dissect.target 3.15.dev20__py3-none-any.whl → 3.15.dev21__py3-none-any.whl

dissect/target/plugins/filesystem/ntfs/mft.py

@@ -123,6 +123,12 @@ class MftPlugin(Plugin):
 
         The Master File Table (MFT) contains primarily metadata about every file and folder on a NFTS filesystem.
 
+        If the filesystem is part of a virtual NTFS filesystem (a ``VirtualFilesystem`` with the MFT properties
+        added to it through a "fake" ``NtfsFilesystem``), the paths returned in the MFT records are based on the
+        mount point of the ``VirtualFilesystem``. This ensures that the proper original drive letter is used when
+        available.
+        When no drive letter can be determined, the path will show as e.g. ``\\$fs$\\fs0``.
+
         References:
             - https://docs.microsoft.com/en-us/windows/win32/fileio/master-file-table
         """
@@ -136,6 +142,10 @@ class MftPlugin(Plugin):
             if fs.__type__ != "ntfs":
                 continue
 
+            # If this filesystem is a "fake" NTFS filesystem, used to enhance a
+            # VirtualFilesystem, The driveletter (more accurate mount point)
+            # returned will be that of the VirtualFilesystem. This makes sure
+            # the paths returned in the records are actually reachable.
             drive_letter = get_drive_letter(self.target, fs)
             volume_uuid = get_volume_identifier(fs)
 

dissect/target/plugins/filesystem/ntfs/mft_timeline.py

@@ -105,6 +105,12 @@ class MftTimelinePlugin(Plugin):
 
         The Master File Table (MFT) contains metadata about every file and folder on a NFTS filesystem.
 
+        If the filesystem is part of a virtual NTFS filesystem (a ``VirtualFilesystem`` with the MFT properties
+        added to it through a "fake" ``NtfsFilesystem``), the paths returned in the MFT records are based on the
+        mount point of the ``VirtualFilesystem``. This ensures that the proper original drive letter is used when
+        available.
+        When no drive letter can be determined, the path will show as e.g. ``\\$fs$\\fs0``.
+
         References:
             - https://docs.microsoft.com/en-us/windows/win32/fileio/master-file-table
         """
@@ -112,6 +118,10 @@ class MftTimelinePlugin(Plugin):
             if fs.__type__ != "ntfs":
                 continue
 
+            # If this filesystem is a "fake" NTFS filesystem, used to enhance a
+            # VirtualFilesystem, The driveletter (more accurate mount point)
+            # returned will be that of the VirtualFilesystem. This makes sure
+            # the paths returned in the records are actually reachable.
             drive_letter = get_drive_letter(self.target, fs)
             extras = Extras(
                 serial=fs.ntfs.serial,

dissect/target/plugins/filesystem/ntfs/usnjrnl.py

@@ -34,6 +34,12 @@ class UsnjrnlPlugin(Plugin):
         The Update Sequence Number Journal (UsnJrnl) is a feature of an NTFS file system and contains information about
         filesystem activities. Each volume has its own UsnJrnl.
 
+        If the filesystem is part of a virtual NTFS filesystem (a ``VirtualFilesystem`` with the UsnJrnl
+        properties added to it through a "fake" ``NtfsFilesystem``), the paths returned in the UsnJrnl records
+        are based on the mount point of the ``VirtualFilesystem``. This ensures that the proper original drive
+        letter is used when available.
+        When no drive letter can be determined, the path will show as e.g. ``\\$fs$\\fs0``.
+
         References:
             - https://en.wikipedia.org/wiki/USN_Journal
             - https://velociraptor.velocidex.com/the-windows-usn-journal-f0c55c9010e
@@ -47,6 +53,10 @@ class UsnjrnlPlugin(Plugin):
             if not usnjrnl:
                 continue
 
+            # If this filesystem is a "fake" NTFS filesystem, used to enhance a
+            # VirtualFilesystem, The driveletter (more accurate mount point)
+            # returned will be that of the VirtualFilesystem. This makes sure
+            # the paths returned in the records are actually reachable.
             drive_letter = get_drive_letter(self.target, fs)
             for record in usnjrnl.records():
                 try:

dissect/target/plugins/filesystem/ntfs/utils.py

@@ -1,3 +1,4 @@
+import re
 from enum import Enum, auto
 from typing import Optional, Tuple
 from uuid import UUID
@@ -8,6 +9,8 @@ from dissect.ntfs.mft import MftRecord
 from dissect.target import Target
 from dissect.target.filesystems.ntfs import NtfsFilesystem
 
+DRIVE_LETTER_RE = re.compile(r"[a-zA-Z]:")
+
 
 class InformationType(Enum):
     STANDARD_INFORMATION = auto()
@@ -20,13 +23,33 @@ def get_drive_letter(target: Target, filesystem: NtfsFilesystem):
 
     When the drive letter is not available for that filesystem it returns empty.
     """
+    # A filesystem can be known under multiple drives (mount points). If it is
+    # a windows system volume, there are the default sysvol and c: drives.
+    # If the target has a virtual ntfs filesystem, e.g. as constructed by the
+    # tar and dir loaders, there is also the /$fs$/fs<n> drive, under which the
+    # "fake" ntfs filesystem is mounted.
+    # The precedence for drives is first the drive letter drives (e.g. c:),
+    # second the "normally" named drives (e.g. sysvol) and finally the anonymous
+    # drives (e.g. /$fs/fs0).
     mount_items = (item for item in target.fs.mounts.items() if hasattr(item[1], "ntfs"))
-    driveletters = [key for key, fs in mount_items if fs.ntfs is filesystem.ntfs]
+    drives = [key for key, fs in mount_items if fs.ntfs is filesystem.ntfs]
+
+    single_letter_drives = []
+    other_drives = []
+    anon_drives = []
+
+    for drive in drives:
+        if DRIVE_LETTER_RE.match(drive):
+            single_letter_drives.append(drive)
+        elif "$fs$" in drive:
+            anon_drives.append(drive)
+        else:
+            other_drives.append(drive)
+
+    drives = sorted(single_letter_drives) + sorted(other_drives) + sorted(anon_drives)
 
-    if driveletters:
-        # Currently, mount_dict contain 2 instances of the same filesystem: 'sysvol' and 'c:'
-        # This is to choose the latter which will be 'c:'
-        return f"{driveletters[-1]}\\"
+    if drives:
+        return f"{drives[0]}\\"
     else:
         return ""
 

{dissect.target-3.15.dev20.dist-info → dissect.target-3.15.dev21.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: dissect.target
-Version: 3.15.dev20
+Version: 3.15.dev21
 Summary: This module ties all other Dissect modules together, it provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets)
 Author-email: Dissect Team <dissect@fox-it.com>
 License: Affero General Public License v3

{dissect.target-3.15.dev20.dist-info → dissect.target-3.15.dev21.dist-info}/RECORD

@@ -153,10 +153,10 @@ dissect/target/plugins/filesystem/resolver.py,sha256=HfyASUFV4F9uD-yFXilFpPTORAs
 dissect/target/plugins/filesystem/walkfs.py,sha256=aCEBmT3uoQdMdSGUshMOsKpcjrzAFg3HzeYW24PJZwk,2296
 dissect/target/plugins/filesystem/yara.py,sha256=q_pbrQArNaWP4ILRzK7VQhukIw16LhUvntoviHmZ38Q,2241
 dissect/target/plugins/filesystem/ntfs/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-dissect/target/plugins/filesystem/ntfs/mft.py,sha256=O5OHo2WDVhvflsQq8DcUaDRgDeWPcJs_1C_bqfm1PO0,8806
-dissect/target/plugins/filesystem/ntfs/mft_timeline.py,sha256=EJr_SFNkCrGx0VKIQFu-0zhNYuNv_7PpaXsYjE6UzE4,6033
-dissect/target/plugins/filesystem/ntfs/usnjrnl.py,sha256=2n64bhiBOuhVv9GsgFQcfMSE9CQ-RRfu2b3i9E2wzeQ,2938
-dissect/target/plugins/filesystem/ntfs/utils.py,sha256=9oRkmrByR1JPiIM0n_evORcK6NDQuDqrmiVIolupeck,2316
+dissect/target/plugins/filesystem/ntfs/mft.py,sha256=Za-fsTcKlAlhm9ugJlMdwsJVf2Osrh4PrEGSFuv-Eeo,9564
+dissect/target/plugins/filesystem/ntfs/mft_timeline.py,sha256=vvNFAZbr7s3X2OTYf4ES_L6-XsouTXcTymfxnHfZ1Rw,6791
+dissect/target/plugins/filesystem/ntfs/usnjrnl.py,sha256=uiT1ipmcAo__6VIUi8R_vvIu22vdnjMACKwLSAbzYjs,3704
+dissect/target/plugins/filesystem/ntfs/utils.py,sha256=xG7Lgw9NX4tDDrZVRm0vycFVJTOM7j-HrjqzDh0f4uA,3136
 dissect/target/plugins/filesystem/unix/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/plugins/filesystem/unix/capability.py,sha256=oTJVEr8Yszejd-FxU0D8J49ATxNrJOcUnBFIc96k8kg,5920
 dissect/target/plugins/filesystem/unix/suid.py,sha256=Q0Y5CyPm34REruyZYP5siFAka4i7QEOOxZ9K2L-SxPY,1290
@@ -315,10 +315,10 @@ dissect/target/volumes/luks.py,sha256=v_mHW05KM5iG8JDe47i2V4Q9O0r4rnAMA9m_qc9cYw
 dissect/target/volumes/lvm.py,sha256=wwQVR9I3G9YzmY6UxFsH2Y4MXGBcKL9aayWGCDTiWMU,2269
 dissect/target/volumes/md.py,sha256=j1K1iKmspl0C_OJFc7-Q1BMWN2OCC5EVANIgVlJ_fIE,1673
 dissect/target/volumes/vmfs.py,sha256=-LoUbn9WNwTtLi_4K34uV_-wDw2W5hgaqxZNj4UmqAQ,1730
-dissect.target-3.15.dev20.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
-dissect.target-3.15.dev20.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
-dissect.target-3.15.dev20.dist-info/METADATA,sha256=P3aZf5INRmResMw5qj2ipews4T7dSbv7eHIUFfYp5L4,11113
-dissect.target-3.15.dev20.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
-dissect.target-3.15.dev20.dist-info/entry_points.txt,sha256=tvFPa-Ap-gakjaPwRc6Fl6mxHzxEZ_arAVU-IUYeo_s,447
-dissect.target-3.15.dev20.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
-dissect.target-3.15.dev20.dist-info/RECORD,,
+dissect.target-3.15.dev21.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
+dissect.target-3.15.dev21.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
+dissect.target-3.15.dev21.dist-info/METADATA,sha256=4zEuRFKt1qhipeN98KP4OJXi0bz5r8RLmqBrRUbQbuI,11113
+dissect.target-3.15.dev21.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
+dissect.target-3.15.dev21.dist-info/entry_points.txt,sha256=tvFPa-Ap-gakjaPwRc6Fl6mxHzxEZ_arAVU-IUYeo_s,447
+dissect.target-3.15.dev21.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
+dissect.target-3.15.dev21.dist-info/RECORD,,