dissect.target 3.16.dev44__py3-none-any.whl → 3.17__py3-none-any.whl

dissect/target/plugins/apps/browser/firefox.py

@@ -1,5 +1,9 @@
+import hmac
 import json
-from typing import Iterator
+import logging
+from base64 import b64decode
+from hashlib import pbkdf2_hmac, sha1
+from typing import Iterator, Optional
 
 from dissect.sql import sqlite3
 from dissect.sql.exceptions import Error as SQLError
@@ -8,15 +12,41 @@ from dissect.util.ts import from_unix_ms, from_unix_us
 
 from dissect.target.exceptions import FileNotFoundError, UnsupportedPluginError
 from dissect.target.helpers.descriptor_extensions import UserRecordDescriptorExtension
+from dissect.target.helpers.fsutil import TargetPath
 from dissect.target.helpers.record import create_extended_descriptor
 from dissect.target.plugin import export
 from dissect.target.plugins.apps.browser.browser import (
     GENERIC_COOKIE_FIELDS,
     GENERIC_DOWNLOAD_RECORD_FIELDS,
+    GENERIC_EXTENSION_RECORD_FIELDS,
     GENERIC_HISTORY_RECORD_FIELDS,
+    GENERIC_PASSWORD_RECORD_FIELDS,
     BrowserPlugin,
     try_idna,
 )
+from dissect.target.plugins.general.users import UserDetails
+
+try:
+    from asn1crypto import algos, core
+
+    HAS_ASN1 = True
+
+except ImportError:
+    HAS_ASN1 = False
+
+
+try:
+    from Crypto.Cipher import AES, DES3
+    from Crypto.Util.Padding import unpad
+
+    HAS_CRYPTO = True
+
+except ImportError:
+    HAS_CRYPTO = False
+
+FIREFOX_EXTENSION_RECORD_FIELDS = [("uri", "source_uri"), ("string[]", "optional_permissions")]
+
+log = logging.getLogger(__name__)
 
 
 class FirefoxPlugin(BrowserPlugin):
@@ -48,21 +78,37 @@ class FirefoxPlugin(BrowserPlugin):
         "browser/firefox/download", GENERIC_DOWNLOAD_RECORD_FIELDS
     )
 
+    BrowserExtensionRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
+        "browser/firefox/extension", GENERIC_EXTENSION_RECORD_FIELDS + FIREFOX_EXTENSION_RECORD_FIELDS
+    )
+
+    BrowserPasswordRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
+        "browser/firefox/password", GENERIC_PASSWORD_RECORD_FIELDS
+    )
+
     def __init__(self, target):
         super().__init__(target)
-        self.users_dirs = []
+        self.users_dirs: list[tuple[UserDetails, TargetPath]] = []
         for user_details in self.target.user_details.all_with_home():
             for directory in self.DIRS:
                 cur_dir = user_details.home_path.joinpath(directory)
                 if not cur_dir.exists():
                     continue
-                self.users_dirs.append((user_details.user, cur_dir))
+                self.users_dirs.append((user_details, cur_dir))
 
     def check_compatible(self) -> None:
         if not len(self.users_dirs):
             raise UnsupportedPluginError("No Firefox directories found")
 
-    def _iter_db(self, filename: str) -> Iterator[SQLite3]:
+    def _iter_profiles(self) -> Iterator[tuple[UserDetails, TargetPath, TargetPath]]:
+        """Yield user directories."""
+        for user, cur_dir in self.users_dirs:
+            for profile_dir in cur_dir.iterdir():
+                if not profile_dir.is_dir():
+                    continue
+                yield user, cur_dir, profile_dir
+
+    def _iter_db(self, filename: str) -> Iterator[tuple[UserDetails, SQLite3]]:
         """Yield opened history database files of all users.
 
         Args:
@@ -71,16 +117,15 @@ class FirefoxPlugin(BrowserPlugin):
         Yields:
             Opened SQLite3 databases.
         """
-        for user, cur_dir in self.users_dirs:
-            for profile_dir in cur_dir.iterdir():
-                if profile_dir.is_dir():
-                    db_file = profile_dir.joinpath(filename)
-                    try:
-                        yield user, db_file, sqlite3.SQLite3(db_file.open())
-                    except FileNotFoundError:
-                        self.target.log.warning("Could not find %s file: %s", filename, db_file)
-                    except SQLError as e:
-                        self.target.log.warning("Could not open %s file: %s", filename, db_file, exc_info=e)
+        for user, cur_dir, profile_dir in self._iter_profiles():
+            db_file = profile_dir.joinpath(filename)
+            try:
+                yield user, db_file, sqlite3.SQLite3(db_file.open())
+            except FileNotFoundError:
+                self.target.log.warning("Could not find %s file: %s", filename, db_file)
+            except SQLError as e:
+                self.target.log.warning("Could not open %s file: %s", filename, db_file)
+                self.target.log.debug("", exc_info=e)
 
     @export(record=BrowserHistoryRecord)
     def history(self) -> Iterator[BrowserHistoryRecord]:
@@ -135,7 +180,7 @@ class FirefoxPlugin(BrowserPlugin):
                         from_url=try_idna(from_place.url) if from_place else None,
                         source=db_file,
                         _target=self.target,
-                        _user=user,
+                        _user=user.user,
                     )
             except SQLError as e:
                 self.target.log.warning("Error processing history file: %s", db_file, exc_info=e)
@@ -167,7 +212,7 @@ class FirefoxPlugin(BrowserPlugin):
                     yield self.BrowserCookieRecord(
                         ts_created=from_unix_us(cookie.creationTime),
                         ts_last_accessed=from_unix_us(cookie.lastAccessed),
-                        browser="Firefox",
+                        browser="firefox",
                         name=cookie.name,
                         value=cookie.value,
                         host=cookie.host,
@@ -177,7 +222,7 @@ class FirefoxPlugin(BrowserPlugin):
                         is_http_only=bool(cookie.isHttpOnly),
                         same_site=bool(cookie.sameSite),
                         source=db_file,
-                        _user=user,
+                        _user=user.user,
                     )
             except SQLError as e:
                 self.target.log.warning("Error processing cookie file: %s", db_file, exc_info=e)
@@ -261,8 +306,456 @@ class FirefoxPlugin(BrowserPlugin):
                         state=state,
                         source=db_file,
                         _target=self.target,
-                        _user=user,
+                        _user=user.user,
                     )
             except SQLError as e:
                 self.target.log.warning("Error processing history file: %s", db_file, exc_info=e)
-                self.target.log.warning("Error processing history file: %s", db_file, exc_info=e)
+
+    @export(record=BrowserExtensionRecord)
+    def extensions(self) -> Iterator[BrowserExtensionRecord]:
+        """Return browser extension records for Firefox.
+
+        Yields BrowserExtensionRecord with the following fields::
+            ts_install (datetime): Extension install timestamp.
+            ts_update (datetime): Extension update timestamp.
+            browser (string): The browser from which the records are generated.
+            id (string): Extension unique identifier.
+            name (string): Name of the extension.
+            short_name (string): Short name of the extension.
+            default_title (string): Default title of the extension.
+            description (string): Description of the extension.
+            version (string): Version of the extension.
+            ext_path (path): Relative path of the extension.
+            from_webstore (boolean): Extension from webstore.
+            permissions (string[]): Permissions of the extension.
+            manifest (varint): Version of the extensions' manifest.
+            optional_permissions (string[]): Optional permissions of the extension.
+            source_uri (path): Source path from which the extension was downloaded.
+            source (path): The source file of the download record.
+        """
+        for user, _, profile_dir in self._iter_profiles():
+            extension_file = profile_dir.joinpath("extensions.json")
+
+            if not extension_file.exists():
+                self.target.log.warning(
+                    "No 'extensions.json' addon file found for user %s in directory %s", user, profile_dir
+                )
+                continue
+
+            try:
+                extensions = json.load(extension_file.open())
+
+                for extension in extensions.get("addons", []):
+                    yield self.BrowserExtensionRecord(
+                        ts_install=extension.get("installDate", 0) // 1000,
+                        ts_update=extension.get("updateDate", 0) // 1000,
+                        browser="firefox",
+                        id=extension.get("id"),
+                        name=extension.get("defaultLocale", {}).get("name"),
+                        short_name=None,
+                        default_title=None,
+                        description=extension.get("defaultLocale", {}).get("description"),
+                        version=extension.get("version"),
+                        ext_path=extension.get("path"),
+                        from_webstore=None,
+                        permissions=extension.get("userPermissions", {}).get("permissions"),
+                        manifest_version=extension.get("manifestVersion"),
+                        source_uri=extension.get("sourceURI"),
+                        optional_permissions=extension.get("optionalPermissions", {}).get("permissions"),
+                        source=extension_file,
+                        _target=self.target,
+                        _user=user.user,
+                    )
+
+            except FileNotFoundError:
+                self.target.log.info(
+                    "No 'extensions.json' addon file found for user %s in directory %s", user, profile_dir
+                )
+            except json.JSONDecodeError:
+                self.target.log.warning(
+                    "extensions.json file in directory %s is malformed, consider inspecting the file manually",
+                    profile_dir,
+                )
+
+    @export(record=BrowserPasswordRecord)
+    def passwords(self) -> Iterator[BrowserPasswordRecord]:
+        """Return Firefox browser password records.
+
+        Automatically decrypts passwords from Firefox 58 onwards (2018) if no primary password is set.
+        Alternatively, you can supply a primary password through the keychain to access the Firefox password store.
+
+        ``PASSPHRASE`` passwords in the keychain with providers ``browser``, ``firefox``, ``user`` and no provider
+        can be used to decrypt secrets for this plugin.
+
+        Resources:
+            - https://github.com/lclevy/firepwd
+        """
+        for user, _, profile_dir in self._iter_profiles():
+            login_file = profile_dir.joinpath("logins.json")
+            key3_file = profile_dir.joinpath("key3.db")
+            key4_file = profile_dir.joinpath("key4.db")
+
+            if not login_file.exists():
+                self.target.log.warning(
+                    "No 'logins.json' password file found for user %s in directory %s", user, profile_dir
+                )
+                continue
+
+            if key3_file.exists() and not key4_file.exists():
+                self.target.log.warning("Unsupported file 'key3.db' found in %s", profile_dir)
+                continue
+
+            if not key4_file.exists():
+                self.target.log.warning("No 'key4.db' found in %s", profile_dir)
+                continue
+
+            try:
+                logins = json.load(login_file.open())
+
+                for login in logins.get("logins", []):
+                    decrypted_username = None
+                    decrypted_password = None
+
+                    for password in self.keychain():
+                        try:
+                            decrypted_username, decrypted_password = decrypt(
+                                login.get("encryptedUsername"),
+                                login.get("encryptedPassword"),
+                                key4_file,
+                                password,
+                            )
+                        except ValueError as e:
+                            self.target.log.warning("Exception while trying to decrypt")
+                            self.target.log.debug("", exc_info=e)
+
+                        if decrypted_password and decrypted_username:
+                            break
+
+                    yield self.BrowserPasswordRecord(
+                        ts_created=login.get("timeCreated", 0) // 1000,
+                        ts_last_used=login.get("timeLastUsed", 0) // 1000,
+                        ts_last_changed=login.get("timePasswordChanged", 0) // 1000,
+                        browser="firefox",
+                        id=login.get("id"),
+                        url=login.get("hostname"),
+                        encrypted_username=login.get("encryptedUsername"),
+                        encrypted_password=login.get("encryptedPassword"),
+                        decrypted_username=decrypted_username,
+                        decrypted_password=decrypted_password,
+                        source=login_file,
+                        _target=self.target,
+                        _user=user.user,
+                    )
+
+            except FileNotFoundError:
+                self.target.log.info("No password file found for user %s in directory %s", user, profile_dir)
+            except json.JSONDecodeError:
+                self.target.log.warning(
+                    "logins.json file in directory %s is malformed, consider inspecting the file manually", profile_dir
+                )
+
+
+# Define separately because it is not defined in asn1crypto
+pbeWithSha1AndTripleDES_CBC = "1.2.840.113549.1.12.5.1.3"
+CKA_ID = b"\xf8\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01"
+
+
+def decrypt_moz_3des(global_salt: bytes, primary_password: bytes, entry_salt: str, encrypted: bytes) -> bytes:
+    if not HAS_CRYPTO:
+        raise ValueError("Missing pycryptodome dependency")
+
+    hp = sha1(global_salt + primary_password).digest()
+    pes = entry_salt + b"\x00" * (20 - len(entry_salt))
+    chp = sha1(hp + entry_salt).digest()
+    k1 = hmac.new(chp, pes + entry_salt, sha1).digest()
+    tk = hmac.new(chp, pes, sha1).digest()
+    k2 = hmac.new(chp, tk + entry_salt, sha1).digest()
+    k = k1 + k2
+    iv = k[-8:]
+    key = k[:24]
+    return DES3.new(key, DES3.MODE_CBC, iv).decrypt(encrypted)
+
+
+def decode_login_data(data: str) -> tuple[bytes, bytes, bytes]:
+    """Decode Firefox login data.
+
+    Args:
+        data: Base64 encoded data in string format.
+
+    Raises:
+        ValueError: When missing ``pycryptodome`` or ``asn1crypto`` dependencies.
+
+    Returns:
+        Tuple of bytes with ``key_id``, ``iv`` and ``ciphertext``
+    """
+
+    # SEQUENCE {
+    #     KEY_ID
+    #     SEQUENCE {
+    #         OBJECT_IDENTIFIER
+    #         IV
+    #     }
+    #     CIPHERTEXT
+    # }
+
+    if not HAS_CRYPTO:
+        raise ValueError("Missing pycryptodome dependency")
+
+    if not HAS_ASN1:
+        raise ValueError("Missing asn1crypto dependency")
+
+    decoded = core.load(b64decode(data))
+    key_id = decoded[0].native
+    iv = decoded[1][1].native
+    ciphertext = decoded[2].native
+    return key_id, iv, ciphertext
+
+
+def decrypt_pbes2(decoded_item: core.Sequence, primary_password: bytes, global_salt: bytes) -> bytes:
+    """Decrypt an item with the given primary password and salt.
+
+    Args:
+        decoded_item: ``core.Sequence`` is a ``list`` representation of ``SEQUENCE`` as described below.
+        primary_password: ``bytes`` of Firefox primary password to decrypt ciphertext with.
+        global_salt: ``bytes`` of salt to prepend to primary password when calculating AES key.
+
+    Raises:
+        ValueError: When missing ``pycryptodome`` or ``asn1crypto`` dependencies.
+
+    Returns:
+        Bytes of decrypted AES ciphertext.
+    """
+
+    # SEQUENCE {
+    #   SEQUENCE {
+    #     OBJECTIDENTIFIER 1.2.840.113549.1.5.13 => pkcs5 pbes2
+    #     SEQUENCE {
+    #       SEQUENCE {
+    #         OBJECTIDENTIFIER 1.2.840.113549.1.5.12 => pbkdf2
+    #         SEQUENCE {
+    #           OCTETSTRING 32 bytes, entrySalt
+    #           INTEGER 01
+    #           INTEGER 20
+    #           SEQUENCE {
+    #             OBJECTIDENTIFIER 1.2.840.113549.2.9 => hmacWithSHA256
+    #           }
+    #         }
+    #       }
+    #       SEQUENCE {
+    #         OBJECTIDENTIFIER 2.16.840.1.101.3.4.1.42 => aes256-CBC
+    #         OCTETSTRING 14 bytes, iv
+    #       }
+    #     }
+    #   }
+    #   OCTETSTRING encrypted
+    # }
+
+    if not HAS_CRYPTO:
+        raise ValueError("Missing pycryptodome dependency")
+
+    if not HAS_ASN1:
+        raise ValueError("Missing asn1crypto dependency")
+
+    pkcs5_oid = decoded_item[0][1][0][0].dotted
+    if algos.KdfAlgorithmId.map(pkcs5_oid) != "pbkdf2":
+        raise ValueError(f"Expected pbkdf2 object identifier, got: {pkcs5_oid}")
+
+    sha256_oid = decoded_item[0][1][0][1][3][0].dotted
+    if algos.HmacAlgorithmId.map(sha256_oid) != "sha256":
+        raise ValueError(f"Expected SHA256 object identifier, got: {pkcs5_oid}")
+
+    aes256_cbc_oid = decoded_item[0][1][1][0].dotted
+    if algos.EncryptionAlgorithmId.map(aes256_cbc_oid) != "aes256_cbc":
+        raise ValueError(f"Expected AES256-CBC object identifier, got: {pkcs5_oid}")
+
+    entry_salt = decoded_item[0][1][0][1][0].native
+    iteration_count = decoded_item[0][1][0][1][1].native
+    key_length = decoded_item[0][1][0][1][2].native
+
+    if key_length != 32:
+        raise ValueError(f"Expected key_length to be 32, got: {key_length}")
+
+    k = sha1(global_salt + primary_password).digest()
+    key = pbkdf2_hmac("sha256", k, entry_salt, iteration_count, dklen=key_length)
+
+    iv = b"\x04\x0e" + decoded_item[0][1][1][1].native
+    cipher_text = decoded_item[1].native
+    return AES.new(key, AES.MODE_CBC, iv).decrypt(cipher_text)
+
+
+def decrypt_sha1_triple_des_cbc(decoded_item: core.Sequence, primary_password: bytes, global_salt: bytes) -> bytes:
+    """Decrypt an item with the given Firefox primary password and salt.
+
+    Args:
+        decoded_item: ``core.Sequence`` is a ``list`` representation of ``SEQUENCE`` as described below.
+        primary_password: ``bytes`` of Firefox primary password to decrypt ciphertext with.
+        global_salt: ``bytes`` of salt to prepend to primary password when calculating AES key.
+
+    Raises:
+        ValueError: When missing ``pycryptodome`` or ``asn1crypto`` dependencies.
+
+    Returns:
+        Bytes of decrypted 3DES ciphertext.
+    """
+
+    # SEQUENCE {
+    #     SEQUENCE {
+    #         OBJECTIDENTIFIER 1.2.840.113549.1.12.5.1.3
+    #         SEQUENCE {
+    #             OCTETSTRING entry_salt
+    #             INTEGER 01
+    #         }
+    #     }
+    #     OCTETSTRING encrypted
+    # }
+
+    entry_salt = decoded_item[0][1][0].native
+    cipher_text = decoded_item[1].native
+    key = decrypt_moz_3des(global_salt, primary_password, entry_salt, cipher_text)
+    return key[:24]
+
+
+def decrypt_master_key(decoded_item: core.Sequence, primary_password: bytes, global_salt: bytes) -> tuple[bytes, str]:
+    """Decrypt the provided ``core.Sequence`` with the provided Firefox primary password and salt.
+
+    At this stage we are not yet sure of the structure of ``decoded_item``. The structure will depend on the
+    ``core.Sequence`` object identifier at ``decoded_item[0][0]``, hence we extract it. This function will
+    then call the apropriate ``decrypt_pbes2``or ``decrypt_sha1_triple_des_cbc`` functions to decrypt the item.
+
+    Args:
+        decoded_item: ``core.Sequence`` is a ``list`` representation of ``SEQUENCE`` as described below.
+        primary_password: ``bytes`` of Firefox primary password to decrypt ciphertext with.
+        global_salt: ``bytes`` of salt to prepend to primary password when calculating AES key.
+
+    Raises:
+        ValueError: When missing ``pycryptodome`` or ``asn1crypto`` dependencies.
+
+    Returns:
+        Tuple of decrypted bytes and a string representation of the identified encryption algorithm.
+    """
+
+    # SEQUENCE {
+    #     SEQUENCE {
+    #         OBJECTIDENTIFIER ???
+    #         ...
+    #     }
+    #     ...
+    # }
+
+    if not HAS_CRYPTO:
+        raise ValueError("Missing pycryptodome dependency")
+
+    if not HAS_ASN1:
+        raise ValueError("Missing asn1crypto depdendency")
+
+    object_identifier = decoded_item[0][0]
+    algorithm = object_identifier.dotted
+
+    if algos.EncryptionAlgorithmId.map(algorithm) == "pbes2":
+        return decrypt_pbes2(decoded_item, primary_password, global_salt), algorithm
+    elif algorithm == pbeWithSha1AndTripleDES_CBC:
+        return decrypt_sha1_triple_des_cbc(decoded_item, primary_password, global_salt), algorithm
+    else:
+        # Firefox supports other algorithms (i.e. Firefox before 2018), but decrypting these is not (yet) supported.
+        return b"", algorithm
+
+
+def query_global_salt(key4_file: TargetPath) -> tuple[str, str]:
+    with key4_file.open("rb") as fh:
+        db = sqlite3.SQLite3(fh)
+        for row in db.table("metadata").rows():
+            if row.get("id") == "password":
+                return row.get("item1", ""), row.get("item2", "")
+
+
+def query_master_key(key4_file: TargetPath) -> tuple[str, str]:
+    with key4_file.open("rb") as fh:
+        db = sqlite3.SQLite3(fh)
+        for row in db.table("nssPrivate").rows():
+            return row.get("a11", ""), row.get("a102", "")
+
+
+def retrieve_master_key(primary_password: bytes, key4_file: TargetPath) -> tuple[bytes, str]:
+    if not HAS_CRYPTO:
+        raise ValueError("Missing pycryptodome dependency")
+
+    if not HAS_ASN1:
+        raise ValueError("Missing asn1crypto dependency")
+
+    global_salt, password_check = query_global_salt(key4_file)
+    decoded_password_check = core.load(password_check)
+
+    try:
+        decrypted_password_check, algorithm = decrypt_master_key(decoded_password_check, primary_password, global_salt)
+    except EOFError:
+        raise ValueError("No primary password provided")
+
+    if not decrypted_password_check:
+        raise ValueError(f"Encountered unknown algorithm {algorithm} while decrypting master key")
+
+    expected_password_check = b"password-check\x02\x02"
+    if decrypted_password_check != b"password-check\x02\x02":
+        log.debug("Expected %s but got %s", expected_password_check, decrypted_password_check)
+        raise ValueError("Master key decryption failed. Provided password could be missing or incorrect")
+
+    master_key, master_key_cka = query_master_key(key4_file)
+    if master_key == b"":
+        raise ValueError("Password master key is not defined")
+
+    if master_key_cka != CKA_ID:
+        raise ValueError(f"Password master key CKA_ID '{master_key_cka}' is not equal to expected value '{CKA_ID}'")
+
+    decoded_master_key = core.load(master_key)
+    decrypted, algorithm = decrypt_master_key(decoded_master_key, primary_password, global_salt)
+    return decrypted[:24], algorithm
+
+
+def decrypt_field(key: bytes, field: tuple[bytes, bytes, bytes]) -> bytes:
+    if not HAS_CRYPTO:
+        raise ValueError("Missing pycryptodome dependency")
+
+    cka, iv, ciphertext = field
+
+    if cka != CKA_ID:
+        raise ValueError(f"Expected cka to equal '{CKA_ID}' but got '{cka}'")
+
+    return unpad(DES3.new(key, DES3.MODE_CBC, iv).decrypt(ciphertext), 8)
+
+
+def decrypt(
+    username: str, password: str, key4_file: TargetPath, primary_password: str = ""
+) -> tuple[Optional[str], Optional[str]]:
+    """Decrypt a stored username and password using provided credentials and key4 file.
+
+    Args:
+        username: Encoded and encrypted password.
+        password Encoded and encrypted password.
+        key4_file: Path to key4.db file.
+        primary_password: Password to use for decryption routine.
+
+    Returns:
+        A tuple of decoded username and password strings.
+
+    Resources:
+        - https://github.com/lclevy/firepwd
+    """
+    if not HAS_CRYPTO:
+        raise ValueError("Missing pycryptodome dependency")
+
+    if not HAS_ASN1:
+        raise ValueError("Missing asn1crypto dependency")
+
+    try:
+        username = decode_login_data(username)
+        password = decode_login_data(password)
+
+        primary_password_bytes = primary_password.encode()
+        key, algorithm = retrieve_master_key(primary_password_bytes, key4_file)
+
+        if algorithm == pbeWithSha1AndTripleDES_CBC or algos.EncryptionAlgorithmId.map(algorithm) == "pbes2":
+            username = decrypt_field(key, username)
+            password = decrypt_field(key, password)
+            return username.decode(), password.decode()
+
+    except ValueError as e:
+        raise ValueError(f"Failed to decrypt password using keyfile: {key4_file}, password: {primary_password}") from e

dissect/target/plugins/apps/browser/iexplore.py

@@ -26,7 +26,7 @@ class WebCache:
         self.target = target
         self.db = esedb.EseDB(fh)
 
-    def find_containers(self, name: str) -> table.Table:
+    def find_containers(self, name: str) -> Iterator[table.Table]:
         """Look up all ``ContainerId`` values for a given container name.
 
         Args:
@@ -212,7 +212,7 @@ class InternetExplorerPlugin(BrowserPlugin):
                     ts_end=ts_end,
                     browser="iexplore",
                     id=container_record.EntryId,
-                    path=self.target.fs.path(down_path),
+                    path=self.target.fs.path(down_path) if down_path else None,
                     url=down_url,
                     size=None,
                     state=None,

dissect/target/plugins/apps/container/docker.py

@@ -23,16 +23,18 @@ DockerContainerRecord = TargetRecordDescriptor(
     [
         ("string", "container_id"),
         ("string", "image"),
+        ("string", "image_id"),
         ("string", "command"),
         ("datetime", "created"),
-        ("string", "running"),
+        ("boolean", "running"),
         ("varint", "pid"),
         ("datetime", "started"),
         ("datetime", "finished"),
         ("string", "ports"),
         ("string", "names"),
         ("stringlist", "volumes"),
-        ("string", "source"),
+        ("path", "mount_path"),
+        ("path", "config_path"),
     ],
 )
 
@@ -159,6 +161,9 @@ class DockerPlugin(Plugin):
         for data_root in self.installs:
             for config_path in data_root.joinpath("containers").glob("**/config.v2.json"):
                 config = json.loads(config_path.read_text())
+                container_id = config.get("ID")
+
+                # determine state
                 running = config.get("State").get("Running")
                 if running:
                     ports = config.get("NetworkSettings").get("Ports", {})
@@ -166,14 +171,28 @@ class DockerPlugin(Plugin):
                 else:
                     ports = config.get("Config").get("ExposedPorts", {})
                     pid = None
+
+                # parse volumes
                 volumes = []
                 if mount_points := config.get("MountPoints"):
                     for mp in mount_points:
                         mount_point = mount_points[mp]
                         volumes.append(f"{mount_point.get('Source')}:{mount_point.get('Destination')}")
+
+                # determine mount point
+                mount_path = None
+                if config.get("Driver") == "overlay2":
+                    mount_path = data_root.joinpath("image/overlay2/layerdb/mounts", container_id)
+                    if not mount_path.exists():
+                        self.target.log.warning("Overlay2 mount path for container %s does not exist!", container_id)
+
+                else:
+                    self.target.log.warning("Encountered unsupported container filesystem %s", config.get("Driver"))
+
                 yield DockerContainerRecord(
-                    container_id=config.get("ID"),
+                    container_id=container_id,
                     image=config.get("Config").get("Image"),
+                    image_id=config.get("Image").split(":")[-1],
                     command=config.get("Config").get("Cmd"),
                     created=convert_timestamp(config.get("Created")),
                     running=running,
@@ -183,7 +202,8 @@ class DockerPlugin(Plugin):
                     ports=convert_ports(ports),
                     names=config.get("Name").replace("/", "", 1),
                     volumes=volumes,
-                    source=config_path,
+                    mount_path=mount_path,
+                    config_path=config_path,
                     _target=self.target,
                 )