dissect.target 3.20.1__py3-none-any.whl → 3.20.2.dev11__py3-none-any.whl
Sign up to get free protection for your applications and to get access to all the features.
- dissect/target/helpers/configutil.py +3 -3
- dissect/target/loaders/itunes.py +5 -3
- dissect/target/plugins/apps/browser/iexplore.py +7 -3
- dissect/target/plugins/general/plugins.py +1 -1
- dissect/target/plugins/os/unix/_os.py +1 -1
- dissect/target/plugins/os/unix/esxi/_os.py +34 -32
- dissect/target/plugins/os/unix/linux/fortios/_keys.py +7919 -1951
- dissect/target/plugins/os/unix/linux/fortios/_os.py +109 -22
- dissect/target/plugins/os/unix/linux/network_managers.py +1 -1
- dissect/target/plugins/os/unix/log/auth.py +6 -37
- dissect/target/plugins/os/unix/log/helpers.py +46 -0
- dissect/target/plugins/os/unix/log/messages.py +24 -15
- dissect/target/plugins/os/windows/activitiescache.py +32 -30
- dissect/target/plugins/os/windows/catroot.py +14 -5
- dissect/target/plugins/os/windows/lnk.py +13 -7
- dissect/target/plugins/os/windows/notifications.py +40 -38
- dissect/target/plugins/os/windows/regf/cit.py +20 -7
- dissect/target/tools/diff.py +990 -0
- {dissect.target-3.20.1.dist-info → dissect.target-3.20.2.dev11.dist-info}/METADATA +2 -2
- {dissect.target-3.20.1.dist-info → dissect.target-3.20.2.dev11.dist-info}/RECORD +25 -23
- {dissect.target-3.20.1.dist-info → dissect.target-3.20.2.dev11.dist-info}/entry_points.txt +1 -0
- {dissect.target-3.20.1.dist-info → dissect.target-3.20.2.dev11.dist-info}/COPYRIGHT +0 -0
- {dissect.target-3.20.1.dist-info → dissect.target-3.20.2.dev11.dist-info}/LICENSE +0 -0
- {dissect.target-3.20.1.dist-info → dissect.target-3.20.2.dev11.dist-info}/WHEEL +0 -0
- {dissect.target-3.20.1.dist-info → dissect.target-3.20.2.dev11.dist-info}/top_level.txt +0 -0
@@ -632,8 +632,8 @@ def local_wintimestamp(target, ts):
|
|
632
632
|
class CITPlugin(Plugin):
|
633
633
|
"""Plugin that parses CIT data from the registry.
|
634
634
|
|
635
|
-
|
636
|
-
|
635
|
+
References:
|
636
|
+
- https://dfir.ru/2018/12/02/the-cit-database-and-the-syscache-hive/
|
637
637
|
"""
|
638
638
|
|
639
639
|
__namespace__ = "cit"
|
@@ -641,7 +641,7 @@ class CITPlugin(Plugin):
|
|
641
641
|
KEY = "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\CIT"
|
642
642
|
|
643
643
|
def check_compatible(self) -> None:
|
644
|
-
if not
|
644
|
+
if not list(self.target.registry.keys(self.KEY)):
|
645
645
|
raise UnsupportedPluginError("No CIT registry key found")
|
646
646
|
|
647
647
|
@export(record=get_args(CITRecords))
|
@@ -770,8 +770,9 @@ class CITPlugin(Plugin):
|
|
770
770
|
yield from _yield_bitmap_records(
|
771
771
|
self.target, cit, entry.use_data.bitmaps.foreground, CITProgramBitmapForegroundRecord
|
772
772
|
)
|
773
|
-
except Exception:
|
774
|
-
self.target.log.
|
773
|
+
except Exception as e:
|
774
|
+
self.target.log.warning("Failed to parse CIT value: %s", value.name)
|
775
|
+
self.target.log.debug("", exc_info=e)
|
775
776
|
|
776
777
|
@export(record=CITPostUpdateUseInfoRecord)
|
777
778
|
def puu(self) -> Iterator[CITPostUpdateUseInfoRecord]:
|
@@ -788,10 +789,16 @@ class CITPlugin(Plugin):
|
|
788
789
|
for reg_key in keys:
|
789
790
|
for key in self.target.registry.keys(reg_key):
|
790
791
|
try:
|
791
|
-
|
792
|
+
key_value = key.value("PUUActive").value
|
793
|
+
puu = c_cit.CIT_POST_UPDATE_USE_INFO(key_value)
|
792
794
|
except RegistryValueNotFoundError:
|
793
795
|
continue
|
794
796
|
|
797
|
+
except EOFError as e:
|
798
|
+
self.target.log.warning("Exception reading CIT structure in key %s", key.path)
|
799
|
+
self.target.log.debug("Unable to parse value %s", key_value, exc_info=e)
|
800
|
+
continue
|
801
|
+
|
795
802
|
yield CITPostUpdateUseInfoRecord(
|
796
803
|
log_time_start=wintimestamp(puu.LogTimeStart),
|
797
804
|
update_key=puu.UpdateKey,
|
@@ -852,10 +859,16 @@ class CITPlugin(Plugin):
|
|
852
859
|
for reg_key in keys:
|
853
860
|
for key in self.target.registry.keys(reg_key):
|
854
861
|
try:
|
855
|
-
|
862
|
+
key_value = key.value("DP").value
|
863
|
+
dp = c_cit.CIT_DP_DATA(key_value)
|
856
864
|
except RegistryValueNotFoundError:
|
857
865
|
continue
|
858
866
|
|
867
|
+
except EOFError as e:
|
868
|
+
self.target.log.warning("Exception reading CIT structure in key %s", key.path)
|
869
|
+
self.target.log.debug("Unable to parse value %s", key_value, exc_info=e)
|
870
|
+
continue
|
871
|
+
|
859
872
|
user = self.target.registry.get_user(key)
|
860
873
|
log_time_start = wintimestamp(dp.LogTimeStart)
|
861
874
|
|