dissect.target 3.20.2.dev17__py3-none-any.whl → 3.20.2.dev19__py3-none-any.whl

dissect/target/plugins/os/windows/credential/credhist.py

@@ -125,7 +125,7 @@ class CredHistFile:
                 yield CredHistEntry(
                     version=entry.dwVersion,
                     guid=UUID(bytes_le=entry.guidLink),
-                    user_sid=read_sid(entry.pSid),
+                    user_sid=read_sid(entry.pSid) if entry.pSid else None,
                     hash_alg=HashAlgorithm.from_id(entry.algHash),
                     cipher_alg=cipher_alg,
                     sha1=None,

dissect/target/plugins/os/windows/generic.py

@@ -611,11 +611,12 @@ class GenericPlugin(Plugin):
 
         try:
             key = self.target.registry.key("HKLM\\SECURITY\\Policy\\PolMachineAccountS")
+            raw_sid = key.value("(Default)").value
 
             yield ComputerSidRecord(
                 ts=key.timestamp,
                 sidtype="Domain",
-                sid=read_sid(key.value("(Default)").value),
+                sid=read_sid(raw_sid) if raw_sid else None,
                 _target=self.target,
             )
         except (RegistryError, struct.error):

dissect/target/plugins/os/windows/regf/cam.py

@@ -0,0 +1,118 @@
+from typing import Iterator
+
+from dissect.util.ts import wintimestamp
+from flow.record.fieldtypes import windows_path
+
+from dissect.target.exceptions import UnsupportedPluginError
+from dissect.target.helpers.descriptor_extensions import (
+    RegistryRecordDescriptorExtension,
+    UserRecordDescriptorExtension,
+)
+from dissect.target.helpers.record import create_extended_descriptor
+from dissect.target.helpers.regutil import RegistryKey, RegistryValueNotFoundError
+from dissect.target.plugin import Plugin, export
+from dissect.target.target import Target
+
+CamRecord = create_extended_descriptor([RegistryRecordDescriptorExtension, UserRecordDescriptorExtension])(
+    "windows/registry/cam",
+    [
+        ("datetime", "ts"),
+        ("string", "device"),
+        ("string", "app_name"),
+        ("path", "path"),
+        ("datetime", "last_started"),
+        ("datetime", "last_stopped"),
+        ("varint", "duration"),
+    ],
+)
+
+
+class CamPlugin(Plugin):
+    """Plugin that iterates various Capability Access Manager registry key locations."""
+
+    CONSENT_STORES = [
+        "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore",
+        "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\CapabilityAccessManager\\ConsentStore",
+    ]
+
+    def __init__(self, target: Target):
+        super().__init__(target)
+        self.app_regf_keys = self._find_apps()
+
+    def _find_apps(self) -> list[RegistryKey]:
+        apps = []
+        for store in self.target.registry.keys(self.CONSENT_STORES):
+            for key in store.subkeys():
+                apps.append(key)
+
+        return apps
+
+    def check_compatible(self) -> None:
+        if not self.app_regf_keys:
+            raise UnsupportedPluginError("No Capability Access Manager keys found")
+
+    def yield_apps(self) -> Iterator[RegistryKey]:
+        for app in self.app_regf_keys:
+            for key in app.subkeys():
+                if key.name == "NonPackaged":  # NonPackaged registry key has more apps, so yield those apps
+                    yield from key.subkeys()
+                else:
+                    yield key
+
+    @export(record=CamRecord)
+    def cam(self) -> Iterator[CamRecord]:
+        """Iterate Capability Access Manager key locations.
+
+        The Capability Access Manager keeps track of processes that access I/O devices, like the webcam or microphone.
+        Applications are divided into packaged and non-packaged applications meaning Microsoft or
+        non-Microsoft applications.
+
+        References:
+            - https://docs.velociraptor.app/exchange/artifacts/pages/windows.registry.capabilityaccessmanager/
+            - https://svch0st.medium.com/can-you-track-processes-accessing-the-camera-and-microphone-7e6885b37072
+
+        Yields ``CamRecord`` with the following fields:
+
+        .. code-block:: text
+
+            hostname (string): The target hostname.
+            domain (string): The target domain.
+            ts (datetime): The modification timestamp of the registry key.
+            device (string): Name of the device privacy permission where asked for.
+            app_name (string): The name of the application.
+            path (path): The possible path to the application.
+            last_started (datetime): When the application last started using the device.
+            last_stopped (datetime): When the application last stopped using the device.
+            duration (datetime): How long the application used the device (seconds).
+        """
+
+        for key in self.yield_apps():
+            last_started = None
+            last_stopped = None
+            duration = None
+
+            try:
+                last_started = wintimestamp(key.value("LastUsedTimeStart").value)
+            except RegistryValueNotFoundError:
+                self.target.log.warning("No LastUsedTimeStart for application: %s", key.name)
+
+            try:
+                last_stopped = wintimestamp(key.value("LastUsedTimeStop").value)
+            except RegistryValueNotFoundError:
+                self.target.log.warning("No LastUsedTimeStop for application: %s", key.name)
+
+            if last_started and last_stopped:
+                duration = (last_stopped - last_started).seconds
+
+            yield CamRecord(
+                ts=key.ts,
+                device=key.path.split("\\")[-2],
+                app_name=key.name,
+                path=windows_path(key.name.replace("#", "\\")) if "#" in key.name else None,
+                last_started=last_started,
+                last_stopped=last_stopped,
+                duration=duration,
+                _target=self.target,
+                _key=key,
+                _user=self.target.registry.get_user(key),
+            )

{dissect.target-3.20.2.dev17.dist-info → dissect.target-3.20.2.dev19.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.2
 Name: dissect.target
-Version: 3.20.2.dev17
+Version: 3.20.2.dev19
 Summary: This module ties all other Dissect modules together, it provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets)
 Author-email: Dissect Team <dissect@fox-it.com>
 License: Affero General Public License v3

{dissect.target-3.20.2.dev17.dist-info → dissect.target-3.20.2.dev19.dist-info}/RECORD

@@ -287,7 +287,7 @@ dissect/target/plugins/os/windows/clfs.py,sha256=begVsZ-CY97Ksh6S1g03LjyBgu8ERY2
 dissect/target/plugins/os/windows/datetime.py,sha256=YKHUZU6lkKJocq15y0yCwvIIOb1Ej-kfvEBmHbrdIGw,9467
 dissect/target/plugins/os/windows/defender.py,sha256=JAJy8hr6jFGd290N1d5a-bVeD8rHc6E_pWEHxTpiMDk,32735
 dissect/target/plugins/os/windows/env.py,sha256=U5D74i_7tICxGDanqDU42Jqsx0asFFMIs6SpUwTnJc4,13884
-dissect/target/plugins/os/windows/generic.py,sha256=RJ1znzsIa4CFxmdMh91SjMY_pnjwxvldlTEKo58m_e8,24262
+dissect/target/plugins/os/windows/generic.py,sha256=6jNRUrbvME3P7amvs3FxCuEtK7FLO2kiaNstAPv0JS8,24313
 dissect/target/plugins/os/windows/jumplist.py,sha256=3gZk6O1B3lKK2Jxe0B-HapOCEehk94CYNvCVDpQC9nQ,11773
 dissect/target/plugins/os/windows/lnk.py,sha256=AvqVmvP-QWHPKEI49hP-JeOVSI2R3Vxpy-lpfT70pSg,8097
 dissect/target/plugins/os/windows/locale.py,sha256=QiLWGgWrGBGHiXgep5iSOo6VNim4YC-xd4MdW0BUJPA,2486
@@ -306,7 +306,7 @@ dissect/target/plugins/os/windows/ual.py,sha256=S43ltndKKrs2SqeDLgZv4dzdqtJD8c3Y
 dissect/target/plugins/os/windows/wer.py,sha256=y4ZU6Yai53UsZ4VLr0V9_uLhZJZ_UEtdPuNzxKbGoEY,9269
 dissect/target/plugins/os/windows/wua_history.py,sha256=QNtOQNZWKsKyUUrUV8aeoAMDKoH-ERkLx8ahnJzpHCY,54783
 dissect/target/plugins/os/windows/credential/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
-dissect/target/plugins/os/windows/credential/credhist.py,sha256=YSjuyd53Augdy_lKKzZHtx5Ozt0HzF6LDYIOb-8P1Pw,7058
+dissect/target/plugins/os/windows/credential/credhist.py,sha256=MBpnVycpQTbjD1THb5MbpKSBFYs8g8l1gCP68VamkIk,7082
 dissect/target/plugins/os/windows/credential/lsa.py,sha256=bo5zS4gDvMDU0c4456ZJ4FrDkcTnWdpmLaQZnZ33_fI,5638
 dissect/target/plugins/os/windows/credential/sam.py,sha256=iRqMNPLqrObJG2h6brzvAyeVBnIIgHVX_p_Hw_Jfa3A,15599
 dissect/target/plugins/os/windows/defender_helpers/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -339,6 +339,7 @@ dissect/target/plugins/os/windows/regf/applications.py,sha256=AZwaLXsVmqMjoZYI3d
 dissect/target/plugins/os/windows/regf/appxdebugkeys.py,sha256=X8MYLcD76pIZoIWwS_DgUp6q6pi2WO7jhZeoc4uGLak,3966
 dissect/target/plugins/os/windows/regf/auditpol.py,sha256=vTqWw0_vu9p_emWC8FuYcYQpOXhEFQQDLV0K6-18i9c,5208
 dissect/target/plugins/os/windows/regf/bam.py,sha256=jJ0i-82uteBU0hPgs81f8NV8NCeRtIklK82Me2S_ro0,2131
+dissect/target/plugins/os/windows/regf/cam.py,sha256=e0y4mhWBfgMIRvOxybLFGZ3ztH3tyqvv5wY5uVEDatI,4717
 dissect/target/plugins/os/windows/regf/cit.py,sha256=WYuwzTJKSR8Ki0582zpTpRUApx_J3OIYFWivKgqH-Is,39178
 dissect/target/plugins/os/windows/regf/clsid.py,sha256=ellokL8H7TR8XkGqqWraJ3bL0qP5RJrjNsp4JeBLU7A,3810
 dissect/target/plugins/os/windows/regf/firewall.py,sha256=86JvlBc418nHB5l3IkbEnTw6zr-H5pEGEoZ8fBhmeLE,3231
@@ -383,10 +384,10 @@ dissect/target/volumes/luks.py,sha256=OmCMsw6rCUXG1_plnLVLTpsvE1n_6WtoRUGQbpmu1z
 dissect/target/volumes/lvm.py,sha256=wwQVR9I3G9YzmY6UxFsH2Y4MXGBcKL9aayWGCDTiWMU,2269
 dissect/target/volumes/md.py,sha256=7ShPtusuLGaIv27SvEETtgsuoQyAa4iAAeOR1NEaajI,1689
 dissect/target/volumes/vmfs.py,sha256=-LoUbn9WNwTtLi_4K34uV_-wDw2W5hgaqxZNj4UmqAQ,1730
-dissect.target-3.20.2.dev17.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
-dissect.target-3.20.2.dev17.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
-dissect.target-3.20.2.dev17.dist-info/METADATA,sha256=3Zv71EoGm3Np-VOObIAcfDmZYOheFzB1Qtne5bvskj8,13184
-dissect.target-3.20.2.dev17.dist-info/WHEEL,sha256=In9FTNxeP60KnTkGw7wk6mJPYd_dQSjEZmXdBdMCI-8,91
-dissect.target-3.20.2.dev17.dist-info/entry_points.txt,sha256=yQwLCWUuzHgS6-sfCcRk66gAfoCfqXdCjqKjvhnQW8o,537
-dissect.target-3.20.2.dev17.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
-dissect.target-3.20.2.dev17.dist-info/RECORD,,
+dissect.target-3.20.2.dev19.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
+dissect.target-3.20.2.dev19.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
+dissect.target-3.20.2.dev19.dist-info/METADATA,sha256=-4siqHElFX4TAmQ403qAyFwVMdhU1UPquE_a68cW0LU,13184
+dissect.target-3.20.2.dev19.dist-info/WHEEL,sha256=In9FTNxeP60KnTkGw7wk6mJPYd_dQSjEZmXdBdMCI-8,91
+dissect.target-3.20.2.dev19.dist-info/entry_points.txt,sha256=yQwLCWUuzHgS6-sfCcRk66gAfoCfqXdCjqKjvhnQW8o,537
+dissect.target-3.20.2.dev19.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
+dissect.target-3.20.2.dev19.dist-info/RECORD,,