dissect.target 3.15.dev8__py3-none-any.whl → 3.15.dev10__py3-none-any.whl
Sign up to get free protection for your applications and to get access to all the features.
- dissect/target/loaders/velociraptor.py +12 -3
- {dissect.target-3.15.dev8.dist-info → dissect.target-3.15.dev10.dist-info}/METADATA +1 -1
- {dissect.target-3.15.dev8.dist-info → dissect.target-3.15.dev10.dist-info}/RECORD +8 -8
- {dissect.target-3.15.dev8.dist-info → dissect.target-3.15.dev10.dist-info}/COPYRIGHT +0 -0
- {dissect.target-3.15.dev8.dist-info → dissect.target-3.15.dev10.dist-info}/LICENSE +0 -0
- {dissect.target-3.15.dev8.dist-info → dissect.target-3.15.dev10.dist-info}/WHEEL +0 -0
- {dissect.target-3.15.dev8.dist-info → dissect.target-3.15.dev10.dist-info}/entry_points.txt +0 -0
- {dissect.target-3.15.dev8.dist-info → dissect.target-3.15.dev10.dist-info}/top_level.txt +0 -0
|
@@ -22,7 +22,8 @@ def find_fs_directories(path: Path) -> tuple[Optional[OperatingSystem], Optional
|
|
|
22
22
|
# As of Velociraptor version 0.7.0 the structure of the Velociraptor Offline Collector varies by operating system.
|
|
23
23
|
# Generic.Collectors.File (Unix) uses the accessors file and auto.
|
|
24
24
|
# Generic.Collectors.File (Windows) and Windows.KapeFiles.Targets (Windows) uses the accessors
|
|
25
|
-
# mft, ntfs, lazy_ntfs, ntfs_vss and auto.
|
|
25
|
+
# mft, ntfs, lazy_ntfs, ntfs_vss and auto. The loader only supports a collection where a single accessor is used.
|
|
26
|
+
# For Windows usage of the ntfs_vss accessor can be forced by configuring VSSAnalysisAge to be greater than 0.
|
|
26
27
|
|
|
27
28
|
fs_root = path.joinpath(FILESYSTEMS_ROOT)
|
|
28
29
|
|
|
@@ -36,14 +37,22 @@ def find_fs_directories(path: Path) -> tuple[Optional[OperatingSystem], Optional
|
|
|
36
37
|
|
|
37
38
|
# Windows
|
|
38
39
|
volumes = set()
|
|
40
|
+
vss_volumes = set()
|
|
39
41
|
for accessor in WINDOWS_ACCESSORS:
|
|
40
42
|
accessor_root = fs_root.joinpath(accessor)
|
|
41
43
|
if accessor_root.exists():
|
|
42
44
|
# If the accessor directory exists, assume all the subdirectories are volumes
|
|
43
|
-
|
|
45
|
+
for volume in accessor_root.iterdir():
|
|
46
|
+
# https://github.com/Velocidex/velociraptor/blob/87368e7cc678144592a1614bb3bbd0a0f900ded9/accessors/ntfs/vss.go#L82
|
|
47
|
+
if "HarddiskVolumeShadowCopy" in volume.name:
|
|
48
|
+
vss_volumes.add(volume)
|
|
49
|
+
else:
|
|
50
|
+
volumes.add(volume)
|
|
44
51
|
|
|
45
52
|
if volumes:
|
|
46
|
-
|
|
53
|
+
# The volumes that represent drives (C, D) are mounted first,
|
|
54
|
+
# otherwise one of the volume shadow copies could be detected as the root filesystem which results in errors.
|
|
55
|
+
return OperatingSystem.WINDOWS, list(volumes) + list(vss_volumes)
|
|
47
56
|
|
|
48
57
|
return None, None
|
|
49
58
|
|
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
Metadata-Version: 2.1
|
|
2
2
|
Name: dissect.target
|
|
3
|
-
Version: 3.15.
|
|
3
|
+
Version: 3.15.dev10
|
|
4
4
|
Summary: This module ties all other Dissect modules together, it provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets)
|
|
5
5
|
Author-email: Dissect Team <dissect@fox-it.com>
|
|
6
6
|
License: Affero General Public License v3
|
|
@@ -88,7 +88,7 @@ dissect/target/loaders/targetd.py,sha256=sfbn2_j3il2G-rPywAoNT5YPtD5KmKkmBv1zrPD
|
|
|
88
88
|
dissect/target/loaders/utm.py,sha256=e5x5ZI3HeL0STh4S-CaQb68Rnug4SVZR9zlmHaGFj0M,978
|
|
89
89
|
dissect/target/loaders/vb.py,sha256=CnQcn7bAkMzIB1y-lWLtPPXdIVsyeDaT6hTZEurjkV4,2072
|
|
90
90
|
dissect/target/loaders/vbox.py,sha256=8JD7D8iAY9JRvTHsrosp5ZMsZezuLhZ10Zt8sEL7KBI,732
|
|
91
|
-
dissect/target/loaders/velociraptor.py,sha256=
|
|
91
|
+
dissect/target/loaders/velociraptor.py,sha256=tikJEVCUDloWJNd5J3jJjNcVkOp-OnEe1O79DY2WLWw,4372
|
|
92
92
|
dissect/target/loaders/vma.py,sha256=AAY5-s-nz6wgvmcFkptJD7nNXhpkdf6SqEKVOrJaIKs,644
|
|
93
93
|
dissect/target/loaders/vmwarevm.py,sha256=1MlKoIuWSwpYmpuLxDuVacvaYHUhAGO1KgZxzrc4fyg,428
|
|
94
94
|
dissect/target/loaders/vmx.py,sha256=o1rYYKu6ReleqqHf2aeRcNrmoRcngWZNhz1h7GlmggQ,962
|
|
@@ -305,10 +305,10 @@ dissect/target/volumes/luks.py,sha256=v_mHW05KM5iG8JDe47i2V4Q9O0r4rnAMA9m_qc9cYw
|
|
|
305
305
|
dissect/target/volumes/lvm.py,sha256=wwQVR9I3G9YzmY6UxFsH2Y4MXGBcKL9aayWGCDTiWMU,2269
|
|
306
306
|
dissect/target/volumes/md.py,sha256=j1K1iKmspl0C_OJFc7-Q1BMWN2OCC5EVANIgVlJ_fIE,1673
|
|
307
307
|
dissect/target/volumes/vmfs.py,sha256=-LoUbn9WNwTtLi_4K34uV_-wDw2W5hgaqxZNj4UmqAQ,1730
|
|
308
|
-
dissect.target-3.15.
|
|
309
|
-
dissect.target-3.15.
|
|
310
|
-
dissect.target-3.15.
|
|
311
|
-
dissect.target-3.15.
|
|
312
|
-
dissect.target-3.15.
|
|
313
|
-
dissect.target-3.15.
|
|
314
|
-
dissect.target-3.15.
|
|
308
|
+
dissect.target-3.15.dev10.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
|
|
309
|
+
dissect.target-3.15.dev10.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
|
|
310
|
+
dissect.target-3.15.dev10.dist-info/METADATA,sha256=ejmdkEyrDCTWqaIq7QC0dXgbPUIA5S-fNopxO72qcII,11107
|
|
311
|
+
dissect.target-3.15.dev10.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
|
|
312
|
+
dissect.target-3.15.dev10.dist-info/entry_points.txt,sha256=tvFPa-Ap-gakjaPwRc6Fl6mxHzxEZ_arAVU-IUYeo_s,447
|
|
313
|
+
dissect.target-3.15.dev10.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
|
|
314
|
+
dissect.target-3.15.dev10.dist-info/RECORD,,
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|
|
File without changes
|