dissect.target 3.20.1__py3-none-any.whl → 3.20.2.dev12__py3-none-any.whl

dissect/target/plugins/os/unix/linux/fortios/_os.py

@@ -2,6 +2,7 @@ from __future__ import annotations
 
 import gzip
 import hashlib
+import struct
 from base64 import b64decode
 from datetime import datetime
 from io import BytesIO
@@ -17,11 +18,17 @@ from dissect.target.helpers.fsutil import open_decompress
 from dissect.target.helpers.record import TargetRecordDescriptor, UnixUserRecord
 from dissect.target.plugin import OperatingSystem, export
 from dissect.target.plugins.os.unix.linux._os import LinuxPlugin
-from dissect.target.plugins.os.unix.linux.fortios._keys import KERNEL_KEY_MAP
+from dissect.target.plugins.os.unix.linux.fortios._keys import (
+    KERNEL_KEY_MAP,
+    AesKey,
+    ChaCha20Key,
+    ChaCha20Seed,
+)
 from dissect.target.target import Target
 
 try:
     from Crypto.Cipher import AES, ChaCha20
+    from Crypto.Util import Counter
 
     HAS_CRYPTO = True
 except ImportError:
@@ -95,8 +102,11 @@ class FortiOSPlugin(LinuxPlugin):
             # The rootfs.gz file could be encrypted.
             try:
                 kernel_hash = get_kernel_hash(sysvol)
-                key, iv = key_iv_for_kernel_hash(kernel_hash)
-                rfs_fh = decrypt_rootfs(rootfs.open(), key, iv)
+                target.log.info("Kernel hash: %s", kernel_hash)
+                key = key_iv_for_kernel_hash(kernel_hash)
+                target.log.info("Trying to decrypt_rootfs using key: %r", key)
+                rfs_fh = decrypt_rootfs(rootfs.open(), key)
+                target.log.info("Decrypted fh: %r", rfs_fh)
                 vfs = TarFilesystem(rfs_fh, tarinfo=cpio.CpioInfo)
             except RuntimeError:
                 target.log.warning("Could not decrypt rootfs.gz. Missing `pycryptodome` dependency.")
@@ -471,7 +481,7 @@ def decrypt_password(input: str) -> str:
         return "ENC:" + input
 
 
-def key_iv_for_kernel_hash(kernel_hash: str) -> tuple[bytes, bytes]:
+def key_iv_for_kernel_hash(kernel_hash: str) -> AesKey | ChaCha20Key:
     """Return decryption key and IV for a specific sha256 kernel hash.
 
     The decryption key and IV are used to decrypt the ``rootfs.gz`` file.
@@ -486,17 +496,96 @@ def key_iv_for_kernel_hash(kernel_hash: str) -> tuple[bytes, bytes]:
         ValueError: When no decryption keys are available for the given kernel hash.
     """
 
-    key = bytes.fromhex(KERNEL_KEY_MAP.get(kernel_hash, ""))
-    if len(key) == 32:
+    key = KERNEL_KEY_MAP.get(kernel_hash)
+    if isinstance(key, ChaCha20Seed):
         # FortiOS 7.4.x uses a KDF to derive the key and IV
-        return _kdf_7_4_x(key)
-    elif len(key) == 48:
+        key, iv = _kdf_7_4_x(key.key)
+        return ChaCha20Key(key, iv)
+    elif isinstance(key, ChaCha20Key):
         # FortiOS 7.0.13 and 7.0.14 uses a static key and IV
-        return key[:32], key[32:]
+        return key
+    elif isinstance(key, AesKey):
+        # FortiOS 7.0.16, 7.2.9, 7.4.4, 7.6.0 and higher uses AES-CTR with a custom CTR increment
+        return key
     raise ValueError(f"No known decryption keys for kernel hash: {kernel_hash}")
 
 
-def decrypt_rootfs(fh: BinaryIO, key: bytes, iv: bytes) -> BinaryIO:
+def chacha20_decrypt(fh: BinaryIO, key: ChaCha20Key) -> bytes:
+    """Decrypt file using ChaCha20 with given ChaCha20Key.
+
+    Args:
+        fh: File-like object to the encrypted rootfs.gz file.
+        key: ChaCha20Key.
+
+    Returns:
+        Decrypted bytes.
+    """
+
+    # First 8 bytes = counter, last 8 bytes = nonce
+    # PyCryptodome interally divides this seek by 64 to get a (position, offset) tuple
+    # We're interested in updating the position in the ChaCha20 internal state, so to make
+    # PyCryptodome "OpenSSL-compatible" we have to multiply the counter by 64
+    cipher = ChaCha20.new(key=key.key, nonce=key.iv[8:])
+    cipher.seek(int.from_bytes(key.iv[:8], "little") * 64)
+    return cipher.decrypt(fh.read())
+
+
+def calculate_counter_increment(iv: bytes) -> int:
+    """Calculate the custom FortiGate CTR increment from IV.
+
+    Args:
+        iv: 16 bytes IV.
+
+    Returns:
+        Custom CTR increment.
+    """
+    increment = 0
+    for i in range(16):
+        increment ^= (iv[i] & 15) ^ ((iv[i] >> 4) & 0xFF)
+    return max(increment, 1)
+
+
+def aes_decrypt(fh: BinaryIO, key: AesKey) -> bytes:
+    """Decrypt file using a custom AES CTR increment with given AesKey.
+
+    Args:
+        fh: File-like object to the encrypted rootfs.gz file.
+        key: AesKey.
+
+    Returns:
+        Decrypted bytes.
+    """
+
+    data = bytearray(fh.read())
+
+    # Calculate custom CTR increment from IV
+    increment = calculate_counter_increment(key.iv)
+    advance_block = (b"\x69" * 16) * (increment - 1)
+
+    # AES counter is little-endian and has a prefix
+    prefix, counter = struct.unpack("<8sQ", key.iv)
+    ctr = Counter.new(
+        64,
+        prefix=prefix,
+        initial_value=counter,
+        little_endian=True,
+        allow_wraparound=True,
+    )
+    cipher = AES.new(key.key, mode=AES.MODE_CTR, counter=ctr)
+
+    nblocks, nleft = divmod(len(data), 16)
+    for i in range(nblocks):
+        offset = i * 16
+        data[offset : offset + 16] = cipher.decrypt(data[offset : offset + 16])
+        cipher.decrypt(advance_block)  # custom advance the counter
+
+    if nleft:
+        data[nblocks * 16 :] = cipher.decrypt(data[nblocks * 16 :])
+
+    return data
+
+
+def decrypt_rootfs(fh: BinaryIO, key: ChaCha20Key | AesKey) -> BinaryIO:
     """Attempt to decrypt an encrypted ``rootfs.gz`` file with given key and IV.
 
     FortiOS releases as of 7.4.1 / 2023-08-31, have ChaCha20 encrypted ``rootfs.gz`` files.
@@ -511,8 +600,7 @@ def decrypt_rootfs(fh: BinaryIO, key: bytes, iv: bytes) -> BinaryIO:
 
     Args:
         fh: File-like object to the encrypted rootfs.gz file.
-        key: ChaCha20 key.
-        iv: ChaCha20 iv.
+        key: ChaCha20Key or AesKey.
 
     Returns:
         File-like object to the decrypted rootfs.gz file.
@@ -525,13 +613,12 @@ def decrypt_rootfs(fh: BinaryIO, key: bytes, iv: bytes) -> BinaryIO:
     if not HAS_CRYPTO:
         raise RuntimeError("Missing pycryptodome dependency")
 
-    # First 8 bytes = counter, last 8 bytes = nonce
-    # PyCryptodome interally divides this seek by 64 to get a (position, offset) tuple
-    # We're interested in updating the position in the ChaCha20 internal state, so to make
-    # PyCryptodome "OpenSSL-compatible" we have to multiply the counter by 64
-    cipher = ChaCha20.new(key=key, nonce=iv[8:])
-    cipher.seek(int.from_bytes(iv[:8], "little") * 64)
-    result = cipher.decrypt(fh.read())
+    result = b""
+    if isinstance(key, ChaCha20Key):
+        result = chacha20_decrypt(fh, key)
+    elif isinstance(key, AesKey):
+        result = aes_decrypt(fh, key)
+        result = result[:-256]  # strip off the 256 byte footer
 
     if result[0:2] != b"\x1f\x8b":
         raise ValueError("Failed to decrypt: No gzip magic header found.")
@@ -539,7 +626,7 @@ def decrypt_rootfs(fh: BinaryIO, key: bytes, iv: bytes) -> BinaryIO:
     return BytesIO(result)
 
 
-def _kdf_7_4_x(key_data: str | bytes) -> tuple[bytes, bytes]:
+def _kdf_7_4_x(key_data: str | bytes, offset_key: int = 4, offset_iv: int = 5) -> tuple[bytes, bytes]:
     """Derive 32 byte key and 16 byte IV from 32 byte seed.
 
     As the IV needs to be 16 bytes, we return the first 16 bytes of the sha256 hash.
@@ -548,8 +635,8 @@ def _kdf_7_4_x(key_data: str | bytes) -> tuple[bytes, bytes]:
     if isinstance(key_data, str):
         key_data = bytes.fromhex(key_data)
 
-    key = hashlib.sha256(key_data[4:32] + key_data[:4]).digest()
-    iv = hashlib.sha256(key_data[5:32] + key_data[:5]).digest()[:16]
+    key = hashlib.sha256(key_data[offset_key:32] + key_data[:offset_key]).digest()
+    iv = hashlib.sha256(key_data[offset_iv:32] + key_data[:offset_iv]).digest()[:16]
     return key, iv
 
 

dissect/target/plugins/os/unix/linux/network_managers.py

@@ -567,7 +567,7 @@ def parse_unix_dhcp_log_messages(target: Target, iter_all: bool = False) -> set[
             continue
 
         # Debian and CentOS dhclient
-        if hasattr(record, "daemon") and record.daemon == "dhclient" and "bound to" in line:
+        if hasattr(record, "service") and record.service == "dhclient" and "bound to" in line:
             ip = line.split("bound to")[1].split(" ")[1].strip()
             ips.add(ip)
             continue

dissect/target/plugins/os/unix/log/auth.py

@@ -1,6 +1,5 @@
 from __future__ import annotations
 
-import itertools
 import logging
 import re
 from abc import ABC, abstractmethod
@@ -12,24 +11,18 @@ from typing import Any, Iterator
 
 from dissect.target import Target
 from dissect.target.exceptions import UnsupportedPluginError
-from dissect.target.helpers.fsutil import open_decompress
 from dissect.target.helpers.record import DynamicDescriptor, TargetRecordDescriptor
 from dissect.target.helpers.utils import year_rollover_helper
 from dissect.target.plugin import Plugin, alias, export
+from dissect.target.plugins.os.unix.log.helpers import (
+    RE_LINE,
+    RE_TS,
+    is_iso_fmt,
+    iso_readlines,
+)
 
 log = logging.getLogger(__name__)
 
-RE_TS = re.compile(r"^[A-Za-z]{3}\s*\d{1,2}\s\d{1,2}:\d{2}:\d{2}")
-RE_TS_ISO = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6}\+\d{2}:\d{2}")
-RE_LINE = re.compile(
-    r"""
-    \d{2}:\d{2}\s                           # First match on the similar ending of the different timestamps
-    (?P<hostname>\S+)\s                     # The hostname
-    (?P<service>\S+?)(\[(?P<pid>\d+)\])?:   # The service with optionally the PID between brackets
-    \s*(?P<message>.+?)\s*$                 # The log message stripped from spaces left and right
-    """,
-    re.VERBOSE,
-)
 
 # Generic regular expressions
 RE_IPV4_ADDRESS = re.compile(
@@ -347,27 +340,3 @@ class AuthPlugin(Plugin):
 
             for ts, line in iterable:
                 yield self._auth_log_builder.build_record(ts, auth_file, line)
-
-
-def iso_readlines(file: Path) -> Iterator[tuple[datetime, str]]:
-    """Iterator reading the provided auth log file in ISO format. Mimics ``year_rollover_helper`` behaviour."""
-    with open_decompress(file, "rt") as fh:
-        for line in fh:
-            if not (match := RE_TS_ISO.match(line)):
-                log.warning("No timestamp found in one of the lines in %s!", file)
-                log.debug("Skipping line: %s", line)
-                continue
-
-            try:
-                ts = datetime.strptime(match[0], "%Y-%m-%dT%H:%M:%S.%f%z")
-            except ValueError as e:
-                log.warning("Unable to parse ISO timestamp in line: %s", line)
-                log.debug("", exc_info=e)
-                continue
-
-            yield ts, line
-
-
-def is_iso_fmt(file: Path) -> bool:
-    """Determine if the provided auth log file uses new ISO format logging or not."""
-    return any(itertools.islice(iso_readlines(file), 0, 2))

dissect/target/plugins/os/unix/log/helpers.py

@@ -0,0 +1,46 @@
+import itertools
+import logging
+import re
+from datetime import datetime
+from pathlib import Path
+from typing import Iterator
+
+from dissect.target.helpers.fsutil import open_decompress
+
+log = logging.getLogger(__name__)
+
+RE_TS = re.compile(r"^[A-Za-z]{3}\s*\d{1,2}\s\d{1,2}:\d{2}:\d{2}")
+RE_TS_ISO = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{6}\+\d{2}:\d{2}")
+RE_LINE = re.compile(
+    r"""
+    \d{2}:\d{2}\s                           # First match on the similar ending of the different timestamps
+    (?:\S+)\s                               # The hostname, but do not capture it
+    (?P<service>\S+?)(\[(?P<pid>\d+)\])?:    # The service / daemon with optionally the PID between brackets
+    \s*(?P<message>.+?)\s*$                 # The log message stripped from spaces left and right
+    """,
+    re.VERBOSE,
+)
+
+
+def iso_readlines(file: Path) -> Iterator[tuple[datetime, str]]:
+    """Iterator reading the provided log file in ISO format. Mimics ``year_rollover_helper`` behaviour."""
+    with open_decompress(file, "rt") as fh:
+        for line in fh:
+            if not (match := RE_TS_ISO.match(line)):
+                log.warning("No timestamp found in one of the lines in %s!", file)
+                log.debug("Skipping line: %s", line)
+                continue
+
+            try:
+                ts = datetime.strptime(match[0], "%Y-%m-%dT%H:%M:%S.%f%z")
+            except ValueError as e:
+                log.warning("Unable to parse ISO timestamp in line: %s", line)
+                log.debug("", exc_info=e)
+                continue
+
+            yield ts, line
+
+
+def is_iso_fmt(file: Path) -> bool:
+    """Determine if the provided log file uses ISO 8601 timestamp format logging or not."""
+    return any(itertools.islice(iso_readlines(file), 0, 2))

dissect/target/plugins/os/unix/log/messages.py

@@ -11,12 +11,18 @@ from dissect.target.helpers.fsutil import open_decompress
 from dissect.target.helpers.record import TargetRecordDescriptor
 from dissect.target.helpers.utils import year_rollover_helper
 from dissect.target.plugin import Plugin, alias, export
+from dissect.target.plugins.os.unix.log.helpers import (
+    RE_LINE,
+    RE_TS,
+    is_iso_fmt,
+    iso_readlines,
+)
 
 MessagesRecord = TargetRecordDescriptor(
     "linux/log/messages",
     [
         ("datetime", "ts"),
-        ("string", "daemon"),
+        ("string", "service"),
         ("varint", "pid"),
         ("string", "message"),
         ("path", "source"),
@@ -24,12 +30,8 @@ MessagesRecord = TargetRecordDescriptor(
 )
 
 DEFAULT_TS_LOG_FORMAT = "%b %d %H:%M:%S"
-RE_TS = re.compile(r"(\w+\s{1,2}\d+\s\d{2}:\d{2}:\d{2})")
-RE_DAEMON = re.compile(r"^[^:]+:\d+:\d+[^\[\]:]+\s([^\[:]+)[\[|:]{1}")
-RE_PID = re.compile(r"\w\[(\d+)\]")
-RE_MSG = re.compile(r"[^:]+:\d+:\d+[^:]+:\s(.*)$")
 RE_CLOUD_INIT_LINE = re.compile(
-    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) - (?P<daemon>.*)\[(?P<log_level>\w+)\]\: (?P<message>.*)$"
+    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) - (?P<service>.*)\[(?P<log_level>\w+)\]\: (?P<message>.*)$"
 )
 
 
@@ -56,7 +58,7 @@ class MessagesPlugin(Plugin):
     def messages(self) -> Iterator[MessagesRecord]:
         """Return contents of /var/log/messages*, /var/log/syslog* and cloud-init logs.
 
-        Due to year rollover detection, the contents of the files are returned in reverse.
+        Due to year rollover detection, the log contents could be returned in reversed or mixed chronological order.
 
         The messages log file holds information about a variety of events such as the system error messages, system
         startups and shutdowns, change in the network configuration, etc. Aims to store valuable, non-debug and
@@ -75,16 +77,23 @@ class MessagesPlugin(Plugin):
                 yield from self._parse_cloud_init_log(log_file, tzinfo)
                 continue
 
-            for ts, line in year_rollover_helper(log_file, RE_TS, DEFAULT_TS_LOG_FORMAT, tzinfo):
-                daemon = dict(enumerate(RE_DAEMON.findall(line))).get(0)
-                pid = dict(enumerate(RE_PID.findall(line))).get(0)
-                message = dict(enumerate(RE_MSG.findall(line))).get(0, line)
+            if is_iso_fmt(log_file):
+                iterable = iso_readlines(log_file)
+
+            else:
+                iterable = year_rollover_helper(log_file, RE_TS, DEFAULT_TS_LOG_FORMAT, tzinfo)
+
+            for ts, line in iterable:
+                match = RE_LINE.search(line)
+
+                if not match:
+                    self.target.log.warning("Unable to parse message line in %s", log_file)
+                    self.target.log.debug("Line %s", line)
+                    continue
 
                 yield MessagesRecord(
                     ts=ts,
-                    daemon=daemon,
-                    pid=pid,
-                    message=message,
+                    **match.groupdict(),
                     source=log_file,
                     _target=self.target,
                 )
@@ -134,7 +143,7 @@ class MessagesPlugin(Plugin):
 
                 yield MessagesRecord(
                     ts=ts,
-                    daemon=values["daemon"],
+                    service=values["service"],
                     pid=None,
                     message=values["message"],
                     source=log_file,

dissect/target/plugins/os/windows/activitiescache.py

@@ -116,36 +116,38 @@ class ActivitiesCachePlugin(Plugin):
         for user, cache_file in self.cachefiles:
             fh = cache_file.open()
             db = sqlite3.SQLite3(fh)
-            for r in db.table("Activity").rows():
-                yield ActivitiesCacheRecord(
-                    start_time=mkts(r["[StartTime]"]),
-                    end_time=mkts(r["[EndTime]"]),
-                    last_modified_time=mkts(r["[LastModifiedTime]"]),
-                    last_modified_on_client=mkts(r["[LastModifiedOnClient]"]),
-                    original_last_modified_on_client=mkts(r["[OriginalLastModifiedOnClient]"]),
-                    expiration_time=mkts(r["[ExpirationTime]"]),
-                    app_id=r["[AppId]"],
-                    enterprise_id=r["[EnterpriseId]"],
-                    app_activity_id=r["[AppActivityId]"],
-                    group_app_activity_id=r["[GroupAppActivityId]"],
-                    group=r["[Group]"],
-                    activity_type=r["[ActivityType]"],
-                    activity_status=r["[ActivityStatus]"],
-                    priority=r["[Priority]"],
-                    match_id=r["[MatchId]"],
-                    etag=r["[ETag]"],
-                    tag=r["[Tag]"],
-                    is_local_only=r["[IsLocalOnly]"],
-                    created_in_cloud=r["[CreatedInCloud]"],
-                    platform_device_id=r["[PlatformDeviceId]"],
-                    package_id_hash=r["[PackageIdHash]"],
-                    id=r["[Id]"],
-                    payload=r["[Payload]"],
-                    original_payload=r["[OriginalPayload]"],
-                    clipboard_payload=r["[ClipboardPayload]"],
-                    _target=self.target,
-                    _user=user,
-                )
+
+            if table := db.table("Activity"):
+                for r in table.rows():
+                    yield ActivitiesCacheRecord(
+                        start_time=mkts(r["[StartTime]"]),
+                        end_time=mkts(r["[EndTime]"]),
+                        last_modified_time=mkts(r["[LastModifiedTime]"]),
+                        last_modified_on_client=mkts(r["[LastModifiedOnClient]"]),
+                        original_last_modified_on_client=mkts(r["[OriginalLastModifiedOnClient]"]),
+                        expiration_time=mkts(r["[ExpirationTime]"]),
+                        app_id=r["[AppId]"],
+                        enterprise_id=r["[EnterpriseId]"],
+                        app_activity_id=r["[AppActivityId]"],
+                        group_app_activity_id=r["[GroupAppActivityId]"],
+                        group=r["[Group]"],
+                        activity_type=r["[ActivityType]"],
+                        activity_status=r["[ActivityStatus]"],
+                        priority=r["[Priority]"],
+                        match_id=r["[MatchId]"],
+                        etag=r["[ETag]"],
+                        tag=r["[Tag]"],
+                        is_local_only=r["[IsLocalOnly]"],
+                        created_in_cloud=r["[CreatedInCloud]"],
+                        platform_device_id=r["[PlatformDeviceId]"],
+                        package_id_hash=r["[PackageIdHash]"],
+                        id=r["[Id]"],
+                        payload=r["[Payload]"],
+                        original_payload=r["[OriginalPayload]"],
+                        clipboard_payload=r["[ClipboardPayload]"],
+                        _target=self.target,
+                        _user=user,
+                    )
 
 
 def mkts(ts: int) -> datetime | None:

dissect/target/plugins/os/windows/catroot.py

@@ -217,15 +217,24 @@ class CatrootPlugin(Plugin):
             with ese_file.open("rb") as fh:
                 ese_db = EseDB(fh)
 
-                tables = [table.name for table in ese_db.tables()]
                 for hash_type, table_name in [("sha256", "HashCatNameTableSHA256"), ("sha1", "HashCatNameTableSHA1")]:
-                    if table_name not in tables:
+                    try:
+                        table = ese_db.table(table_name)
+                    except KeyError as e:
+                        self.target.log.warning("EseDB %s has no table %s", ese_file, table_name)
+                        self.target.log.debug("", exc_info=e)
                         continue
 
-                    for record in ese_db.table(table_name).records():
+                    for record in table.records():
                         file_digest = digest()
-                        setattr(file_digest, hash_type, record.get("HashCatNameTable_HashCol").hex())
-                        catroot_names = record.get("HashCatNameTable_CatNameCol").decode().rstrip("|").split("|")
+
+                        try:
+                            setattr(file_digest, hash_type, record.get("HashCatNameTable_HashCol").hex())
+                            catroot_names = record.get("HashCatNameTable_CatNameCol").decode().rstrip("|").split("|")
+                        except Exception as e:
+                            self.target.log.warning("Unable to parse catroot names for %s in %s", record, ese_file)
+                            self.target.log.debug("", exc_info=e)
+                            continue
 
                         for catroot_name in catroot_names:
                             yield CatrootRecord(

dissect/target/plugins/os/windows/lnk.py

@@ -1,4 +1,6 @@
-from typing import Iterator, Optional
+from __future__ import annotations
+
+from typing import Iterator
 
 from dissect.shellitem.lnk import Lnk
 from dissect.util import ts
@@ -34,7 +36,7 @@ LnkRecord = TargetRecordDescriptor(
 )
 
 
-def parse_lnk_file(target: Target, lnk_file: Lnk, lnk_path: TargetPath) -> Iterator[LnkRecord]:
+def parse_lnk_file(target: Target, lnk_file: Lnk, lnk_path: TargetPath) -> LnkRecord:
     # we need to get the active codepage from the system to properly decode some values
     codepage = target.codepage or "ascii"
 
@@ -132,7 +134,7 @@ class LnkPlugin(Plugin):
 
     @arg("--path", "-p", dest="path", default=None, help="Path to directory or .lnk file in target")
     @export(record=LnkRecord)
-    def lnk(self, path: Optional[str] = None) -> Iterator[LnkRecord]:
+    def lnk(self, path: str | None = None) -> Iterator[LnkRecord]:
         """Parse all .lnk files in /ProgramData, /Users, and /Windows or from a specified path in record format.
 
         Yields a LnkRecord record with the following fields:
@@ -160,10 +162,14 @@ class LnkPlugin(Plugin):
         """
 
         for entry in self.lnk_entries(path):
-            lnk_file = Lnk(entry.open())
-            yield parse_lnk_file(self.target, lnk_file, entry)
-
-    def lnk_entries(self, path: Optional[str] = None) -> Iterator[TargetPath]:
+            try:
+                lnk_file = Lnk(entry.open())
+                yield parse_lnk_file(self.target, lnk_file, entry)
+            except Exception as e:
+                self.target.log.warning("Failed to parse link file %s", lnk_file)
+                self.target.log.debug("", exc_info=e)
+
+    def lnk_entries(self, path: str | None = None) -> Iterator[TargetPath]:
         if path:
             target_path = self.target.fs.path(path)
             if not target_path.exists():

dissect/target/plugins/os/windows/notifications.py

@@ -442,43 +442,45 @@ class NotificationsPlugin(Plugin):
         """
         for user, wpndatabase in self.wpndb_files:
             db = sqlite3.SQLite3(wpndatabase.open())
-
             handlers = {}
-            for row in db.table("NotificationHandler").rows():
-                handlers[row["[RecordId]"]] = WpnDatabaseNotificationHandlerRecord(
-                    created_time=datetime.datetime.strptime(row["[CreatedTime]"], "%Y-%m-%d %H:%M:%S"),
-                    modified_time=datetime.datetime.strptime(row["[ModifiedTime]"], "%Y-%m-%d %H:%M:%S"),
-                    id=row["[RecordId]"],
-                    primary_id=row["[PrimaryId]"],
-                    wns_id=row["[WNSId]"],
-                    handler_type=row["[HandlerType]"],
-                    wnf_event_name=row["[WNFEventName]"],
-                    system_data_property_set=row["[SystemDataPropertySet]"],
-                    _target=self.target,
-                    _user=user,
-                )
-
-            for row in db.table("Notification").rows():
-                record = WpnDatabaseNotificationRecord(
-                    arrival_time=wintimestamp(row["[ArrivalTime]"]),
-                    expiry_time=wintimestamp(row["[ExpiryTime]"]),
-                    order=row["[Order]"],
-                    id=row["[Id]"],
-                    handler_id=row["[HandlerId]"],
-                    activity_id=UUID(bytes=row["[ActivityId]"]),
-                    type=row["[Type]"],
-                    payload=row["[Payload]"],
-                    payload_type=row["[PayloadType]"],
-                    tag=row["[Tag]"],
-                    group=row["[Group]"],
-                    boot_id=row["[BootId]"],
-                    expires_on_reboot=row["[ExpiresOnReboot]"] != "FALSE",
-                    _target=self.target,
-                    _user=user,
-                )
-                handler = handlers.get(row["[HandlerId]"])
 
-                if handler:
-                    yield GroupedRecord("windows/notification/wpndatabase/grouped", [record, handler])
-                else:
-                    yield record
+            if table := db.table("NotificationHandler"):
+                for row in table.rows():
+                    handlers[row["[RecordId]"]] = WpnDatabaseNotificationHandlerRecord(
+                        created_time=datetime.datetime.strptime(row["[CreatedTime]"], "%Y-%m-%d %H:%M:%S"),
+                        modified_time=datetime.datetime.strptime(row["[ModifiedTime]"], "%Y-%m-%d %H:%M:%S"),
+                        id=row["[RecordId]"],
+                        primary_id=row["[PrimaryId]"],
+                        wns_id=row["[WNSId]"],
+                        handler_type=row["[HandlerType]"],
+                        wnf_event_name=row["[WNFEventName]"],
+                        system_data_property_set=row["[SystemDataPropertySet]"],
+                        _target=self.target,
+                        _user=user,
+                    )
+
+            if table := db.table("Notification"):
+                for row in table.rows():
+                    record = WpnDatabaseNotificationRecord(
+                        arrival_time=wintimestamp(row["[ArrivalTime]"]),
+                        expiry_time=wintimestamp(row["[ExpiryTime]"]),
+                        order=row["[Order]"],
+                        id=row["[Id]"],
+                        handler_id=row["[HandlerId]"],
+                        activity_id=UUID(bytes=row["[ActivityId]"]),
+                        type=row["[Type]"],
+                        payload=row["[Payload]"],
+                        payload_type=row["[PayloadType]"],
+                        tag=row["[Tag]"],
+                        group=row["[Group]"],
+                        boot_id=row["[BootId]"],
+                        expires_on_reboot=row["[ExpiresOnReboot]"] != "FALSE",
+                        _target=self.target,
+                        _user=user,
+                    )
+                    handler = handlers.get(row["[HandlerId]"])
+
+                    if handler:
+                        yield GroupedRecord("windows/notification/wpndatabase/grouped", [record, handler])
+                    else:
+                        yield record