dissect.target 3.17.dev31__py3-none-any.whl → 3.17.dev34__py3-none-any.whl

dissect/target/filesystems/dir.py

@@ -7,6 +7,7 @@ from dissect.target.exceptions import (
     FilesystemError,
     IsADirectoryError,
     NotADirectoryError,
+    NotASymlinkError,
 )
 from dissect.target.filesystem import Filesystem, FilesystemEntry
 from dissect.target.helpers import fsutil
@@ -55,6 +56,8 @@ class DirectoryFilesystem(Filesystem):
 
 
 class DirectoryFilesystemEntry(FilesystemEntry):
+    entry: Path
+
     def get(self, path: str) -> FilesystemEntry:
         path = fsutil.join(self.path, path, alt_separator=self.fs.alt_separator)
         return self.fs.get(path)
@@ -113,7 +116,17 @@ class DirectoryFilesystemEntry(FilesystemEntry):
             return False
 
     def readlink(self) -> str:
-        return os.readlink(self.entry)  # Python 3.7 compatibility
+        if not self.is_symlink():
+            raise NotASymlinkError()
+
+        # We want to get the "truest" form of the symlink
+        # If we use the readlink() of pathlib.Path directly, it gets thrown into the path parsing of pathlib
+        # Because DirectoryFilesystem may also be used with TargetPath, we specifically handle that case here
+        # and use os.readlink for host paths
+        if isinstance(self.entry, fsutil.TargetPath):
+            return self.entry.get().readlink()
+        else:
+            return os.readlink(self.entry)
 
     def stat(self, follow_symlinks: bool = True) -> fsutil.stat_result:
         return self._resolve(follow_symlinks=follow_symlinks).entry.lstat()

dissect/target/filesystems/overlay.py

@@ -0,0 +1,103 @@
+import json
+import logging
+from pathlib import Path
+
+from dissect.target.filesystem import LayerFilesystem, VirtualFilesystem
+from dissect.target.filesystems.dir import DirectoryFilesystem
+
+log = logging.getLogger(__name__)
+
+
+class Overlay2Filesystem(LayerFilesystem):
+    """Overlay 2 filesystem implementation.
+
+    Deleted files will be present on the reconstructed filesystem.
+    Volumes and bind mounts will be added to their respective mount locations.
+    Does not support tmpfs mounts.
+
+    References:
+        - https://docs.docker.com/storage/storagedriver/
+        - https://docs.docker.com/storage/volumes/
+        - https://www.didactic-security.com/resources/docker-forensics.pdf
+        - https://www.didactic-security.com/resources/docker-forensics-cheatsheet.pdf
+        - https://github.com/google/docker-explorer
+    """
+
+    __type__ = "overlay2"
+
+    def __init__(self, path: Path, *args, **kwargs):
+        super().__init__(*args, **kwargs)
+        self.base_path = path
+
+        # base_path is /foo/bar/image/overlay2/layerdb/mounts/<id> so we traverse up to /foo/bar to get to the root.
+        root = path.parents[4]
+
+        layers = []
+        parent_layer = path.joinpath("parent").read_text()
+
+        # iterate over all image layers
+        while parent_layer:
+            hash_type, layer_hash = parent_layer.split(":")
+            layer_ref = root.joinpath("image", "overlay2", "layerdb", hash_type, layer_hash)
+            cache_id = layer_ref.joinpath("cache-id").read_text()
+            layers.append(("/", root.joinpath("overlay2", cache_id, "diff")))
+
+            if (parent_file := layer_ref.joinpath("parent")).exists():
+                parent_layer = parent_file.read_text()
+            else:
+                parent_layer = None
+
+        # add the container layers
+        for container_layer_name in ["init-id", "mount-id"]:
+            layer = path.joinpath(container_layer_name).read_text()
+            layers.append(("/", root.joinpath("overlay2", layer, "diff")))
+
+        # add anonymous volumes, named volumes and bind mounts
+        if (config_path := root.joinpath("containers", path.name, "config.v2.json")).exists():
+            try:
+                config = json.loads(config_path.read_text())
+            except json.JSONDecodeError as e:
+                log.warning("Unable to parse overlay mounts for container %s", path.name)
+                log.debug("", exc_info=e)
+                return
+
+            for mount in config.get("MountPoints").values():
+                if not mount["Type"] in ["volume", "bind"]:
+                    log.warning("Encountered unsupported mount type %s in container %s", mount["Type"], path.name)
+                    continue
+
+                if not mount["Source"] and mount["Name"]:
+                    # anonymous volumes do not have a Source but a volume id
+                    layer = root.joinpath("volumes", mount["Name"], "_data")
+                elif mount["Source"]:
+                    # named volumes and bind mounts have a Source set
+                    layer = root.parents[-1].joinpath(mount["Source"])
+                else:
+                    log.warning("Could not determine layer source for mount in container %s", path.name)
+                    log.debug(json.dumps(mount))
+                    continue
+
+                layers.append((mount["Destination"], layer))
+
+        # add hosts, hostname and resolv.conf files
+        for file in ["HostnamePath", "HostsPath", "ResolvConfPath"]:
+            if not config.get(file) or not (fp := path.parents[-1].joinpath(config.get(file))).exists():
+                log.warning("Container %s has no %s mount", path.name, file)
+                continue
+
+            layers.append(("/etc/" + fp.name, fp))
+
+        # append and mount every layer
+        for dest, layer in layers:
+            if layer.is_file() and dest in ["/etc/hosts", "/etc/hostname", "/etc/resolv.conf"]:
+                layer_fs = VirtualFilesystem()
+                layer_fs.map_file_fh("/etc/" + layer.name, layer.open("rb"))
+                dest = dest.split("/")[0]
+
+            else:
+                layer_fs = DirectoryFilesystem(layer)
+
+            self.append_layer().mount(dest, layer_fs)
+
+    def __repr__(self) -> str:
+        return f"<{self.__class__.__name__} {self.base_path}>"

dissect/target/helpers/compat/path_common.py

@@ -3,6 +3,7 @@ from __future__ import annotations
 import io
 import posixpath
 import stat
+import sys
 from typing import IO, TYPE_CHECKING, Iterator, Literal, Optional
 
 if TYPE_CHECKING:
@@ -27,11 +28,24 @@ try:
             self._fs = path._fs
             self._flavour = path._flavour
 
-        def __getitem__(self, idx: int) -> TargetPath:
-            result = super().__getitem__(idx)
-            result._fs = self._fs
-            result._flavour = self._flavour
-            return result
+        if sys.version_info >= (3, 10):
+
+            def __getitem__(self, idx: int) -> TargetPath:
+                result = super().__getitem__(idx)
+                result._fs = self._fs
+                result._flavour = self._flavour
+                return result
+
+        else:
+
+            def __getitem__(self, idx: int) -> TargetPath:
+                if idx < 0:
+                    idx = len(self) + idx
+
+                result = super().__getitem__(idx)
+                result._fs = self._fs
+                result._flavour = self._flavour
+                return result
 
 except ImportError:
     pass

dissect/target/loader.py

@@ -199,6 +199,7 @@ register("target", "TargetLoader")
 register("log", "LogLoader")
 # Disabling ResLoader because of DIS-536
 # register("res", "ResLoader")
+register("overlay", "Overlay2Loader")
 register("phobos", "PhobosLoader")
 register("velociraptor", "VelociraptorLoader")
 register("smb", "SmbLoader")

dissect/target/loaders/dir.py

@@ -1,9 +1,11 @@
 from __future__ import annotations
 
 import zipfile
+from collections import defaultdict
 from pathlib import Path
 from typing import TYPE_CHECKING
 
+from dissect.target.filesystem import LayerFilesystem
 from dissect.target.filesystems.dir import DirectoryFilesystem
 from dissect.target.filesystems.zip import ZipFilesystem
 from dissect.target.helpers import loaderutil
@@ -48,6 +50,7 @@ def map_dirs(target: Target, dirs: list[Path | tuple[str, Path]], os_type: str,
         alt_separator = "\\"
         case_sensitive = False
 
+    drive_letter_map = defaultdict(list)
     for path in dirs:
         drive_letter = None
         if isinstance(path, tuple):
@@ -59,13 +62,28 @@ def map_dirs(target: Target, dirs: list[Path | tuple[str, Path]], os_type: str,
             dfs = ZipFilesystem(path.root.fp, path.at, alt_separator=alt_separator, case_sensitive=case_sensitive)
         else:
             dfs = DirectoryFilesystem(path, alt_separator=alt_separator, case_sensitive=case_sensitive)
-        target.filesystems.add(dfs)
 
-        if os_type == OperatingSystem.WINDOWS:
-            loaderutil.add_virtual_ntfs_filesystem(target, dfs, **kwargs)
+        drive_letter_map[drive_letter].append(dfs)
+
+    fs_to_add = []
+    for drive_letter, dfs in drive_letter_map.items():
+        if drive_letter is not None:
+            if len(dfs) > 1:
+                vfs = LayerFilesystem()
+                for fs in dfs:
+                    vfs.append_fs_layer(fs)
+            else:
+                vfs = dfs[0]
 
-            if drive_letter is not None:
-                target.fs.mount(drive_letter.lower() + ":", dfs)
+            fs_to_add.append(vfs)
+            target.fs.mount(drive_letter.lower() + ":", vfs)
+        else:
+            fs_to_add.extend(dfs)
+
+    for fs in fs_to_add:
+        target.filesystems.add(fs)
+        if os_type == OperatingSystem.WINDOWS:
+            loaderutil.add_virtual_ntfs_filesystem(target, fs, **kwargs)
 
 
 def find_and_map_dirs(target: Target, path: Path, **kwargs) -> None:

dissect/target/loaders/itunes.py

@@ -28,9 +28,9 @@ except ImportError:
 try:
     from Crypto.Cipher import AES
 
-    HAS_PYCRYPTODOME = True
+    HAS_CRYPTO = True
 except ImportError:
-    HAS_PYCRYPTODOME = False
+    HAS_CRYPTO = False
 
 
 DOMAIN_TRANSLATION = {
@@ -383,7 +383,7 @@ def _create_cipher(key: bytes, iv: bytes = b"\x00" * 16, mode: str = "cbc") -> A
             raise ValueError(f"Invalid key size: {key_size}")
 
         return _pystandalone.cipher(f"aes-{key_size * 8}-{mode}", key, iv)
-    elif HAS_PYCRYPTODOME:
+    elif HAS_CRYPTO:
         mode_map = {
             "cbc": (AES.MODE_CBC, True),
             "ecb": (AES.MODE_ECB, False),

dissect/target/loaders/overlay.py

@@ -0,0 +1,31 @@
+from dissect.target.filesystems.overlay import Overlay2Filesystem
+from dissect.target.helpers.fsutil import TargetPath
+from dissect.target.loader import Loader
+from dissect.target.target import Target
+
+
+class Overlay2Loader(Loader):
+    """Load overlay2 filesystems"""
+
+    def __init__(self, path: TargetPath, **kwargs):
+        super().__init__(path.resolve(), **kwargs)
+
+    @staticmethod
+    def detect(path: TargetPath) -> bool:
+        # path should be a folder
+        if not path.is_dir():
+            return False
+
+        # with the following three files
+        for required_file in ["init-id", "parent", "mount-id"]:
+            if not path.joinpath(required_file).exists():
+                return False
+
+        # and should have the following parent folders
+        if "image/overlay2/layerdb/mounts/" not in path.as_posix():
+            return False
+
+        return True
+
+    def map(self, target: Target) -> None:
+        target.filesystems.add(Overlay2Filesystem(self.path))

dissect/target/loaders/velociraptor.py

@@ -61,6 +61,10 @@ def extract_drive_letter(name: str) -> Optional[str]:
     if len(name) == 14 and name.startswith("%5C%5C.%5C") and name.endswith("%3A"):
         return name[10].lower()
 
+    # X: in URL encoding
+    if len(name) == 4 and name.endswith("%3A"):
+        return name[0].lower()
+
 
 class VelociraptorLoader(DirLoader):
     """Load Rapid7 Velociraptor forensic image files.
@@ -71,10 +75,7 @@ class VelociraptorLoader(DirLoader):
         {"Generic.Collectors.File":{"Root":"/","collectionSpec":"Glob\\netc/**\\nvar/log/**"}}
 
     Generic.Collectors.File (Windows) and Windows.KapeFiles.Targets (Windows) uses the accessors mft, ntfs, lazy_ntfs,
-    ntfs_vss and auto. The loader only supports a collection where a single accessor is used, which can be forced by
-    using the following configuration::
-
-        {"Windows.KapeFiles.Targets":{"VSSAnalysisAge":"1000","_SANS_Triage":"Y"}}
+    ntfs_vss and auto. The loader supports a collection where multiple accessors were used.
 
     References:
         - https://www.rapid7.com/products/velociraptor/

dissect/target/plugins/apps/browser/brave.py

@@ -8,6 +8,7 @@ from dissect.target.plugins.apps.browser.browser import (
     GENERIC_DOWNLOAD_RECORD_FIELDS,
     GENERIC_EXTENSION_RECORD_FIELDS,
     GENERIC_HISTORY_RECORD_FIELDS,
+    GENERIC_PASSWORD_RECORD_FIELDS,
     BrowserPlugin,
 )
 from dissect.target.plugins.apps.browser.chromium import (
@@ -47,6 +48,10 @@ class BravePlugin(ChromiumMixin, BrowserPlugin):
         "browser/brave/extension", GENERIC_EXTENSION_RECORD_FIELDS
     )
 
+    BrowserPasswordRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
+        "browser/brave/password", GENERIC_PASSWORD_RECORD_FIELDS
+    )
+
     @export(record=BrowserHistoryRecord)
     def history(self) -> Iterator[BrowserHistoryRecord]:
         """Return browser history records for Brave."""
@@ -66,3 +71,8 @@ class BravePlugin(ChromiumMixin, BrowserPlugin):
     def extensions(self) -> Iterator[BrowserExtensionRecord]:
         """Return browser extension records for Brave."""
         yield from super().extensions("brave")
+
+    @export(record=BrowserPasswordRecord)
+    def passwords(self) -> Iterator[BrowserPasswordRecord]:
+        """Return browser password records for Brave."""
+        yield from super().passwords("brave")

dissect/target/plugins/apps/browser/browser.py

@@ -1,6 +1,10 @@
+from functools import cache
+
+from dissect.target.helpers import keychain
 from dissect.target.helpers.descriptor_extensions import UserRecordDescriptorExtension
 from dissect.target.helpers.record import create_extended_descriptor
 from dissect.target.plugin import NamespacePlugin
+from dissect.target.target import Target
 
 GENERIC_DOWNLOAD_RECORD_FIELDS = [
     ("datetime", "ts_start"),
@@ -63,6 +67,21 @@ GENERIC_HISTORY_RECORD_FIELDS = [
     ("uri", "from_url"),
     ("path", "source"),
 ]
+
+GENERIC_PASSWORD_RECORD_FIELDS = [
+    ("datetime", "ts_created"),
+    ("datetime", "ts_last_used"),
+    ("datetime", "ts_last_changed"),
+    ("string", "browser"),
+    ("varint", "id"),
+    ("uri", "url"),
+    ("string", "encrypted_username"),
+    ("string", "encrypted_password"),
+    ("string", "decrypted_username"),
+    ("string", "decrypted_password"),
+    ("path", "source"),
+]
+
 BrowserDownloadRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
     "browser/download", GENERIC_DOWNLOAD_RECORD_FIELDS
 )
@@ -75,11 +94,35 @@ BrowserHistoryRecord = create_extended_descriptor([UserRecordDescriptorExtension
 BrowserCookieRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
     "browser/cookie", GENERIC_COOKIE_FIELDS
 )
+BrowserPasswordRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
+    "browser/password", GENERIC_PASSWORD_RECORD_FIELDS
+)
 
 
 class BrowserPlugin(NamespacePlugin):
     __namespace__ = "browser"
 
+    def __init__(self, target: Target):
+        super().__init__(target)
+        self.keychain = cache(self.keychain)
+
+    def keychain(self) -> set:
+        """Retrieve a set of passphrases to use for decrypting saved browser credentials.
+
+        Always adds an empty passphrase as some browsers encrypt values using empty passphrases.
+
+        Returns:
+            Set of passphrase strings.
+        """
+        passphrases = set()
+        for provider in [self.__namespace__, "browser", "user", None]:
+            for key in keychain.get_keys_for_provider(provider) if provider else keychain.get_keys_without_provider():
+                if key.key_type == keychain.KeyType.PASSPHRASE:
+                    passphrases.add(key.value)
+
+        passphrases.add("")
+        return passphrases
+
 
 def try_idna(url: str) -> bytes:
     """Attempts to convert a possible Unicode url to ASCII using the IDNA standard.

dissect/target/plugins/apps/browser/chrome.py

@@ -8,6 +8,7 @@ from dissect.target.plugins.apps.browser.browser import (
     GENERIC_DOWNLOAD_RECORD_FIELDS,
     GENERIC_EXTENSION_RECORD_FIELDS,
     GENERIC_HISTORY_RECORD_FIELDS,
+    GENERIC_PASSWORD_RECORD_FIELDS,
     BrowserPlugin,
 )
 from dissect.target.plugins.apps.browser.chromium import (
@@ -49,6 +50,10 @@ class ChromePlugin(ChromiumMixin, BrowserPlugin):
         "browser/chrome/extension", GENERIC_EXTENSION_RECORD_FIELDS
     )
 
+    BrowserPasswordRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
+        "browser/chrome/password", GENERIC_PASSWORD_RECORD_FIELDS
+    )
+
     @export(record=BrowserHistoryRecord)
     def history(self) -> Iterator[BrowserHistoryRecord]:
         """Return browser history records for Google Chrome."""
@@ -68,3 +73,8 @@ class ChromePlugin(ChromiumMixin, BrowserPlugin):
     def extensions(self) -> Iterator[BrowserExtensionRecord]:
         """Return browser extension records for Google Chrome."""
         yield from super().extensions("chrome")
+
+    @export(record=BrowserPasswordRecord)
+    def passwords(self) -> Iterator[BrowserPasswordRecord]:
+        """Return browser password records for Google Chrome."""
+        yield from super().passwords("chrome")