dissect.target 3.18.dev15__py3-none-any.whl → 3.19__py3-none-any.whl

dissect/target/plugins/apps/browser/firefox.py

@@ -3,6 +3,7 @@ import json
 import logging
 from base64 import b64decode
 from hashlib import pbkdf2_hmac, sha1
+from itertools import chain
 from typing import Iterator, Optional
 
 from dissect.sql import sqlite3
@@ -14,7 +15,7 @@ from dissect.target.exceptions import FileNotFoundError, UnsupportedPluginError
 from dissect.target.helpers.descriptor_extensions import UserRecordDescriptorExtension
 from dissect.target.helpers.fsutil import TargetPath
 from dissect.target.helpers.record import create_extended_descriptor
-from dissect.target.plugin import export
+from dissect.target.plugin import OperatingSystem, export
 from dissect.target.plugins.apps.browser.browser import (
     GENERIC_COOKIE_FIELDS,
     GENERIC_DOWNLOAD_RECORD_FIELDS,
@@ -24,7 +25,7 @@ from dissect.target.plugins.apps.browser.browser import (
     BrowserPlugin,
     try_idna,
 )
-from dissect.target.plugins.general.users import UserDetails
+from dissect.target.plugins.general.users import UserRecord
 
 try:
     from asn1crypto import algos, core
@@ -44,7 +45,10 @@ try:
 except ImportError:
     HAS_CRYPTO = False
 
-FIREFOX_EXTENSION_RECORD_FIELDS = [("uri", "source_uri"), ("string[]", "optional_permissions")]
+FIREFOX_EXTENSION_RECORD_FIELDS = [
+    ("uri", "source_uri"),
+    ("string[]", "optional_permissions"),
+]
 
 log = logging.getLogger(__name__)
 
@@ -54,7 +58,7 @@ class FirefoxPlugin(BrowserPlugin):
 
     __namespace__ = "firefox"
 
-    DIRS = [
+    USER_DIRS = [
         # Windows
         "AppData/Roaming/Mozilla/Firefox/Profiles",
         "AppData/local/Mozilla/Firefox/Profiles",
@@ -66,6 +70,10 @@ class FirefoxPlugin(BrowserPlugin):
         "Library/Application Support/Firefox",
     ]
 
+    SYSTEM_DIRS = [
+        "/data/data/org.mozilla.vrbrowser/files/mozilla",
+    ]
+
     BrowserHistoryRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
         "browser/firefox/history", GENERIC_HISTORY_RECORD_FIELDS
     )
@@ -79,7 +87,8 @@ class FirefoxPlugin(BrowserPlugin):
     )
 
     BrowserExtensionRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
-        "browser/firefox/extension", GENERIC_EXTENSION_RECORD_FIELDS + FIREFOX_EXTENSION_RECORD_FIELDS
+        "browser/firefox/extension",
+        GENERIC_EXTENSION_RECORD_FIELDS + FIREFOX_EXTENSION_RECORD_FIELDS,
     )
 
     BrowserPasswordRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
@@ -88,27 +97,32 @@ class FirefoxPlugin(BrowserPlugin):
 
     def __init__(self, target):
         super().__init__(target)
-        self.users_dirs: list[tuple[UserDetails, TargetPath]] = []
+        self.dirs: list[tuple[UserRecord, TargetPath]] = []
+
         for user_details in self.target.user_details.all_with_home():
-            for directory in self.DIRS:
+            for directory in self.USER_DIRS:
                 cur_dir = user_details.home_path.joinpath(directory)
                 if not cur_dir.exists():
                     continue
-                self.users_dirs.append((user_details, cur_dir))
+                self.dirs.append((user_details.user, cur_dir))
+
+        for directory in self.SYSTEM_DIRS:
+            if (cur_dir := target.fs.path(directory)).exists():
+                self.dirs.append((None, cur_dir))
 
     def check_compatible(self) -> None:
-        if not len(self.users_dirs):
+        if not len(self.dirs):
             raise UnsupportedPluginError("No Firefox directories found")
 
-    def _iter_profiles(self) -> Iterator[tuple[UserDetails, TargetPath, TargetPath]]:
+    def _iter_profiles(self) -> Iterator[tuple[UserRecord, TargetPath, TargetPath]]:
         """Yield user directories."""
-        for user, cur_dir in self.users_dirs:
+        for user, cur_dir in self.dirs:
             for profile_dir in cur_dir.iterdir():
                 if not profile_dir.is_dir():
                     continue
                 yield user, cur_dir, profile_dir
 
-    def _iter_db(self, filename: str) -> Iterator[tuple[UserDetails, SQLite3]]:
+    def _iter_db(self, filename: str) -> Iterator[tuple[UserRecord, SQLite3]]:
         """Yield opened history database files of all users.
 
         Args:
@@ -117,12 +131,24 @@ class FirefoxPlugin(BrowserPlugin):
         Yields:
             Opened SQLite3 databases.
         """
-        for user, cur_dir, profile_dir in self._iter_profiles():
-            db_file = profile_dir.joinpath(filename)
+        iter_system = ((None, system_dir, None) for user, system_dir in self.dirs if user is None)
+
+        for user, cur_dir, profile_dir in chain(iter_system, self._iter_profiles()):
+            if user is None and profile_dir is None:
+                db_file = cur_dir.parent.joinpath(filename)
+                # On some Android variants, some files may exist in the base directory (places.sqlite) but others
+                # in a nested profile directory (cookies.sqlite)
+                # /data/data/org.mozilla.vrbrowser/files/places.sqlite
+                # /data/data/org.mozilla.vrbrowser/files/mozilla/xxxxxx.default/cookies.sqlite
+                if not db_file.exists():
+                    continue
+            else:
+                db_file = profile_dir.joinpath(filename)
+
             try:
                 yield user, db_file, sqlite3.SQLite3(db_file.open())
             except FileNotFoundError:
-                self.target.log.warning("Could not find %s file: %s", filename, db_file)
+                self.target.log.info("Could not find %s file: %s", filename, db_file)
             except SQLError as e:
                 self.target.log.warning("Could not open %s file: %s", filename, db_file)
                 self.target.log.debug("", exc_info=e)
@@ -151,6 +177,11 @@ class FirefoxPlugin(BrowserPlugin):
             from_url (uri): URL of the "from" visit.
             source: (path): The source file of the history record.
         """
+        if self.target.os == OperatingSystem.ANDROID:
+            from_timestamp = from_unix_ms
+        else:
+            from_timestamp = from_unix_us
+
         for user, db_file, db in self._iter_db("places.sqlite"):
             try:
                 places = {row.id: row for row in db.table("moz_places").rows()}
@@ -167,7 +198,7 @@ class FirefoxPlugin(BrowserPlugin):
                         from_visit, from_place = None, None
 
                     yield self.BrowserHistoryRecord(
-                        ts=from_unix_us(row.visit_date),
+                        ts=from_timestamp(row.visit_date),
                         browser="firefox",
                         id=row.id,
                         url=try_idna(place.url),
@@ -183,7 +214,7 @@ class FirefoxPlugin(BrowserPlugin):
                         from_url=try_idna(from_place.url) if from_place else None,
                         source=db_file,
                         _target=self.target,
-                        _user=user.user,
+                        _user=user,
                     )
             except SQLError as e:
                 self.target.log.warning("Error processing history file: %s", db_file, exc_info=e)
@@ -228,7 +259,8 @@ class FirefoxPlugin(BrowserPlugin):
                         is_http_only=bool(cookie.isHttpOnly),
                         same_site=bool(cookie.sameSite),
                         source=db_file,
-                        _user=user.user,
+                        _target=self.target,
+                        _user=user,
                     )
             except SQLError as e:
                 self.target.log.warning("Error processing cookie file: %s", db_file, exc_info=e)
@@ -254,7 +286,10 @@ class FirefoxPlugin(BrowserPlugin):
         for user, db_file, db in self._iter_db("places.sqlite"):
             try:
                 places = {row.id: row for row in db.table("moz_places").rows()}
-                attributes = {row.id: row.name for row in db.table("moz_anno_attributes").rows()}
+                if not (moz_anno_attributes := db.table("moz_anno_attributes")):
+                    continue
+
+                attributes = {row.id: row.name for row in moz_anno_attributes.rows()}
                 annotations = {}
 
                 for row in db.table("moz_annos"):
@@ -315,7 +350,7 @@ class FirefoxPlugin(BrowserPlugin):
                         state=state,
                         source=db_file,
                         _target=self.target,
-                        _user=user.user,
+                        _user=user,
                     )
             except SQLError as e:
                 self.target.log.warning("Error processing history file: %s", db_file, exc_info=e)
@@ -350,7 +385,9 @@ class FirefoxPlugin(BrowserPlugin):
 
             if not extension_file.exists():
                 self.target.log.warning(
-                    "No 'extensions.json' addon file found for user %s in directory %s", user, profile_dir
+                    "No 'extensions.json' addon file found for user %s in directory %s",
+                    user.name,
+                    profile_dir,
                 )
                 continue
 
@@ -359,29 +396,31 @@ class FirefoxPlugin(BrowserPlugin):
 
                 for extension in extensions.get("addons", []):
                     yield self.BrowserExtensionRecord(
-                        ts_install=extension.get("installDate", 0) // 1000,
-                        ts_update=extension.get("updateDate", 0) // 1000,
+                        ts_install=from_unix_ms(extension.get("installDate", 0)),
+                        ts_update=from_unix_ms(extension.get("updateDate", 0)),
                         browser="firefox",
                         id=extension.get("id"),
-                        name=extension.get("defaultLocale", {}).get("name"),
+                        name=(extension.get("defaultLocale", {}) or {}).get("name"),
                         short_name=None,
                         default_title=None,
-                        description=extension.get("defaultLocale", {}).get("description"),
+                        description=(extension.get("defaultLocale", {}) or {}).get("description"),
                         version=extension.get("version"),
                         ext_path=extension.get("path"),
                         from_webstore=None,
-                        permissions=extension.get("userPermissions", {}).get("permissions"),
+                        permissions=(extension.get("userPermissions", {}) or {}).get("permissions"),
                         manifest_version=extension.get("manifestVersion"),
                         source_uri=extension.get("sourceURI"),
-                        optional_permissions=extension.get("optionalPermissions", {}).get("permissions"),
+                        optional_permissions=(extension.get("optionalPermissions", {}) or {}).get("permissions"),
                         source=extension_file,
                         _target=self.target,
-                        _user=user.user,
+                        _user=user,
                     )
 
             except FileNotFoundError:
                 self.target.log.info(
-                    "No 'extensions.json' addon file found for user %s in directory %s", user, profile_dir
+                    "No 'extensions.json' addon file found for user %s in directory %s",
+                    user.name,
+                    profile_dir,
                 )
             except json.JSONDecodeError:
                 self.target.log.warning(
@@ -409,7 +448,9 @@ class FirefoxPlugin(BrowserPlugin):
 
             if not login_file.exists():
                 self.target.log.warning(
-                    "No 'logins.json' password file found for user %s in directory %s", user, profile_dir
+                    "No 'logins.json' password file found for user %s in directory %s",
+                    user.name,
+                    profile_dir,
                 )
                 continue
 
@@ -444,9 +485,9 @@ class FirefoxPlugin(BrowserPlugin):
                             break
 
                     yield self.BrowserPasswordRecord(
-                        ts_created=login.get("timeCreated", 0) // 1000,
-                        ts_last_used=login.get("timeLastUsed", 0) // 1000,
-                        ts_last_changed=login.get("timePasswordChanged", 0) // 1000,
+                        ts_created=from_unix_ms(login.get("timeCreated", 0)),
+                        ts_last_used=from_unix_ms(login.get("timeLastUsed", 0)),
+                        ts_last_changed=from_unix_ms(login.get("timePasswordChanged", 0)),
                         browser="firefox",
                         id=login.get("id"),
                         url=login.get("hostname"),
@@ -456,14 +497,19 @@ class FirefoxPlugin(BrowserPlugin):
                         decrypted_password=decrypted_password,
                         source=login_file,
                         _target=self.target,
-                        _user=user.user,
+                        _user=user,
                     )
 
             except FileNotFoundError:
-                self.target.log.info("No password file found for user %s in directory %s", user, profile_dir)
+                self.target.log.info(
+                    "No password file found for user %s in directory %s",
+                    user.name,
+                    profile_dir,
+                )
             except json.JSONDecodeError:
                 self.target.log.warning(
-                    "logins.json file in directory %s is malformed, consider inspecting the file manually", profile_dir
+                    "logins.json file in directory %s is malformed, consider inspecting the file manually",
+                    profile_dir,
                 )
 
 

dissect/target/plugins/apps/remoteaccess/anydesk.py

@@ -1,91 +1,111 @@
-from datetime import datetime
+import re
+from datetime import datetime, timezone
+from typing import Iterator
 
 from dissect.target.exceptions import UnsupportedPluginError
+from dissect.target.helpers.descriptor_extensions import UserRecordDescriptorExtension
+from dissect.target.helpers.fsutil import TargetPath
+from dissect.target.helpers.record import create_extended_descriptor
 from dissect.target.plugin import export
 from dissect.target.plugins.apps.remoteaccess.remoteaccess import (
+    GENERIC_LOG_RECORD_FIELDS,
     RemoteAccessPlugin,
-    RemoteAccessRecord,
 )
+from dissect.target.plugins.general.users import UserDetails
 
 
 class AnydeskPlugin(RemoteAccessPlugin):
-    """
-    Anydesk plugin.
-    """
+    """Anydesk plugin."""
 
     __namespace__ = "anydesk"
 
     # Anydesk logs when installed as a service
     SERVICE_GLOBS = [
-        "/sysvol/ProgramData/AnyDesk/*.trace",  # Standard client >= Windows 7
-        "/sysvol/ProgramData/AnyDesk/ad_*/*.trace",  # Custom client >= Windows 7
-        "/var/log/anydesk*.trace",  # Standard/Custom client Linux/MacOS
+        # Standard client >= Windows 7
+        "sysvol/ProgramData/AnyDesk/*.trace",
+        # Custom client >= Windows 7
+        "sysvol/ProgramData/AnyDesk/ad_*/*.trace",
+        # Windows XP / 2003
+        "sysvol/Documents and Settings/Public/AnyDesk/*.trace",
+        "sysvol/Documents and Settings/Public/AnyDesk/ad_*/*.trace",
+        # Standard/Custom client Linux/MacOS
+        "var/log/anydesk*/*.trace",
     ]
 
     # User specific Anydesk logs
     USER_GLOBS = [
-        "appdata/roaming/AnyDesk/*.trace",  # Standard client Windows
-        "appdata/roaming/AnyDesk/ad_*/*.trace",  # Custom client Windows
-        ".anydesk/*.trace",  # Standard client Linux/MacOS
-        ".anydesk_ad_*/*.trace",  # Custom client Linux/MacOS
+        # Standard client Windows
+        "AppData/Roaming/AnyDesk/*.trace",
+        # Custom client Windows
+        "AppData/Roaming/AnyDesk/ad_*/*.trace",
+        # Windows XP / 2003
+        "AppData/AnyDesk/*.trace",
+        # Standard client Linux/MacOS
+        ".anydesk/*.trace",
+        # Custom client Linux/MacOS
+        ".anydesk_ad_*/*.trace",
     ]
 
+    RemoteAccessLogRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
+        "remoteaccess/anydesk/log", GENERIC_LOG_RECORD_FIELDS
+    )
+
     def __init__(self, target):
         super().__init__(target)
 
-        self.logfiles = []
+        self.trace_files: set[tuple[TargetPath, UserDetails]] = set()
 
-        # Check service globs
+        # Service globs
         user = None
-        for log_glob in self.SERVICE_GLOBS:
-            for logfile in self.target.fs.glob(log_glob):
-                self.logfiles.append([logfile, user])
+        for trace_glob in self.SERVICE_GLOBS:
+            for trace_file in self.target.fs.path().glob(trace_glob):
+                self.trace_files.add((trace_file, user))
 
-        # Anydesk logs when as user
+        # User globs
         for user_details in self.target.user_details.all_with_home():
-            for log_glob in self.USER_GLOBS:
-                for logfile in user_details.home_path.glob(log_glob):
-                    self.logfiles.append([logfile, user_details.user])
+            for trace_glob in self.USER_GLOBS:
+                for trace_file in user_details.home_path.glob(trace_glob):
+                    self.trace_files.add((trace_file, user_details.user))
 
     def check_compatible(self) -> None:
-        if not (len(self.logfiles)):
-            raise UnsupportedPluginError("No Anydesk logs found")
+        if not self.trace_files:
+            raise UnsupportedPluginError("No Anydesk trace files found on target")
 
-    @export(record=RemoteAccessRecord)
-    def logs(self):
-        """Return the content of the AnyDesk logs.
+    @export(record=RemoteAccessLogRecord)
+    def logs(self) -> Iterator[RemoteAccessLogRecord]:
+        """Parse AnyDesk trace files.
 
         AnyDesk is a remote desktop application and can be used by adversaries to get (persistent) access to a machine.
-        Log files (.trace files) are retrieved from various location based on OS and client type.
+        Log files (.trace files) can be stored on various locations, based on target OS and client type.
+        Timestamps in trace files do not carry a time zone designator (TZD) but are in fact UTC.
 
         References:
             - https://www.inversecos.com/2021/02/forensic-analysis-of-anydesk-logs.html
             - https://support.anydesk.com/knowledge/trace-files#trace-file-locations
         """
-        for logfile, user in self.logfiles:
-            logfile = self.target.fs.path(logfile)
-
-            for line in logfile.open("rt"):
+        for trace_file, user in self.trace_files:
+            for line in trace_file.open("rt", errors="backslashreplace"):
                 line = line.strip()
 
-                # Skip empty lines
-                if not line:
-                    continue
-
-                if "* * * * * * * * * * * * * *" in line:
+                if not line or "* * * * * * * * * * * * * *" in line:
                     continue
 
-                level, ts_day, ts_time, description = line.split(" ", 3)
-                description = f"{level} {description}"
-                ts_time = ts_time.split(".")[0]
-
-                timestamp = datetime.strptime(f"{ts_day} {ts_time}", "%Y-%m-%d %H:%M:%S")
-
-                yield RemoteAccessRecord(
-                    ts=timestamp,
-                    tool="anydesk",
-                    logfile=str(logfile),
-                    description=description,
-                    _target=self.target,
-                    _user=user,
-                )
+                try:
+                    level, ts_date, ts_time, message = line.split(" ", 3)
+
+                    timestamp = datetime.strptime(f"{ts_date} {ts_time}", "%Y-%m-%d %H:%M:%S.%f").replace(
+                        tzinfo=timezone.utc
+                    )
+                    message = re.sub(r"\s\s+", " ", f"{level} {message}")
+
+                    yield self.RemoteAccessLogRecord(
+                        ts=timestamp,
+                        message=message,
+                        source=trace_file,
+                        _target=self.target,
+                        _user=user,
+                    )
+
+                except ValueError as e:
+                    self.target.log.warning("Could not parse log line in file %s: '%s'", trace_file, line)
+                    self.target.log.debug("", exc_info=e)

dissect/target/plugins/apps/remoteaccess/remoteaccess.py

@@ -2,14 +2,14 @@ from dissect.target.helpers.descriptor_extensions import UserRecordDescriptorExt
 from dissect.target.helpers.record import create_extended_descriptor
 from dissect.target.plugin import NamespacePlugin
 
-RemoteAccessRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
-    "application/log/remoteaccess",
-    [
-        ("datetime", "ts"),
-        ("string", "tool"),
-        ("path", "logfile"),
-        ("string", "description"),
-    ],
+GENERIC_LOG_RECORD_FIELDS = [
+    ("datetime", "ts"),
+    ("string", "message"),
+    ("path", "source"),
+]
+
+RemoteAccessLogRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
+    "remoteaccess/log", GENERIC_LOG_RECORD_FIELDS
 )
 
 

dissect/target/plugins/apps/remoteaccess/teamviewer.py

@@ -1,60 +1,74 @@
 import re
-from datetime import datetime
+from datetime import datetime, timezone
+from typing import Iterator
 
 from dissect.target.exceptions import UnsupportedPluginError
+from dissect.target.helpers.descriptor_extensions import UserRecordDescriptorExtension
+from dissect.target.helpers.fsutil import TargetPath
+from dissect.target.helpers.record import create_extended_descriptor
 from dissect.target.plugin import export
 from dissect.target.plugins.apps.remoteaccess.remoteaccess import (
+    GENERIC_LOG_RECORD_FIELDS,
     RemoteAccessPlugin,
-    RemoteAccessRecord,
 )
+from dissect.target.plugins.general.users import UserDetails
 
 START_PATTERN = re.compile(r"^(\d{2}|\d{4})/")
 
 
-class TeamviewerPlugin(RemoteAccessPlugin):
-    """
-    Teamviewer plugin.
+class TeamViewerPlugin(RemoteAccessPlugin):
+    """TeamViewer client plugin.
+
+    Resources:
+        - https://teamviewer.com/en/global/support/knowledge-base/teamviewer-classic/contact-support/find-your-log-files
+        - https://www.systoolsgroup.com/forensics/teamviewer/
+        - https://benleeyr.wordpress.com/2020/05/19/teamviewer-forensics-tested-on-v15/
     """
 
     __namespace__ = "teamviewer"
 
-    # Teamviewer log when service (Windows)
-    GLOBS = [
+    SYSTEM_GLOBS = [
         "sysvol/Program Files/TeamViewer/*.log",
         "sysvol/Program Files (x86)/TeamViewer/*.log",
+        "/var/log/teamviewer*/*.log",
+    ]
+
+    USER_GLOBS = [
+        "AppData/Roaming/TeamViewer/teamviewer*_logfile.log",
+        "Library/Logs/TeamViewer/teamviewer*_logfile*.log",
     ]
 
+    RemoteAccessLogRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
+        "remoteaccess/teamviewer/log", GENERIC_LOG_RECORD_FIELDS
+    )
+
     def __init__(self, target):
         super().__init__(target)
 
-        self.logfiles = []
+        self.logfiles: list[list[TargetPath, UserDetails]] = []
 
-        # Check service globs
-        user = None
-        for log_glob in self.GLOBS:
+        # Find system service log files.
+        for log_glob in self.SYSTEM_GLOBS:
             for logfile in self.target.fs.glob(log_glob):
-                self.logfiles.append([logfile, user])
+                self.logfiles.append([logfile, None])
 
-        # Teamviewer logs when as user (Windows)
+        # Find user log files.
         for user_details in self.target.user_details.all_with_home():
-            for logfile in user_details.home_path.glob("appdata/roaming/teamviewer/teamviewer*_logfile.log"):
-                self.logfiles.append([logfile, user_details.user])
+            for log_glob in self.USER_GLOBS:
+                for logfile in user_details.home_path.glob(log_glob):
+                    self.logfiles.append([logfile, user_details])
 
     def check_compatible(self) -> None:
         if not len(self.logfiles):
             raise UnsupportedPluginError("No Teamviewer logs found")
 
-    @export(record=RemoteAccessRecord)
-    def logs(self):
-        """Return the content of the TeamViewer logs.
-
-        TeamViewer is a commercial remote desktop application. An adversary may use it to gain persistence on a
-        system.
+    @export(record=RemoteAccessLogRecord)
+    def logs(self) -> Iterator[RemoteAccessLogRecord]:
+        """Yield TeamViewer client logs.
 
-        References:
-            - https://www.teamviewer.com/nl/
+        TeamViewer is a commercial remote desktop application. An adversary may use it to gain persistence on a system.
         """
-        for logfile, user in self.logfiles:
+        for logfile, user_details in self.logfiles:
             logfile = self.target.fs.path(logfile)
 
             start_date = None
@@ -83,7 +97,7 @@ class TeamviewerPlugin(RemoteAccessPlugin):
                     if not re.match(START_PATTERN, line):
                         continue
 
-                    ts_day, ts_time, description = line.split(" ", 2)
+                    ts_day, ts_time, message = line.split(" ", 2)
                     ts_time = ts_time.split(".")[0]
 
                     # Correct for use of : as millisecond separator
@@ -99,13 +113,14 @@ class TeamviewerPlugin(RemoteAccessPlugin):
                     if ts_day.count("/") == 2 and len(ts_day.split("/")[0]) == 2:
                         ts_day = "20" + ts_day
 
-                    timestamp = datetime.strptime(f"{ts_day} {ts_time}", "%Y/%m/%d %H:%M:%S")
+                    timestamp = datetime.strptime(f"{ts_day} {ts_time}", "%Y/%m/%d %H:%M:%S").replace(
+                        tzinfo=timezone.utc
+                    )
 
-                    yield RemoteAccessRecord(
-                        tool="teamviewer",
+                    yield self.RemoteAccessLogRecord(
                         ts=timestamp,
-                        logfile=str(logfile),
-                        description=description,
+                        message=message,
+                        source=logfile,
                         _target=self.target,
-                        _user=user,
+                        _user=user_details.user if user_details else None,
                     )

dissect/target/plugins/apps/ssh/openssh.py

@@ -7,7 +7,6 @@ from typing import Iterator
 from dissect.target import Target
 from dissect.target.exceptions import UnsupportedPluginError
 from dissect.target.helpers.fsutil import TargetPath
-from dissect.target.helpers.ssh import SSHPrivateKey
 from dissect.target.plugin import export
 from dissect.target.plugins.apps.ssh.ssh import (
     AuthorizedKeysRecord,
@@ -15,6 +14,7 @@ from dissect.target.plugins.apps.ssh.ssh import (
     PrivateKeyRecord,
     PublicKeyRecord,
     SSHPlugin,
+    SSHPrivateKey,
     calculate_fingerprints,
 )