFPa-Ap-gakjaPwRc6Fl6mxHzxEZ_arAVU-IUYeo_s,447
-dissect.target-3.13.dev16.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
-dissect.target-3.13.dev16.dist-info/RECORD,,
+dissect.target-3.13.dev18.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
+dissect.target-3.13.dev18.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
+dissect.target-3.13.dev18.dist-info/METADATA,sha256=-hfPY54YoeRrjNIVFKc5zW1sccqHSp6eXq9Kc9cBwbQ,10976
+dissect.target-3.13.dev18.dist-info/WHEEL,sha256=Xo9-1PvkuimrydujYJAjF7pCkriuXBpUPEjma1nZyJ0,92
+dissect.target-3.13.dev18.dist-info/entry_points.txt,sha256=tvFPa-Ap-gakjaPwRc6Fl6mxHzxEZ_arAVU-IUYeo_s,447
+dissect.target-3.13.dev18.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
+dissect.target-3.13.dev18.dist-info/RECORD,,