dissect.target 3.19.dev41__py3-none-any.whl → 3.19.dev42__py3-none-any.whl

dissect/target/helpers/utils.py

@@ -13,6 +13,17 @@ from dissect.target.helpers import fsutil
 log = logging.getLogger(__name__)
 
 
+def findall(buf: bytes, needle: bytes) -> Iterator[int]:
+    offset = 0
+    while True:
+        offset = buf.find(needle, offset)
+        if offset == -1:
+            break
+
+        yield offset
+        offset += 1
+
+
 class StrEnum(str, Enum):
     """Sortable and serializible string-based enum"""
 

dissect/target/plugins/os/windows/catroot.py

@@ -5,6 +5,7 @@ from flow.record.fieldtypes import digest
 
 from dissect.target.exceptions import UnsupportedPluginError
 from dissect.target.helpers.record import TargetRecordDescriptor
+from dissect.target.helpers.utils import findall
 from dissect.target.plugin import Plugin, export
 
 try:
@@ -36,17 +37,6 @@ CatrootRecord = TargetRecordDescriptor(
 )
 
 
-def findall(buf: bytes, needle: bytes) -> Iterator[int]:
-    offset = 0
-    while True:
-        offset = buf.find(needle, offset)
-        if offset == -1:
-            break
-
-        yield offset
-        offset += 1
-
-
 def _get_package_name(sequence: Sequence) -> str:
     """Parse sequences within a sequence and return the 'PackageName' value if it exists."""
     for value in sequence.native.values():

dissect/target/plugins/os/windows/jumplist.py

@@ -0,0 +1,292 @@
+from __future__ import annotations
+
+import io
+import logging
+from struct import error as StructError
+from typing import BinaryIO, Iterator
+
+from dissect.cstruct import cstruct
+from dissect.ole import OLE
+from dissect.ole.exceptions import Error as OleError
+from dissect.shellitem.lnk import Lnk
+
+from dissect.target import Target
+from dissect.target.exceptions import UnsupportedPluginError
+from dissect.target.helpers.descriptor_extensions import UserRecordDescriptorExtension
+from dissect.target.helpers.record import create_extended_descriptor
+from dissect.target.helpers.shell_application_ids import APPLICATION_IDENTIFIERS
+from dissect.target.helpers.utils import findall
+from dissect.target.plugin import Plugin, export
+from dissect.target.plugins.os.windows.lnk import LnkRecord, parse_lnk_file
+
+log = logging.getLogger(__name__)
+
+LNK_GUID = b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
+
+JumpListRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
+    "windows/jumplist",
+    [
+        ("string", "type"),
+        ("string", "application_id"),
+        ("string", "application_name"),
+        *LnkRecord.target_fields,
+    ],
+)
+
+
+custom_destination_def = """
+struct header {
+    int version;
+    int unknown1;
+    int unknown2;
+    int value_type;
+}
+
+struct header_end {
+    int number_of_entries;
+}
+
+struct header_end_0 {
+    uint16  name_length;
+    wchar   name[name_length];
+    int     number_of_entries;
+}
+
+struct footer {
+    char magic[4];
+}
+"""
+
+c_custom_destination = cstruct()
+c_custom_destination.load(custom_destination_def)
+
+
+class JumpListFile:
+    def __init__(self, fh: BinaryIO, file_name: str):
+        self.fh = fh
+        self.file_name = file_name
+
+        self.application_id, self.application_type = file_name.split(".")
+        self.application_type = self.application_type.split("-")[0]
+        self.application_name = APPLICATION_IDENTIFIERS.get(self.application_id)
+
+    def __iter__(self) -> Iterator[Lnk]:
+        raise NotImplementedError
+
+    @property
+    def name(self) -> str:
+        """Return the name of the application."""
+        return self.application_name
+
+    @property
+    def id(self) -> str:
+        """Return the application identifier."""
+        return self.application_id
+
+    @property
+    def type(self) -> str:
+        """Return the type of the Jump List file."""
+        return self.application_type
+
+
+class AutomaticDestinationFile(JumpListFile):
+    """Parse Jump List AutomaticDestination file."""
+
+    def __init__(self, fh: BinaryIO, file_name: str):
+        super().__init__(fh, file_name)
+        self.ole = OLE(self.fh)
+
+    def __iter__(self) -> Iterator[Lnk]:
+        for dir_name in self.ole.root.listdir():
+            if dir_name == "DestList":
+                continue
+
+            dir = self.ole.get(dir_name)
+
+            for item in dir.open():
+                try:
+                    yield Lnk(io.BytesIO(item))
+                except StructError:
+                    continue
+                except Exception as e:
+                    log.warning("Failed to parse LNK file from directory %s", dir_name)
+                    log.debug("", exc_info=e)
+                    continue
+
+
+class CustomDestinationFile(JumpListFile):
+    """Parse Jump List CustomDestination file."""
+
+    MAGIC_FOOTER = 0xBABFFBAB
+    VERSIONS = [2]
+
+    def __init__(self, fh: BinaryIO, file_name: str):
+        super().__init__(fh, file_name)
+
+        self.fh.seek(-4, io.SEEK_END)
+        self.footer = c_custom_destination.footer(self.fh.read(4))
+        self.magic = int.from_bytes(self.footer.magic, "little")
+
+        self.fh.seek(0, io.SEEK_SET)
+        self.header = c_custom_destination.header(self.fh)
+        self.version = self.header.version
+
+        if self.header.value_type == 0:
+            self.header_end = c_custom_destination.header_end_0(self.fh)
+        elif self.header.value_type in [1, 2]:
+            self.header_end = c_custom_destination.header_end(self.fh)
+        else:
+            raise NotImplementedError(
+                f"The value_type ({self.header.value_type}) of the CustomDestination file is not implemented"
+            )
+
+        if self.version not in self.VERSIONS:
+            raise NotImplementedError(f"The CustomDestination file has an unsupported version: {self.version}")
+
+        if not self.MAGIC_FOOTER == self.magic:
+            raise ValueError(f"The CustomDestination file has an invalid magic footer: {self.magic}")
+
+    def __iter__(self) -> Iterator[Lnk]:
+        # Searches for all LNK GUID's because the number of entries in the header is not always correct.
+        buf = self.fh.read()
+
+        for offset in findall(buf, LNK_GUID):
+            try:
+                lnk = Lnk(io.BytesIO(buf[offset + len(LNK_GUID) :]))
+                yield lnk
+            except EOFError:
+                break
+            except Exception as e:
+                log.warning("Failed to parse LNK file from a CustomDestination file")
+                log.debug("", exc_info=e)
+                continue
+
+
+class JumpListPlugin(Plugin):
+    """Jump List is a Windows feature introduced in Windows 7.
+
+    It stores information about recently accessed applications and files.
+
+    References:
+        - https://forensics.wiki/jump_lists
+        - https://github.com/libyal/dtformats/blob/main/documentation/Jump%20lists%20format.asciidoc
+    """
+
+    __namespace__ = "jumplist"
+
+    def __init__(self, target: Target):
+        super().__init__(target)
+        self.automatic_destinations = []
+        self.custom_destinations = []
+
+        for user_details in self.target.user_details.all_with_home():
+            for destination in user_details.home_path.glob(
+                "AppData/Roaming/Microsoft/Windows/Recent/CustomDestinations/*.customDestinations-ms"
+            ):
+                self.custom_destinations.append([destination, user_details.user])
+
+        for user_details in self.target.user_details.all_with_home():
+            for destination in user_details.home_path.glob(
+                "AppData/Roaming/Microsoft/Windows/Recent/AutomaticDestinations/*.automaticDestinations-ms"
+            ):
+                self.automatic_destinations.append([destination, user_details.user])
+
+    def check_compatible(self) -> None:
+        if not any([self.automatic_destinations, self.custom_destinations]):
+            raise UnsupportedPluginError("No Jump List files found")
+
+    @export(record=JumpListRecord)
+    def custom_destination(self) -> Iterator[JumpListRecord]:
+        """Return the content of CustomDestination Windows Jump Lists.
+
+        These are created when a user pins an application or a file in a Jump List.
+
+        Yields JumpListRecord with fields:
+
+        .. code-block:: text
+
+            type (string): Type of Jump List.
+            application_id (string): ID of the application.
+            application_name (string): Name of the application.
+            lnk_path (path): Path of the link (.lnk) file.
+            lnk_name (string): Name of the link (.lnk) file.
+            lnk_mtime (datetime): Modification time of the link (.lnk) file.
+            lnk_atime (datetime): Access time of the link (.lnk) file.
+            lnk_ctime (datetime): Creation time of the link (.lnk) file.
+            lnk_relativepath (path): Relative path of target file to the link (.lnk) file.
+            lnk_workdir (path): Path of the working directory the link (.lnk) file will execute from.
+            lnk_iconlocation (path): Path of the display icon used for the link (.lnk) file.
+            lnk_arguments (string): Command-line arguments passed to the target (linked) file.
+            local_base_path (string): Absolute path of the target (linked) file.
+            common_path_suffix (string): Suffix of the local_base_path.
+            lnk_full_path (string): Full path of the linked file. Made from local_base_path and common_path_suffix.
+            lnk_net_name (string): Specifies a server share path; for example, "\\\\server\\share".
+            lnk_device_name (string): Specifies a device; for example, the drive letter "D:"
+            machine_id (string): The NetBIOS name of the machine where the linked file was last known to reside.
+            target_mtime (datetime): Modification time of the target (linked) file.
+            target_atime (datetime): Access time of the target (linked) file.
+            target_ctime (datetime): Creation time of the target (linked) file.
+        """
+        yield from self._generate_records(self.custom_destinations, CustomDestinationFile)
+
+    @export(record=JumpListRecord)
+    def automatic_destination(self) -> Iterator[JumpListRecord]:
+        """Return the content of AutomaticDestination Windows Jump Lists.
+
+        These are created automatically when a user opens an application or file.
+
+        Yields JumpListRecord with fields:
+
+        .. code-block:: text
+
+            type (string): Type of Jump List.
+            application_id (string): ID of the application.
+            application_name (string): Name of the application.
+            lnk_path (path): Path of the link (.lnk) file.
+            lnk_name (string): Name of the link (.lnk) file.
+            lnk_mtime (datetime): Modification time of the link (.lnk) file.
+            lnk_atime (datetime): Access time of the link (.lnk) file.
+            lnk_ctime (datetime): Creation time of the link (.lnk) file.
+            lnk_relativepath (path): Relative path of target file to the link (.lnk) file.
+            lnk_workdir (path): Path of the working directory the link (.lnk) file will execute from.
+            lnk_iconlocation (path): Path of the display icon used for the link (.lnk) file.
+            lnk_arguments (string): Command-line arguments passed to the target (linked) file.
+            local_base_path (string): Absolute path of the target (linked) file.
+            common_path_suffix (string): Suffix of the local_base_path.
+            lnk_full_path (string): Full path of the linked file. Made from local_base_path and common_path_suffix.
+            lnk_net_name (string): Specifies a server share path; for example, "\\\\server\\share".
+            lnk_device_name (string): Specifies a device; for example, the drive letter "D:"
+            machine_id (string): The NetBIOS name of the machine where the linked file was last known to reside.
+            target_mtime (datetime): Modification time of the target (linked) file.
+            target_atime (datetime): Access time of the target (linked) file.
+            target_ctime (datetime): Creation time of the target (linked) file.
+        """
+        yield from self._generate_records(self.automatic_destinations, AutomaticDestinationFile)
+
+    def _generate_records(
+        self,
+        destinations: list,
+        destination_file: AutomaticDestinationFile | CustomDestinationFile,
+    ) -> Iterator[JumpListRecord]:
+        for destination, user in destinations:
+            fh = destination.open("rb")
+
+            try:
+                jumplist = destination_file(fh, destination.name)
+            except OleError:
+                continue
+            except Exception as e:
+                self.target.log.warning("Failed to parse Jump List file: %s", destination)
+                self.target.log.debug("", exc_info=e)
+                continue
+
+            for lnk in jumplist:
+                if lnk := parse_lnk_file(self.target, lnk, destination):
+                    yield JumpListRecord(
+                        type=jumplist.type,
+                        application_name=jumplist.name,
+                        application_id=jumplist.id,
+                        **lnk._asdict(),
+                        _user=user,
+                        _target=self.target,
+                    )

dissect/target/plugins/os/windows/lnk.py

@@ -34,6 +34,89 @@ LnkRecord = TargetRecordDescriptor(
 )
 
 
+def parse_lnk_file(target: Target, lnk_file: Lnk, lnk_path: TargetPath) -> Iterator[LnkRecord]:
+    # we need to get the active codepage from the system to properly decode some values
+    codepage = target.codepage or "ascii"
+
+    lnk_net_name = lnk_device_name = None
+
+    if lnk_file.link_header:
+        lnk_name = lnk_file.stringdata.name_string.string if lnk_file.flag("has_name") else None
+
+        lnk_mtime = ts.from_unix(lnk_path.stat().st_mtime)
+        lnk_atime = ts.from_unix(lnk_path.stat().st_atime)
+        lnk_ctime = ts.from_unix(lnk_path.stat().st_ctime)
+
+        lnk_relativepath = (
+            target.fs.path(lnk_file.stringdata.relative_path.string) if lnk_file.flag("has_relative_path") else None
+        )
+        lnk_workdir = (
+            target.fs.path(lnk_file.stringdata.working_dir.string) if lnk_file.flag("has_working_dir") else None
+        )
+        lnk_iconlocation = (
+            target.fs.path(lnk_file.stringdata.icon_location.string) if lnk_file.flag("has_icon_location") else None
+        )
+        lnk_arguments = lnk_file.stringdata.command_line_arguments.string if lnk_file.flag("has_arguments") else None
+        local_base_path = (
+            lnk_file.linkinfo.local_base_path.decode(codepage)
+            if lnk_file.flag("has_link_info") and lnk_file.linkinfo.flag("volumeid_and_local_basepath")
+            else None
+        )
+        common_path_suffix = (
+            lnk_file.linkinfo.common_path_suffix.decode(codepage) if lnk_file.flag("has_link_info") else None
+        )
+
+        if local_base_path and common_path_suffix:
+            lnk_full_path = target.fs.path(local_base_path + common_path_suffix)
+        elif local_base_path and not common_path_suffix:
+            lnk_full_path = target.fs.path(local_base_path)
+        else:
+            lnk_full_path = None
+
+        if lnk_file.flag("has_link_info"):
+            if lnk_file.linkinfo.flag("common_network_relative_link_and_pathsuffix"):
+                lnk_net_name = (
+                    lnk_file.linkinfo.common_network_relative_link.net_name.decode()
+                    if lnk_file.linkinfo.common_network_relative_link.net_name
+                    else None
+                )
+                lnk_device_name = (
+                    lnk_file.linkinfo.common_network_relative_link.device_name.decode()
+                    if lnk_file.linkinfo.common_network_relative_link.device_name
+                    else None
+                )
+        try:
+            machine_id = lnk_file.extradata.TRACKER_PROPS.machine_id.decode(codepage).strip("\x00")
+        except AttributeError:
+            machine_id = None
+
+        target_mtime = ts.wintimestamp(lnk_file.link_header.write_time)
+        target_atime = ts.wintimestamp(lnk_file.link_header.access_time)
+        target_ctime = ts.wintimestamp(lnk_file.link_header.creation_time)
+
+        return LnkRecord(
+            lnk_path=lnk_path,
+            lnk_name=lnk_name,
+            lnk_mtime=lnk_mtime,
+            lnk_atime=lnk_atime,
+            lnk_ctime=lnk_ctime,
+            lnk_relativepath=lnk_relativepath,
+            lnk_workdir=lnk_workdir,
+            lnk_iconlocation=lnk_iconlocation,
+            lnk_arguments=lnk_arguments,
+            local_base_path=local_base_path,
+            common_path_suffix=common_path_suffix,
+            lnk_full_path=lnk_full_path,
+            lnk_net_name=lnk_net_name,
+            lnk_device_name=lnk_device_name,
+            machine_id=machine_id,
+            target_mtime=target_mtime,
+            target_atime=target_atime,
+            target_ctime=target_ctime,
+            _target=target,
+        )
+
+
 class LnkPlugin(Plugin):
     def __init__(self, target: Target) -> None:
         super().__init__(target)
@@ -74,97 +157,9 @@ class LnkPlugin(Plugin):
             target_ctime (datetime): Creation time of the target (linked) file.
         """
 
-        # we need to get the active codepage from the system to properly decode some values
-        codepage = self.target.codepage or "ascii"
-
         for entry in self.lnk_entries(path):
             lnk_file = Lnk(entry.open())
-            lnk_net_name = lnk_device_name = None
-
-            if lnk_file.link_header:
-                lnk_path = entry
-                lnk_name = lnk_file.stringdata.name_string.string if lnk_file.flag("has_name") else None
-
-                lnk_mtime = ts.from_unix(entry.stat().st_mtime)
-                lnk_atime = ts.from_unix(entry.stat().st_atime)
-                lnk_ctime = ts.from_unix(entry.stat().st_ctime)
-
-                lnk_relativepath = (
-                    self.target.fs.path(lnk_file.stringdata.relative_path.string)
-                    if lnk_file.flag("has_relative_path")
-                    else None
-                )
-                lnk_workdir = (
-                    self.target.fs.path(lnk_file.stringdata.working_dir.string)
-                    if lnk_file.flag("has_working_dir")
-                    else None
-                )
-                lnk_iconlocation = (
-                    self.target.fs.path(lnk_file.stringdata.icon_location.string)
-                    if lnk_file.flag("has_icon_location")
-                    else None
-                )
-                lnk_arguments = (
-                    lnk_file.stringdata.command_line_arguments.string if lnk_file.flag("has_arguments") else None
-                )
-                local_base_path = (
-                    lnk_file.linkinfo.local_base_path.decode(codepage)
-                    if lnk_file.flag("has_link_info") and lnk_file.linkinfo.flag("volumeid_and_local_basepath")
-                    else None
-                )
-                common_path_suffix = (
-                    lnk_file.linkinfo.common_path_suffix.decode(codepage) if lnk_file.flag("has_link_info") else None
-                )
-
-                if local_base_path and common_path_suffix:
-                    lnk_full_path = self.target.fs.path(local_base_path + common_path_suffix)
-                elif local_base_path and not common_path_suffix:
-                    lnk_full_path = self.target.fs.path(local_base_path)
-                else:
-                    lnk_full_path = None
-
-                if lnk_file.flag("has_link_info"):
-                    if lnk_file.linkinfo.flag("common_network_relative_link_and_pathsuffix"):
-                        lnk_net_name = (
-                            lnk_file.linkinfo.common_network_relative_link.net_name.decode()
-                            if lnk_file.linkinfo.common_network_relative_link.net_name
-                            else None
-                        )
-                        lnk_device_name = (
-                            lnk_file.linkinfo.common_network_relative_link.device_name.decode()
-                            if lnk_file.linkinfo.common_network_relative_link.device_name
-                            else None
-                        )
-                try:
-                    machine_id = lnk_file.extradata.TRACKER_PROPS.machine_id.decode(codepage).strip("\x00")
-                except AttributeError:
-                    machine_id = None
-
-                target_mtime = ts.wintimestamp(lnk_file.link_header.write_time)
-                target_atime = ts.wintimestamp(lnk_file.link_header.access_time)
-                target_ctime = ts.wintimestamp(lnk_file.link_header.creation_time)
-
-                yield LnkRecord(
-                    lnk_path=lnk_path,
-                    lnk_name=lnk_name,
-                    lnk_mtime=lnk_mtime,
-                    lnk_atime=lnk_atime,
-                    lnk_ctime=lnk_ctime,
-                    lnk_relativepath=lnk_relativepath,
-                    lnk_workdir=lnk_workdir,
-                    lnk_iconlocation=lnk_iconlocation,
-                    lnk_arguments=lnk_arguments,
-                    local_base_path=local_base_path,
-                    common_path_suffix=common_path_suffix,
-                    lnk_full_path=lnk_full_path,
-                    lnk_net_name=lnk_net_name,
-                    lnk_device_name=lnk_device_name,
-                    machine_id=machine_id,
-                    target_mtime=target_mtime,
-                    target_atime=target_atime,
-                    target_ctime=target_ctime,
-                    _target=self.target,
-                )
+            yield parse_lnk_file(self.target, lnk_file, entry)
 
     def lnk_entries(self, path: Optional[str] = None) -> Iterator[TargetPath]:
         if path:

{dissect.target-3.19.dev41.dist-info → dissect.target-3.19.dev42.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: dissect.target
-Version: 3.19.dev41
+Version: 3.19.dev42
 Summary: This module ties all other Dissect modules together, it provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets)
 Author-email: Dissect Team <dissect@fox-it.com>
 License: Affero General Public License v3
@@ -72,6 +72,7 @@ Requires-Dist: dissect.extfs <4,>=3 ; extra == 'full'
 Requires-Dist: dissect.fat <4,>=3 ; extra == 'full'
 Requires-Dist: dissect.ffs <4,>=3 ; extra == 'full'
 Requires-Dist: dissect.jffs <2,>=1 ; extra == 'full'
+Requires-Dist: dissect.ole <4,>=3 ; extra == 'full'
 Requires-Dist: dissect.shellitem <4,>=3 ; extra == 'full'
 Requires-Dist: dissect.squashfs <2,>=1 ; extra == 'full'
 Requires-Dist: dissect.sql <4,>=3 ; extra == 'full'

{dissect.target-3.19.dev41.dist-info → dissect.target-3.19.dev42.dist-info}/RECORD

@@ -64,9 +64,10 @@ dissect/target/helpers/protobuf.py,sha256=b4DsnqrRLrefcDjx7rQno-_LBcwtJXxuKf5RdO
 dissect/target/helpers/record.py,sha256=zwqEnFSgxgX6JdhhF4zycMMZK09crCTWWEFzRxZSuC8,5658
 dissect/target/helpers/record_modifier.py,sha256=3I_rC5jqvl0TsW3V8OQ6Dltz_D8J4PU1uhhzbJGKm9c,3245
 dissect/target/helpers/regutil.py,sha256=kX-sSZbW8Qkg29Dn_9zYbaQrwLumrr4Y8zJ1EhHXIAM,27337
+dissect/target/helpers/shell_application_ids.py,sha256=hYxrP-YtHK7ZM0ectJFHfoMB8QUXLbYNKmKXMWLZRlA,38132
 dissect/target/helpers/shell_folder_ids.py,sha256=Behhb8oh0kMxrEk6YYKYigCDZe8Hw5QS6iK_d2hTs2Y,24978
 dissect/target/helpers/targetd.py,sha256=ELhUulzQ4OgXgHsWhsLgM14vut8Wm6btr7qTynlwKaE,1812
-dissect/target/helpers/utils.py,sha256=r36Bn0UL0E6Z8ajmQrHzC6RyUxTRdwJ1PNsd904Lmzs,4027
+dissect/target/helpers/utils.py,sha256=K3xVq9D0FwIhTBAuiWN8ph7Pq2GABgG3hOz-3AmKuEA,4244
 dissect/target/helpers/compat/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/helpers/compat/path_310.py,sha256=PsLDIodlp3Hv5u-w7GDl6_LnTtchBYcRjz2MicX1egg,16982
 dissect/target/helpers/compat/path_311.py,sha256=2aydxCMWu1pN8PTBCo8HUbHRMC1xO-hj013j4QxaogE,18182
@@ -262,7 +263,7 @@ dissect/target/plugins/os/windows/_os.py,sha256=uBa0dVkFxDsxHAU3T23UEIOCgAx5R6cI
 dissect/target/plugins/os/windows/activitiescache.py,sha256=Q2aILnhJ2rp2AwEbWwyBuSLjMbGqaYJTsavSbfkcFKE,6741
 dissect/target/plugins/os/windows/adpolicy.py,sha256=fULRFO_I_QxAn6G9SCwlLL-TLVliS13JEGnGotf7lSA,6983
 dissect/target/plugins/os/windows/amcache.py,sha256=ZZNOs3bILTf0AGkDkhoatndl0j39DXkstN7oOyxJECU,27188
-dissect/target/plugins/os/windows/catroot.py,sha256=wHW_p4M0aFonZJ2xZFIbgLbJopdCIXO9jVrGPHLsMLc,11105
+dissect/target/plugins/os/windows/catroot.py,sha256=QVwMF5nuMzCkWnoOMs5BkwYoKN61HKmlxo8mKMoD3w8,10937
 dissect/target/plugins/os/windows/cim.py,sha256=jsrpu6TZpBUh7VWI9AV2Ib5bebTwsvqOwRfa5gjJd7c,3056
 dissect/target/plugins/os/windows/clfs.py,sha256=begVsZ-CY97Ksh6S1g03LjyBgu8ERY2hfNDWYPj0GXI,4872
 dissect/target/plugins/os/windows/credhist.py,sha256=YSjuyd53Augdy_lKKzZHtx5Ozt0HzF6LDYIOb-8P1Pw,7058
@@ -270,7 +271,8 @@ dissect/target/plugins/os/windows/datetime.py,sha256=YKHUZU6lkKJocq15y0yCwvIIOb1
 dissect/target/plugins/os/windows/defender.py,sha256=zh3brEvJmknD5ef0PGuLZ1G95Fgdh-dlgi-ZEbADKXo,32716
 dissect/target/plugins/os/windows/env.py,sha256=-u9F9xWy6PUbQmu5Tv_MDoVmy6YB-7CbHokIK_T3S44,13891
 dissect/target/plugins/os/windows/generic.py,sha256=BSvDPfB9faU0uquMj0guw5tnR_97Nn0XAEE4k05BFSQ,22273
-dissect/target/plugins/os/windows/lnk.py,sha256=2zpzpPbxL1qrxdbiZfhOGWKNujcj9tMy75_KrBXB1QE,8485
+dissect/target/plugins/os/windows/jumplist.py,sha256=3gZk6O1B3lKK2Jxe0B-HapOCEehk94CYNvCVDpQC9nQ,11773
+dissect/target/plugins/os/windows/lnk.py,sha256=toEZV00CESLUsF7UmN65-ivWk0Ijg-ZPST0qyD-antY,7860
 dissect/target/plugins/os/windows/locale.py,sha256=yXVdclpUqss9h8Nq7N4kg3OHwWGDfjdfiLiUZR3wqv8,2324
 dissect/target/plugins/os/windows/notifications.py,sha256=T1CIvQgpW__qDR0Rq5zpeWmRWwjNDpvdMnvJJ_6tZXs,17378
 dissect/target/plugins/os/windows/prefetch.py,sha256=v4OgSKMwcihz0SOuA0o0Ec8wsAKuiuEmJolqZmHFgJA,10491
@@ -350,10 +352,10 @@ dissect/target/volumes/luks.py,sha256=OmCMsw6rCUXG1_plnLVLTpsvE1n_6WtoRUGQbpmu1z
 dissect/target/volumes/lvm.py,sha256=wwQVR9I3G9YzmY6UxFsH2Y4MXGBcKL9aayWGCDTiWMU,2269
 dissect/target/volumes/md.py,sha256=7ShPtusuLGaIv27SvEETtgsuoQyAa4iAAeOR1NEaajI,1689
 dissect/target/volumes/vmfs.py,sha256=-LoUbn9WNwTtLi_4K34uV_-wDw2W5hgaqxZNj4UmqAQ,1730
-dissect.target-3.19.dev41.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
-dissect.target-3.19.dev41.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
-dissect.target-3.19.dev41.dist-info/METADATA,sha256=6k7QjO0aOrwuszOsHAU-DZhDHHRAq_EhsQloJ_AdgMY,12845
-dissect.target-3.19.dev41.dist-info/WHEEL,sha256=HiCZjzuy6Dw0hdX5R3LCFPDmFS4BWl8H-8W39XfmgX4,91
-dissect.target-3.19.dev41.dist-info/entry_points.txt,sha256=BWuxAb_6AvUAQpIQOQU0IMTlaF6TDht2AIZK8bHd-zE,492
-dissect.target-3.19.dev41.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
-dissect.target-3.19.dev41.dist-info/RECORD,,
+dissect.target-3.19.dev42.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
+dissect.target-3.19.dev42.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
+dissect.target-3.19.dev42.dist-info/METADATA,sha256=XF7DS_1vdvBgQLUXWDQ8JfwXd5FAffF06CNgi2LA0DM,12897
+dissect.target-3.19.dev42.dist-info/WHEEL,sha256=HiCZjzuy6Dw0hdX5R3LCFPDmFS4BWl8H-8W39XfmgX4,91
+dissect.target-3.19.dev42.dist-info/entry_points.txt,sha256=BWuxAb_6AvUAQpIQOQU0IMTlaF6TDht2AIZK8bHd-zE,492
+dissect.target-3.19.dev42.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
+dissect.target-3.19.dev42.dist-info/RECORD,,