dissect.target 3.19.dev13__py3-none-any.whl → 3.19.dev15__py3-none-any.whl

dissect/target/plugins/apps/remoteaccess/anydesk.py

@@ -1,91 +1,111 @@
-from datetime import datetime
+import re
+from datetime import datetime, timezone
+from typing import Iterator
 
 from dissect.target.exceptions import UnsupportedPluginError
+from dissect.target.helpers.descriptor_extensions import UserRecordDescriptorExtension
+from dissect.target.helpers.fsutil import TargetPath
+from dissect.target.helpers.record import create_extended_descriptor
 from dissect.target.plugin import export
 from dissect.target.plugins.apps.remoteaccess.remoteaccess import (
+    GENERIC_LOG_RECORD_FIELDS,
     RemoteAccessPlugin,
-    RemoteAccessRecord,
 )
+from dissect.target.plugins.general.users import UserDetails
 
 
 class AnydeskPlugin(RemoteAccessPlugin):
-    """
-    Anydesk plugin.
-    """
+    """Anydesk plugin."""
 
     __namespace__ = "anydesk"
 
     # Anydesk logs when installed as a service
     SERVICE_GLOBS = [
-        "/sysvol/ProgramData/AnyDesk/*.trace",  # Standard client >= Windows 7
-        "/sysvol/ProgramData/AnyDesk/ad_*/*.trace",  # Custom client >= Windows 7
-        "/var/log/anydesk*.trace",  # Standard/Custom client Linux/MacOS
+        # Standard client >= Windows 7
+        "sysvol/ProgramData/AnyDesk/*.trace",
+        # Custom client >= Windows 7
+        "sysvol/ProgramData/AnyDesk/ad_*/*.trace",
+        # Windows XP / 2003
+        "sysvol/Documents and Settings/Public/AnyDesk/*.trace",
+        "sysvol/Documents and Settings/Public/AnyDesk/ad_*/*.trace",
+        # Standard/Custom client Linux/MacOS
+        "var/log/anydesk*/*.trace",
     ]
 
     # User specific Anydesk logs
     USER_GLOBS = [
-        "appdata/roaming/AnyDesk/*.trace",  # Standard client Windows
-        "appdata/roaming/AnyDesk/ad_*/*.trace",  # Custom client Windows
-        ".anydesk/*.trace",  # Standard client Linux/MacOS
-        ".anydesk_ad_*/*.trace",  # Custom client Linux/MacOS
+        # Standard client Windows
+        "AppData/Roaming/AnyDesk/*.trace",
+        # Custom client Windows
+        "AppData/Roaming/AnyDesk/ad_*/*.trace",
+        # Windows XP / 2003
+        "AppData/AnyDesk/*.trace",
+        # Standard client Linux/MacOS
+        ".anydesk/*.trace",
+        # Custom client Linux/MacOS
+        ".anydesk_ad_*/*.trace",
     ]
 
+    RemoteAccessLogRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
+        "remoteaccess/anydesk/log", GENERIC_LOG_RECORD_FIELDS
+    )
+
     def __init__(self, target):
         super().__init__(target)
 
-        self.logfiles = []
+        self.trace_files: set[tuple[TargetPath, UserDetails]] = set()
 
-        # Check service globs
+        # Service globs
         user = None
-        for log_glob in self.SERVICE_GLOBS:
-            for logfile in self.target.fs.glob(log_glob):
-                self.logfiles.append([logfile, user])
+        for trace_glob in self.SERVICE_GLOBS:
+            for trace_file in self.target.fs.path().glob(trace_glob):
+                self.trace_files.add((trace_file, user))
 
-        # Anydesk logs when as user
+        # User globs
         for user_details in self.target.user_details.all_with_home():
-            for log_glob in self.USER_GLOBS:
-                for logfile in user_details.home_path.glob(log_glob):
-                    self.logfiles.append([logfile, user_details.user])
+            for trace_glob in self.USER_GLOBS:
+                for trace_file in user_details.home_path.glob(trace_glob):
+                    self.trace_files.add((trace_file, user_details.user))
 
     def check_compatible(self) -> None:
-        if not (len(self.logfiles)):
-            raise UnsupportedPluginError("No Anydesk logs found")
+        if not self.trace_files:
+            raise UnsupportedPluginError("No Anydesk trace files found on target")
 
-    @export(record=RemoteAccessRecord)
-    def logs(self):
-        """Return the content of the AnyDesk logs.
+    @export(record=RemoteAccessLogRecord)
+    def logs(self) -> Iterator[RemoteAccessLogRecord]:
+        """Parse AnyDesk trace files.
 
         AnyDesk is a remote desktop application and can be used by adversaries to get (persistent) access to a machine.
-        Log files (.trace files) are retrieved from various location based on OS and client type.
+        Log files (.trace files) can be stored on various locations, based on target OS and client type.
+        Timestamps in trace files do not carry a time zone designator (TZD) but are in fact UTC.
 
         References:
             - https://www.inversecos.com/2021/02/forensic-analysis-of-anydesk-logs.html
             - https://support.anydesk.com/knowledge/trace-files#trace-file-locations
         """
-        for logfile, user in self.logfiles:
-            logfile = self.target.fs.path(logfile)
-
-            for line in logfile.open("rt"):
+        for trace_file, user in self.trace_files:
+            for line in trace_file.open("rt", errors="backslashreplace"):
                 line = line.strip()
 
-                # Skip empty lines
-                if not line:
-                    continue
-
-                if "* * * * * * * * * * * * * *" in line:
+                if not line or "* * * * * * * * * * * * * *" in line:
                     continue
 
-                level, ts_day, ts_time, description = line.split(" ", 3)
-                description = f"{level} {description}"
-                ts_time = ts_time.split(".")[0]
-
-                timestamp = datetime.strptime(f"{ts_day} {ts_time}", "%Y-%m-%d %H:%M:%S")
-
-                yield RemoteAccessRecord(
-                    ts=timestamp,
-                    tool="anydesk",
-                    logfile=str(logfile),
-                    description=description,
-                    _target=self.target,
-                    _user=user,
-                )
+                try:
+                    level, ts_date, ts_time, message = line.split(" ", 3)
+
+                    timestamp = datetime.strptime(f"{ts_date} {ts_time}", "%Y-%m-%d %H:%M:%S.%f").replace(
+                        tzinfo=timezone.utc
+                    )
+                    message = re.sub(r"\s\s+", " ", f"{level} {message}")
+
+                    yield self.RemoteAccessLogRecord(
+                        ts=timestamp,
+                        message=message,
+                        source=trace_file,
+                        _target=self.target,
+                        _user=user,
+                    )
+
+                except ValueError as e:
+                    self.target.log.warning("Could not parse log line in file %s: '%s'", trace_file, line)
+                    self.target.log.debug("", exc_info=e)

dissect/target/plugins/apps/remoteaccess/remoteaccess.py

@@ -2,14 +2,14 @@ from dissect.target.helpers.descriptor_extensions import UserRecordDescriptorExt
 from dissect.target.helpers.record import create_extended_descriptor
 from dissect.target.plugin import NamespacePlugin
 
-RemoteAccessRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
-    "application/log/remoteaccess",
-    [
-        ("datetime", "ts"),
-        ("string", "tool"),
-        ("path", "logfile"),
-        ("string", "description"),
-    ],
+GENERIC_LOG_RECORD_FIELDS = [
+    ("datetime", "ts"),
+    ("string", "message"),
+    ("path", "source"),
+]
+
+RemoteAccessLogRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
+    "remoteaccess/log", GENERIC_LOG_RECORD_FIELDS
 )
 
 

dissect/target/plugins/apps/remoteaccess/teamviewer.py

@@ -1,60 +1,72 @@
 import re
-from datetime import datetime
+from datetime import datetime, timezone
+from typing import Iterator
 
 from dissect.target.exceptions import UnsupportedPluginError
+from dissect.target.helpers.descriptor_extensions import UserRecordDescriptorExtension
+from dissect.target.helpers.fsutil import TargetPath
+from dissect.target.helpers.record import create_extended_descriptor
 from dissect.target.plugin import export
 from dissect.target.plugins.apps.remoteaccess.remoteaccess import (
+    GENERIC_LOG_RECORD_FIELDS,
     RemoteAccessPlugin,
-    RemoteAccessRecord,
 )
+from dissect.target.plugins.general.users import UserDetails
 
 START_PATTERN = re.compile(r"^(\d{2}|\d{4})/")
 
 
-class TeamviewerPlugin(RemoteAccessPlugin):
-    """
-    Teamviewer plugin.
+class TeamViewerPlugin(RemoteAccessPlugin):
+    """TeamViewer client plugin.
+
+    Resources:
+        - https://teamviewer.com/en/global/support/knowledge-base/teamviewer-classic/contact-support/find-your-log-files
+        - https://www.systoolsgroup.com/forensics/teamviewer/
+        - https://benleeyr.wordpress.com/2020/05/19/teamviewer-forensics-tested-on-v15/
     """
 
     __namespace__ = "teamviewer"
 
-    # Teamviewer log when service (Windows)
-    GLOBS = [
+    SYSTEM_GLOBS = [
         "sysvol/Program Files/TeamViewer/*.log",
         "sysvol/Program Files (x86)/TeamViewer/*.log",
     ]
 
+    USER_GLOBS = [
+        "AppData/Roaming/TeamViewer/teamviewer*_logfile.log",
+    ]
+
+    RemoteAccessLogRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
+        "remoteaccess/teamviewer/log", GENERIC_LOG_RECORD_FIELDS
+    )
+
     def __init__(self, target):
         super().__init__(target)
 
-        self.logfiles = []
+        self.logfiles: list[list[TargetPath, UserDetails]] = []
 
-        # Check service globs
-        user = None
-        for log_glob in self.GLOBS:
+        # Find system service log files.
+        for log_glob in self.SYSTEM_GLOBS:
             for logfile in self.target.fs.glob(log_glob):
-                self.logfiles.append([logfile, user])
+                self.logfiles.append([logfile, None])
 
-        # Teamviewer logs when as user (Windows)
+        # Find user log files.
         for user_details in self.target.user_details.all_with_home():
-            for logfile in user_details.home_path.glob("appdata/roaming/teamviewer/teamviewer*_logfile.log"):
-                self.logfiles.append([logfile, user_details.user])
+            for log_glob in self.USER_GLOBS:
+                for logfile in user_details.home_path.glob(log_glob):
+                    self.logfiles.append([logfile, user_details])
 
     def check_compatible(self) -> None:
         if not len(self.logfiles):
             raise UnsupportedPluginError("No Teamviewer logs found")
 
-    @export(record=RemoteAccessRecord)
-    def logs(self):
-        """Return the content of the TeamViewer logs.
-
-        TeamViewer is a commercial remote desktop application. An adversary may use it to gain persistence on a
-        system.
+    @export(record=RemoteAccessLogRecord)
+    def logs(self) -> Iterator[RemoteAccessLogRecord]:
+        """Yield TeamViewer client logs.
 
-        References:
-            - https://www.teamviewer.com/nl/
+        TeamViewer is a commercial remote desktop application. An adversary may use it to gain persistence on a system.
         """
-        for logfile, user in self.logfiles:
+        for logfile, user_details in self.logfiles:
             logfile = self.target.fs.path(logfile)
 
             start_date = None
@@ -83,7 +95,7 @@ class TeamviewerPlugin(RemoteAccessPlugin):
                     if not re.match(START_PATTERN, line):
                         continue
 
-                    ts_day, ts_time, description = line.split(" ", 2)
+                    ts_day, ts_time, message = line.split(" ", 2)
                     ts_time = ts_time.split(".")[0]
 
                     # Correct for use of : as millisecond separator
@@ -99,13 +111,14 @@ class TeamviewerPlugin(RemoteAccessPlugin):
                     if ts_day.count("/") == 2 and len(ts_day.split("/")[0]) == 2:
                         ts_day = "20" + ts_day
 
-                    timestamp = datetime.strptime(f"{ts_day} {ts_time}", "%Y/%m/%d %H:%M:%S")
+                    timestamp = datetime.strptime(f"{ts_day} {ts_time}", "%Y/%m/%d %H:%M:%S").replace(
+                        tzinfo=timezone.utc
+                    )
 
-                    yield RemoteAccessRecord(
-                        tool="teamviewer",
+                    yield self.RemoteAccessLogRecord(
                         ts=timestamp,
-                        logfile=str(logfile),
-                        description=description,
+                        message=message,
+                        source=logfile,
                         _target=self.target,
-                        _user=user,
+                        _user=user_details.user if user_details else None,
                     )

dissect/target/plugins/os/windows/_os.py

@@ -79,15 +79,15 @@ class WindowsPlugin(OSPlugin):
             self.target.log.debug("", exc_info=e)
 
         sysvol_drive = self.target.fs.mounts.get("sysvol")
-        # Fallback mount the sysvol to C: if we didn't manage to mount it to any other drive letter
-        if sysvol_drive and operator.countOf(self.target.fs.mounts.values(), sysvol_drive) == 1:
+        if not sysvol_drive:
+            self.target.log.warning("No sysvol drive found")
+        elif operator.countOf(self.target.fs.mounts.values(), sysvol_drive) == 1:
+            # Fallback mount the sysvol to C: if we didn't manage to mount it to any other drive letter
             if "c:" not in self.target.fs.mounts:
                 self.target.log.debug("Unable to determine drive letter of sysvol, falling back to C:")
                 self.target.fs.mount("c:", sysvol_drive)
             else:
                 self.target.log.warning("Unknown drive letter for sysvol")
-        else:
-            self.target.log.warning("No sysvol drive found")
 
     @export(property=True)
     def hostname(self) -> Optional[str]:

{dissect.target-3.19.dev13.dist-info → dissect.target-3.19.dev15.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: dissect.target
-Version: 3.19.dev13
+Version: 3.19.dev15
 Summary: This module ties all other Dissect modules together, it provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets)
 Author-email: Dissect Team <dissect@fox-it.com>
 License: Affero General Public License v3

{dissect.target-3.19.dev13.dist-info → dissect.target-3.19.dev15.dist-info}/RECORD

@@ -128,9 +128,9 @@ dissect/target/plugins/apps/browser/iexplore.py,sha256=g_xw0toaiyjevxO8g9XPCOqc-
 dissect/target/plugins/apps/container/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/plugins/apps/container/docker.py,sha256=KxQRbKGgxkf3YFBMa7fjeJ7qo8qjFys7zEmfQhDTnLw,15305
 dissect/target/plugins/apps/remoteaccess/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-dissect/target/plugins/apps/remoteaccess/anydesk.py,sha256=lHtgINWXfVpPuCTRyQmT2ZO-1vkoqiXZ7coj8cZ8p4c,3185
-dissect/target/plugins/apps/remoteaccess/remoteaccess.py,sha256=UQDmDC4Y-KxYl_8kaAh6SG_BLJZ6SeGnxG0gyD8tzaE,833
-dissect/target/plugins/apps/remoteaccess/teamviewer.py,sha256=SiEH36HM2NvdPuCjfLjQcMDsluwkcHp_3io9SoY8qFk,4032
+dissect/target/plugins/apps/remoteaccess/anydesk.py,sha256=IdijK3F6ppaB_IgKL-xDljlEbb8l9S2U0xSWKqK9xRs,4294
+dissect/target/plugins/apps/remoteaccess/remoteaccess.py,sha256=DWXkRDVUpFr1icK2fYwSXdZD204Xz0yRuO7rcJOwIwc,825
+dissect/target/plugins/apps/remoteaccess/teamviewer.py,sha256=0nGjgbzzrhESr1PeiXlGxYQ66-aOATO59CnVSwcGn4E,4889
 dissect/target/plugins/apps/shell/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/plugins/apps/shell/powershell.py,sha256=biPSMRWxPI6kRqP0-75yMtrw0Ti2Bzfl_xI3xbmmF48,2641
 dissect/target/plugins/apps/ssh/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -254,7 +254,7 @@ dissect/target/plugins/os/unix/log/lastlog.py,sha256=Wq89wRSFZSBsoKVCxjDofnC4yw9
 dissect/target/plugins/os/unix/log/messages.py,sha256=CXA-SkMPLaCgnTQg9nzII-7tO8Il_ENQmuYvDxo33rI,4698
 dissect/target/plugins/os/unix/log/utmp.py,sha256=1nPHIaBUHt_9z6PDrvyqg4huKLihUaWLrMmgMsbaeIo,7755
 dissect/target/plugins/os/windows/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-dissect/target/plugins/os/windows/_os.py,sha256=Iu-xgEqtkycx1yDx4b_GL29pSz1Lew7lUYCByBOmTOE,13127
+dissect/target/plugins/os/windows/_os.py,sha256=uBa0dVkFxDsxHAU3T23UEIOCgAx5R6cIpCgbGq3fflY,13131
 dissect/target/plugins/os/windows/activitiescache.py,sha256=Q2aILnhJ2rp2AwEbWwyBuSLjMbGqaYJTsavSbfkcFKE,6741
 dissect/target/plugins/os/windows/adpolicy.py,sha256=fULRFO_I_QxAn6G9SCwlLL-TLVliS13JEGnGotf7lSA,6983
 dissect/target/plugins/os/windows/amcache.py,sha256=ZZNOs3bILTf0AGkDkhoatndl0j39DXkstN7oOyxJECU,27188
@@ -344,10 +344,10 @@ dissect/target/volumes/luks.py,sha256=OmCMsw6rCUXG1_plnLVLTpsvE1n_6WtoRUGQbpmu1z
 dissect/target/volumes/lvm.py,sha256=wwQVR9I3G9YzmY6UxFsH2Y4MXGBcKL9aayWGCDTiWMU,2269
 dissect/target/volumes/md.py,sha256=j1K1iKmspl0C_OJFc7-Q1BMWN2OCC5EVANIgVlJ_fIE,1673
 dissect/target/volumes/vmfs.py,sha256=-LoUbn9WNwTtLi_4K34uV_-wDw2W5hgaqxZNj4UmqAQ,1730
-dissect.target-3.19.dev13.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
-dissect.target-3.19.dev13.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
-dissect.target-3.19.dev13.dist-info/METADATA,sha256=oFZiiry3QZEqrgYijsGOlPjZn1DfUM3GBMdf8WZaIFc,12719
-dissect.target-3.19.dev13.dist-info/WHEEL,sha256=Wyh-_nZ0DJYolHNn1_hMa4lM7uDedD_RGVwbmTjyItk,91
-dissect.target-3.19.dev13.dist-info/entry_points.txt,sha256=tvFPa-Ap-gakjaPwRc6Fl6mxHzxEZ_arAVU-IUYeo_s,447
-dissect.target-3.19.dev13.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
-dissect.target-3.19.dev13.dist-info/RECORD,,
+dissect.target-3.19.dev15.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
+dissect.target-3.19.dev15.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
+dissect.target-3.19.dev15.dist-info/METADATA,sha256=S5x1NtWPGpIryy_gl8s0sYJtuGIfVQ1mLytzBXwwDfE,12719
+dissect.target-3.19.dev15.dist-info/WHEEL,sha256=Wyh-_nZ0DJYolHNn1_hMa4lM7uDedD_RGVwbmTjyItk,91
+dissect.target-3.19.dev15.dist-info/entry_points.txt,sha256=tvFPa-Ap-gakjaPwRc6Fl6mxHzxEZ_arAVU-IUYeo_s,447
+dissect.target-3.19.dev15.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
+dissect.target-3.19.dev15.dist-info/RECORD,,