dissect.target 3.20.dev10__py3-none-any.whl → 3.20.dev12__py3-none-any.whl

dissect/target/plugins/os/unix/log/messages.py

@@ -6,7 +6,7 @@ from dissect.target import Target
 from dissect.target.exceptions import UnsupportedPluginError
 from dissect.target.helpers.record import TargetRecordDescriptor
 from dissect.target.helpers.utils import year_rollover_helper
-from dissect.target.plugin import Plugin, export
+from dissect.target.plugin import Plugin, alias, export
 
 MessagesRecord = TargetRecordDescriptor(
     "linux/log/messages",
@@ -24,7 +24,9 @@ RE_TS = re.compile(r"(\w+\s{1,2}\d+\s\d{2}:\d{2}:\d{2})")
 RE_DAEMON = re.compile(r"^[^:]+:\d+:\d+[^\[\]:]+\s([^\[:]+)[\[|:]{1}")
 RE_PID = re.compile(r"\w\[(\d+)\]")
 RE_MSG = re.compile(r"[^:]+:\d+:\d+[^:]+:\s(.*)$")
-RE_CLOUD_INIT_LINE = re.compile(r"(?P<ts>.*) - (?P<daemon>.*)\[(?P<log_level>\w+)\]\: (?P<message>.*)$")
+RE_CLOUD_INIT_LINE = re.compile(
+    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) - (?P<daemon>.*)\[(?P<log_level>\w+)\]\: (?P<message>.*)$"
+)
 
 
 class MessagesPlugin(Plugin):
@@ -43,19 +45,12 @@ class MessagesPlugin(Plugin):
         if not self.log_files:
             raise UnsupportedPluginError("No log files found")
 
-    @export(record=MessagesRecord)
-    def syslog(self) -> Iterator[MessagesRecord]:
-        """Return contents of /var/log/messages*, /var/log/syslog* and cloud-init logs.
-
-        See ``messages`` for more information.
-        """
-        return self.messages()
-
+    @alias("syslog")
     @export(record=MessagesRecord)
     def messages(self) -> Iterator[MessagesRecord]:
         """Return contents of /var/log/messages*, /var/log/syslog* and cloud-init logs.
 
-        Note: due to year rollover detection, the contents of the files are returned in reverse.
+        Due to year rollover detection, the contents of the files are returned in reverse.
 
         The messages log file holds information about a variety of events such as the system error messages, system
         startups and shutdowns, change in the network configuration, etc. Aims to store valuable, non-debug and

dissect/target/plugins/os/unix/trash.py

@@ -0,0 +1,132 @@
+from typing import Iterator
+
+from dissect.target.exceptions import UnsupportedPluginError
+from dissect.target.helpers import configutil
+from dissect.target.helpers.descriptor_extensions import UserRecordDescriptorExtension
+from dissect.target.helpers.fsutil import TargetPath
+from dissect.target.helpers.record import create_extended_descriptor
+from dissect.target.plugin import Plugin, alias, export
+from dissect.target.plugins.general.users import UserDetails
+from dissect.target.target import Target
+
+TrashRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
+    "linux/filesystem/recyclebin",
+    [
+        ("datetime", "ts"),
+        ("path", "path"),
+        ("filesize", "filesize"),
+        ("path", "deleted_path"),
+        ("path", "source"),
+    ],
+)
+
+
+class GnomeTrashPlugin(Plugin):
+    """Linux GNOME Trash plugin."""
+
+    PATHS = [
+        # Default $XDG_DATA_HOME/Trash
+        ".local/share/Trash",
+    ]
+
+    def __init__(self, target: Target):
+        super().__init__(target)
+        self.trashes = list(self._garbage_collector())
+
+    def _garbage_collector(self) -> Iterator[tuple[UserDetails, TargetPath]]:
+        """it aint much, but its honest work"""
+        for user_details in self.target.user_details.all_with_home():
+            for trash_path in self.PATHS:
+                if (path := user_details.home_path.joinpath(trash_path)).exists():
+                    yield user_details, path
+
+    def check_compatible(self) -> None:
+        if not self.trashes:
+            raise UnsupportedPluginError("No Trash folder(s) found")
+
+    @export(record=TrashRecord)
+    @alias(name="recyclebin")
+    def trash(self) -> Iterator[TrashRecord]:
+        """Yield deleted files from GNOME Trash folders.
+
+        Recovers deleted files and artifacts from ``$HOME/.local/share/Trash``.
+        Probably also works with other desktop interfaces as long as they follow the Trash specification from FreeDesktop.
+
+        Currently does not parse media trash locations such as ``/media/$Label/.Trash-1000/*``.
+
+        Resources:
+            - https://specifications.freedesktop.org/trash-spec/latest/
+            - https://github.com/GNOME/glib/blob/main/gio/glocalfile.c
+            - https://specifications.freedesktop.org/basedir-spec/latest/
+
+        Yields ``TrashRecord``s with the following fields:
+
+        .. code-block:: text
+
+            ts           (datetime): timestamp when the file was deleted or for expunged files when it could not be permanently deleted
+            path         (path):     path where the file was located before it was deleted
+            filesize     (filesize): size in bytes of the deleted file
+            deleted_path (path):     path to the current location of the deleted file
+            source       (path):     path to the .trashinfo file
+        """  # noqa: E501
+
+        for user_details, trash in self.trashes:
+            for trash_info_file in trash.glob("info/*.trashinfo"):
+                trash_info = configutil.parse(trash_info_file, hint="ini").get("Trash Info", {})
+                original_path = self.target.fs.path(trash_info.get("Path", ""))
+
+                # We use the basename of the .trashinfo file and not the Path variable inside the
+                # ini file. This way we can keep duplicate basenames of trashed files separated correctly.
+                deleted_path = trash / "files" / trash_info_file.name.replace(".trashinfo", "")
+
+                if deleted_path.exists():
+                    deleted_files = [deleted_path]
+
+                    if deleted_path.is_dir():
+                        for child in deleted_path.rglob("*"):
+                            deleted_files.append(child)
+
+                    for file in deleted_files:
+                        # NOTE: We currently do not 'fix' the original_path of files inside deleted directories.
+                        # This would require guessing where the parent folder starts, which is impossible without
+                        # making assumptions.
+                        yield TrashRecord(
+                            ts=trash_info.get("DeletionDate", 0),
+                            path=original_path,
+                            filesize=file.lstat().st_size if file.is_file() else None,
+                            deleted_path=file,
+                            source=trash_info_file,
+                            _user=user_details.user,
+                            _target=self.target,
+                        )
+
+                # We cannot determine if the deleted entry is a directory since the path does
+                # not exist at $TRASH/files, so we work with what we have instead.
+                else:
+                    self.target.log.warning(f"Expected trashed file(s) at {deleted_path}")
+                    yield TrashRecord(
+                        ts=trash_info.get("DeletionDate", 0),
+                        path=original_path,
+                        filesize=0,
+                        deleted_path=deleted_path,
+                        source=trash_info_file,
+                        _user=user_details.user,
+                        _target=self.target,
+                    )
+
+            # We also iterate expunged folders, they can contain files that could not be
+            # deleted when the user pressed the "empty trash" button in the file manager.
+            # Resources:
+            #   - https://gitlab.gnome.org/GNOME/glib/-/issues/1665
+            #   - https://bugs.launchpad.net/ubuntu/+source/nautilus/+bug/422012
+            for item in (trash / "expunged").rglob("*/*"):
+                stat = item.lstat()
+                yield TrashRecord(
+                    ts=stat.st_mtime,  # NOTE: This is the timestamp at which the file failed to delete
+                    path=None,  # We do not know the original file path
+                    filesize=stat.st_size if item.is_file() else None,
+                    deleted_path=item,
+                    source=trash / "expunged",
+                    _user=user_details.user,
+                    _target=self.target,
+                )

dissect/target/tools/utils.py

@@ -90,6 +90,10 @@ def generate_argparse_for_unbound_method(
         raise ValueError(f"Value `{method}` is not an unbound plugin method")
 
     desc = method.__doc__ or docs.get_func_description(method, with_docstrings=True)
+
+    if "\n" in desc:
+        desc = inspect.cleandoc(desc)
+
     help_formatter = argparse.RawDescriptionHelpFormatter
     parser = argparse.ArgumentParser(description=desc, formatter_class=help_formatter, conflict_handler="resolve")
 

{dissect.target-3.20.dev10.dist-info → dissect.target-3.20.dev12.dist-info}/METADATA

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: dissect.target
-Version: 3.20.dev10
+Version: 3.20.dev12
 Summary: This module ties all other Dissect modules together, it provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets)
 Author-email: Dissect Team <dissect@fox-it.com>
 License: Affero General Public License v3

{dissect.target-3.20.dev10.dist-info → dissect.target-3.20.dev12.dist-info}/RECORD

@@ -198,6 +198,7 @@ dissect/target/plugins/os/unix/history.py,sha256=rvRlcHw3wEtgdyfjX-RBLQUQAd0uHzf
 dissect/target/plugins/os/unix/locale.py,sha256=XOcKBwfK3YJ266eBFKNc1xaZgY8QEQGJOS8PJRJt4ME,4292
 dissect/target/plugins/os/unix/packagemanager.py,sha256=Wm2AAJOD_B3FAcZNXgWtSm_YwbvrHBYOP8bPmOXNjG4,2427
 dissect/target/plugins/os/unix/shadow.py,sha256=W6W6rMru7IVnuBc6sl5wsRWTOrJdS1s7_2_q7QRf7Is,4148
+dissect/target/plugins/os/unix/trash.py,sha256=wzq9nprRKjFs9SHaENz8PMbpQMfFoLH1KW4EPWMLJdA,6099
 dissect/target/plugins/os/unix/bsd/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/plugins/os/unix/bsd/_os.py,sha256=e5rttTOFOmd7e2HqP9ZZFMEiPLBr-8rfH0XH1IIeroQ,1372
 dissect/target/plugins/os/unix/bsd/citrix/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
@@ -258,7 +259,7 @@ dissect/target/plugins/os/unix/log/audit.py,sha256=OjorWTmCFvCI5RJq6m6WNW0Lhb-po
 dissect/target/plugins/os/unix/log/auth.py,sha256=l7gCuRdvv9gL0U1N0yrR9hVsMnr4t_k4t-n-f6PrOxg,2388
 dissect/target/plugins/os/unix/log/journal.py,sha256=auVRfrW4NRU7HguoDLTz4l_IwNdPZLPAqD7jhrOTzH8,17404
 dissect/target/plugins/os/unix/log/lastlog.py,sha256=Wq89wRSFZSBsoKVCxjDofnC4yw9XJ4iOF0XJe9EucCo,2448
-dissect/target/plugins/os/unix/log/messages.py,sha256=CXA-SkMPLaCgnTQg9nzII-7tO8Il_ENQmuYvDxo33rI,4698
+dissect/target/plugins/os/unix/log/messages.py,sha256=O10Uw3PGTanfGpphUWYqOwOIR7XiiM-clfboVCoiP0U,4501
 dissect/target/plugins/os/unix/log/utmp.py,sha256=1nPHIaBUHt_9z6PDrvyqg4huKLihUaWLrMmgMsbaeIo,7755
 dissect/target/plugins/os/windows/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/plugins/os/windows/_os.py,sha256=-x5TD5BvFw-7zEfqT6WG7n04YSeyr7wVLO07y6xkBP8,12476
@@ -350,7 +351,7 @@ dissect/target/tools/mount.py,sha256=8GRYnu4xEmFBHxuIZAYhOMyyTGX8fat1Ou07DNiUnW4
 dissect/target/tools/query.py,sha256=e-yAN9zdQjuOiTuoOQoo17mVEQGGcOgaA9YkF4GYpkM,15394
 dissect/target/tools/reg.py,sha256=FDsiBBDxjWVUBTRj8xn82vZe-J_d9piM-TKS3PHZCcM,3193
 dissect/target/tools/shell.py,sha256=dmshIriwdd_UwrdUcTfWkcYD8Z0mjzbDqwyZG-snDdM,50482
-dissect/target/tools/utils.py,sha256=cGk_DxEqVL0ofxlIC15GD4w3PV5RSE_IaKvVkAxEhR8,11974
+dissect/target/tools/utils.py,sha256=JJZDSso1CEK2sv4Z3HJNgqxH6G9S5lbmV-C3h-XmcMo,12035
 dissect/target/tools/yara.py,sha256=70k-2VMulf1EdkX03nCACzejaOEcsFHOyX-4E40MdQU,2044
 dissect/target/tools/dump/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/tools/dump/run.py,sha256=aD84peRS4zHqC78fH7Vd4ni3m1ZmVP70LyMwBRvoDGY,9463
@@ -364,10 +365,10 @@ dissect/target/volumes/luks.py,sha256=OmCMsw6rCUXG1_plnLVLTpsvE1n_6WtoRUGQbpmu1z
 dissect/target/volumes/lvm.py,sha256=wwQVR9I3G9YzmY6UxFsH2Y4MXGBcKL9aayWGCDTiWMU,2269
 dissect/target/volumes/md.py,sha256=7ShPtusuLGaIv27SvEETtgsuoQyAa4iAAeOR1NEaajI,1689
 dissect/target/volumes/vmfs.py,sha256=-LoUbn9WNwTtLi_4K34uV_-wDw2W5hgaqxZNj4UmqAQ,1730
-dissect.target-3.20.dev10.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
-dissect.target-3.20.dev10.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
-dissect.target-3.20.dev10.dist-info/METADATA,sha256=5OxnXAwEsto5SeG-Tz-CR8M_5sqbSNn3Z41qo9bgFYY,12897
-dissect.target-3.20.dev10.dist-info/WHEEL,sha256=GV9aMThwP_4oNCtvEC2ec3qUYutgWeAzklro_0m4WJQ,91
-dissect.target-3.20.dev10.dist-info/entry_points.txt,sha256=BWuxAb_6AvUAQpIQOQU0IMTlaF6TDht2AIZK8bHd-zE,492
-dissect.target-3.20.dev10.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
-dissect.target-3.20.dev10.dist-info/RECORD,,
+dissect.target-3.20.dev12.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
+dissect.target-3.20.dev12.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
+dissect.target-3.20.dev12.dist-info/METADATA,sha256=PD0L9p9grMOhAAKSl17OUW03GOBhlRdnI6qX6nyKWT0,12897
+dissect.target-3.20.dev12.dist-info/WHEEL,sha256=GV9aMThwP_4oNCtvEC2ec3qUYutgWeAzklro_0m4WJQ,91
+dissect.target-3.20.dev12.dist-info/entry_points.txt,sha256=BWuxAb_6AvUAQpIQOQU0IMTlaF6TDht2AIZK8bHd-zE,492
+dissect.target-3.20.dev12.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
+dissect.target-3.20.dev12.dist-info/RECORD,,