dissect.target 3.14.dev29__py3-none-any.whl → 3.15__py3-none-any.whl

dissect/target/plugins/os/unix/linux/fortios/_os.py

@@ -0,0 +1,534 @@
+from __future__ import annotations
+
+import gzip
+import hashlib
+from base64 import b64decode
+from datetime import datetime
+from io import BytesIO
+from tarfile import ReadError
+from typing import BinaryIO, Iterator, Optional, TextIO, Union
+
+from dissect.util import cpio
+from dissect.util.compression import xz
+
+from dissect.target.filesystem import Filesystem
+from dissect.target.filesystems.tar import TarFilesystem
+from dissect.target.helpers.fsutil import open_decompress
+from dissect.target.helpers.record import TargetRecordDescriptor, UnixUserRecord
+from dissect.target.plugin import OperatingSystem, export
+from dissect.target.plugins.os.unix.linux._os import LinuxPlugin
+from dissect.target.target import Target
+
+try:
+    from Crypto.Cipher import AES, ChaCha20
+
+    HAS_PYCRYPTODOME = True
+except ImportError:
+    HAS_PYCRYPTODOME = False
+
+FortiOSUserRecord = TargetRecordDescriptor(
+    "fortios/user",
+    [
+        ("string", "name"),
+        ("string[]", "groups"),
+        ("string", "password"),
+        ("path", "home"),
+    ],
+)
+
+
+class FortiOSPlugin(LinuxPlugin):
+    """FortiOS plugin for various Fortinet appliances."""
+
+    def __init__(self, target: Target):
+        super().__init__(target)
+        self._version = None
+        self._config = self._load_config()
+
+    def _load_config(self) -> dict:
+        CONFIG_FILES = {
+            "/data/system.conf": "global-config",  # FortiManager
+            "/data/config/daemon.conf.gz": "daemon",  # FortiOS 4.x
+            "/data/config/sys_global.conf.gz": "global-config",  # Seen in FortiOS 5.x - 7.x
+            "/data/config/sys_vd_root.conf.gz": "root-config",  # FortiOS 4.x
+            "/data/config/sys_vd_root+root.conf.gz": "root-config",  # Seen in FortiOS 6.x - 7.x
+            "/data/config/global_system_interface.gz": "interfaces",  # Seen in FortiOS 5.x - 7.x
+        }
+
+        config = {}
+        for conf_file, section in CONFIG_FILES.items():
+            if (conf_path := self.target.fs.path(conf_file)).exists():
+                if conf_file.endswith("gz"):
+                    fh = gzip.open(conf_path.open("rb"), "rt")
+                else:
+                    fh = conf_path.open("rt")
+
+                if not self._version and section in ["global-config", "root-config"]:
+                    self._version = fh.readline().split("=", 1)[1]
+
+                parsed = FortiOSConfig.from_fh(fh)
+                config |= {section: parsed} if section else parsed
+
+        return config
+
+    @classmethod
+    def detect(cls, target: Target) -> Optional[Filesystem]:
+        for fs in target.filesystems:
+            # Tested on FortiGate and FortiAnalyzer, other Fortinet devices may look different.
+            if fs.exists("/rootfs.gz") and (fs.exists("/.fgtsum") or fs.exists("/.fmg_sign") or fs.exists("/flatkc")):
+                return fs
+
+    @classmethod
+    def create(cls, target: Target, sysvol: Filesystem) -> FortiOSPlugin:
+        target.log.warning("Attempting to load rootfs.gz, this can take a while.")
+        rootfs = sysvol.path("/rootfs.gz")
+        vfs = None
+
+        try:
+            if open_decompress(rootfs).read(4) == b"0707":
+                vfs = TarFilesystem(rootfs.open(), tarinfo=cpio.CpioInfo)
+            else:
+                vfs = TarFilesystem(rootfs.open())
+        except ReadError:
+            # The rootfs.gz file could be encrypted.
+            try:
+                rfs_fh = decrypt_rootfs(rootfs.open(), get_kernel_hash(sysvol))
+                vfs = TarFilesystem(rfs_fh, tarinfo=cpio.CpioInfo)
+            except RuntimeError:
+                target.log.warning("Could not decrypt rootfs.gz. Missing `pycryptodome` dependency.")
+            except ValueError as e:
+                target.log.warning("Could not decrypt rootfs.gz. Unsupported kernel version.")
+                target.log.debug("", exc_info=e)
+            except ReadError as e:
+                target.log.warning("Could not mount rootfs.gz. It could be corrupt.")
+                target.log.debug("", exc_info=e)
+
+        if vfs:
+            target.fs.mount("/", vfs)
+
+        target.fs.mount("/data", sysvol)
+
+        # FortiGate
+        if (datafs_tar := sysvol.path("/datafs.tar.gz")).exists():
+            target.fs.add_layer().mount("/data", TarFilesystem(datafs_tar.open("rb")))
+
+        # Additional FortiGate or FortiManager tars with corrupt XZ streams
+        target.log.warning("Attempting to load XZ files, this can take a while.")
+        for path in (
+            "bin.tar.xz",
+            "usr.tar.xz",
+            "migadmin.tar.xz",
+            "node-scripts.tar.xz",
+            "docker.tar.xz",
+            "syntax.tar.xz",
+        ):
+            if (tar := target.fs.path(path)).exists() or (tar := sysvol.path(path)).exists():
+                fh = xz.repair_checksum(tar.open("rb"))
+                target.fs.add_layer().mount("/", TarFilesystem(fh))
+
+        # FortiAnalyzer and FortiManager
+        if (rootfs_ext_tar := sysvol.path("rootfs-ext.tar.xz")).exists():
+            target.fs.add_layer().mount("/", TarFilesystem(rootfs_ext_tar.open("rb")))
+
+        # Filesystem mounts can be discovered in the FortiCare debug report
+        # or using ``fnsysctl ls`` and ``fnsysctl df`` in the cli.
+        for fs in target.filesystems:
+            # log partition
+            if fs.__type__ == "ext" and (
+                fs.extfs.volume_name.startswith("LOGUSEDX") or fs.path("/root/clog").is_symlink()
+            ):
+                target.fs.mount("/var/log", fs)
+
+            # EFI partition
+            if fs.__type__ == "fat" and fs.path("/EFI").exists():
+                target.fs.mount("/boot", fs)
+
+            # data2 partition
+            if fs.__type__ == "ext" and (
+                (fs.path("/new_alert_msg").exists() and fs.path("/template").exists())  # FortiGate
+                or (fs.path("/swapfile").exists() and fs.path("/old_fmversion").exists())  # FortiManager
+            ):
+                target.fs.mount("/data2", fs)
+
+        # Symlink unix-like paths
+        unix_paths = [("/data/passwd", "/etc/passwd")]
+        for src, dst in unix_paths:
+            if target.fs.path(src).exists() and not target.fs.path(dst).exists():
+                target.fs.symlink(src, dst)
+
+        return cls(target)
+
+    @export(property=True)
+    def hostname(self) -> str | None:
+        """Return configured hostname."""
+        try:
+            return self._config["global-config"]["system"]["global"]["hostname"][0]
+        except KeyError:
+            return None
+
+    @export(property=True)
+    def ips(self) -> list[str]:
+        """Return IP addresses of configured interfaces."""
+        result = []
+
+        try:
+            # FortiOS 6 and 7 (from global_system_interface.gz)
+            for key, iface in self._config["interfaces"].items():
+                if not key.startswith("port"):
+                    continue
+                result += [ip for ip in iface["ip"] if not ip.startswith("255")]
+        except KeyError as e:
+            self.target.log.debug("Exception while parsing FortiOS interfaces", exc_info=e)
+
+        try:
+            # Other versions
+            for conf in self._config["global-config"]["system"]["interface"].values():
+                if "ip" in conf:
+                    result.append(conf.ip[0])
+        except KeyError as e:
+            self.target.log.debug("Exception while parsing FortiOS system interfaces", exc_info=e)
+
+        return result
+
+    @export(property=True)
+    def dns(self) -> list[str]:
+        """Return configured WAN DNS servers."""
+        entries = []
+        try:
+            for entry in self._config["global-config"]["system"]["dns"].values():
+                entries.append(entry[0])
+        except KeyError:
+            pass
+        return entries
+
+    @export(property=True)
+    def version(self) -> str:
+        """Return FortiOS version."""
+        if self._version:
+            return parse_version(self._version)
+        return "FortiOS Unknown"
+
+    @export(record=FortiOSUserRecord)
+    def users(self) -> Iterator[Union[FortiOSUserRecord, UnixUserRecord]]:
+        """Return local users of the FortiOS system."""
+
+        # Possible unix-like users
+        yield from super().users()
+
+        # FortiGate administrative users
+        try:
+            for username, entry in self._config["global-config"]["system"]["admin"].items():
+                yield FortiOSUserRecord(
+                    name=username,
+                    password=":".join(entry.get("password", [])),
+                    groups=[entry["accprofile"][0]],
+                    home="/root",
+                    _target=self.target,
+                )
+        except KeyError as e:
+            self.target.log.warning("Exception while parsing FortiOS admin users")
+            self.target.log.debug("", exc_info=e)
+
+        # FortiManager administrative users
+        try:
+            for username, entry in self._config["global-config"]["system"]["admin"]["user"].items():
+                yield FortiOSUserRecord(
+                    name=username,
+                    password=":".join(entry.get("password", [])),
+                    groups=[entry["profileid"][0]],
+                    home="/root",
+                    _target=self.target,
+                )
+        except KeyError as e:
+            self.target.log.warning("Exception while parsing FortiManager admin users")
+            self.target.log.debug("", exc_info=e)
+
+        # Local users
+        try:
+            local_groups = local_groups_to_users(self._config["root-config"]["user"]["group"])
+            for username, entry in self._config["root-config"]["user"].get("local", {}).items():
+                try:
+                    password = decrypt_password(entry["passwd"][-1])
+                except (ValueError, RuntimeError):
+                    password = ":".join(entry.get("passwd", []))
+
+                yield FortiOSUserRecord(
+                    name=username,
+                    password=password,
+                    groups=local_groups.get(username, []),
+                    home=None,
+                    _target=self.target,
+                )
+        except KeyError as e:
+            self.target.log.warning("Exception while parsing FortiOS local users")
+            self.target.log.debug("", exc_info=e)
+
+        # Temporary guest users
+        try:
+            for _, entry in self._config["root-config"]["user"]["group"].get("guestgroup", {}).get("guest", {}).items():
+                try:
+                    password = decrypt_password(entry.get("password")[-1])
+                except (ValueError, RuntimeError):
+                    password = ":".join(entry.get("password"))
+
+                yield FortiOSUserRecord(
+                    name=entry["user-id"][0],
+                    password=password,
+                    groups=["guestgroup"],
+                    home=None,
+                    _target=self.target,
+                )
+        except KeyError as e:
+            self.target.log.warning("Exception while parsing FortiOS temporary guest users")
+            self.target.log.debug("", exc_info=e)
+
+    @export(property=True)
+    def os(self) -> str:
+        return OperatingSystem.FORTIOS.value
+
+    @export(property=True)
+    def architecture(self) -> Optional[str]:
+        """Return architecture FortiOS runs on."""
+        paths = ["/lib/libav.so", "/bin/ctr"]
+        for path in paths:
+            if self.target.fs.path(path).exists():
+                return self._get_architecture(path=path)
+
+
+class ConfigNode(dict):
+    def set(self, path: list[str], value: str) -> None:
+        node = self
+
+        for part in path[:-1]:
+            if part not in node:
+                node[part] = ConfigNode()
+            node = node[part]
+
+        node[path[-1]] = value
+
+    def __getattr__(self, attr: str) -> ConfigNode | str:
+        return self[attr]
+
+
+class FortiOSConfig(ConfigNode):
+    @classmethod
+    def from_fh(cls, fh: TextIO) -> FortiOSConfig:
+        root = cls()
+
+        stack = []
+        for parts in _parse_config(fh):
+            cmd = parts[0]
+
+            if cmd == "config":
+                if parts[1] == "vdom" and stack == [["vdom"]]:
+                    continue
+
+                stack.append(parts[1:])
+
+            elif cmd == "edit":
+                stack.append(parts[1:])
+
+            elif cmd == "end":
+                if stack:
+                    stack.pop()
+
+            elif cmd == "next":
+                if stack:
+                    stack.pop()
+
+            elif cmd == "set":
+                path = []
+                for part in stack:
+                    path += part
+
+                path.append(parts[1])
+                root.set(path, parts[2:])
+
+        return root
+
+
+def _parse_config(fh: TextIO) -> Iterator[list[str]]:
+    parts = []
+    string = None
+
+    for line in fh:
+        if not (line := line.strip()) or line.startswith("#"):
+            continue
+
+        for part in line.split(" "):
+            if part.startswith('"'):
+                if part.endswith('"'):
+                    parts.append(part[1:-1])
+                else:
+                    string = [part[1:]]
+            elif part.endswith('"') and part[-2] != "\\":
+                string.append(part[:-1])
+                parts.append(" ".join(string))
+                string = None
+            elif string:
+                string.append(part)
+            else:
+                parts.append(part)
+
+        if string:
+            string.append("\n")
+
+        if parts and not string:
+            yield parts
+            parts = []
+
+
+def parse_version(input: str) -> str:
+    """Attempt to parse the config FortiOS version to a readable format.
+
+    The input ``FGVM64-7.4.1-FW-build2463-230830:opmode=0:vdom=0`` would
+    return the following output: ``FortiGate VM 7.4.1 (build 2463, 2023-08-30)``.
+
+    Resources:
+        - https://support.fortinet.com/Download/VMImages.aspx
+    """
+
+    PREFIXES = {
+        "FGV": "FortiGate VM",  # FGVM64
+        "FGT": "FortiGate",  # can also be FGT-VM in 4.x/5.x
+        "FMG": "FortiManager",
+        "FAZ": "FortiAnalyzer",
+        "FFW": "FortiFirewall",
+        "FOS": "FortiOS",
+        "FWB": "FortiWeb",
+        "FAD": "FortiADC",
+    }
+
+    try:
+        version_str = input.split(":", 1)[0].strip()
+        type, version, _, build_num, build_date = version_str.rsplit("-", 4)
+
+        build_num = build_num.replace("build", "build ", 1)
+        build_date = datetime.strptime(build_date, "%y%m%d").strftime("%Y-%m-%d")
+        type = PREFIXES.get(type[:3], type)
+
+        return f"{type} {version} ({build_num}, {build_date})"
+    except ValueError:
+        return input
+
+
+def local_groups_to_users(config_groups: dict) -> dict:
+    """Map FortiOS groups to a dict with usernames as key."""
+    user_groups = {}
+    for group, items in config_groups.items():
+        for user in items.get("member", []):
+            if user in user_groups:
+                user_groups[user].append(group)
+            else:
+                user_groups[user] = [group]
+    return user_groups
+
+
+def decrypt_password(input: str) -> str:
+    """Decrypt FortiOS encrypted secrets.
+
+    Works for FortiGate 5.x, 6.x and 7.x (CVE-2019-6693).
+
+    NOTE:
+        - FortiManager uses a 16-byte IV and is not supported (CVE-2020-9289).
+        - FortiGate 4.x uses DES and a static 8-byte key and is not supported.
+
+    Returns decoded plaintext or original input ciphertext when decryption failed.
+
+    Resources:
+        - https://www.fortiguard.com/psirt/FG-IR-19-007
+    """
+
+    if not HAS_PYCRYPTODOME:
+        raise RuntimeError("PyCryptodome module not available")
+
+    if input[:3] in ["SH2", "AK1"]:
+        raise ValueError("Password is a hash (SHA-256 or SHA-1) and cannot be decrypted.")
+
+    ciphertext = b64decode(input)
+    iv = ciphertext[:4] + b"\x00" * 12
+    key = b"Mary had a littl"
+    cipher = AES.new(key, iv=iv, mode=AES.MODE_CBC)
+    plaintext = cipher.decrypt(ciphertext[4:])
+
+    try:
+        return plaintext.split(b"\x00", 1)[0].decode()
+    except UnicodeDecodeError:
+        return "ENC:" + input
+
+
+def decrypt_rootfs(fh: BinaryIO, kernel_hash: str) -> BinaryIO:
+    """Attempt to decrypt an encrypted ``rootfs.gz`` file.
+
+    FortiOS releases as of 7.4.1 / 2023-08-31, have ChaCha20 encrypted ``rootfs.gz`` files.
+    This function attempts to decrypt a ``rootfs.gz`` file using a static key and IV
+    which can be found in the kernel.
+
+    Currently supported versions (each release has a new key):
+        - FortiGate VM 7.0.13
+        - FortiGate VM 7.4.1
+        - FortiGate VM 7.4.2
+
+    Resources:
+        - https://docs.fortinet.com/document/fortimanager/7.4.2/release-notes/519207/special-notices
+        - Reversing kernel (fgt_verifier_iv, fgt_verifier_decrypt, fgt_verifier_initrd)
+    """
+
+    if not HAS_PYCRYPTODOME:
+        raise RuntimeError("PyCryptodome module not available")
+
+    # SHA256 hashes of kernel files
+    KERNEL_KEY_MAP = {
+        # FortiGate VM 7.0.13
+        "25cb2c8a419cde1f42d38fc6cbc95cf8b53db41096d0648015674d8220eba6bf": (
+            bytes.fromhex("c87e13e1f7d21c1aca81dc13329c3a948d6e420d3a859f3958bd098747873d08"),
+            bytes.fromhex("87486a24637e9a66f09ec182eee25594"),
+        ),
+        # FortiGate VM 7.4.1
+        "a008b47327293e48502a121ee8709f243ad5da4e63d6f663c253db27bd01ea28": _kdf_7_4_x(
+            "366486c0f2c6322ec23e4f33a98caa1b19d41c74bb4f25f6e8e2087b0655b30f"
+        ),
+        # FortiGate VM 7.4.2
+        "c392cf83ab484e0b2419b2711b02cdc88a73db35634c10340037243394a586eb": _kdf_7_4_x(
+            "480767be539de28ee773497fa731dd6368adc9946df61da8e1253fa402ba0302"
+        ),
+    }
+
+    if not (key_data := KERNEL_KEY_MAP.get(kernel_hash)):
+        raise ValueError("Failed to decrypt: Unknown kernel hash.")
+
+    key, iv = key_data
+    # First 8 bytes = counter, last 8 bytes = nonce
+    # PyCryptodome interally divides this seek by 64 to get a (position, offset) tuple
+    # We're interested in updating the position in the ChaCha20 internal state, so to make
+    # PyCryptodome "OpenSSL-compatible" we have to multiply the counter by 64
+    cipher = ChaCha20.new(key=key, nonce=iv[8:])
+    cipher.seek(int.from_bytes(iv[:8], "little") * 64)
+    result = cipher.decrypt(fh.read())
+
+    if result[0:2] != b"\x1f\x8b":
+        raise ValueError("Failed to decrypt: No gzip magic header found.")
+
+    return BytesIO(result)
+
+
+def _kdf_7_4_x(key_data: Union[str, bytes]) -> tuple[bytes, bytes]:
+    """Derive 32 byte key and 16 byte IV from 32 byte seed.
+
+    As the IV needs to be 16 bytes, we return the first 16 bytes of the sha256 hash.
+    """
+
+    if isinstance(key_data, str):
+        key_data = bytes.fromhex(key_data)
+
+    key = hashlib.sha256(key_data[4:32] + key_data[:4]).digest()
+    iv = hashlib.sha256(key_data[5:32] + key_data[:5]).digest()[:16]
+    return key, iv
+
+
+def get_kernel_hash(sysvol: Filesystem) -> Optional[str]:
+    """Return the SHA256 hash of the (compressed) kernel."""
+    kernel_files = ["flatkc", "vmlinuz", "vmlinux"]
+    for k in kernel_files:
+        if sysvol.path(k).exists():
+            return sysvol.sha256(k)

dissect/target/plugins/os/unix/linux/fortios/generic.py

@@ -0,0 +1,30 @@
+from datetime import datetime
+from typing import Optional
+
+from dissect.util import ts
+
+from dissect.target.exceptions import UnsupportedPluginError
+from dissect.target.plugin import Plugin, export
+from dissect.target.plugins.os.unix.generic import calculate_last_activity
+
+
+class GenericPlugin(Plugin):
+    def check_compatible(self) -> None:
+        if self.target.os != "fortios":
+            raise UnsupportedPluginError("FortiOS specific plugin loaded on non-FortiOS target")
+
+    @export(property=True)
+    def install_date(self) -> Optional[datetime]:
+        """Return the likely install date of FortiOS."""
+        files = ["/data/etc/cloudinit.log", "/data/.vm_provisioned", "/data/etc/ssh/ssh_host_dsa_key"]
+        for file in files:
+            if (fp := self.target.fs.path(file)).exists():
+                return ts.from_unix(fp.stat().st_mtime)
+
+    @export(property=True)
+    def activity(self) -> Optional[datetime]:
+        """Return last seen activity based on filesystem timestamps."""
+        log_dirs = ["/var/log/log/root", "/var/log/root", "/data"]
+        for log_dir in log_dirs:
+            if (var_log := self.target.fs.path(log_dir)).exists():
+                return calculate_last_activity(var_log)

dissect/target/plugins/os/unix/linux/fortios/locale.py

@@ -0,0 +1,109 @@
+from typing import Optional
+
+from dissect.target.exceptions import UnsupportedPluginError
+from dissect.target.plugin import Plugin, export
+
+
+class LocalePlugin(Plugin):
+    def check_compatible(self) -> None:
+        if self.target.os != "fortios":
+            raise UnsupportedPluginError("FortiOS specific plugin loaded on non-FortiOS target")
+
+    @export(property=True)
+    def timezone(self) -> Optional[str]:
+        """Return configured UI/system timezone."""
+        try:
+            timezone_num = self.target._os._config["global-config"]["system"]["global"]["timezone"][0]
+            return translate_timezone(timezone_num)
+        except KeyError:
+            pass
+
+    @export(property=True)
+    def language(self) -> Optional[str]:
+        """Return configured UI language."""
+        LANG_MAP = {
+            "english": "en_US",
+            "french": "fr_FR",
+            "spanish": "es_ES",
+            "portuguese": "pt_PT",
+            "japanese": "ja_JP",
+            "trach": "zh_TW",
+            "simch": "zh_CN",
+            "korean": "ko_KR",
+        }
+        try:
+            lang_str = self.target._os._config["global-config"]["system"]["global"].get("language", ["english"])[0]
+            return LANG_MAP.get(lang_str, lang_str)
+        except KeyError:
+            pass
+
+
+def translate_timezone(timezone_num: str) -> str:
+    """Translate a FortiOS timezone number to IANA TZ.
+
+    Resources:
+        - https://<fortios>/ng/system/settings
+    """
+
+    TZ_MAP = {
+        "01": "Etc/GMT+11",  # (GMT-11:00) Midway Island, Samoa
+        "02": "Pacific/Honolulu",  # (GMT-10:00) Hawaii
+        "03": "America/Anchorage",  # (GMT-9:00) Alaska
+        "04": "America/Los_Angeles",  # (GMT-8:00) Pacific Time (US & Canada)
+        "05": "America/Phoenix",  # (GMT-7:00) Arizona
+        "81": "America/Chihuahua",  # (GMT-7:00) Baja California Sur, Chihuahua
+        "06": "America/Denver",  # (GMT-7:00) Mountain Time (US & Canada)
+        "07": "America/Guatemala",  # (GMT-6:00) Central America
+        "08": "America/Chicago",  # (GMT-6:00) Central Time (US & Canada)
+        "09": "America/Mexico_City",  # (GMT-6:00) Mexico City
+        "10": "America/Regina",  # (GMT-6:00) Saskatchewan
+        "11": "America/Bogota",  # (GMT-5:00) Bogota, Lima,Quito
+        "12": "America/New_York",  # (GMT-5:00) Eastern Time (US & Canada)
+        "13": "America/Indianapolis",  # (GMT-5:00) Indiana (East)
+        "74": "America/Caracas",  # (GMT-4:00) Caracas
+        "14": "America/Halifax",  # (GMT-4:00) Atlantic Time (Canada)
+        "77": "Etc/GMT+4",  # (GMT-4:00) Georgetown
+        "15": "America/La_Paz",  # (GMT-4:00) La Paz
+        "87": "America/Asuncion",  # (GMT-4:00) Paraguay
+        "16": "America/Santiago",  # (GMT-3:00) Santiago
+        "17": "America/St_Johns",  # (GMT-3:30) Newfoundland
+        "18": "America/Sao_Paulo",  # (GMT-3:00) Brasilia
+        "19": "America/Buenos_Aires",  # (GMT-3:00) Buenos Aires
+        "20": "America/Godthab",  # (GMT-3:00) Nuuk (Greenland)
+        "75": "America/Montevideo",  # (GMT-3:00) Uruguay
+        "21": "Etc/GMT+2",  # (GMT-2:00) Mid-Atlantic
+        "22": "Atlantic/Azores",  # (GMT-1:00) Azores
+        "23": "Atlantic/Cape_Verde",  # (GMT-1:00) Cape Verde Is.
+        "24": "Atlantic/Reykjavik",  # (GMT) Monrovia
+        "80": "Europe/London",  # (GMT) Greenwich Mean Time
+        "79": "Africa/Casablanca",  # (GMT) Casablanca
+        "25": "Etc/UTC",  # (GMT) Dublin, Edinburgh, Lisbon, London, Canary Is.
+        "26": "Europe/Berlin",  # (GMT+1:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna
+        "27": "Europe/Budapest",  # (GMT+1:00) Belgrade, Bratislava, Budapest, Ljubljana, Prague
+        "28": "Europe/Paris",  # (GMT+1:00) Brussels, Copenhagen, Madrid, Paris
+        "78": "Africa/Windhoek",  # (GMT+1:00) Namibia
+        "29": "Europe/Warsaw",  # (GMT+1:00) Sarajevo, Skopje, Warsaw, Zagreb
+        "30": "Africa/Lagos",  # (GMT+1:00) West Central Africa
+        "31": "Europe/Kiev",  # (GMT+2:00) Athens, Sofia, Vilnius
+        "32": "Europe/Bucharest",  # (GMT+2:00) Bucharest
+        "33": "Africa/Cairo",  # (GMT+2:00) Cairo
+        "34": "Africa/Johannesburg",  # (GMT+2:00) Harare, Pretoria
+        "35": "Europe/Helsinki",  # (GMT+2:00) Helsinki, Riga, Tallinn
+        "36": "Asia/Jerusalem",  # (GMT+2:00) Jerusalem
+        "37": "Asia/Baghdad",  # (GMT+3:00) Baghdad
+        "38": "Asia/Riyadh",  # (GMT+3:00) Kuwait, Riyadh
+        "83": "Europe/Moscow",  # (GMT+3:00) Moscow
+        "84": "Europe/Minsk",  # (GMT+3:00) Minsk
+        "40": "Africa/Nairobi",  # (GMT+3:00) Nairobi
+        "85": "Europe/Istanbul",  # (GMT+3:00) Istanbul
+        "41": "Asia/Tehran",  # (GMT+3:30) Tehran
+        "42": "Asia/Dubai",  # (GMT+4:00) Abu Dhabi, Muscat
+        "43": "Asia/Baku",  # (GMT+4:00) Baku
+        "39": "Europe/Volgograd",  # (GMT+3:00) St. Petersburg, Volgograd
+        "44": "Asia/Kabul",  # (GMT+4:30) Kabul
+        "46": "Asia/Karachi",  # (GMT+5:00) Islamabad, Karachi, Tashkent
+        "47": "Asia/Calcutta",  # (GMT+5:30) Kolkata, Chennai, Mumbai, New Delhi
+        "51": "Asia/Colombo",  # (GMT+5:30) Sri Jayawardenepara
+    }
+
+    return TZ_MAP.get(timezone_num, timezone_num)

dissect/target/plugins/os/windows/log/evt.py

@@ -100,7 +100,7 @@ class WindowsEventlogsMixin:
 
         # resolve aliases (like `%systemroot%`) in the paths
         file_paths = [self.target.resolve(p) for p in file_paths]
-        file_paths = [self.target.fs.path(path) for path in file_paths if filename_regex.match(path)]
+        file_paths = [path for path in file_paths if filename_regex.match(str(path))]
 
         self.target.log.debug("Log files found in '%s': %d", self.EVENTLOG_REGISTRY_KEY, len(file_paths))