dissect.target 3.16.dev36__py3-none-any.whl → 3.16.dev38__py3-none-any.whl

dissect/target/helpers/fsutil.py

@@ -78,6 +78,7 @@ __all__ = [
     "generate_addr",
     "glob_ext",
     "glob_split",
+    "has_glob_magic",
     "isabs",
     "join",
     "normalize",

dissect/target/loaders/velociraptor.py

@@ -19,12 +19,6 @@ WINDOWS_ACCESSORS = ["mft", "ntfs", "lazy_ntfs", "ntfs_vss", "auto"]
 
 
 def find_fs_directories(path: Path) -> tuple[Optional[OperatingSystem], Optional[list[Path]]]:
-    # As of Velociraptor version 0.7.0 the structure of the Velociraptor Offline Collector varies by operating system.
-    # Generic.Collectors.File (Unix) uses the accessors file and auto.
-    # Generic.Collectors.File (Windows) and Windows.KapeFiles.Targets (Windows) uses the accessors
-    # mft, ntfs, lazy_ntfs, ntfs_vss and auto. The loader only supports a collection where a single accessor is used.
-    # For Windows usage of the ntfs_vss accessor can be forced by configuring VSSAnalysisAge to be greater than 0.
-
     fs_root = path.joinpath(FILESYSTEMS_ROOT)
 
     # Unix
@@ -43,6 +37,9 @@ def find_fs_directories(path: Path) -> tuple[Optional[OperatingSystem], Optional
         if accessor_root.exists():
             # If the accessor directory exists, assume all the subdirectories are volumes
             for volume in accessor_root.iterdir():
+                if not volume.is_dir():
+                    continue
+
                 # https://github.com/Velocidex/velociraptor/blob/87368e7cc678144592a1614bb3bbd0a0f900ded9/accessors/ntfs/vss.go#L82
                 if "HarddiskVolumeShadowCopy" in volume.name:
                     vss_volumes.add(volume)
@@ -60,6 +57,17 @@ def find_fs_directories(path: Path) -> tuple[Optional[OperatingSystem], Optional
 class VelociraptorLoader(DirLoader):
     """Load Rapid7 Velociraptor forensic image files.
 
+    As of Velociraptor version 0.7.0 the structure of the Velociraptor Offline Collector varies by operating system.
+    Generic.Collectors.File (Unix) uses the accessors file and auto. The loader supports the following configuration::
+
+        {"Generic.Collectors.File":{"Root":"/","collectionSpec":"Glob\\netc/**\\nvar/log/**"}}
+
+    Generic.Collectors.File (Windows) and Windows.KapeFiles.Targets (Windows) uses the accessors mft, ntfs, lazy_ntfs,
+    ntfs_vss and auto. The loader only supports a collection where a single accessor is used, which can be forced by
+    using the following configuration::
+
+        {"Windows.KapeFiles.Targets":{"VSSAnalysisAge":"1000","_SANS_Triage":"Y"}}
+
     References:
         - https://www.rapid7.com/products/velociraptor/
         - https://docs.velociraptor.app/

dissect/target/plugins/apps/webserver/iis.py

@@ -10,6 +10,7 @@ from flow.record.base import RE_VALID_FIELD_NAME
 from dissect.target import plugin
 from dissect.target.exceptions import FileNotFoundError as DissectFileNotFoundError
 from dissect.target.exceptions import PluginError, UnsupportedPluginError
+from dissect.target.helpers.fsutil import has_glob_magic
 from dissect.target.helpers.record import TargetRecordDescriptor
 from dissect.target.plugins.apps.webserver.webserver import (
     WebserverAccessLogRecord,
@@ -54,24 +55,33 @@ class IISLogsPlugin(WebserverPlugin):
 
     APPLICATION_HOST_CONFIG = "sysvol/windows/system32/inetsrv/config/applicationHost.config"
 
+    DEFAULT_LOG_PATHS = [
+        "sysvol\\Windows\\System32\\LogFiles\\W3SVC*\\*.log",
+        "sysvol\\Windows.old\\Windows\\System32\\LogFiles\\W3SVC*\\*.log",
+        "sysvol\\inetpub\\logs\\LogFiles\\*.log",
+        "sysvol\\inetpub\\logs\\LogFiles\\W3SVC*\\*.log",
+        "sysvol\\Resources\\Directory\\*\\LogFiles\\Web\\W3SVC*\\*.log",
+    ]
+
     __namespace__ = "iis"
 
     def __init__(self, target):
         super().__init__(target)
         self.config = self.target.fs.path(self.APPLICATION_HOST_CONFIG)
+        self.log_dirs = self.get_log_dirs()
 
         self._create_extended_descriptor = lru_cache(4096)(self._create_extended_descriptor)
 
     def check_compatible(self) -> None:
-        if not self.config.exists() and not self.target.fs.path("sysvol/files").exists():
-            raise UnsupportedPluginError("No ApplicationHost config file found")
+        if not self.log_dirs:
+            raise UnsupportedPluginError("No IIS log files found")
 
     @plugin.internal
     def get_log_dirs(self) -> list[tuple[str, Path]]:
-        log_paths = []
+        log_paths = set()
 
         if (sysvol_files := self.target.fs.path("sysvol/files")).exists():
-            log_paths.append(("auto", sysvol_files))
+            log_paths.add(("auto", sysvol_files))
 
         try:
             xml_data = ElementTree.fromstring(self.config.open().read(), forbid_dtd=True)
@@ -79,16 +89,33 @@ class IISLogsPlugin(WebserverPlugin):
                 log_format = log_file_element.get("logFormat") or "W3C"
                 if log_dir := log_file_element.get("directory"):
                     log_dir = self.target.resolve(log_dir)
-                    log_paths.append((log_format, log_dir))
+                    log_paths.add((log_format, log_dir))
 
         except (ElementTree.ParseError, DissectFileNotFoundError) as e:
-            self.target.log.warning(f"Error while parsing {self.config}: {e}")
+            self.target.log.warning("Error while parsing %s:%s", self.config, e)
+
+        for log_path in self.DEFAULT_LOG_PATHS:
+            try:
+                # later on we use */*.log to collect the files, so we need to move up 2 levels
+                log_dir = self.target.fs.path(log_path).parents[1]
+            except IndexError:
+                self.target.log.error("Incompatible path found: %s", log_path)
+                continue
+
+            if not has_glob_magic(str(log_dir)) and log_dir.exists():
+                log_paths.add(("auto", log_dir))
+                continue
+
+            for _log_dir_str in self.target.fs.glob(str(log_dir)):
+                if not (_log_dir := self.target.fs.path(_log_dir_str)).is_dir():
+                    continue
+                log_paths.add(("auto", _log_dir))
 
-        return log_paths
+        return list(log_paths)
 
     @plugin.internal
     def iter_log_format_path_pairs(self) -> list[tuple[str, str]]:
-        for log_format, log_dir_path in self.get_log_dirs():
+        for log_format, log_dir_path in self.log_dirs:
             for log_file in log_dir_path.glob("*/*.log"):
                 yield (log_format, log_file)
 

{dissect.target-3.16.dev36.dist-info → dissect.target-3.16.dev38.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: dissect.target
-Version: 3.16.dev36
+Version: 3.16.dev38
 Summary: This module ties all other Dissect modules together, it provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets)
 Author-email: Dissect Team <dissect@fox-it.com>
 License: Affero General Public License v3

{dissect.target-3.16.dev36.dist-info → dissect.target-3.16.dev38.dist-info}/RECORD

@@ -48,7 +48,7 @@ dissect/target/helpers/configutil.py,sha256=t_UNvcWuMMT5C1tut_PgTwCnVUodf6RjhfXP
 dissect/target/helpers/cyber.py,sha256=Ki5oSU0GgQxjgC_yWoeieGP7GOY5blQCzNX7vy7Pgas,16782
 dissect/target/helpers/descriptor_extensions.py,sha256=uT8GwznfDAiIgMM7JKKOY0PXKMv2c0GCqJTCkWFgops,2605
 dissect/target/helpers/docs.py,sha256=J5U65Y3yOTqxDEZRCdrEmO63XQCeDzOJea1PwPM6Cyc,5146
-dissect/target/helpers/fsutil.py,sha256=pmaTi8uAN84EdN5Z7BinKrHfx6sswc2TjHdvt26PTSo,19759
+dissect/target/helpers/fsutil.py,sha256=Djm7r7gbxMlm7QQagWNeoHd-KoCn3u3JMMRc4TH950Q,19781
 dissect/target/helpers/hashutil.py,sha256=SD24rcV_y0sBEl7M9T-isjm-VzJvCiTN2BoWMqAOAVI,2160
 dissect/target/helpers/keychain.py,sha256=wYH0sf7eaxP0bZTo80RF_BQMWulCWmIQ8Tzt9K5TSNQ,3611
 dissect/target/helpers/lazy.py,sha256=823VtmdWsbJyVZvNWopDhQdqq2i1xtj6b8IKfveboKw,1771
@@ -102,7 +102,7 @@ dissect/target/loaders/targetd.py,sha256=sfbn2_j3il2G-rPywAoNT5YPtD5KmKkmBv1zrPD
 dissect/target/loaders/utm.py,sha256=e5x5ZI3HeL0STh4S-CaQb68Rnug4SVZR9zlmHaGFj0M,978
 dissect/target/loaders/vb.py,sha256=CnQcn7bAkMzIB1y-lWLtPPXdIVsyeDaT6hTZEurjkV4,2072
 dissect/target/loaders/vbox.py,sha256=8JD7D8iAY9JRvTHsrosp5ZMsZezuLhZ10Zt8sEL7KBI,732
-dissect/target/loaders/velociraptor.py,sha256=tikJEVCUDloWJNd5J3jJjNcVkOp-OnEe1O79DY2WLWw,4372
+dissect/target/loaders/velociraptor.py,sha256=WPnDIWANIIUPgc-kfXSjXptCQ2pkcy1jdkEydiOvs58,4613
 dissect/target/loaders/vma.py,sha256=AAY5-s-nz6wgvmcFkptJD7nNXhpkdf6SqEKVOrJaIKs,644
 dissect/target/loaders/vmwarevm.py,sha256=1MlKoIuWSwpYmpuLxDuVacvaYHUhAGO1KgZxzrc4fyg,428
 dissect/target/loaders/vmx.py,sha256=o1rYYKu6ReleqqHf2aeRcNrmoRcngWZNhz1h7GlmggQ,962
@@ -144,7 +144,7 @@ dissect/target/plugins/apps/webserver/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCe
 dissect/target/plugins/apps/webserver/apache.py,sha256=bD6_XObfO7W-cFlLRWyhdwEfw-Y57JBi47rWnXCx-vg,15026
 dissect/target/plugins/apps/webserver/caddy.py,sha256=qZsAK_tILGvroV4SWkDKc-Otwd41bUEtv9H9TuHmt-0,6422
 dissect/target/plugins/apps/webserver/citrix.py,sha256=FEPdBteEJeeGg3B95W_27O9wLJVhenEc5A5fSLDmK18,3044
-dissect/target/plugins/apps/webserver/iis.py,sha256=t92JGTuMbBlUma5BVurdOuzUYvrjpgT8NEHpu9Xz5F0,14734
+dissect/target/plugins/apps/webserver/iis.py,sha256=fnVF6npYXbVfg9SYvFOFMM1c7dT81mKS6cMerRDhuy4,15847
 dissect/target/plugins/apps/webserver/nginx.py,sha256=WA5soi1FU1c44oHRcyOoHK3gH8Jzc_Qi5uXcimDYukw,4129
 dissect/target/plugins/apps/webserver/webserver.py,sha256=a7a2lLrhsa9c1AXnwiLP-tqVv-IUbmaVaSZI5S0fKa8,1500
 dissect/target/plugins/child/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -332,10 +332,10 @@ dissect/target/volumes/luks.py,sha256=OmCMsw6rCUXG1_plnLVLTpsvE1n_6WtoRUGQbpmu1z
 dissect/target/volumes/lvm.py,sha256=wwQVR9I3G9YzmY6UxFsH2Y4MXGBcKL9aayWGCDTiWMU,2269
 dissect/target/volumes/md.py,sha256=j1K1iKmspl0C_OJFc7-Q1BMWN2OCC5EVANIgVlJ_fIE,1673
 dissect/target/volumes/vmfs.py,sha256=-LoUbn9WNwTtLi_4K34uV_-wDw2W5hgaqxZNj4UmqAQ,1730
-dissect.target-3.16.dev36.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
-dissect.target-3.16.dev36.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
-dissect.target-3.16.dev36.dist-info/METADATA,sha256=8S8GPdefFjHJ2czAB3CLuF18XOPxF9OGteckjZlsVTY,11107
-dissect.target-3.16.dev36.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
-dissect.target-3.16.dev36.dist-info/entry_points.txt,sha256=tvFPa-Ap-gakjaPwRc6Fl6mxHzxEZ_arAVU-IUYeo_s,447
-dissect.target-3.16.dev36.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
-dissect.target-3.16.dev36.dist-info/RECORD,,
+dissect.target-3.16.dev38.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
+dissect.target-3.16.dev38.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
+dissect.target-3.16.dev38.dist-info/METADATA,sha256=LCsm2qVyfCBMvuEx5O0DbD_J-OhYuilVWMT_N2YRS7s,11107
+dissect.target-3.16.dev38.dist-info/WHEEL,sha256=oiQVh_5PnQM0E3gPdiz09WCNmwiHDMaGer_elqB3coM,92
+dissect.target-3.16.dev38.dist-info/entry_points.txt,sha256=tvFPa-Ap-gakjaPwRc6Fl6mxHzxEZ_arAVU-IUYeo_s,447
+dissect.target-3.16.dev38.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
+dissect.target-3.16.dev38.dist-info/RECORD,,