dissect.target 3.14.dev29__py3-none-any.whl → 3.15__py3-none-any.whl

dissect/target/plugins/apps/webserver/webserver.py

@@ -1,16 +1,16 @@
-from typing import Iterator
+from typing import Iterator, Union
 
-from dissect.target.exceptions import UnsupportedPluginError
 from dissect.target.helpers.record import TargetRecordDescriptor
-from dissect.target.plugin import Plugin, export
-from dissect.target.target import Target
+from dissect.target.plugin import NamespacePlugin, export
 
 WebserverAccessLogRecord = TargetRecordDescriptor(
-    "application/log/webserver",
+    "application/log/webserver/access",
     [
         ("datetime", "ts"),
         ("string", "remote_user"),
         ("net.ipaddress", "remote_ip"),
+        ("net.ipaddress", "local_ip"),
+        ("varint", "pid"),
         ("string", "method"),
         ("uri", "uri"),
         ("string", "protocol"),
@@ -18,49 +18,33 @@ WebserverAccessLogRecord = TargetRecordDescriptor(
         ("varint", "bytes_sent"),
         ("uri", "referer"),
         ("string", "useragent"),
+        ("varint", "response_time_ms"),
         ("path", "source"),
     ],
 )
 
+WebserverErrorLogRecord = TargetRecordDescriptor(
+    "application/log/webserver/error",
+    [
+        ("datetime", "ts"),
+        ("net.ipaddress", "remote_ip"),
+        ("varint", "pid"),
+        ("string", "module"),
+        ("string", "level"),
+        ("string", "error_source"),
+        ("string", "error_code"),
+        ("string", "message"),
+        ("path", "source"),
+    ],
+)
 
-class WebserverPlugin(Plugin):
+
+class WebserverPlugin(NamespacePlugin):
     __namespace__ = "webserver"
     __findable__ = False
 
-    WEBSERVERS = [
-        "apache",
-        "nginx",
-        "iis",
-        "caddy",
-    ]
-
-    def __init__(self, target: Target):
-        super().__init__(target)
-        self._plugins = []
-        for entry in self.WEBSERVERS:
-            try:
-                self._plugins.append(getattr(self.target, entry))
-            except Exception:  # noqa
-                target.log.exception("Failed to load webserver plugin: %s", entry)
-
-    def check_compatible(self) -> None:
-        if not len(self._plugins):
-            raise UnsupportedPluginError("No compatible webserver plugins found")
-
-    def _func(self, f: str) -> Iterator[WebserverAccessLogRecord]:
-        for p in self._plugins:
-            try:
-                yield from getattr(p, f)()
-            except Exception:
-                self.target.log.exception("Failed to execute webserver plugin: %s.%s", p._name, f)
-
-    @export(record=WebserverAccessLogRecord)
-    def logs(self) -> Iterator[WebserverAccessLogRecord]:
+    @export(record=[WebserverAccessLogRecord, WebserverErrorLogRecord])
+    def logs(self) -> Iterator[Union[WebserverAccessLogRecord, WebserverErrorLogRecord]]:
         """Returns log file records from installed webservers."""
         yield from self.access()
-        # TODO: In the future we should add error logs too.
-
-    @export(record=WebserverAccessLogRecord)
-    def access(self) -> Iterator[WebserverAccessLogRecord]:
-        """Returns WebserverAccessLogRecord records from installed webservers."""
-        yield from self._func("access")
+        yield from self.error()

dissect/target/plugins/child/wsl.py

@@ -26,7 +26,7 @@ def find_wsl_installs(target: Target) -> Iterator[Path]:
                     continue
                 base_path = target.resolve(distribution_key.value("BasePath").value)
                 # WSL needs diskname to be ext4.vhdx, but they can be renamed when WSL is not active
-                yield from target.fs.path(base_path).glob("*.vhdx")
+                yield from base_path.glob("*.vhdx")
     except PluginError:
         pass
 

dissect/target/plugins/filesystem/ntfs/mft.py

@@ -123,6 +123,12 @@ class MftPlugin(Plugin):
 
         The Master File Table (MFT) contains primarily metadata about every file and folder on a NFTS filesystem.
 
+        If the filesystem is part of a virtual NTFS filesystem (a ``VirtualFilesystem`` with the MFT properties
+        added to it through a "fake" ``NtfsFilesystem``), the paths returned in the MFT records are based on the
+        mount point of the ``VirtualFilesystem``. This ensures that the proper original drive letter is used when
+        available.
+        When no drive letter can be determined, the path will show as e.g. ``\\$fs$\\fs0``.
+
         References:
             - https://docs.microsoft.com/en-us/windows/win32/fileio/master-file-table
         """
@@ -136,6 +142,10 @@ class MftPlugin(Plugin):
             if fs.__type__ != "ntfs":
                 continue
 
+            # If this filesystem is a "fake" NTFS filesystem, used to enhance a
+            # VirtualFilesystem, The driveletter (more accurate mount point)
+            # returned will be that of the VirtualFilesystem. This makes sure
+            # the paths returned in the records are actually reachable.
             drive_letter = get_drive_letter(self.target, fs)
             volume_uuid = get_volume_identifier(fs)
 

dissect/target/plugins/filesystem/ntfs/mft_timeline.py

@@ -105,6 +105,12 @@ class MftTimelinePlugin(Plugin):
 
         The Master File Table (MFT) contains metadata about every file and folder on a NFTS filesystem.
 
+        If the filesystem is part of a virtual NTFS filesystem (a ``VirtualFilesystem`` with the MFT properties
+        added to it through a "fake" ``NtfsFilesystem``), the paths returned in the MFT records are based on the
+        mount point of the ``VirtualFilesystem``. This ensures that the proper original drive letter is used when
+        available.
+        When no drive letter can be determined, the path will show as e.g. ``\\$fs$\\fs0``.
+
         References:
             - https://docs.microsoft.com/en-us/windows/win32/fileio/master-file-table
         """
@@ -112,6 +118,10 @@ class MftTimelinePlugin(Plugin):
             if fs.__type__ != "ntfs":
                 continue
 
+            # If this filesystem is a "fake" NTFS filesystem, used to enhance a
+            # VirtualFilesystem, The driveletter (more accurate mount point)
+            # returned will be that of the VirtualFilesystem. This makes sure
+            # the paths returned in the records are actually reachable.
             drive_letter = get_drive_letter(self.target, fs)
             extras = Extras(
                 serial=fs.ntfs.serial,

dissect/target/plugins/filesystem/ntfs/usnjrnl.py

@@ -34,6 +34,12 @@ class UsnjrnlPlugin(Plugin):
         The Update Sequence Number Journal (UsnJrnl) is a feature of an NTFS file system and contains information about
         filesystem activities. Each volume has its own UsnJrnl.
 
+        If the filesystem is part of a virtual NTFS filesystem (a ``VirtualFilesystem`` with the UsnJrnl
+        properties added to it through a "fake" ``NtfsFilesystem``), the paths returned in the UsnJrnl records
+        are based on the mount point of the ``VirtualFilesystem``. This ensures that the proper original drive
+        letter is used when available.
+        When no drive letter can be determined, the path will show as e.g. ``\\$fs$\\fs0``.
+
         References:
             - https://en.wikipedia.org/wiki/USN_Journal
             - https://velociraptor.velocidex.com/the-windows-usn-journal-f0c55c9010e
@@ -47,6 +53,10 @@ class UsnjrnlPlugin(Plugin):
             if not usnjrnl:
                 continue
 
+            # If this filesystem is a "fake" NTFS filesystem, used to enhance a
+            # VirtualFilesystem, The driveletter (more accurate mount point)
+            # returned will be that of the VirtualFilesystem. This makes sure
+            # the paths returned in the records are actually reachable.
             drive_letter = get_drive_letter(self.target, fs)
             for record in usnjrnl.records():
                 try:

dissect/target/plugins/filesystem/ntfs/utils.py

@@ -1,3 +1,4 @@
+import re
 from enum import Enum, auto
 from typing import Optional, Tuple
 from uuid import UUID
@@ -8,6 +9,8 @@ from dissect.ntfs.mft import MftRecord
 from dissect.target import Target
 from dissect.target.filesystems.ntfs import NtfsFilesystem
 
+DRIVE_LETTER_RE = re.compile(r"[a-zA-Z]:")
+
 
 class InformationType(Enum):
     STANDARD_INFORMATION = auto()
@@ -20,13 +23,33 @@ def get_drive_letter(target: Target, filesystem: NtfsFilesystem):
 
     When the drive letter is not available for that filesystem it returns empty.
     """
+    # A filesystem can be known under multiple drives (mount points). If it is
+    # a windows system volume, there are the default sysvol and c: drives.
+    # If the target has a virtual ntfs filesystem, e.g. as constructed by the
+    # tar and dir loaders, there is also the /$fs$/fs<n> drive, under which the
+    # "fake" ntfs filesystem is mounted.
+    # The precedence for drives is first the drive letter drives (e.g. c:),
+    # second the "normally" named drives (e.g. sysvol) and finally the anonymous
+    # drives (e.g. /$fs/fs0).
     mount_items = (item for item in target.fs.mounts.items() if hasattr(item[1], "ntfs"))
-    driveletters = [key for key, fs in mount_items if fs.ntfs is filesystem.ntfs]
+    drives = [key for key, fs in mount_items if fs.ntfs is filesystem.ntfs]
+
+    single_letter_drives = []
+    other_drives = []
+    anon_drives = []
+
+    for drive in drives:
+        if DRIVE_LETTER_RE.match(drive):
+            single_letter_drives.append(drive)
+        elif "$fs$" in drive:
+            anon_drives.append(drive)
+        else:
+            other_drives.append(drive)
+
+    drives = sorted(single_letter_drives) + sorted(other_drives) + sorted(anon_drives)
 
-    if driveletters:
-        # Currently, mount_dict contain 2 instances of the same filesystem: 'sysvol' and 'c:'
-        # This is to choose the latter which will be 'c:'
-        return f"{driveletters[-1]}\\"
+    if drives:
+        return f"{drives[0]}\\"
     else:
         return ""
 

dissect/target/plugins/filesystem/resolver.py

@@ -2,7 +2,7 @@ import re
 from typing import Optional
 
 from dissect.target.helpers import fsutil
-from dissect.target.plugin import Plugin, internal
+from dissect.target.plugin import OperatingSystem, Plugin, internal
 
 re_quoted = re.compile(r"\"(.+?)\"")
 
@@ -34,10 +34,12 @@ class ResolverPlugin(Plugin):
         if not path:
             return path
 
-        if self.target.os == "windows":
-            return self.resolve_windows(path, user_sid=user)
+        if self.target.os == OperatingSystem.WINDOWS:
+            resolved_path = self.resolve_windows(path, user_sid=user)
         else:
-            return self.resolve_default(path, user_id=user)
+            resolved_path = self.resolve_default(path, user_id=user)
+
+        return self.target.fs.path(resolved_path)
 
     def resolve_windows(self, path: str, user_sid: Optional[str] = None) -> str:
         # Normalize first so the replacements are easier

dissect/target/plugins/general/default.py

@@ -13,8 +13,6 @@ from dissect.target.plugin import OSPlugin, export
 
 
 class DefaultPlugin(OSPlugin):
-    __skip__ = True
-
     def __init__(self, target: Target):
         super().__init__(target)
         if len(target.filesystems) == 1:

dissect/target/plugins/general/example.py

@@ -55,7 +55,6 @@ class ExamplePlugin(Plugin):
 
     # IMPORTANT: Remove these attributes when using this as boilerplate for your own plugin!
     __findable__ = False
-    __skip__ = True
 
     def check_compatible(self) -> None:
         """Perform a compatibility check with the target.

dissect/target/plugins/general/loaders.py

@@ -1,7 +1,5 @@
-import itertools
-
 from dissect.target.helpers.docs import INDENT_STEP, get_docstring
-from dissect.target.loader import LOADERS, DirLoader
+from dissect.target.loader import LOADERS_BY_SCHEME
 from dissect.target.plugin import Plugin, export
 
 
@@ -16,10 +14,10 @@ class LoaderListPlugin(Plugin):
         """List the available loaders."""
 
         loaders_info = {}
-        for loader in itertools.chain(LOADERS, [DirLoader]):
+        for key, loader in LOADERS_BY_SCHEME.items():
             try:
                 docstring = get_docstring(loader, "No documentation.").splitlines()[0].strip()
-                loaders_info[loader.__name__] = docstring
+                loaders_info[key] = docstring
             except ImportError:
                 continue
 

dissect/target/plugins/os/unix/_os.py

@@ -254,7 +254,7 @@ class UnixPlugin(OSPlugin):
                                 continue
         return os_release
 
-    def _get_architecture(self, os: str = "unix") -> Optional[str]:
+    def _get_architecture(self, os: str = "unix", path: str = "/bin/ls") -> Optional[str]:
         arch_strings = {
             0x00: "Unknown",
             0x02: "SPARC",
@@ -271,8 +271,8 @@ class UnixPlugin(OSPlugin):
         }
 
         for fs in self.target.filesystems:
-            if fs.exists("/bin/ls"):
-                fh = fs.open("/bin/ls")
+            if fs.exists(path):
+                fh = fs.open(path)
                 fh.seek(4)
                 # ELF - e_ident[EI_CLASS]
                 bits = unpack("B", fh.read(1))[0]

dissect/target/plugins/os/unix/bsd/citrix/_os.py

@@ -3,7 +3,7 @@ from __future__ import annotations
 import re
 from typing import Iterator, Optional
 
-from dissect.target.filesystem import Filesystem, VirtualFilesystem
+from dissect.target.filesystem import Filesystem
 from dissect.target.helpers.record import UnixUserRecord
 from dissect.target.plugin import OperatingSystem, export
 from dissect.target.plugins.os.unix.bsd._os import BsdPlugin
@@ -18,12 +18,12 @@ RE_CONFIG_USER = re.compile(r"bind system user (?P<user>[^ ]+) ")
 RE_LOADER_CONFIG_KERNEL_VERSION = re.compile(r'kernel="/(?P<version>.*)"')
 
 
-class CitrixBsdPlugin(BsdPlugin):
+class CitrixPlugin(BsdPlugin):
     def __init__(self, target: Target):
         super().__init__(target)
         self._ips = []
         self._hostname = None
-        self.config_usernames = []
+        self._config_usernames = []
         self._parse_netscaler_configs()
 
     def _parse_netscaler_configs(self) -> None:
@@ -49,26 +49,46 @@ class CitrixBsdPlugin(BsdPlugin):
 
     @classmethod
     def detect(cls, target: Target) -> Optional[Filesystem]:
-        newfilesystem = VirtualFilesystem()
-        is_citrix = False
+        ramdisk = None
+        for fs in target.filesystems:
+            # /netscaler can be present on both the ramdisk and the harddisk. Therefore we also check for the /log
+            # folder, which is not present on the ramdisk. We regard the harddisk as the system volume, as it is
+            # possible to only have a disk image of a Netscaler. However, in the case where we only have the ramdisk,
+            # we want to fall back on that as the system volume. Thus we store that filesystem in a fallback variable.
+            if fs.exists("/netscaler"):
+                if fs.exists("/log"):
+                    return fs
+                ramdisk = fs
+
+        # At this point, we could not find the filesystem for '/var'. Thus, we fall back to the ramdisk variable, which
+        # is either 'None' (in which case this isn't a Citrix netscaler), or points to the filesystem of the ramdisk.
+        return ramdisk
+
+    @classmethod
+    def create(cls, target: Target, sysvol: Filesystem) -> CitrixPlugin:
+        # A disk image of a Citrix Netscaler contains two partitions, that after boot are mounted to /var and /flash.
+        # The rest of the filesystem is recreated at runtime into a 'ramdisk'. Currently, this plugin does not
+        # yet support recreating the ramdisk from a 'clean' state. This might be possible in a future iteration but
+        # requires further research.
+
+        # When the ramdisk is present within the target's filesystems, mount it accordingly,
         for fs in target.filesystems:
             if fs.exists("/bin/freebsd-version"):
-                newfilesystem.map_fs("/", fs)
-                break
+                # If available, mount the ramdisk first.
+                target.fs.mount("/", fs)
+        # The 'disk' filesystem is mounted at '/var'.
+        target.fs.mount("/var", sysvol)
+
+        # Enumerate filesystems for flash partition
         for fs in target.filesystems:
             if fs.exists("/nsconfig") and fs.exists("/boot"):
-                newfilesystem.map_fs("/flash", fs)
-                is_citrix = True
-            elif fs.exists("/netscaler"):
-                newfilesystem.map_fs("/var", fs)
-                is_citrix = True
-        if is_citrix:
-            return newfilesystem
-        return None
+                target.fs.mount("/flash", fs)
+
+        return cls(target)
 
     @export(property=True)
     def hostname(self) -> Optional[str]:
-        return self._hostname
+        return self._hostname or super().hostname
 
     @export(property=True)
     def version(self) -> Optional[str]:
@@ -96,16 +116,21 @@ class CitrixBsdPlugin(BsdPlugin):
     @export(record=UnixUserRecord)
     def users(self) -> Iterator[UnixUserRecord]:
         nstmp_users = set()
-        nstmp_path = "/var/nstmp/"
-
-        nstmp_user_path = nstmp_path + "{username}"
-
-        for entry in self.target.fs.scandir(nstmp_path):
-            if entry.is_dir() and entry.name != "#nsinternal#":
-                nstmp_users.add(entry.name)
+        seen = set()
+        nstmp_path = self.target.fs.path("/var/nstmp/")
+
+        # Build a set of nstmp users
+        if nstmp_path.exists():
+            for entry in nstmp_path.iterdir():
+                if entry.is_dir() and entry.name != "#nsinternal#":
+                    # The nsmonitor user has a home directory of /var/nstmp/monitors rather than /var/nstmp/nsmonitor
+                    username = "nsmonitor" if entry.name == "monitors" else entry.name
+                    nstmp_users.add(username)
+
+        # Yield users from the config, matching them to their 'home' in /var/nstmp if it exists.
         for username in self._config_usernames:
-            nstmp_home = nstmp_user_path.format(username=username)
-            user_home = nstmp_home if self.target.fs.exists(nstmp_home) else None
+            nstmp_home = nstmp_path.joinpath(username)
+            user_home = nstmp_home if nstmp_home.exists() else None
 
             if user_home:
                 # After this loop we will yield all users who are not in the config, but are listed in /var/nstmp/
@@ -114,13 +139,28 @@ class CitrixBsdPlugin(BsdPlugin):
 
             if username == "root" and self.target.fs.exists("/root"):
                 # If we got here, 'root' is present both in /var/nstmp and in /root. In such cases, we yield
-                # the 'root' user as having '/root' as a home, not in /var/nstmp.
-                user_home = "/root"
+                # the 'root' user as having '/root' as a home, not in /var/nstmp, as there is no 'nscli_history'
+                # for the root user in /var/nstmp.
+                user_home = self.target.fs.path("/root")
 
+            seen.add((username, user_home.as_posix() if user_home else None, None))
             yield UnixUserRecord(name=username, home=user_home)
 
+        # Yield all users in nstmp that were not observed in the config
         for username in nstmp_users:
-            yield UnixUserRecord(name=username, home=nstmp_user_path.format(username=username))
+            # The nsmonitor user has a home directory of /var/nstmp/monitors rather than /var/nstmp/nsmonitor
+            home = nstmp_path.joinpath(username) if username != "nsmonitor" else nstmp_path.joinpath("monitors")
+            seen.add((username, home.as_posix(), None))
+            yield UnixUserRecord(name=username, home=home)
+
+        # Yield users from /etc/passwd if we have not seem them in previous loops
+        for user in super().users():
+            if (user.name, user.home.as_posix(), user.shell) in seen:
+                continue
+            # To prevent bogus command history for all users without a home whenever a history is located at the root
+            # of the filesystem, we set the user home to None if their home is equivalent to '/'
+            user.home = user.home if user.home != "/" else None
+            yield user
 
     @export(property=True)
     def os(self) -> str:

dissect/target/plugins/os/unix/bsd/citrix/history.py

@@ -0,0 +1,130 @@
+import re
+from typing import Iterator, Optional
+
+from dissect.target.helpers.fsutil import TargetPath
+from dissect.target.helpers.record import UnixUserRecord
+from dissect.target.helpers.utils import year_rollover_helper
+from dissect.target.plugin import export
+from dissect.target.plugins.os.unix.history import (
+    CommandHistoryPlugin,
+    CommandHistoryRecord,
+)
+
+RE_CITRIX_NETSCALER_BASH_HISTORY_DATE = re.compile(r"(?P<date>[^<]+)\s")
+
+CITRIX_NETSCALER_BASH_HISTORY_RE = re.compile(
+    r"""
+        (?P<date>[^<]+)
+        \s
+        <
+            (?P<syslog_facility>[^\.]+)
+            \.
+            (?P<syslog_loglevel>[^>]+)
+        >
+        \s
+        (?P<hostname>[^\s]+)
+        \s
+        (?P<process_name>[^\[]+)
+            \[
+                (?P<process_id>\d+)
+            \]
+        :
+        \s
+        (?P<username>.*)\s
+        on\s
+            (?P<destination>[^\s]+)\s
+        shell_command=
+        \"
+            (?P<command>.*)
+        \"
+    $
+    """,
+    re.VERBOSE,
+)
+
+
+class CitrixCommandHistoryPlugin(CommandHistoryPlugin):
+    COMMAND_HISTORY_ABSOLUTE_PATHS = (("citrix-netscaler-bash", "/var/log/bash.log*"),)
+    COMMAND_HISTORY_RELATIVE_PATHS = CommandHistoryPlugin.COMMAND_HISTORY_RELATIVE_PATHS + (
+        ("citrix-netscaler-cli", ".nscli_history"),
+    )
+
+    def _find_history_files(self) -> list[tuple[str, TargetPath, Optional[UnixUserRecord]]]:
+        """Find history files on the target that this plugin can parse."""
+        history_files = []
+        for shell, history_absolute_path_glob in self.COMMAND_HISTORY_ABSOLUTE_PATHS:
+            for path in self.target.fs.path("/").glob(history_absolute_path_glob.lstrip("/")):
+                history_files.append((shell, path, None))
+
+        # Also utilize the _find_history_files function of the parent class
+        history_files.extend(super()._find_history_files())
+        return history_files
+
+    def _find_user_by_name(self, username: str) -> Optional[UnixUserRecord]:
+        """Cached function to return the matching UnixUserRecord for a given username."""
+        if username is None:
+            return None
+
+        user_details = self.target.user_details.find(username=username)
+        return user_details.user if user_details else None
+
+    @export(record=CommandHistoryRecord)
+    def commandhistory(self) -> Iterator[CommandHistoryRecord]:
+        """Return shell history for all users.
+
+        When using a shell, history of the used commands is kept on the system.
+        """
+
+        for shell, history_path, user in self._history_files:
+            if shell == "citrix-netscaler-cli":
+                yield from self.parse_netscaler_cli_history(history_path, user)
+            elif shell == "citrix-netscaler-bash":
+                yield from self.parse_netscaler_bash_history(history_path)
+
+    def parse_netscaler_bash_history(self, path: TargetPath) -> Iterator[CommandHistoryRecord]:
+        """Parse bash.log* contents."""
+        for ts, line in year_rollover_helper(path, RE_CITRIX_NETSCALER_BASH_HISTORY_DATE, "%b %d %H:%M:%S "):
+            line = line.strip()
+            if not line:
+                continue
+
+            match = CITRIX_NETSCALER_BASH_HISTORY_RE.match(line)
+            if not match:
+                continue
+
+            group = match.groupdict()
+            command = group.get("command")
+            user = self._find_user_by_name(group.get("username"))
+
+            yield CommandHistoryRecord(
+                ts=ts,
+                command=command,
+                shell="citrix-netscaler-bash",
+                source=path,
+                _target=self.target,
+                _user=user,
+            )
+
+    def parse_netscaler_cli_history(
+        self, history_file: TargetPath, user: UnixUserRecord
+    ) -> Iterator[CommandHistoryRecord]:
+        """Parses the history file of the Citrix Netscaler CLI.
+
+        The only difference compared to generic bash history files is that the first line will start with
+        ``_HiStOrY_V2_``, which we will skip.
+        """
+        for idx, line in enumerate(history_file.open("rt")):
+            if not (line := line.strip()):
+                continue
+
+            if idx == 0 and line == "_HiStOrY_V2_":
+                continue
+
+            yield CommandHistoryRecord(
+                ts=None,
+                command=line,
+                shell="citrix-netscaler-cli",
+                source=history_file,
+                _target=self.target,
+                _user=user,
+            )

dissect/target/plugins/os/unix/generic.py

@@ -1,4 +1,5 @@
 from datetime import datetime
+from pathlib import Path
 from statistics import median
 from typing import Optional
 
@@ -15,18 +16,7 @@ class GenericPlugin(Plugin):
     def activity(self) -> Optional[datetime]:
         """Return last seen activity based on filesystem timestamps."""
         var_log = self.target.fs.path("/var/log")
-        if not var_log.exists():
-            return
-
-        last_seen = 0
-        for f in var_log.iterdir():
-            if not f.exists():
-                continue
-            if f.stat().st_mtime > last_seen:
-                last_seen = f.stat().st_mtime
-
-        if last_seen != 0:
-            return ts.from_unix(last_seen)
+        return calculate_last_activity(var_log)
 
     @export(property=True)
     def install_date(self) -> Optional[datetime]:
@@ -63,3 +53,18 @@ class GenericPlugin(Plugin):
         root_stat = self.target.fs.stat("/")
         if root_stat.st_ctime == root_stat.st_mtime:
             return ts.from_unix(root_stat.st_ctime)
+
+
+def calculate_last_activity(folder: Path) -> Optional[datetime]:
+    if not folder.exists():
+        return
+
+    last_seen = 0
+    for file in folder.iterdir():
+        if not file.exists():
+            continue
+        if file.stat().st_mtime > last_seen:
+            last_seen = file.stat().st_mtime
+
+    if last_seen != 0:
+        return ts.from_unix(last_seen)