dissect.target 3.19.dev58__py3-none-any.whl → 3.20__py3-none-any.whl

dissect/target/plugins/apps/container/docker.py

@@ -4,7 +4,7 @@ import json
 import logging
 import re
 from pathlib import Path
-from typing import Iterator, Optional
+from typing import Iterator
 
 from dissect.cstruct import cstruct
 from dissect.util import ts
@@ -128,12 +128,17 @@ class DockerPlugin(Plugin):
         for data_root in self.installs:
             images_path = data_root.joinpath("image/overlay2/repositories.json")
 
-            if images_path.exists():
-                repositories = json.loads(images_path.read_text()).get("Repositories")
-            else:
+            if not images_path.exists():
                 self.target.log.debug("No docker images found, file %s does not exist.", images_path)
                 continue
 
+            try:
+                repositories = json.loads(images_path.read_text()).get("Repositories", {})
+            except (json.JSONDecodeError, UnicodeDecodeError) as e:
+                self.target.log.warning("Unable to parse JSON in: %s", images_path)
+                self.target.log.debug("", exc_info=e)
+                continue
+
             for name, tags in repositories.items():
                 for tag, hash in tags.items():
                     image_metadata_path = data_root.joinpath(
@@ -142,8 +147,12 @@ class DockerPlugin(Plugin):
                     created = None
 
                     if image_metadata_path.exists():
-                        image_metadata = json.loads(image_metadata_path.read_text())
-                        created = convert_timestamp(image_metadata.get("created"))
+                        try:
+                            image_metadata = json.loads(image_metadata_path.read_text())
+                            created = convert_timestamp(image_metadata.get("created"))
+                        except (json.JSONDecodeError, UnicodeDecodeError) as e:
+                            self.target.log.warning("Unable to parse JSON in: %s", image_metadata_path)
+                            self.target.log.debug("", exc_info=e)
 
                     yield DockerImageRecord(
                         name=name,
@@ -160,47 +169,51 @@ class DockerPlugin(Plugin):
 
         for data_root in self.installs:
             for config_path in data_root.joinpath("containers").glob("**/config.v2.json"):
-                config = json.loads(config_path.read_text())
+                try:
+                    config = json.loads(config_path.read_text())
+                except (json.JSONDecodeError, UnicodeDecodeError) as e:
+                    self.target.log.warning("Unable to parse JSON in file: %s", config_path)
+                    self.target.log.debug("", exc_info=e)
+                    continue
+
                 container_id = config.get("ID")
 
                 # determine state
-                running = config.get("State").get("Running")
+                running = config.get("State", {}).get("Running")
                 if running:
-                    ports = config.get("NetworkSettings").get("Ports", {})
-                    pid = config.get("Pid")
-                else:
-                    ports = config.get("Config").get("ExposedPorts", {})
-                    pid = None
+                    ports = config.get("NetworkSettings", {}).get("Ports", {})
+
+                if not running or not ports:
+                    ports = config.get("Config", {}).get("ExposedPorts", {})
 
                 # parse volumes
                 volumes = []
-                if mount_points := config.get("MountPoints"):
-                    for mp in mount_points:
-                        mount_point = mount_points[mp]
+                if mount_points := config.get("MountPoints", {}):
+                    for mount_point in mount_points.values():
                         volumes.append(f"{mount_point.get('Source')}:{mount_point.get('Destination')}")
 
                 # determine mount point
                 mount_path = None
-                if config.get("Driver") == "overlay2":
+                if container_id and config.get("Driver") == "overlay2":
                     mount_path = data_root.joinpath("image/overlay2/layerdb/mounts", container_id)
                     if not mount_path.exists():
-                        self.target.log.warning("Overlay2 mount path for container %s does not exist!", container_id)
+                        self.target.log.warning("Overlay2 mount path does not exist for container: %s", container_id)
 
                 else:
-                    self.target.log.warning("Encountered unsupported container filesystem %s", config.get("Driver"))
+                    self.target.log.warning("Encountered unsupported container filesystem: %s", config.get("Driver"))
 
                 yield DockerContainerRecord(
                     container_id=container_id,
-                    image=config.get("Config").get("Image"),
-                    image_id=config.get("Image").split(":")[-1],
-                    command=config.get("Config").get("Cmd"),
+                    image=config.get("Config", {}).get("Image"),
+                    image_id=config.get("Image", "").split(":")[-1],
+                    command=f"{config.get('Path', '')} {' '.join(config.get('Args', []))}".strip(),
                     created=convert_timestamp(config.get("Created")),
                     running=running,
-                    pid=pid,
-                    started=convert_timestamp(config.get("State").get("StartedAt")),
-                    finished=convert_timestamp(config.get("State").get("FinishedAt")),
+                    pid=config.get("State", {}).get("Pid"),
+                    started=convert_timestamp(config.get("State", {}).get("StartedAt")),
+                    finished=convert_timestamp(config.get("State", {}).get("FinishedAt")),
                     ports=convert_ports(ports),
-                    names=config.get("Name").replace("/", "", 1),
+                    names=config.get("Name", "").replace("/", "", 1),
                     volumes=volumes,
                     mount_path=mount_path,
                     config_path=config_path,
@@ -288,19 +301,19 @@ class DockerPlugin(Plugin):
         for line in open_decompress(path, "rt"):
             try:
                 entry = json.loads(line)
-            except json.JSONDecodeError as e:
-                self.target.log.warning("Could not decode JSON line in file %s", path)
+            except (json.JSONDecodeError, UnicodeDecodeError) as e:
+                self.target.log.warning("Could not decode JSON line in file: %s", path)
                 self.target.log.debug("", exc_info=e)
                 continue
             yield entry
 
 
-def get_data_path(path: Path) -> Optional[str]:
+def get_data_path(path: Path) -> str | None:
     """Returns the configured Docker daemon data-root path."""
     try:
         config = json.loads(path.open("rt").read())
-    except json.JSONDecodeError as e:
-        log.warning("Could not read JSON file '%s'", path)
+    except (json.JSONDecodeError, UnicodeDecodeError) as e:
+        log.warning("Could not read JSON file: %s", path)
         log.debug(exc_info=e)
 
     return config.get("data-root")
@@ -341,7 +354,7 @@ def find_installs(target: Target) -> Iterator[Path]:
                     yield data_root_path
 
 
-def convert_timestamp(timestamp: str) -> str:
+def convert_timestamp(timestamp: str | None) -> str:
     """Docker sometimes uses (unpadded) 9 digit nanosecond precision
     in their timestamp logs, eg. "2022-12-19T13:37:00.123456789Z".
 
@@ -350,6 +363,9 @@ def convert_timestamp(timestamp: str) -> str:
     compatbility with the 6 digit %f microsecond directive.
     """
 
+    if not timestamp:
+        return
+
     timestamp_nanoseconds_plus_postfix = timestamp[19:]
     match = RE_DOCKER_NS.match(timestamp_nanoseconds_plus_postfix)
 

dissect/target/plugins/apps/editor/editor.py

@@ -0,0 +1,23 @@
+from dissect.target.plugin import NamespacePlugin, export
+
+COMMON_EDITOR_FIELDS = [
+    ("datetime", "ts"),
+    ("string", "editor"),
+    ("path", "source"),
+]
+
+
+class EditorPlugin(NamespacePlugin):
+    """Editor plugin."""
+
+    __namespace__ = "editor"
+
+    @export
+    def extensions(self) -> None:
+        """Yields installed extensions."""
+        raise NotImplementedError
+
+    @export
+    def history(self) -> None:
+        """Yields history of files."""
+        raise NotImplementedError

dissect/target/plugins/apps/{texteditor → editor}/windowsnotepad.py

@@ -16,11 +16,8 @@ from dissect.target.helpers.record import (
     WindowsUserRecord,
     create_extended_descriptor,
 )
-from dissect.target.plugin import export
-from dissect.target.plugins.apps.texteditor.texteditor import (
-    GENERIC_TAB_CONTENTS_RECORD_FIELDS,
-    TexteditorPlugin,
-)
+from dissect.target.plugin import alias, export
+from dissect.target.plugins.apps.editor.editor import COMMON_EDITOR_FIELDS, EditorPlugin
 from dissect.target.target import Target
 
 # Thanks to @Nordgaren, @daddycocoaman, @JustArion and @ogmini for their suggestions and feedback in the PR
@@ -94,16 +91,25 @@ struct options_v2 {
 };
 """
 
-WINDOWS_SAVED_TABS_EXTRA_FIELDS = [("datetime", "modification_time"), ("digest", "hashes"), ("path", "saved_path")]
+GENERIC_TAB_CONTENTS_RECORD_FIELDS = [
+    ("string", "content"),
+    ("path", "path"),
+    ("string", "deleted_content"),
+]
 
 WindowsNotepadUnsavedTabRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
-    "texteditor/windowsnotepad/tab/unsaved",
-    GENERIC_TAB_CONTENTS_RECORD_FIELDS,
+    "application/editor/windowsnotepad/tab/unsaved",
+    COMMON_EDITOR_FIELDS + GENERIC_TAB_CONTENTS_RECORD_FIELDS,
 )
 
 WindowsNotepadSavedTabRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
-    "texteditor/windowsnotepad/tab/saved",
-    GENERIC_TAB_CONTENTS_RECORD_FIELDS + WINDOWS_SAVED_TABS_EXTRA_FIELDS,
+    "application/editor/windowsnotepad/tab/saved",
+    COMMON_EDITOR_FIELDS
+    + GENERIC_TAB_CONTENTS_RECORD_FIELDS
+    + [
+        ("digest", "digest"),
+        ("path", "saved_path"),
+    ],
 )
 
 c_windowstab = cstruct().load(windowstab_def)
@@ -264,7 +270,7 @@ class WindowsNotepadTab:
         self.deleted_content = deleted_content if deleted_content else None
 
 
-class WindowsNotepadPlugin(TexteditorPlugin):
+class WindowsNotepadPlugin(EditorPlugin):
     """Windows notepad tab content plugin."""
 
     __namespace__ = "windowsnotepad"
@@ -273,28 +279,27 @@ class WindowsNotepadPlugin(TexteditorPlugin):
 
     def __init__(self, target: Target):
         super().__init__(target)
-        self.users_tabs: list[TargetPath, UnixUserRecord | WindowsUserRecord] = []
+        self.users_tabs: set[TargetPath, UnixUserRecord | WindowsUserRecord] = set()
         for user_details in self.target.user_details.all_with_home():
             for tab_file in user_details.home_path.glob(self.GLOB):
-                # These files seem to contain information on different settings / configurations,
-                # and are skipped for now
+                # These files contain information on different settings / configurations, and are skipped for now.
                 if tab_file.name.endswith(".1.bin") or tab_file.name.endswith(".0.bin"):
                     continue
 
-                self.users_tabs.append((tab_file, user_details.user))
+                self.users_tabs.add((tab_file, user_details.user))
 
     def check_compatible(self) -> None:
         if not self.users_tabs:
             raise UnsupportedPluginError("No Windows Notepad tab files found")
 
+    @alias("tabs")
     @export(record=[WindowsNotepadSavedTabRecord, WindowsNotepadUnsavedTabRecord])
-    def tabs(self) -> Iterator[WindowsNotepadSavedTabRecord | WindowsNotepadUnsavedTabRecord]:
+    def history(self) -> Iterator[WindowsNotepadSavedTabRecord | WindowsNotepadUnsavedTabRecord]:
         """Return contents from Windows 11 Notepad tabs - and its deleted content if available.
 
         Windows Notepad application for Windows 11 is now able to restore both saved and unsaved tabs when you re-open
         the application.
 
-
         Resources:
             - https://github.com/fox-it/dissect.target/pull/540
             - https://github.com/JustArion/Notepad-Tabs
@@ -304,37 +309,41 @@ class WindowsNotepadPlugin(TexteditorPlugin):
             - https://github.com/Nordgaren/tabstate-util/issues/1
             - https://medium.com/@mahmoudsoheem/new-digital-forensics-artifact-from-windows-notepad-527645906b7b
 
-        Yields a WindowsNotepadSavedTabRecord or WindowsNotepadUnsavedTabRecord. with fields:
+        Yields ``WindowsNotepadSavedTabRecord`` or ``WindowsNotepadUnsavedTabRecord`` records:
 
         .. code-block:: text
 
-            content (string): The content of the tab.
-            path (path): The path to the tab file.
-            deleted_content (string): The deleted content of the tab, if available.
-            hashes (digest): A digest of the tab content.
-            saved_path (path): The path where the tab was saved.
-            modification_time (datetime): The modification time of the tab.
+            ts              (datetime): The modification time of the tab.
+            content         (string):   The content of the tab.
+            path            (path):     The path to the tab file.
+            deleted_content (string):   The deleted content of the tab, if available.
+            digest          (digest):   A digest of the tab content.
+            saved_path      (path):     The path where the tab was saved.
         """
         for file, user in self.users_tabs:
-            # Parse the file
-            tab: WindowsNotepadTab = WindowsNotepadTab(file)
+            tab = WindowsNotepadTab(file)
 
             if tab.is_saved:
                 yield WindowsNotepadSavedTabRecord(
+                    ts=wintimestamp(tab.tab_header.timestamp),
+                    editor="windowsnotepad",
                     content=tab.content,
                     path=tab.file,
                     deleted_content=tab.deleted_content,
-                    hashes=digest((None, None, tab.tab_header.sha256.hex())),
+                    digest=digest((None, None, tab.tab_header.sha256.hex())),
                     saved_path=tab.tab_header.filePath,
-                    modification_time=wintimestamp(tab.tab_header.timestamp),
-                    _target=self.target,
+                    source=file,
                     _user=user,
+                    _target=self.target,
                 )
+
             else:
                 yield WindowsNotepadUnsavedTabRecord(
+                    editor="windowsnotepad",
                     content=tab.content,
+                    deleted_content=tab.deleted_content,
                     path=tab.file,
-                    _target=self.target,
+                    source=file,
                     _user=user,
-                    deleted_content=tab.deleted_content,
+                    _target=self.target,
                 )

dissect/target/plugins/apps/other/env.py

@@ -0,0 +1,56 @@
+from typing import Iterator
+
+from dissect.target.helpers.configutil import Env
+from dissect.target.helpers.record import TargetRecordDescriptor
+from dissect.target.plugin import Plugin, arg, export
+
+EnvironmentFileRecord = TargetRecordDescriptor(
+    "application/other/file/environment",
+    [
+        ("datetime", "ts_mtime"),
+        ("string", "key"),
+        ("string", "value"),
+        ("string", "comment"),
+        ("path", "path"),
+    ],
+)
+
+
+class EnvironmentFilePlugin(Plugin):
+    """Environment file plugin."""
+
+    def check_compatible(self) -> None:
+        # `--env-path` is provided at runtime
+        pass
+
+    @export(record=EnvironmentFileRecord)
+    @arg("--env-path", help="path to scan environment files in")
+    @arg("--extension", help="extension of files to scan", default="env")
+    def envfile(self, env_path: str, extension: str = "env") -> Iterator[EnvironmentFileRecord]:
+        """Yield environment variables found in ``.env`` files at the provided path."""
+
+        if not env_path:
+            self.target.log.error("No ``--path`` provided!")
+
+        if not (path := self.target.fs.path(env_path)).exists():
+            self.target.log.error("Provided path %s does not exist!", path)
+
+        for file in path.glob("**/*." + extension):
+            if not file.is_file():
+                continue
+
+            mtime = file.lstat().st_mtime
+
+            with file.open("r") as fh:
+                parser = Env(comments=True)
+                parser.read_file(fh)
+
+                for key, (value, comment) in parser.parsed_data.items():
+                    yield EnvironmentFileRecord(
+                        ts_mtime=mtime,
+                        key=key,
+                        value=value,
+                        comment=comment,
+                        path=file,
+                        _target=self.target,
+                    )

dissect/target/plugins/apps/shell/powershell.py

@@ -1,3 +1,5 @@
+from typing import Iterator
+
 from dissect.target.exceptions import UnsupportedPluginError
 from dissect.target.helpers.descriptor_extensions import UserRecordDescriptorExtension
 from dissect.target.helpers.record import create_extended_descriptor
@@ -14,6 +16,8 @@ ConsoleHostHistoryRecord = create_extended_descriptor([UserRecordDescriptorExten
 
 
 class PowerShellHistoryPlugin(Plugin):
+    """Windows PowerShell history plugin."""
+
     PATHS = [
         "AppData/Roaming/Microsoft/Windows/PowerShell/psreadline",
         ".local/share/powershell/PSReadLine",
@@ -35,10 +39,10 @@ class PowerShellHistoryPlugin(Plugin):
             raise UnsupportedPluginError("No ConsoleHost_history.txt files found")
 
     @export(record=ConsoleHostHistoryRecord)
-    def powershell_history(self):
+    def powershell_history(self) -> Iterator[ConsoleHostHistoryRecord]:
         """Return PowerShell command history for all users.
 
-        The PowerShell ConsoleHost_history.txt file contains information about the commands executed with PowerShell in
+        The PowerShell ``ConsoleHost_history.txt`` file contains information about the commands executed with PowerShell in
         a terminal. No data is recorded from terminal-less PowerShell sessions. Commands are saved to disk after the process has completed.
         PSReadLine does not save commands containing 'password', 'asplaintext', 'token', 'apikey' or 'secret'.
 

dissect/target/plugins/apps/shell/wget.py

@@ -0,0 +1,91 @@
+from typing import Iterator
+
+from dissect.target.exceptions import UnsupportedPluginError
+from dissect.target.helpers.descriptor_extensions import UserRecordDescriptorExtension
+from dissect.target.helpers.fsutil import TargetPath
+from dissect.target.helpers.record import create_extended_descriptor
+from dissect.target.plugin import Plugin, export
+from dissect.target.plugins.general.users import UserDetails
+from dissect.target.target import Target
+
+WgetHstsRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
+    "apps/shell/wget/hsts",
+    [
+        ("datetime", "ts_created"),
+        ("uri", "host"),
+        ("boolean", "explicit_port"),
+        ("boolean", "include_subdomains"),
+        ("datetime", "max_age"),
+        ("path", "source"),
+    ],
+)
+
+
+class WgetPlugin(Plugin):
+    """Wget shell plugin."""
+
+    __namespace__ = "wget"
+
+    def __init__(self, target: Target):
+        super().__init__(target)
+        self.artifacts = list(self._find_artifacts())
+
+    def _find_artifacts(self) -> Iterator[tuple[UserDetails, TargetPath]]:
+        for user_details in self.target.user_details.all_with_home():
+            if (hsts_file := user_details.home_path.joinpath(".wget-hsts")).exists():
+                yield hsts_file, user_details
+
+    def check_compatible(self) -> None:
+        if not self.artifacts:
+            raise UnsupportedPluginError("No .wget-hsts files found on target")
+
+    @export(record=WgetHstsRecord)
+    def hsts(self) -> Iterator[WgetHstsRecord]:
+        """Yield domain entries found in wget HSTS files.
+
+        When using the ``wget`` command-line utility, a file named ``.wget-hsts`` is created in the user's home
+        directory by default. The ``.wget-hsts`` file records HTTP Strict Transport Security (HSTS) information for the
+        websites visited by the user via ``wget``.
+
+        Resources:
+            - https://www.gnu.org/software/wget
+            - https://gitlab.com/gnuwget/wget/-/blob/master/src/hsts.c
+            - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
+
+        Yields ``WgetHstsRecord`` records with the following fields:
+
+        .. code-block:: text
+
+            ts_created          (datetime):  When the host was first added to the HSTS file
+            host                (uri):       The host that was accessed over TLS by wget
+            explicit_port       (boolean):   If the TCP port for TLS should be checked
+            include_subdomains  (boolean):   If subdomains are included in the HSTS check
+            max_age             (datetime):  Time to live of the entry in the HSTS file
+            source              (path):      Location of the .wget-hsts file
+        """
+        for hsts_file, user_details in self.artifacts:
+            if not hsts_file.is_file():
+                continue
+
+            for line in hsts_file.open("rt").readlines():
+                if not (line := line.strip()) or line.startswith("#"):
+                    continue
+
+                try:
+                    host, port, subdomain_count, created, max_age = line.split("\t")
+
+                except ValueError as e:
+                    self.target.log.warning("Unexpected wget hsts line in file: %s", hsts_file)
+                    self.target.log.debug("", exc_info=e)
+                    continue
+
+                yield WgetHstsRecord(
+                    ts_created=int(created),
+                    host=host,
+                    explicit_port=int(port),
+                    include_subdomains=int(subdomain_count),
+                    max_age=int(created) + int(max_age),
+                    source=hsts_file,
+                    _user=user_details.user,
+                    _target=self.target,
+                )

dissect/target/plugins/apps/ssh/openssh.py

@@ -31,6 +31,8 @@ def find_sshd_directory(target: Target) -> TargetPath:
 
 
 class OpenSSHPlugin(SSHPlugin):
+    """OpenSSH plugin."""
+
     __namespace__ = "openssh"
 
     SSHD_DIRECTORIES = ["/sysvol/ProgramData/ssh", "/etc/ssh"]

dissect/target/plugins/apps/ssh/opensshd.py

@@ -74,6 +74,8 @@ SSHD_MULTIPLE_DEFINITIONS_ALLOWED_FIELDS = (
 
 
 class SSHServerPlugin(SSHPlugin):
+    """OpenSSHd server plugin."""
+
     __namespace__ = "opensshd"
 
     def __init__(self, target: Target):

dissect/target/plugins/apps/virtualization/vmware_workstation.py

@@ -0,0 +1,61 @@
+from typing import Iterator
+
+from dissect.target.exceptions import UnsupportedPluginError
+from dissect.target.helpers.descriptor_extensions import UserRecordDescriptorExtension
+from dissect.target.helpers.fsutil import TargetPath
+from dissect.target.helpers.record import create_extended_descriptor
+from dissect.target.plugin import Plugin, alias, export
+from dissect.target.plugins.general.users import UserDetails
+from dissect.target.target import Target
+
+VmwareDragAndDropRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
+    "virtualization/vmware/clipboard",
+    [
+        ("datetime", "ts"),
+        ("path", "path"),
+    ],
+)
+
+VMWARE_DND_PATHS = [
+    # Windows
+    "AppData/Local/Temp/VmwareDND",
+    # Linux
+    ".cache/vmware/drag_and_drop",
+]
+
+
+class VmwareWorkstationPlugin(Plugin):
+    """VMware Workstation plugin."""
+
+    __namespace__ = "vmware"
+
+    def __init__(self, target: Target):
+        super().__init__(target)
+        self.dnd_dirs = list(self.find_dnd_dirs())
+
+    def check_compatible(self) -> None:
+        if not self.dnd_dirs:
+            raise UnsupportedPluginError("No VMware Workstation DnD artifact(s) found")
+
+    def find_dnd_dirs(self) -> Iterator[tuple[UserDetails, TargetPath]]:
+        for user_details in self.target.user_details.all_with_home():
+            for dnd_path in VMWARE_DND_PATHS:
+                if (dnd_dir := user_details.home_path.joinpath(dnd_path)).exists():
+                    yield user_details, dnd_dir
+
+    @alias("draganddrop")
+    @export(record=VmwareDragAndDropRecord)
+    def clipboard(self) -> Iterator[VmwareDragAndDropRecord]:
+        """Yield cached VMware Workstation drag-and-drop file artifacts."""
+
+        for user_details, dnd_dir in self.dnd_dirs:
+            for file in dnd_dir.rglob("*/*"):
+                if file.is_dir():
+                    continue
+
+                yield VmwareDragAndDropRecord(
+                    ts=file.lstat().st_mtime,
+                    path=file,
+                    _user=user_details.user,
+                    _target=self.target,
+                )

dissect/target/plugins/apps/vpn/wireguard.py

@@ -52,15 +52,13 @@ class WireGuardPlugin(Plugin):
 
     __namespace__ = "wireguard"
 
-    """
-    TODO: NetworkManager uses a different stanza format
-          "/etc/NetworkManager/system-connections/Wireguard*",
-    TODO: systemd uses a different stanza format
-          "/etc/systemd/network/wg*.netdev",
-          "/etc/systemd/network/*wg*.netdev",
-    TODO: other locations such as $HOME/.config/wireguard
-    TODO: parse native network manager formats from MacOS, Ubuntu and Windows.
-    """
+    # TODO: NetworkManager uses a different stanza format
+    #       "/etc/NetworkManager/system-connections/Wireguard*",
+    # TODO: systemd uses a different stanza format
+    #       "/etc/systemd/network/wg*.netdev",
+    #       "/etc/systemd/network/*wg*.netdev",
+    # TODO: other locations such as $HOME/.config/wireguard
+    # TODO: parse native network manager formats from MacOS, Ubuntu and Windows.
 
     CONFIG_GLOBS = [
         # Linux
@@ -160,6 +158,8 @@ def _parse_config(content: str) -> ConfigParser:
 
 
 class MultiDict(OrderedDict):
+    """OrderedDict implementation which allows multiple values for the keys ``Peer`` and ``Interface``."""
+
     def __init__(self, *args, **kwargs):
         self._unique = 0
         super().__init__(*args, **kwargs)

dissect/target/plugins/apps/webhosting/cpanel.py

@@ -23,6 +23,8 @@ CPANEL_LASTLOGIN_PATTERN = re.compile(
 
 
 class CPanelPlugin(Plugin):
+    """cPanel webhosting plugin."""
+
     # TODO: Parse other log files https://support.cartika.com/portal/en/kb/articles/whm-cpanel-log-files-and-locations
     __namespace__ = "cpanel"
 

dissect/target/plugins/apps/webserver/caddy.py

@@ -22,6 +22,8 @@ LOG_REGEX = re.compile(
 
 
 class CaddyPlugin(WebserverPlugin):
+    """Caddy webserver plugin."""
+
     __namespace__ = "caddy"
 
     def __init__(self, target: Target):

dissect/target/plugins/apps/webserver/nginx.py

@@ -18,6 +18,8 @@ LOG_REGEX = re.compile(
 
 
 class NginxPlugin(WebserverPlugin):
+    """Nginx webserver plugin."""
+
     __namespace__ = "nginx"
 
     def __init__(self, target: Target):