dissect.target 3.19.dev57__py3-none-any.whl → 3.20__py3-none-any.whl

dissect/target/plugins/os/windows/regf/shimcache.py

@@ -108,7 +108,7 @@ MAGIC_WIN10 = 0x73743031
 
 
 class SHIMCACHE_WIN_TYPE(IntEnum):
-    """Specific shimcache versions"""
+    """Shimcache version mapping."""
 
     VERSION_WIN10_CREATORS = 0x1001
     VERSION_WIN10 = 0x1000

dissect/target/plugins/os/windows/regf/usb.py

@@ -54,7 +54,8 @@ class UsbPlugin(Plugin):
 
     To get a full picture of the USB history on a Windows machine, you should parse the
     relevant EventIDs using the evtx plugin. For more research on event log USB forensics, see:
-        - https://www.researchgate.net/publication/318514858
+
+        - https://www.researchgate.net/publication/318514858_USB_Storage_Device_Forensics_for_Windows_10
         - https://dfir.pubpub.org/pub/h78di10n/release/2
         - https://www.senturean.com/posts/19_08_03_usb_storage_forensics_1/#1-system-events
 

dissect/target/plugins/os/windows/regf/userassist.py

@@ -1,4 +1,5 @@
 import codecs
+from typing import Iterator
 
 from dissect.cstruct import cstruct
 from dissect.util.ts import wintimestamp
@@ -60,7 +61,7 @@ class UserAssistPlugin(Plugin):
             raise UnsupportedPluginError("No UserAssist key found")
 
     @export(record=UserAssistRecord)
-    def userassist(self):
+    def userassist(self) -> Iterator[UserAssistRecord]:
         """Return the UserAssist information for each user.
 
         The UserAssist registry keys contain information about programs that were recently executed on the system.

dissect/target/plugins/os/windows/registry.py

@@ -68,6 +68,10 @@ class RegistryPlugin(Plugin):
         "COMPONENTS",
         "DEFAULT",
         "ELAM",
+        "USER.DAT",  # Win 95/98/ME
+        "SYSTEM.DAT",  # Win 95/98/ME
+        "CLASSES.DAT",  # Win ME
+        "REG.DAT",  # Win 3.1
     ]
 
     def __init__(self, target: Target) -> None:
@@ -88,7 +92,14 @@ class RegistryPlugin(Plugin):
 
     def _init_registry(self) -> None:
         dirs = [
+            # Windows XP or newer
             ("sysvol/windows/system32/config", False),
+            # Windows NT3, NT4, 2k
+            ("sysvol/WINNT/system32/config", False),
+            # Windows 3.11, 95, 98, ME
+            ("sysvol/windows", False),
+            # ReactOS (alternative location)
+            ("sysvol/reactos", False),
             # RegBack hives are often empty files
             ("sysvol/windows/system32/config/RegBack", True),
         ]

dissect/target/plugins/os/windows/services.py

@@ -1,4 +1,5 @@
 import re
+from typing import Iterator
 
 from dissect.target.exceptions import (
     RegistryError,
@@ -62,8 +63,8 @@ class ServicesPlugin(Plugin):
             raise UnsupportedPluginError("No services found in the registry")
 
     @export(record=ServiceRecord)
-    def services(self):
-        """Return information about all installed services.
+    def services(self) -> Iterator[ServiceRecord]:
+        """Return information about all installed Windows services.
 
         The HKLM\\SYSTEM\\CurrentControlSet\\Services registry key contains information about the installed services and
         drivers on the system.

dissect/target/plugins/os/windows/startupinfo.py

@@ -1,4 +1,7 @@
+from __future__ import annotations
+
 import datetime
+from typing import Iterator
 
 from defusedxml import ElementTree
 
@@ -34,7 +37,7 @@ StartupInfoRecord = TargetRecordDescriptor(
 )
 
 
-def parse_ts(time_string):
+def parse_ts(time_string: str) -> datetime.datetime | None:
     if not time_string:
         return None
 
@@ -42,6 +45,8 @@ def parse_ts(time_string):
 
 
 class StartupInfoPlugin(Plugin):
+    """Windows startup info plugin."""
+
     def __init__(self, target):
         super().__init__(target)
         self._files = []
@@ -55,7 +60,7 @@ class StartupInfoPlugin(Plugin):
             raise UnsupportedPluginError("No StartupInfo files found")
 
     @export(record=StartupInfoRecord)
-    def startupinfo(self):
+    def startupinfo(self) -> Iterator[StartupInfoRecord]:
         """Return the contents of StartupInfo files.
 
         On a Windows system, the StartupInfo log files contain information about process execution for the first 90

dissect/target/plugins/os/windows/syscache.py

@@ -1,3 +1,5 @@
+from typing import Iterator
+
 from dissect.ntfs import ntfs
 
 from dissect.target.exceptions import RegistryValueNotFoundError, UnsupportedPluginError
@@ -41,7 +43,7 @@ class SyscachePlugin(Plugin):
             raise UnsupportedPluginError("Could not load Syscache.hve")
 
     @export(record=SyscacheRecord)
-    def syscache(self):
+    def syscache(self) -> Iterator[SyscacheRecord]:
         """Parse the objects in the ObjectTable from the Syscache.hve file."""
 
         # Try to get the system volume
@@ -75,7 +77,8 @@ class SyscachePlugin(Plugin):
                 full_path = None
                 if mft:
                     try:
-                        full_path = self.target.fs.path("\\".join(["sysvol", mft.mft(file_segment).fullpath()]))
+                        if path := mft(file_segment).full_path():
+                            full_path = self.target.fs.path("\\".join(["sysvol", path]))
                     except ntfs.Error:
                         pass
 

dissect/target/plugins/os/windows/tasks.py

@@ -125,7 +125,7 @@ class TasksPlugin(Plugin):
         intervals. An adversary may leverage such scheduled tasks to gain persistence on a system.
 
         References:
-            https://en.wikipedia.org/wiki/Windows_Task_Scheduler
+            - https://en.wikipedia.org/wiki/Windows_Task_Scheduler
 
         Yields:
             The scheduled tasks found on the target.

dissect/target/plugins/os/windows/thumbcache.py

@@ -1,5 +1,7 @@
+from __future__ import annotations
+
 from pathlib import Path
-from typing import Iterator, Optional, Union
+from typing import Iterator
 
 from dissect.thumbcache import Error, Thumbcache
 from dissect.thumbcache.tools.extract_with_index import dump_entry_data_through_index
@@ -33,6 +35,8 @@ IconcacheRecord = TargetRecordDescriptor("windows/thumbcache/iconcache", GENERIC
 
 
 class ThumbcachePlugin(Plugin):
+    """Windows thumbcache plugin."""
+
     __namespace__ = "thumbcache"
 
     def get_cache_paths(self) -> Iterator[TargetPath]:
@@ -71,8 +75,8 @@ class ThumbcachePlugin(Plugin):
         self,
         record_type: TargetRecordDescriptor,
         prefix: str,
-        output_dir: Optional[Path],
-    ) -> Iterator[Union[ThumbcacheRecord, IconcacheRecord, IndexRecord]]:
+        output_dir: Path | None,
+    ) -> Iterator[ThumbcacheRecord | IconcacheRecord | IndexRecord]:
         for cache_path in self.get_cache_paths():
             try:
                 if output_dir:
@@ -91,10 +95,12 @@ class ThumbcachePlugin(Plugin):
 
     @arg("--output", "-o", dest="output_dir", type=Path, help="Path to extract thumbcache thumbnails to.")
     @export(record=[ThumbcacheRecord, IndexRecord])
-    def thumbcache(self, output_dir: Optional[Path] = None) -> Iterator[Union[ThumbcacheRecord, IndexRecord]]:
+    def thumbcache(self, output_dir: Path | None = None) -> Iterator[ThumbcacheRecord | IndexRecord]:
+        """Yield thumbcache thumbnails."""
         yield from self._parse_thumbcache(ThumbcacheRecord, "thumbcache", output_dir)
 
     @arg("--output", "-o", dest="output_dir", type=Path, help="Path to extract iconcache thumbnails to.")
     @export(record=[IconcacheRecord, IndexRecord])
-    def iconcache(self, output_dir: Optional[Path] = None) -> Iterator[Union[IconcacheRecord, IndexRecord]]:
+    def iconcache(self, output_dir: Path | None = None) -> Iterator[IconcacheRecord | IndexRecord]:
+        """Yield iconcache thumbnails."""
         yield from self._parse_thumbcache(IconcacheRecord, "iconcache", output_dir)

dissect/target/plugins/os/windows/ual.py

@@ -1,3 +1,6 @@
+from pathlib import Path
+from typing import Any, Iterator
+
 from dissect.esedb.exceptions import Error
 from dissect.esedb.tools import ual
 
@@ -165,14 +168,14 @@ class UalPlugin(Plugin):
         if not any([path.exists() for path in self.mdb_paths]):
             raise UnsupportedPluginError("No MDB files found")
 
-    def find_mdb_files(self):
+    def find_mdb_files(self) -> list[Path]:
         return [
             path
             for path in self.target.fs.path("/").glob(self.LOG_DB_GLOB)
             if path.exists() and path.name != self.IDENTITY_DB_FILENAME
         ]
 
-    def populate_role_guid_map(self):
+    def populate_role_guid_map(self) -> None:
         identity_db = self.target.fs.path(self.IDENTITY_DB_PATH)
         if not identity_db.exists():
             return
@@ -192,13 +195,13 @@ class UalPlugin(Plugin):
                 "role_name": record.get("RoleName"),
             }
 
-    def read_table_records(self, table_name):
+    def read_table_records(self, table_name: str) -> Iterator[tuple[Path, dict[str, Any]]]:
         for mdb_path in self.mdb_paths:
             fh = mdb_path.open()
             try:
                 parser = ual.UAL(fh)
             except Error as e:
-                self.target.log.warning(f"Error opening {mdb_path} database", exc_info=e)
+                self.target.log.warning("Error opening database: %s", mdb_path, exc_info=e)
                 continue
 
             for table_record in parser.get_table_records(table_name):
@@ -206,7 +209,7 @@ class UalPlugin(Plugin):
                 yield mdb_path, values
 
     @export(record=ClientAccessRecord)
-    def client_access(self):
+    def client_access(self) -> Iterator[ClientAccessRecord]:
         """Return client access data within the User Access Logs."""
         for path, client_record in self.read_table_records("CLIENTS"):
             common_values = {k: v for k, v in client_record.items() if k != "activity_counts"}
@@ -224,7 +227,7 @@ class UalPlugin(Plugin):
                 )
 
     @export(record=RoleAccessRecord)
-    def role_access(self):
+    def role_access(self) -> Iterator[RoleAccessRecord]:
         """Return role access data within the User Access Logs."""
         for path, record in self.read_table_records("ROLE_ACCESS"):
             role_guid_data = self.role_guid_map.get(record.get("role_guid"), {})
@@ -237,19 +240,19 @@ class UalPlugin(Plugin):
             )
 
     @export(record=VirtualMachineRecord)
-    def virtual_machines(self):
+    def virtual_machines(self) -> Iterator[VirtualMachineRecord]:
         """Return virtual machine data within the User Access Logs."""
         for path, record in self.read_table_records("VIRTUALMACHINES"):
             yield VirtualMachineRecord(path=path, _target=self.target, **record)
 
     @export(record=DomainSeenRecord)
-    def domains_seen(self):
+    def domains_seen(self) -> Iterator[DomainSeenRecord]:
         """Return DNS data within the User Access Logs."""
         for path, record in self.read_table_records("DNS"):
             yield DomainSeenRecord(path=path, _target=self.target, **record)
 
     @export(record=SystemIdentityRecord)
-    def system_identities(self):
+    def system_identities(self) -> Iterator[SystemIdentityRecord]:
         """Return system identity data within the User Access Logs."""
         if not self.identity_db_parser:
             return

dissect/target/plugins/os/windows/wer.py

@@ -4,6 +4,7 @@ from typing import Iterator
 
 from defusedxml import ElementTree
 from dissect.util.ts import wintimestamp
+from flow.record.base import is_valid_field_name
 
 from dissect.target.exceptions import UnsupportedPluginError
 from dissect.target.helpers.fsutil import Path
@@ -11,7 +12,9 @@ from dissect.target.helpers.record import DynamicDescriptor, TargetRecordDescrip
 from dissect.target.plugin import Plugin, export
 from dissect.target.target import Target
 
-camel_case_patterns = [re.compile(r"(\S)([A-Z][a-z]+)"), re.compile(r"([a-z0-9])([A-Z])"), re.compile(r"(\w)[.\s](\w)")]
+CAMEL_CASE_PATTERNS = [re.compile(r"(\S)([A-Z][a-z]+)"), re.compile(r"([a-z0-9])([A-Z])"), re.compile(r"(\w)[.\s](\w)")]
+RE_VALID_KEY_START_CHARS = re.compile(r"[a-zA-Z]")
+RE_VALID_KEY_CHARS = re.compile(r"[a-zA-Z0-9_]")
 
 
 def _create_record_descriptor(record_name: str, record_fields: list[tuple[str, str]]) -> TargetRecordDescriptor:
@@ -49,13 +52,25 @@ class WindowsErrorReportingPlugin(Plugin):
 
     def _sanitize_key(self, key: str) -> str:
         # Convert camel case to snake case
-        for pattern in camel_case_patterns:
+        for pattern in CAMEL_CASE_PATTERNS:
             key = pattern.sub(r"\1_\2", key)
 
-        # Keep only basic characters in key
-        key = re.sub(r"[^a-zA-Z0-9_]", "", key)
-
-        return key.lower()
+        clean_key = ""
+        separator = "_"
+        prev_encoded = False
+        for idx, char in enumerate(key):
+            if prev_encoded:
+                clean_key += separator
+            clean_key += char
+            if not is_valid_field_name(clean_key):
+                clean_key = clean_key[:-1]
+                prefix = f"{separator}x" if (idx != 0 and not prev_encoded) else "x"
+                clean_key += prefix + char.encode("utf-8").hex()
+                prev_encoded = True
+            else:
+                prev_encoded = False
+
+        return clean_key.lower()
 
     def _collect_wer_data(self, wer_file: Path) -> tuple[list[tuple[str, str]], dict[str, str]]:
         """Parse data from a .wer file."""

dissect/target/plugins/os/windows/wua_history.py

@@ -994,7 +994,6 @@ class WuaHistoryPlugin(Plugin):
             - https://learn.microsoft.com/en-us/windows/deployment/update/windows-update-error-reference
             - https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/common-windows-update-errors
             - https://learn.microsoft.com/en-us/troubleshoot/windows-client/installing-updates-features-roles/common-windows-update-errors?context=%2Fwindows%2Fdeployment%2Fcontext%2Fcontext
-
             - https://github.com/libyal/esedb-kb/blob/main/documentation/Windows%20Update.asciidoc
             - https://www.nirsoft.net/articles/extract-windows-updates-list-external-drive.html
 

dissect/target/target.py

@@ -19,6 +19,7 @@ from dissect.target.exceptions import (
     VolumeSystemError,
 )
 from dissect.target.helpers import config
+from dissect.target.helpers.fsutil import TargetPath
 from dissect.target.helpers.loaderutil import extract_path_info
 from dissect.target.helpers.record import ChildTargetRecord
 from dissect.target.helpers.utils import StrEnum, parse_path_uri, slugify
@@ -86,8 +87,13 @@ class Target:
         self._errors = []
         self._applied = False
 
+        # We do not want to look for config files at the Target path if it is actually a child Target.
+        config_paths = [Path.cwd(), Path.home()]
+        if not isinstance(path, TargetPath):
+            config_paths = [self.path] + config_paths
+
         try:
-            self._config = config.load([self.path, Path.cwd(), Path.home()])
+            self._config = config.load(config_paths)
         except Exception as e:
             self.log.warning("Error loading config file: %s", self.path)
             self.log.debug("", exc_info=e)
@@ -230,7 +236,7 @@ class Target:
             try:
                 loader_instance = loader_cls(path, parsed_path=parsed_path)
             except Exception as e:
-                raise TargetError(f"Failed to initiate {loader_cls.__name__} for target {path}: {e}", cause=e)
+                raise TargetError(f"Failed to initiate {loader_cls.__name__} for target {path}: {e}") from e
             return cls._load(path, loader_instance)
         return cls.open_raw(path)
 
@@ -422,7 +428,7 @@ class Target:
             target.apply()
             return target
         except Exception as e:
-            raise TargetError(f"Failed to load target: {path}", cause=e)
+            raise TargetError(f"Failed to load target: {path}") from e
 
     def _init_os(self) -> None:
         """Internal function that attemps to load an OSPlugin for this target."""
@@ -535,7 +541,7 @@ class Target:
             except PluginError:
                 raise
             except Exception as e:
-                raise PluginError(f"An exception occurred while trying to initialize a plugin: {plugin_cls}", cause=e)
+                raise PluginError(f"An exception occurred while trying to initialize a plugin: {plugin_cls}") from e
         else:
             p = plugin_cls
 
@@ -550,8 +556,8 @@ class Target:
                 raise
             except Exception as e:
                 raise UnsupportedPluginError(
-                    f"An exception occurred while checking for plugin compatibility: {plugin_cls}", cause=e
-                )
+                    f"An exception occurred while checking for plugin compatibility: {plugin_cls}"
+                ) from e
 
         self._register_plugin_functions(p)
 
@@ -608,9 +614,8 @@ class Target:
                     # Just take the last known cause for now
                     raise UnsupportedPluginError(
                         f"Unsupported function `{function}` for target with OS plugin {self._os_plugin}",
-                        cause=causes[0] if causes else None,
                         extra=causes[1:] if len(causes) > 1 else None,
-                    )
+                    ) from causes[0] if causes else None
 
         # We still ended up with no compatible plugins
         if function not in self._functions:

dissect/target/tools/dump/utils.py

@@ -38,6 +38,8 @@ log = structlog.get_logger(__name__)
 
 
 class Compression(enum.Enum):
+    """Supported compression types."""
+
     BZIP2 = "bzip2"
     GZIP = "gzip"
     LZ4 = "lz4"
@@ -46,6 +48,8 @@ class Compression(enum.Enum):
 
 
 class Serialization(enum.Enum):
+    """Supported serialization methods."""
+
     JSONLINES = "jsonlines"
     MSGPACK = "msgpack"
 

dissect/target/tools/fsutils.py

@@ -207,7 +207,7 @@ def print_stat(path: fsutil.TargetPath, stdout: TextIO, dereference: bool = Fals
         filetype=filetype(path),
         device="?",
         inode=s.st_ino,
-        blocks=s.st_blocks or "?",
+        blocks=s.st_blocks if s.st_blocks is not None else "?",
         blksize=s.st_blksize or "?",
         nlink=s.st_nlink,
         modeord=oct(stat.S_IMODE(s.st_mode)),

dissect/target/tools/info.py

@@ -137,7 +137,7 @@ def print_target_info(target: Target) -> None:
             continue
 
         if isinstance(value, list):
-            value = ", ".join(value)
+            value = ", ".join(map(str, value))
 
         if isinstance(value, datetime):
             value = value.isoformat(timespec="microseconds")

dissect/target/tools/mount.py

@@ -99,14 +99,24 @@ def main():
     options = parse_options_string(args.options) if args.options else {}
 
     options["nothreads"] = True
-    options["allow_other"] = True
     options["ro"] = True
-
-    print(f"Mounting to {args.mount} with options: {_format_options(options)}")
+    # Check if the allow other option is either not set (None) or set to True with -o allow_other=True
+    if (allow_other := options.get("allow_other")) is None or str(allow_other).lower() == "true":
+        options["allow_other"] = True
+        # If allow_other was not set, warn the user that it will be set by default
+        if allow_other is None:
+            log.warning("Using option 'allow_other' by default, please use '-o allow_other=False' to unset")
+    # Let the user be able to unset the allow_other option by supplying -o allow_other=False
+    elif str(allow_other).lower() == "false":
+        options["allow_other"] = False
+
+    log.info("Mounting to %s with options: %s", args.mount, _format_options(options))
     try:
         FUSE(DissectMount(vfs), args.mount, **options)
-    except RuntimeError:
-        parser.exit("FUSE error")
+    except RuntimeError as e:
+        log.error("Mounting target %s failed", t)
+        log.debug("", exc_info=e)
+        parser.exit(1)
 
 
 def _format_options(options: dict[str, Union[str, bool]]) -> str:

dissect/target/tools/query.py

@@ -18,7 +18,6 @@ from dissect.target.exceptions import (
     UnsupportedPluginError,
 )
 from dissect.target.helpers import cache, record_modifier
-from dissect.target.loaders.targetd import ProxyLoader
 from dissect.target.plugin import PLUGINS, OSPlugin, Plugin, find_plugin_functions
 from dissect.target.report import ExecutionReport
 from dissect.target.tools.utils import (
@@ -170,33 +169,40 @@ def main():
     # Show the list of available plugins for the given optional target and optional
     # search pattern, only display plugins that can be applied to ANY targets
     if args.list:
-        collected_plugins = {}
+        collected_plugins = []
 
         if targets:
             for plugin_target in Target.open_all(targets, args.children):
-                if isinstance(plugin_target._loader, ProxyLoader):
-                    parser.error("can't list compatible plugins for remote targets.")
                 funcs, _ = find_plugin_functions(plugin_target, args.list, compatibility=True, show_hidden=True)
                 for func in funcs:
-                    collected_plugins[func.path] = func.plugin_desc
+                    collected_plugins.append(func)
         else:
             funcs, _ = find_plugin_functions(Target(), args.list, compatibility=False, show_hidden=True)
             for func in funcs:
-                collected_plugins[func.path] = func.plugin_desc
+                collected_plugins.append(func)
 
-        # Display in a user friendly manner
         target = Target()
         fparser = generate_argparse_for_bound_method(target.plugins, usage_tmpl=USAGE_FORMAT_TMPL)
         fargs, rest = fparser.parse_known_args(rest)
 
+        # Display in a user friendly manner
         if collected_plugins:
-            target.plugins(list(collected_plugins.values()))
+            if args.json:
+                print('{"plugins": ', end="")
+            target.plugins(collected_plugins, as_json=args.json)
 
         # No real targets specified, show the available loaders
         if not targets:
             fparser = generate_argparse_for_bound_method(target.loaders, usage_tmpl=USAGE_FORMAT_TMPL)
             fargs, rest = fparser.parse_known_args(rest)
-            target.loaders(**vars(fargs))
+            del fargs.as_json
+            if args.json:
+                print(', "loaders": ', end="")
+            target.loaders(**vars(fargs), as_json=args.json)
+
+        if args.json:
+            print("}")
+
         parser.exit()
 
     if not targets: