dissect.target 3.19.dev58__py3-none-any.whl → 3.20__py3-none-any.whl

dissect/target/plugins/os/unix/log/utmp.py

@@ -1,17 +1,17 @@
-import gzip
+from __future__ import annotations
+
 import ipaddress
 import struct
 from collections import namedtuple
 from typing import Iterator
 
 from dissect.cstruct import cstruct
-from dissect.util.stream import BufferedStream
 from dissect.util.ts import from_unix
 
 from dissect.target.exceptions import UnsupportedPluginError
-from dissect.target.helpers.fsutil import TargetPath
+from dissect.target.helpers.fsutil import TargetPath, open_decompress
 from dissect.target.helpers.record import TargetRecordDescriptor
-from dissect.target.plugin import OperatingSystem, Plugin, export
+from dissect.target.plugin import Plugin, alias, export
 from dissect.target.target import Target
 
 UTMP_FIELDS = [
@@ -27,16 +27,12 @@ UTMP_FIELDS = [
 
 BtmpRecord = TargetRecordDescriptor(
     "linux/log/btmp",
-    [
-        *UTMP_FIELDS,
-    ],
+    UTMP_FIELDS,
 )
 
 WtmpRecord = TargetRecordDescriptor(
     "linux/log/wtmp",
-    [
-        *UTMP_FIELDS,
-    ],
+    UTMP_FIELDS,
 )
 
 utmp_def = """
@@ -104,24 +100,13 @@ UTMP_ENTRY = namedtuple(
 class UtmpFile:
     """utmp maintains a full accounting of the current status of the system"""
 
-    def __init__(self, target: Target, path: TargetPath):
-        self.fh = target.fs.path(path).open()
-
-        if "gz" in path:
-            self.compressed = True
-        else:
-            self.compressed = False
+    def __init__(self, path: TargetPath):
+        self.fh = open_decompress(path, "rb")
 
     def __iter__(self):
-        if self.compressed:
-            gzip_entry = BufferedStream(gzip.open(self.fh, mode="rb"))
-            byte_stream = gzip_entry
-        else:
-            byte_stream = self.fh
-
         while True:
             try:
-                entry = c_utmp.entry(byte_stream)
+                entry = c_utmp.entry(self.fh)
 
                 r_type = ""
                 if entry.ut_type in c_utmp.Type:
@@ -151,7 +136,7 @@ class UtmpFile:
                             # ut_addr_v6 is parsed as IPv4 address. This could not lead to incorrect results.
                             ut_addr = ipaddress.ip_address(struct.pack("<i", entry.ut_addr_v6[0]))
 
-                utmp_entry = UTMP_ENTRY(
+                yield UTMP_ENTRY(
                     ts=from_unix(entry.ut_tv.tv_sec),
                     ut_type=r_type,
                     ut_pid=entry.ut_pid,
@@ -162,25 +147,37 @@ class UtmpFile:
                     ut_addr=ut_addr,
                 )
 
-                yield utmp_entry
             except EOFError:
                 break
 
 
 class UtmpPlugin(Plugin):
-    WTMP_GLOB = "/var/log/wtmp*"
-    BTMP_GLOB = "/var/log/btmp*"
+    """Unix utmp log plugin."""
+
+    def __init__(self, target: Target):
+        super().__init__(target)
+        self.btmp_paths = list(self.target.fs.path("/").glob("var/log/btmp*"))
+        self.wtmp_paths = list(self.target.fs.path("/").glob("var/log/wtmp*"))
+        self.utmp_paths = list(self.target.fs.path("/").glob("var/run/utmp*"))
 
     def check_compatible(self) -> None:
-        if not self.target.os == OperatingSystem.LINUX and not any(
-            [
-                list(self.target.fs.glob(self.BTMP_GLOB)),
-                list(self.target.fs.glob(self.WTMP_GLOB)),
-            ]
-        ):
-            raise UnsupportedPluginError("No WTMP or BTMP log files found")
-
-    @export(record=[BtmpRecord])
+        if not any(self.btmp_paths + self.wtmp_paths + self.utmp_paths):
+            raise UnsupportedPluginError("No wtmp and/or btmp log files found")
+
+    def _build_record(self, record: TargetRecordDescriptor, entry: UTMP_ENTRY) -> Iterator[BtmpRecord | WtmpRecord]:
+        return record(
+            ts=entry.ts,
+            ut_type=entry.ut_type,
+            ut_pid=entry.ut_pid,
+            ut_user=entry.ut_user,
+            ut_line=entry.ut_line,
+            ut_id=entry.ut_id,
+            ut_host=entry.ut_host,
+            ut_addr=entry.ut_addr,
+            _target=self.target,
+        )
+
+    @export(record=BtmpRecord)
     def btmp(self) -> Iterator[BtmpRecord]:
         """Return failed login attempts stored in the btmp file.
 
@@ -190,26 +187,18 @@ class UtmpPlugin(Plugin):
             - https://en.wikipedia.org/wiki/Utmp
             - https://www.thegeekdiary.com/what-is-the-purpose-of-utmp-wtmp-and-btmp-files-in-linux/
         """
-        btmp_paths = self.target.fs.glob(self.BTMP_GLOB)
-        for btmp_path in btmp_paths:
-            btmp = UtmpFile(self.target, btmp_path)
-
-            for entry in btmp:
-                yield BtmpRecord(
-                    ts=entry.ts,
-                    ut_type=entry.ut_type,
-                    ut_pid=entry.ut_pid,
-                    ut_user=entry.ut_user,
-                    ut_line=entry.ut_line,
-                    ut_id=entry.ut_id,
-                    ut_host=entry.ut_host,
-                    ut_addr=entry.ut_addr,
-                    _target=self.target,
-                )
+        for path in self.btmp_paths:
+            if not path.is_file():
+                self.target.log.warning("Unable to parse btmp file: %s is not a file", path)
+                continue
 
-    @export(record=[WtmpRecord])
+            for entry in UtmpFile(path):
+                yield self._build_record(BtmpRecord, entry)
+
+    @alias("utmp")
+    @export(record=WtmpRecord)
     def wtmp(self) -> Iterator[WtmpRecord]:
-        """Return the content of the wtmp log files.
+        """Yield contents of wtmp log files.
 
         The wtmp file contains the historical data of the utmp file. The utmp file contains information about users
         logins at which terminals, logouts, system events and current status of the system, system boot time
@@ -218,19 +207,11 @@ class UtmpPlugin(Plugin):
         References:
             - https://www.thegeekdiary.com/what-is-the-purpose-of-utmp-wtmp-and-btmp-files-in-linux/
         """
-        wtmp_paths = self.target.fs.glob(self.WTMP_GLOB)
-        for wtmp_path in wtmp_paths:
-            wtmp = UtmpFile(self.target, wtmp_path)
-
-            for entry in wtmp:
-                yield WtmpRecord(
-                    ts=entry.ts,
-                    ut_type=entry.ut_type,
-                    ut_pid=entry.ut_pid,
-                    ut_user=entry.ut_user,
-                    ut_line=entry.ut_line,
-                    ut_id=entry.ut_id,
-                    ut_host=entry.ut_host,
-                    ut_addr=entry.ut_addr,
-                    _target=self.target,
-                )
+
+        for path in self.wtmp_paths + self.utmp_paths:
+            if not path.is_file():
+                self.target.log.warning("Unable to parse wtmp file: %s is not a file", path)
+                continue
+
+            for entry in UtmpFile(path):
+                yield self._build_record(WtmpRecord, entry)

dissect/target/plugins/os/unix/packagemanager.py

@@ -1,15 +1,12 @@
 from __future__ import annotations
 
 from enum import Enum
-from typing import Iterator
 
-from dissect.target import Target
-from dissect.target.exceptions import UnsupportedPluginError
 from dissect.target.helpers.record import TargetRecordDescriptor
-from dissect.target.plugin import Plugin, export
+from dissect.target.plugin import NamespacePlugin
 
 PackageManagerLogRecord = TargetRecordDescriptor(
-    "unix/log/packagemanager",
+    "unix/packagemanager/log",
     [
         ("datetime", "ts"),
         ("string", "package_manager"),
@@ -22,6 +19,8 @@ PackageManagerLogRecord = TargetRecordDescriptor(
 
 
 class OperationTypes(Enum):
+    """Valid operation types."""
+
     Install = "install"
     Update = "update"
     Downgrade = "downgrade"
@@ -45,37 +44,5 @@ class OperationTypes(Enum):
         return OperationTypes.Other
 
 
-class PackageManagerPlugin(Plugin):
+class PackageManagerPlugin(NamespacePlugin):
     __namespace__ = "packagemanager"
-    __findable__ = False
-
-    TOOLS = [
-        "apt",
-        "yum",
-        "zypper",
-    ]
-
-    def __init__(self, target: Target):
-        super().__init__(target)
-        self._plugins = []
-        for entry in self.TOOLS:
-            try:
-                self._plugins.append(getattr(self.target, entry))
-            except Exception:
-                target.log.exception(f"Failed to load tool plugin: {entry}")
-
-    def check_compatible(self) -> None:
-        if not len(self._plugins):
-            raise UnsupportedPluginError("No compatible plugins found")
-
-    def _func(self, f: str) -> Iterator[PackageManagerLogRecord]:
-        for p in self._plugins:
-            try:
-                yield from getattr(p, f)()
-            except Exception:
-                self.target.log.exception("Failed to execute package manager plugin: %s.%s", p._name, f)
-
-    @export(record=PackageManagerLogRecord)
-    def logs(self) -> Iterator[PackageManagerLogRecord]:
-        """Returns logs from all available Unix package managers."""
-        yield from self._func("logs")

dissect/target/plugins/os/unix/shadow.py

@@ -25,6 +25,8 @@ UnixShadowRecord = TargetRecordDescriptor(
 
 
 class ShadowPlugin(Plugin):
+    """Unix shadow passwords plugin."""
+
     def check_compatible(self) -> None:
         if not self.target.fs.path("/etc/shadow").exists():
             raise UnsupportedPluginError("No shadow file found")
@@ -36,7 +38,7 @@ class ShadowPlugin(Plugin):
         """Yield shadow records from /etc/shadow files.
 
         Resources:
-            - https://manpages.ubuntu.com/manpages/oracular/en/man5/passwd.5.html#file:/etc/shadow
+            - https://manpages.ubuntu.com/manpages/oracular/en/man5/passwd.5.html
         """
 
         seen_hashes = set()

dissect/target/plugins/os/unix/trash.py

@@ -0,0 +1,132 @@
+from typing import Iterator
+
+from dissect.target.exceptions import UnsupportedPluginError
+from dissect.target.helpers import configutil
+from dissect.target.helpers.descriptor_extensions import UserRecordDescriptorExtension
+from dissect.target.helpers.fsutil import TargetPath
+from dissect.target.helpers.record import create_extended_descriptor
+from dissect.target.plugin import Plugin, alias, export
+from dissect.target.plugins.general.users import UserDetails
+from dissect.target.target import Target
+
+TrashRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
+    "linux/filesystem/recyclebin",
+    [
+        ("datetime", "ts"),
+        ("path", "path"),
+        ("filesize", "filesize"),
+        ("path", "deleted_path"),
+        ("path", "source"),
+    ],
+)
+
+
+class GnomeTrashPlugin(Plugin):
+    """Linux GNOME Trash plugin."""
+
+    PATHS = [
+        # Default $XDG_DATA_HOME/Trash
+        ".local/share/Trash",
+    ]
+
+    def __init__(self, target: Target):
+        super().__init__(target)
+        self.trashes = list(self._garbage_collector())
+
+    def _garbage_collector(self) -> Iterator[tuple[UserDetails, TargetPath]]:
+        """it aint much, but its honest work"""
+        for user_details in self.target.user_details.all_with_home():
+            for trash_path in self.PATHS:
+                if (path := user_details.home_path.joinpath(trash_path)).exists():
+                    yield user_details, path
+
+    def check_compatible(self) -> None:
+        if not self.trashes:
+            raise UnsupportedPluginError("No Trash folder(s) found")
+
+    @export(record=TrashRecord)
+    @alias(name="recyclebin")
+    def trash(self) -> Iterator[TrashRecord]:
+        """Yield deleted files from GNOME Trash folders.
+
+        Recovers deleted files and artifacts from ``$HOME/.local/share/Trash``.
+        Probably also works with other desktop interfaces as long as they follow the Trash specification from FreeDesktop.
+
+        Currently does not parse media trash locations such as ``/media/$Label/.Trash-1000/*``.
+
+        Resources:
+            - https://specifications.freedesktop.org/trash-spec/latest/
+            - https://github.com/GNOME/glib/blob/main/gio/glocalfile.c
+            - https://specifications.freedesktop.org/basedir-spec/latest/
+
+        Yields ``TrashRecord`` records with the following fields:
+
+        .. code-block:: text
+
+            ts           (datetime): timestamp when the file was deleted or for expunged files when it could not be permanently deleted
+            path         (path):     path where the file was located before it was deleted
+            filesize     (filesize): size in bytes of the deleted file
+            deleted_path (path):     path to the current location of the deleted file
+            source       (path):     path to the .trashinfo file
+        """  # noqa: E501
+
+        for user_details, trash in self.trashes:
+            for trash_info_file in trash.glob("info/*.trashinfo"):
+                trash_info = configutil.parse(trash_info_file, hint="ini").get("Trash Info", {})
+                original_path = self.target.fs.path(trash_info.get("Path", ""))
+
+                # We use the basename of the .trashinfo file and not the Path variable inside the
+                # ini file. This way we can keep duplicate basenames of trashed files separated correctly.
+                deleted_path = trash / "files" / trash_info_file.name.replace(".trashinfo", "")
+
+                if deleted_path.exists():
+                    deleted_files = [deleted_path]
+
+                    if deleted_path.is_dir():
+                        for child in deleted_path.rglob("*"):
+                            deleted_files.append(child)
+
+                    for file in deleted_files:
+                        # NOTE: We currently do not 'fix' the original_path of files inside deleted directories.
+                        # This would require guessing where the parent folder starts, which is impossible without
+                        # making assumptions.
+                        yield TrashRecord(
+                            ts=trash_info.get("DeletionDate", 0),
+                            path=original_path,
+                            filesize=file.lstat().st_size if file.is_file() else None,
+                            deleted_path=file,
+                            source=trash_info_file,
+                            _user=user_details.user,
+                            _target=self.target,
+                        )
+
+                # We cannot determine if the deleted entry is a directory since the path does
+                # not exist at $TRASH/files, so we work with what we have instead.
+                else:
+                    self.target.log.warning(f"Expected trashed file(s) at {deleted_path}")
+                    yield TrashRecord(
+                        ts=trash_info.get("DeletionDate", 0),
+                        path=original_path,
+                        filesize=0,
+                        deleted_path=deleted_path,
+                        source=trash_info_file,
+                        _user=user_details.user,
+                        _target=self.target,
+                    )
+
+            # We also iterate expunged folders, they can contain files that could not be
+            # deleted when the user pressed the "empty trash" button in the file manager.
+            # Resources:
+            #   - https://gitlab.gnome.org/GNOME/glib/-/issues/1665
+            #   - https://bugs.launchpad.net/ubuntu/+source/nautilus/+bug/422012
+            for item in (trash / "expunged").rglob("*/*"):
+                stat = item.lstat()
+                yield TrashRecord(
+                    ts=stat.st_mtime,  # NOTE: This is the timestamp at which the file failed to delete
+                    path=None,  # We do not know the original file path
+                    filesize=stat.st_size if item.is_file() else None,
+                    deleted_path=item,
+                    source=trash / "expunged",
+                    _user=user_details.user,
+                    _target=self.target,
+                )

dissect/target/plugins/os/windows/_os.py

@@ -2,7 +2,9 @@ from __future__ import annotations
 
 import operator
 import struct
-from typing import Any, Iterator, Optional
+from typing import Any, Iterator
+
+from flow.record.fieldtypes import windows_path
 
 from dissect.target.exceptions import RegistryError, RegistryValueNotFoundError
 from dissect.target.filesystem import Filesystem
@@ -10,6 +12,14 @@ from dissect.target.helpers.record import WindowsUserRecord
 from dissect.target.plugin import OperatingSystem, OSPlugin, export
 from dissect.target.target import Target
 
+ARCH_MAP = {
+    "x86": 32,
+    "IA64": 64,
+    "ARM64": 64,
+    "EM64T": 64,
+    "AMD64": 64,
+}
+
 
 class WindowsPlugin(OSPlugin):
     CURRENT_VERSION_KEY = "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion"
@@ -26,7 +36,7 @@ class WindowsPlugin(OSPlugin):
         )
 
     @classmethod
-    def detect(cls, target: Target) -> Optional[Filesystem]:
+    def detect(cls, target: Target) -> Filesystem | None:
         for fs in target.filesystems:
             if fs.exists("/windows/system32") or fs.exists("/winnt"):
                 return fs
@@ -90,7 +100,7 @@ class WindowsPlugin(OSPlugin):
                 self.target.log.warning("Unknown drive letter for sysvol")
 
     @export(property=True)
-    def hostname(self) -> Optional[str]:
+    def hostname(self) -> str | None:
         key = "HKLM\\SYSTEM\\ControlSet001\\Control\\Computername\\Computername"
         try:
             return self.target.registry.value(key, "Computername").value
@@ -99,28 +109,7 @@ class WindowsPlugin(OSPlugin):
 
     @export(property=True)
     def ips(self) -> list[str]:
-        key = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces"
-        fields = ["IPAddress", "DhcpIPAddress"]
-        ips = set()
-
-        for r in self.target.registry.keys(key):
-            for s in r.subkeys():
-                for field in fields:
-                    try:
-                        ip = s.value(field).value
-                    except RegistryValueNotFoundError:
-                        continue
-
-                    if isinstance(ip, str):
-                        ip = [ip]
-
-                    for i in ip:
-                        if i == "0.0.0.0":
-                            continue
-
-                        ips.add(i)
-
-        return list(ips)
+        return list(set(map(str, self.target.network.ips())))
 
     def _get_version_reg_value(self, value_name: str) -> Any:
         try:
@@ -130,7 +119,7 @@ class WindowsPlugin(OSPlugin):
 
         return value
 
-    def _legacy_current_version(self) -> Optional[str]:
+    def _legacy_current_version(self) -> str | None:
         """Returns the NT version as used up to and including NT 6.3.
 
         This corresponds with Windows 8 / Windows 2012 Server.
@@ -142,7 +131,7 @@ class WindowsPlugin(OSPlugin):
         """
         return self._get_version_reg_value("CurrentVersion")
 
-    def _major_version(self) -> Optional[int]:
+    def _major_version(self) -> int | None:
         """Return the NT major version number (starting from NT 10.0 / Windows 10).
 
         Returns:
@@ -152,7 +141,7 @@ class WindowsPlugin(OSPlugin):
         """
         return self._get_version_reg_value("CurrentMajorVersionNumber")
 
-    def _minor_version(self) -> Optional[int]:
+    def _minor_version(self) -> int | None:
         """Return the NT minor version number (starting from NT 10.0 / Windows 10).
 
         Returns:
@@ -162,7 +151,7 @@ class WindowsPlugin(OSPlugin):
         """
         return self._get_version_reg_value("CurrentMinorVersionNumber")
 
-    def _nt_version(self) -> Optional[int]:
+    def _nt_version(self) -> int | None:
         """Return the Windows NT version in x.y format.
 
         For systems up to and including NT 6.3 (Win 8 / Win 2012 Server) this
@@ -190,7 +179,7 @@ class WindowsPlugin(OSPlugin):
         return version
 
     @export(property=True)
-    def version(self) -> Optional[str]:
+    def version(self) -> str | None:
         """Return a string representation of the Windows version of the target.
 
         For Windows versions before Windows 10 this looks like::
@@ -276,7 +265,7 @@ class WindowsPlugin(OSPlugin):
         return version_string
 
     @export(property=True)
-    def architecture(self) -> Optional[str]:
+    def architecture(self) -> str | None:
         """
         Returns a dict containing the architecture and bitness of the system
 
@@ -284,19 +273,11 @@ class WindowsPlugin(OSPlugin):
             Dict: arch: architecture, bitness: bits
         """
 
-        arch_strings = {
-            "x86": 32,
-            "IA64": 64,
-            "ARM64": 64,
-            "EM64T": 64,
-            "AMD64": 64,
-        }
-
         key = "HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\Environment"
 
         try:
             arch = self.target.registry.key(key).value("PROCESSOR_ARCHITECTURE").value
-            bits = arch_strings.get(arch)
+            bits = ARCH_MAP.get(arch)
 
             # return {"arch": arch, "bitness": bits}
             if bits == 64:
@@ -333,7 +314,7 @@ class WindowsPlugin(OSPlugin):
                 yield WindowsUserRecord(
                     sid=subkey.name,
                     name=name,
-                    home=home,
+                    home=windows_path(home),
                     _target=self.target,
                 )
 

dissect/target/plugins/os/windows/activitiescache.py

@@ -1,3 +1,8 @@
+from __future__ import annotations
+
+from datetime import datetime
+from typing import Iterator
+
 from dissect.sql import sqlite3
 from dissect.util.ts import from_unix
 
@@ -42,8 +47,8 @@ class ActivitiesCachePlugin(Plugin):
     """Plugin that parses the ActivitiesCache.db on newer Windows 10 machines.
 
     References:
-        https://www.cclsolutionsgroup.com/resources/technical-papers
-        https://salt4n6.com/2018/05/03/windows-10-timeline-forensic-artefacts/
+        - https://www.cclsolutionsgroup.com/resources/technical-papers
+        - https://salt4n6.com/2018/05/03/windows-10-timeline-forensic-artefacts/
     """
 
     def __init__(self, target):
@@ -62,7 +67,7 @@ class ActivitiesCachePlugin(Plugin):
             raise UnsupportedPluginError("No ActiviesCache.db files found")
 
     @export(record=ActivitiesCacheRecord)
-    def activitiescache(self):
+    def activitiescache(self) -> Iterator[ActivitiesCacheRecord]:
         """Return ActivitiesCache.db database content.
 
         The Windows Activities Cache database keeps track of activity on a device, such as application and services
@@ -143,7 +148,7 @@ class ActivitiesCachePlugin(Plugin):
                 )
 
 
-def mkts(ts):
+def mkts(ts: int) -> datetime | None:
     """Timestamps inside ActivitiesCache.db are stored in a Unix-like format.
 
     Source: https://salt4n6.com/2018/05/03/windows-10-timeline-forensic-artefacts/

dissect/target/plugins/os/windows/adpolicy.py

@@ -1,4 +1,5 @@
 from struct import unpack
+from typing import Iterator
 
 from defusedxml import ElementTree
 from dissect.cstruct import cstruct
@@ -90,7 +91,7 @@ class ADPolicyPlugin(Plugin):
                 self.target.log.warning("Unable to read XML policy file: %s", error)
 
     @export(record=ADPolicyRecord)
-    def adpolicy(self):
+    def adpolicy(self) -> Iterator[ADPolicyRecord]:
         """Return all AD policies (also known as GPOs or Group Policy Objects).
 
         An Active Directory (AD) maintains global policies that should be adhered by all systems in the domain.