PyPI - dissect.target - Versions diffs - 3.20.dev23__py3-none-any.whl → 3.20.dev26__py3-none-any.whl - Mend

dissect.target 3.20.dev23py3-none-any.whl → 3.20.dev26py3-none-any.whl

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

dissect/target/filesystems/btrfs.py CHANGED Viewed

@@ -181,6 +181,9 @@ class BtrfsFilesystemEntry(FilesystemEntry):
         # Add block information of the filesystem
         st_info.st_blksize = entry.btrfs.sector_size
-        st_info.st_blocks = math.ceil(entry.size / st_info.st_blksize)
+        st_info.st_blocks = 0
+        if not self.is_dir():
+            st_info.st_blocks = (st_info.st_blksize // 512) * math.ceil(st_info.st_size / st_info.st_blksize)
         return st_info

dissect/target/filesystems/ntfs.py CHANGED Viewed

@@ -1,5 +1,6 @@
 from __future__ import annotations
+import math
 import stat
 from typing import BinaryIO, Iterator, Optional
@@ -151,12 +152,14 @@ class NtfsFilesystemEntry(FilesystemEntry):
         record = self.dereference()
         size = 0
+        real_size = 0
         if self.is_symlink():
             mode = stat.S_IFLNK
         elif self.is_file():
             mode = stat.S_IFREG
             try:
                 size = record.size(self.ads)
+                real_size = record.size(self.ads, allocated=True)
             except NtfsFileNotFoundError as e:
                 # Occurs when it cannot find the the specific ads inside its attributes
                 raise FileNotFoundError from e
@@ -176,16 +179,29 @@ class NtfsFilesystemEntry(FilesystemEntry):
                 0,
                 size,
                 stdinfo.last_access_time.timestamp(),
-                stdinfo.last_change_time.timestamp(),
+                stdinfo.last_modification_time.timestamp(),
+                # ctime gets set to creation time for python <3.12 purposes
                 stdinfo.creation_time.timestamp(),
             ]
         )
         # Set the nanosecond resolution separately
         st_info.st_atime_ns = stdinfo.last_access_time_ns
-        st_info.st_mtime_ns = stdinfo.last_change_time_ns
+        st_info.st_mtime_ns = stdinfo.last_modification_time_ns
         st_info.st_ctime_ns = stdinfo.creation_time_ns
+        st_info.st_birthtime = stdinfo.creation_time.timestamp()
+        st_info.st_birthtime_ns = stdinfo.creation_time_ns
+        # real_size is none if the size is resident
+        st_info.st_blksize = record.ntfs.cluster_size
+        blocks = 0
+        if not record.resident:
+            blocks = math.ceil(real_size / 512)
+        st_info.st_blocks = blocks
         return st_info
     def attr(self) -> AttributeMap:

dissect/target/plugins/os/windows/regf/shellbags.py CHANGED Viewed

@@ -1,6 +1,10 @@
+from __future__ import annotations
 import io
 import logging
 import uuid
+from datetime import datetime
+from typing import Any, Iterator
 from dissect.cstruct import cstruct
 from dissect.util.ts import dostimestamp
@@ -13,7 +17,9 @@ from dissect.target.helpers.descriptor_extensions import (
     UserRecordDescriptorExtension,
 )
 from dissect.target.helpers.record import create_extended_descriptor
+from dissect.target.helpers.regutil import RegistryKey
 from dissect.target.plugin import Plugin, export
+from dissect.target.target import Target
 log = logging.getLogger(__name__)
@@ -170,30 +176,30 @@ struct SHITEM_MTP_VOLUME_GUID {
 };
 struct SHITEM_MTP_VOLUME {
-    uint16  size;
-    uint8   type;
-    uint8   unk0;
-    uint16  data_size;
-    uint32  data_signature;
-    uint32  unk1;
-    uint16  unk2;
-    uint16  unk3;
-    uint16  unk4;
-    uint16  unk5;
-    uint32  unk6;
-    uint64  unk7;
-    uint32  unk8;
-    uint32  name_size;
-    uint32  identifier_size;
-    uint32  filesystem_size;
-    uint32  num_guid;
-    wchar   name[name_size];
-    wchar   identifier[identifier_size];
-    wchar   filesystem[filesystem_size];
-    SHITEM_MTP_VOLUME_GUID     guids[num_guid];
-    uint32  unk9;
-    char    class_identifier[16];
-    uint32  num_properties;
+    uint16                      size;
+    uint8                       type;
+    uint8                       unk0;
+    uint16                      data_size;
+    uint32                      data_signature;
+    uint32                      unk1;
+    uint16                      unk2;
+    uint16                      unk3;
+    uint16                      unk4;
+    uint16                      unk5;
+    uint32                      unk6;
+    uint64                      unk7;
+    uint32                      unk8;
+    uint32                      name_size;
+    uint32                      identifier_size;
+    uint32                      filesystem_size;
+    uint32                      num_guid;
+    wchar                       name[name_size];
+    wchar                       identifier[identifier_size];
+    wchar                       filesystem[filesystem_size];
+    SHITEM_MTP_VOLUME_GUID      guids[num_guid];
+    uint32                      unk9;
+    char                        class_identifier[16];
+    uint32                      num_properties;
 };
 struct SHITEM_USERS_PROPERTY_VIEW {
@@ -248,267 +254,6 @@ c_bag = cstruct().load(bag_def)
 DELEGATE_ITEM_IDENTIFIER = b"\x74\x1a\x59\x5e\x96\xdf\xd3\x48\x8d\x67\x17\x33\xbc\xee\x28\xba"
-ShellBagRecord = create_extended_descriptor([RegistryRecordDescriptorExtension, UserRecordDescriptorExtension])(
-    "windows/shellbag",
-    [
-        ("path", "path"),
-        ("datetime", "creation_time"),
-        ("datetime", "modification_time"),
-        ("datetime", "access_time"),
-        ("datetime", "regf_modification_time"),
-    ],
-)
-class ShellBagsPlugin(Plugin):
-    """Windows Shellbags plugin.
-    References:
-        - https://github.com/libyal/libfwsi
-    """
-    KEYS = [
-        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell",
-        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\ShellNoRoam",
-        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\Shell",
-        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\ShellNoRoam",
-        "HKEY_CURRENT_USER\\Software\\Classes\\Wow6432Node\\Local Settings\\Software\\Microsoft\\Windows\\Shell",
-        "HKEY_CURRENT_USER\\Software\\Classes\\Wow6432Node\\Local Settings\\Software\\Microsoft\\Windows\\ShellNoRoam",
-        "HKEY_CURRENT_USER\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\BagMRU",
-    ]
-    def __init__(self, target):
-        super().__init__(target)
-        self.bagkeys = list(self.target.registry.keys(self.KEYS))
-    def check_compatible(self) -> None:
-        if not len(self.bagkeys) > 0:
-            raise UnsupportedPluginError("No shellbags found")
-    @export(record=ShellBagRecord)
-    def shellbags(self):
-        """Return Windows Shellbags.
-        Shellbags are registry keys to improve user experience when using Windows Explorer. It stores information about
-        for example file/folder creation time and access time.
-        References:
-            - https://www.hackingarticles.in/forensic-investigation-shellbags/
-        """
-        for regkey in self.bagkeys:
-            try:
-                bagsmru = regkey.subkey("BagMRU")
-                for r in self._walk_bags(bagsmru, None):
-                    yield r
-            except RegistryKeyNotFoundError:
-                continue
-            except Exception:  # noqa
-                self.target.log.exception("Exception while parsing shellbags")
-                continue
-    def _walk_bags(self, key, path_prefix):
-        path_prefix = [] if path_prefix is None else [path_prefix]
-        user = self.target.registry.get_user(key)
-        for reg_val in key.values():
-            name, value = reg_val.name, reg_val.value
-            if not name.isdigit():
-                continue
-            path = None
-            for item in parse_shell_item_list(value):
-                path = "\\".join(path_prefix + [item.name])
-                yield ShellBagRecord(
-                    path=windows_path(path),
-                    creation_time=item.creation_time,
-                    modification_time=item.modification_time,
-                    access_time=item.access_time,
-                    regf_modification_time=key.ts,
-                    _target=self.target,
-                    _user=user,
-                    _key=key,
-                )
-            for r in self._walk_bags(key.subkey(name), path):
-                yield r
-def parse_shell_item_list(buf):
-    offset = 0
-    end = len(buf)
-    list_buf = memoryview(buf)
-    parent = None
-    while offset < end:
-        size = c_bag.uint16(list_buf[offset : offset + 2])
-        if size == 0:
-            break
-        item_buf = list_buf[offset : offset + size]
-        entry = None
-        if size >= 8:
-            signature = c_bag.uint32(item_buf[4:8])
-            if signature == 0x39DE2184:
-                entry = CONTROL_PANEL_CATEGORY
-            elif signature == 0x4D677541:
-                entry = CDBURN
-            elif signature == 0x49534647:
-                entry = GAME_FOLDER
-            elif signature == 0xFFFFFF38:
-                entry = CONTROL_PANEL_CPL_FILE
-        if size >= 10 and not entry:
-            signature = c_bag.uint32(item_buf[6:10])
-            if signature == 0x07192006:
-                entry = MTP_FILE_ENTRY
-            elif signature == 0x10312005:
-                entry = MTP_VOLUME
-            elif signature in (0x10141981, 0x23A3DFD5, 0x23FEBBEE, 0x3B93AFBB, 0xBEEBEE00):
-                entry = USERS_PROPERTY_VIEW
-            elif signature == 0x46534643:
-                entry = UNKNOWN_0x74
-        if size >= 38 and not entry:
-            if item_buf[size - 32 : size] == DELEGATE_ITEM_IDENTIFIER:
-                entry = DELEGATE
-        if size >= 3 and not entry:
-            class_type = item_buf[2]
-            mask_type = class_type & 0x70
-            if mask_type == 0x00:
-                if class_type == 0x00:
-                    entry = UNKNOWN0
-                elif class_type == 0x01:
-                    entry = UNKNOWN1
-            elif mask_type == 0x10:
-                if class_type == 0x1F:
-                    entry = ROOT_FOLDER
-            elif mask_type == 0x20:
-                if class_type in (0x23, 0x25, 0x29, 0x2A, 0x2E, 0x2F):
-                    entry = VOLUME
-            elif mask_type == 0x30:
-                if class_type in (0x30, 0x31, 0x32, 0x35, 0x36, 0xB1):
-                    entry = FILE_ENTRY
-            elif mask_type == 0x40:
-                if class_type in (0x41, 0x42, 0x46, 0x47, 0x4C, 0xC3):
-                    entry = NETWORK
-            elif mask_type == 0x50:
-                if class_type == 0x52:
-                    entry = COMPRESSED_FOLDER
-            elif mask_type == 0x60:
-                if class_type == 0x61:
-                    entry = URI
-            elif mask_type == 0x70:
-                if class_type == 0x71:
-                    entry = CONTROL_PANEL
-            else:
-                if not entry:
-                    log.debug("No supported shell item found for size 0x%04x and type 0x%02x", size, class_type)
-                    entry = UNKNOWN
-        if not entry:
-            log.debug("No supported shell item found for size 0x%04x", size)
-            entry = UNKNOWN
-        entry = entry(item_buf)
-        entry.parent = parent
-        first_extension_block_offset = c_bag.uint16(item_buf[-2:])
-        if 4 <= first_extension_block_offset < size - 2:
-            extension_offset = first_extension_block_offset
-            while extension_offset < size - 2:
-                extension_size = c_bag.uint16(item_buf[extension_offset : extension_offset + 2])
-                if extension_size == 0:
-                    break
-                if extension_size > size - extension_offset:
-                    log.debug(
-                        "Extension size exceeds item size: 0x%04x > 0x%04x - 0x%04x",
-                        extension_size,
-                        size,
-                        extension_offset,
-                    )
-                    break  # Extension size too large
-                extension_buf = item_buf[extension_offset : extension_offset + extension_size]
-                extension_signature = c_bag.uint32(extension_buf[4:8])
-                ext = None
-                if extension_signature >> 16 != 0xBEEF:
-                    log.debug("Got unsupported extension signature 0x%08x from item %r", extension_signature, entry)
-                    pass  # Unsupported
-                elif extension_signature == 0xBEEF0000:
-                    pass
-                elif extension_signature == 0xBEEF0001:
-                    pass
-                elif extension_signature == 0xBEEF0003:
-                    ext = EXTENSION_BLOCK_BEEF0004
-                elif extension_signature == 0xBEEF0004:
-                    ext = EXTENSION_BLOCK_BEEF0004
-                elif extension_signature == 0xBEEF0005:
-                    ext = EXTENSION_BLOCK_BEEF0005
-                elif extension_signature == 0xBEEF0006:
-                    pass
-                elif extension_signature == 0xBEEF000A:
-                    pass
-                elif extension_signature == 0xBEEF0013:
-                    pass
-                elif extension_signature == 0xBEEF0014:
-                    pass
-                elif extension_signature == 0xBEEF0019:
-                    pass
-                elif extension_signature == 0xBEEF0025:
-                    pass
-                elif extension_signature == 0xBEEF0026:
-                    pass
-                else:
-                    log.debug(
-                        "Got unsupported beef extension signature 0x%08x from item %r", extension_signature, entry
-                    )
-                    pass
-                if ext is None:
-                    ext = EXTENSION_BLOCK
-                    log.debug("Unimplemented extension signature 0x%08x from item %r", extension_signature, entry)
-                ext = ext(extension_buf)
-                entry.extensions.append(ext)
-                extension_offset += extension_size
-        parent = entry
-        yield entry
-        offset += size
 class SHITEM:
     STRUCT = None
@@ -521,43 +266,43 @@ class SHITEM:
         self.parent = None
         self.extensions = []
+    def __repr__(self) -> str:
+        return f"<{self.__class__.__name__}>"
     @property
-    def name(self):
+    def name(self) -> str:
         return f"<SHITEM 0x{self.size:x}>"
     @property
-    def creation_time(self):
+    def creation_time(self) -> None:
         return None
     @property
-    def modification_time(self):
+    def modification_time(self) -> None:
         return None
     @property
-    def access_time(self):
+    def access_time(self) -> None:
         return None
     @property
-    def file_size(self):
+    def file_size(self) -> None:
         return None
     @property
-    def file_reference(self):
+    def file_reference(self) -> None:
         return None
-    def extension(self, cls):
+    def extension(self, cls: Any) -> Any | None:
         for ext in self.extensions:
             if isinstance(ext, cls):
                 return ext
         return None
-    def __repr__(self):
-        return f"<{self.__class__.__name__}>"
 class UNKNOWN(SHITEM):
     @property
-    def name(self):
+    def name(self) -> str:
         type_number = hex(self.type) if self.type else self.type
         return f"<UNKNOWN size=0x{self.size:04x} type={type_number}>"
@@ -573,7 +318,7 @@ class UNKNOWN0(SHITEM):
             self.guid = uuid.UUID(bytes_le=fh.read(16))
     @property
-    def name(self):
+    def name(self) -> str:
         if self.guid:
             GUID_name = shell_folder_ids.DESCRIPTIONS.get(str(self.guid))
             return GUID_name or f"<UNKNOWN0: {{{self.guid}}}>"
@@ -585,11 +330,11 @@ class UNKNOWN1(SHITEM):
     STRUCT = c_bag.SHITEM_UNKNOWN1
     @property
-    def name(self):
+    def name(self) -> str:
         return f"<UNKNOWN1 0x{self.size:x}>"
-class ROOT_FOLDER(SHITEM):  # noqa
+class ROOT_FOLDER(SHITEM):
     STRUCT = c_bag.SHITEM_ROOT_FOLDER
     def __init__(self, fh):
@@ -601,7 +346,7 @@ class ROOT_FOLDER(SHITEM):  # noqa
             self.extension = None
     @property
-    def name(self):
+    def name(self) -> str:
         GUID_name = shell_folder_ids.DESCRIPTIONS.get(str(self.guid))
         return GUID_name or f"{{{self.item.folder_id.name}: {self.guid}}}"
@@ -616,12 +361,12 @@ class VOLUME(SHITEM):
         if self.type == 0x2E:
             self.identifier = uuid.UUID(bytes_le=buf[4:20].tobytes())
         else:
-            self.volume_name = self.fh.read(20).rstrip(b"\x00").decode()
+            self.volume_name = self.fh.read(20).rstrip(b"\x00").decode(errors="surrogateescape")
             if self.size >= 41:
                 self.identifier = uuid.UUID(bytes_le=buf[25:41].tobytes())
     @property
-    def name(self):
+    def name(self) -> str:
         if self.volume_name:
             return self.volume_name
         if self.identifier:
@@ -630,7 +375,7 @@ class VOLUME(SHITEM):
         return f"<VOLUME 0x{self.type:02x}>"
-class FILE_ENTRY(SHITEM):  # noqa
+class FILE_ENTRY(SHITEM):
     STRUCT = c_bag.SHITEM_FILE_ENTRY
     def __init__(self, buf):
@@ -644,7 +389,7 @@ class FILE_ENTRY(SHITEM):  # noqa
             self.primary_name = c_bag.wchar[None](self.fh)
             self.is_unicode = True
         else:
-            self.primary_name = c_bag.char[None](self.fh).decode()
+            self.primary_name = c_bag.char[None](self.fh).decode(errors="surrogateescape")
             self.is_unicode = False
         if self.fh.tell() % 2:
@@ -659,17 +404,17 @@ class FILE_ENTRY(SHITEM):  # noqa
             if self.is_unicode:
                 self.secondary_name = c_bag.wchar[None](self.fh)
             else:
-                self.secondary_name = c_bag.char[None](self.fh).decode()
+                self.secondary_name = c_bag.char[None](self.fh).decode(errors="surrogateescape")
     @property
-    def name(self):
+    def name(self) -> str:
         ext = self.extension(EXTENSION_BLOCK_BEEF0004)
         if ext and ext.long_name:
             return ext.long_name
         return self.primary_name
     @property
-    def modification_time(self):
+    def modification_time(self) -> datetime | None:
         ts = self.item.modification_time
         if ts > 0:
             return dostimestamp(ts, swap=True)
@@ -691,15 +436,15 @@ class NETWORK(SHITEM):
             self.comments = c_bag.char[None](self.fh)
     @property
-    def name(self):
-        return self.item.location.decode()
+    def name(self) -> str:
+        return self.item.location.decode(errors="surrogateescape")
-class COMPRESSED_FOLDER(SHITEM):  # noqa
+class COMPRESSED_FOLDER(SHITEM):
     STRUCT = c_bag.SHITEM_COMPRESSED_FOLDER
     @property
-    def name(self):
+    def name(self) -> str:
         return "<COMPRESSED_FOLDER>"
@@ -714,14 +459,14 @@ class URI(SHITEM):
             if self.item.flags & 0x80:
                 self.uri = c_bag.wchar[None](self.fh)
             else:
-                self.uri = c_bag.char[None](self.fh).decode()
+                self.uri = c_bag.char[None](self.fh).decode(errors="surrogateescape")
     @property
-    def name(self):
+    def name(self) -> str:
         return self.uri or "<URI>"
-class CONTROL_PANEL(SHITEM):  # noqa
+class CONTROL_PANEL(SHITEM):
     STRUCT = c_bag.SHITEM_CONTROL_PANEL
     def __init__(self, buf):
@@ -729,12 +474,12 @@ class CONTROL_PANEL(SHITEM):  # noqa
         self.guid = uuid.UUID(bytes_le=self.item.guid)
     @property
-    def name(self):
+    def name(self) -> str:
         GUID_name = shell_folder_ids.DESCRIPTIONS.get(str(self.guid))
         return GUID_name or f"<CONTROL_PANEL {self.guid}>"
-class CONTROL_PANEL_CATEGORY(SHITEM):  # noqa
+class CONTROL_PANEL_CATEGORY(SHITEM):
     STRUCT = c_bag.SHITEM_CONTROL_PANEL_CATEGORY
     CATEGORIES = {
         0: "All Control Panel Items",
@@ -752,7 +497,7 @@ class CONTROL_PANEL_CATEGORY(SHITEM):  # noqa
     }
     @property
-    def name(self):
+    def name(self) -> str:
         categ_str = self.CATEGORIES.get(self.item.category)
         if categ_str:
             return categ_str
@@ -763,11 +508,11 @@ class CDBURN(SHITEM):
     STRUCT = c_bag.SHITEM_CDBURN
     @property
-    def name(self):
+    def name(self) -> str:
         return "<CDBURN>"
-class GAME_FOLDER(SHITEM):  # noqa
+class GAME_FOLDER(SHITEM):
     STRUCT = c_bag.SHITEM_GAME_FOLDER
     def __init__(self, buf):
@@ -775,43 +520,43 @@ class GAME_FOLDER(SHITEM):  # noqa
         self.guid = uuid.UUID(bytes_le=self.item.identifier)
     @property
-    def name(self):
+    def name(self) -> str:
         return f"<GAME_FOLDER {{{self.guid}}}>"
-class CONTROL_PANEL_CPL_FILE(SHITEM):  # noqa
+class CONTROL_PANEL_CPL_FILE(SHITEM):
     STRUCT = c_bag.SHITEM_CONTROL_PANEL_CPL_FILE
     @property
-    def name(self):
+    def name(self) -> str:
         return f"<CONTROL_PANEL_CPL_FILE path={self.item.cpl_path} name={self.item.name} comments={self.item.comments}>"
-class MTP_FILE_ENTRY(SHITEM):  # noqa
+class MTP_FILE_ENTRY(SHITEM):
     STRUCT = c_bag.SHITEM_MTP_FILE_ENTRY
     @property
-    def name(self):
+    def name(self) -> str:
         return "<MTP_FILE_ENTRY>"
     @property
-    def creation_time(self):
+    def creation_time(self) -> datetime:
         return self.item.creation_time
     @property
-    def modification_time(self):
+    def modification_time(self) -> datetime:
         return self.item.modification_time
-class MTP_VOLUME(SHITEM):  # noqa
+class MTP_VOLUME(SHITEM):
     STRUCT = c_bag.SHITEM_MTP_FILE_ENTRY
     @property
-    def name(self):
+    def name(self) -> str:
         return "<MTP_VOLUME>"
-class USERS_PROPERTY_VIEW(SHITEM):  # noqa
+class USERS_PROPERTY_VIEW(SHITEM):
     STRUCT = c_bag.SHITEM_USERS_PROPERTY_VIEW
     def __init__(self, buf):
@@ -823,13 +568,13 @@ class USERS_PROPERTY_VIEW(SHITEM):  # noqa
             self.guid = uuid.UUID(bytes_le=self.item.identifier)
     @property
-    def name(self):
+    def name(self) -> str:
         # As we don't know how to handle identifier_size other than 16 bytes, we fall back to data_signature
         property_view = self.guid or self.identifier
         return f"<USERS_PROPERTY_VIEW {{{property_view}}}>"
-class UNKNOWN_0x74(SHITEM):  # noqa
+class UNKNOWN_0x74(SHITEM):
     STRUCT = c_bag.SHITEM_UNKNOWN_0x74
     def __init__(self, buf):
@@ -839,11 +584,11 @@ class UNKNOWN_0x74(SHITEM):  # noqa
             self.subitem = c_bag.SHITEM_UNKNOWN_0x74_SUBITEM(self.fh)
     @property
-    def name(self):
-        return self.subitem.primary_name.decode() if self.subitem else "<UNKNOWN_0x74>"
+    def name(self) -> str:
+        return self.subitem.primary_name.decode(errors="surrogateescape") if self.subitem else "<UNKNOWN_0x74>"
     @property
-    def modification_time(self):
+    def modification_time(self) -> datetime | None:
         if self.subitem.modification_time > 0:
             return dostimestamp(self.subitem.modification_time, swap=True) if self.subitem else None
         return None
@@ -858,38 +603,38 @@ class DELEGATE(SHITEM):
         self.shell_identifier = uuid.UUID(bytes_le=self.item.shell_identifier)
     @property
-    def name(self):
+    def name(self) -> str:
         GUID_name = shell_folder_ids.DESCRIPTIONS.get(str(self.shell_identifier))
         return GUID_name if GUID_name else f"{{{self.shell_identifier}}}"
-class EXTENSION_BLOCK:  # noqa
+class EXTENSION_BLOCK:
     def __init__(self, buf):
         self.buf = buf
         self.fh = io.BytesIO(buf)
         self.header = c_bag.EXTENSION_BLOCK_HEADER(self.fh)
+    def __repr__(self) -> str:
+        return f"<EXTENSION_BLOCK size=0x{self.size:04x} version=0x{self.version:04x} signature=0x{self.signature:08x}>"
     @property
-    def size(self):
+    def size(self) -> int:
         return self.header.size
     @property
-    def data_size(self):
+    def data_size(self) -> int:
         return self.size - 8  # minus header
     @property
-    def version(self):
+    def version(self) -> int:
         return self.header.version
     @property
-    def signature(self):
+    def signature(self) -> int:
         return self.header.signature
-    def __repr__(self):
-        return f"<EXTENSION_BLOCK size=0x{self.size:04x} version=0x{self.version:04x} signature=0x{self.signature:08x}>"
-class EXTENSION_BLOCK_BEEF0004(EXTENSION_BLOCK):  # noqa
+class EXTENSION_BLOCK_BEEF0004(EXTENSION_BLOCK):
     def __init__(self, buf):
         super().__init__(buf)
         fh = self.fh
@@ -923,8 +668,269 @@ class EXTENSION_BLOCK_BEEF0004(EXTENSION_BLOCK):  # noqa
             self.localized_name = c_bag.wchar[None](fh)
-class EXTENSION_BLOCK_BEEF0005(EXTENSION_BLOCK):  # noqa
+class EXTENSION_BLOCK_BEEF0005(EXTENSION_BLOCK):
     def __init__(self, buf):
         super().__init__(buf)
         c_bag.char[16](self.fh)  # GUID?
         self.shell_items = self.fh.read(self.data_size - 18)
+ShellBagRecord = create_extended_descriptor([RegistryRecordDescriptorExtension, UserRecordDescriptorExtension])(
+    "windows/shellbag",
+    [
+        ("datetime", "ts_mtime"),
+        ("datetime", "ts_atime"),
+        ("datetime", "ts_btime"),
+        ("string", "type"),
+        ("path", "path"),
+        ("datetime", "regf_mtime"),
+    ],
+)
+class ShellBagsPlugin(Plugin):
+    """Windows Shellbags plugin."""
+    KEYS = [
+        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell",
+        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\ShellNoRoam",
+        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\Shell",
+        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\ShellNoRoam",
+        "HKEY_CURRENT_USER\\Software\\Classes\\Wow6432Node\\Local Settings\\Software\\Microsoft\\Windows\\Shell",
+        "HKEY_CURRENT_USER\\Software\\Classes\\Wow6432Node\\Local Settings\\Software\\Microsoft\\Windows\\ShellNoRoam",
+        "HKEY_CURRENT_USER\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\BagMRU",
+    ]
+    def __init__(self, target: Target):
+        super().__init__(target)
+        self.bagkeys: list[RegistryKey] = list(self.target.registry.keys(self.KEYS))
+    def check_compatible(self) -> None:
+        if not self.bagkeys:
+            raise UnsupportedPluginError("No shellbags found")
+    @export(record=ShellBagRecord)
+    def shellbags(self) -> Iterator[ShellBagRecord]:
+        """Yields Windows Shellbags.
+        Shellbags are registry keys to improve user experience when using Windows Explorer.
+        They contain information such as file and folder creation time and access time.
+        References:
+            - https://github.com/libyal/libfwsi
+            - https://www.giac.org/paper/gcfa/9576/windows-shellbag-forensics-in-depth/128522
+            - https://www.hackingarticles.in/forensic-investigation-shellbags/
+        """
+        for regkey in self.bagkeys:
+            try:
+                yield from self._walk_bags(regkey.subkey("BagMRU"), None)
+            except RegistryKeyNotFoundError:
+                continue
+            except Exception as e:
+                self.target.log.error("Exception while parsing shellbags")
+                self.target.log.debug("", exc_info=e)
+                continue
+    def _walk_bags(self, key: RegistryKey, path_prefix: str | None) -> Iterator[ShellBagRecord]:
+        """Recursively walk shellbags from the given RegistryKey location."""
+        path_prefix = [] if path_prefix is None else [path_prefix]
+        user = self.target.registry.get_user(key)
+        for reg_val in key.values():
+            name, value = reg_val.name, reg_val.value
+            if not name.isdigit():
+                continue
+            path = None
+            for item in parse_shell_item_list(value):
+                path = "\\".join(path_prefix + [item.name])
+                yield ShellBagRecord(
+                    ts_mtime=item.modification_time,
+                    ts_atime=item.access_time,
+                    ts_btime=item.creation_time,
+                    type=item.__class__.__name__,
+                    path=windows_path(path),
+                    regf_mtime=key.ts,
+                    _key=key,
+                    _user=user,
+                    _target=self.target,
+                )
+            yield from self._walk_bags(key.subkey(name), path)
+def parse_shell_item_list(buf: bytes) -> Iterator[SHITEM]:
+    """Parse a shellbag item from the given bytes."""
+    offset = 0
+    end = len(buf)
+    list_buf = memoryview(buf)
+    parent = None
+    while offset < end:
+        size = c_bag.uint16(list_buf[offset : offset + 2])
+        if size == 0:
+            break
+        item_buf = list_buf[offset : offset + size]
+        entry = None
+        if size >= 8:
+            signature = c_bag.uint32(item_buf[4:8])
+            if signature == 0x39DE2184:
+                entry = CONTROL_PANEL_CATEGORY
+            elif signature == 0x4D677541:
+                entry = CDBURN
+            elif signature == 0x49534647:
+                entry = GAME_FOLDER
+            elif signature == 0xFFFFFF38:
+                entry = CONTROL_PANEL_CPL_FILE
+        if size >= 10 and not entry:
+            signature = c_bag.uint32(item_buf[6:10])
+            if signature == 0x07192006:
+                entry = MTP_FILE_ENTRY
+            elif signature == 0x10312005:
+                entry = MTP_VOLUME
+            elif signature in (0x10141981, 0x23A3DFD5, 0x23FEBBEE, 0x3B93AFBB, 0xBEEBEE00):
+                entry = USERS_PROPERTY_VIEW
+            elif signature == 0x46534643:
+                entry = UNKNOWN_0x74
+        if size >= 38 and not entry:
+            if item_buf[size - 32 : size] == DELEGATE_ITEM_IDENTIFIER:
+                entry = DELEGATE
+        if size >= 3 and not entry:
+            class_type = item_buf[2]
+            mask_type = class_type & 0x70
+            if mask_type == 0x00:
+                if class_type == 0x00:
+                    entry = UNKNOWN0
+                elif class_type == 0x01:
+                    entry = UNKNOWN1
+            elif mask_type == 0x10:
+                if class_type == 0x1F:
+                    entry = ROOT_FOLDER
+            elif mask_type == 0x20:
+                if class_type in (0x23, 0x25, 0x29, 0x2A, 0x2E, 0x2F):
+                    entry = VOLUME
+            elif mask_type == 0x30:
+                if class_type in (0x30, 0x31, 0x32, 0x35, 0x36, 0xB1):
+                    entry = FILE_ENTRY
+            elif mask_type == 0x40:
+                if class_type in (0x41, 0x42, 0x46, 0x47, 0x4C, 0xC3):
+                    entry = NETWORK
+            elif mask_type == 0x50:
+                if class_type == 0x52:
+                    entry = COMPRESSED_FOLDER
+            elif mask_type == 0x60:
+                if class_type == 0x61:
+                    entry = URI
+            elif mask_type == 0x70:
+                if class_type == 0x71:
+                    entry = CONTROL_PANEL
+            else:
+                if not entry:
+                    log.debug("No supported shell item found for size 0x%04x and type 0x%02x", size, class_type)
+                    entry = UNKNOWN
+        if not entry:
+            log.debug("No supported shell item found for size 0x%04x", size)
+            entry = UNKNOWN
+        entry = entry(item_buf)
+        entry.parent = parent
+        first_extension_block_offset = c_bag.uint16(item_buf[-2:])
+        if 4 <= first_extension_block_offset < size - 2:
+            extension_offset = first_extension_block_offset
+            while extension_offset < size - 2:
+                extension_size = c_bag.uint16(item_buf[extension_offset : extension_offset + 2])
+                if extension_size == 0:
+                    break
+                if extension_size > size - extension_offset:
+                    log.debug(
+                        "Extension size exceeds item size: 0x%04x > 0x%04x - 0x%04x",
+                        extension_size,
+                        size,
+                        extension_offset,
+                    )
+                    break  # Extension size too large
+                extension_buf = item_buf[extension_offset : extension_offset + extension_size]
+                extension_signature = c_bag.uint32(extension_buf[4:8])
+                ext = None
+                if extension_signature >> 16 != 0xBEEF:
+                    log.debug("Got unsupported extension signature 0x%08x from item %r", extension_signature, entry)
+                    pass  # Unsupported
+                elif extension_signature == 0xBEEF0000:
+                    pass
+                elif extension_signature == 0xBEEF0001:
+                    pass
+                elif extension_signature == 0xBEEF0003:
+                    ext = EXTENSION_BLOCK_BEEF0004
+                elif extension_signature == 0xBEEF0004:
+                    ext = EXTENSION_BLOCK_BEEF0004
+                elif extension_signature == 0xBEEF0005:
+                    ext = EXTENSION_BLOCK_BEEF0005
+                elif extension_signature == 0xBEEF0006:
+                    pass
+                elif extension_signature == 0xBEEF000A:
+                    pass
+                elif extension_signature == 0xBEEF0013:
+                    pass
+                elif extension_signature == 0xBEEF0014:
+                    pass
+                elif extension_signature == 0xBEEF0019:
+                    pass
+                elif extension_signature == 0xBEEF0025:
+                    pass
+                elif extension_signature == 0xBEEF0026:
+                    pass
+                else:
+                    log.debug(
+                        "Got unsupported beef extension signature 0x%08x from item %r", extension_signature, entry
+                    )
+                    pass
+                if ext is None:
+                    ext = EXTENSION_BLOCK
+                    log.debug("Unimplemented extension signature 0x%08x from item %r", extension_signature, entry)
+                ext = ext(extension_buf)
+                entry.extensions.append(ext)
+                extension_offset += extension_size
+        parent = entry
+        offset += size
+        yield entry

{dissect.target-3.20.dev23.dist-info → dissect.target-3.20.dev26.dist-info}/METADATA RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: dissect.target
-Version: 3.20.dev23
+Version: 3.20.dev26
 Summary: This module ties all other Dissect modules together, it provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets)
 Author-email: Dissect Team <dissect@fox-it.com>
 License: Affero General Public License v3

{dissect.target-3.20.dev23.dist-info → dissect.target-3.20.dev26.dist-info}/RECORD RENAMED Viewed

@@ -23,7 +23,7 @@ dissect/target/containers/vmdk.py,sha256=5fQGkJy4esXONXrKLbhpkQDt8Fwx19YENK2mOm7
 dissect/target/data/autocompletion/target_bash_completion.sh,sha256=wrOQ_ED-h8WFcjCmY6n4qKl84tWJv9l8ShFHDfJqJyA,3592
 dissect/target/filesystems/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/filesystems/ad1.py,sha256=nEPzaaRsb6bL4ItFo0uLdmdLvrmK9BjqHeD3FOp3WQI,2413
-dissect/target/filesystems/btrfs.py,sha256=X-eMlKkx88xS2iIWRuq9yaQ82fl0DM435F1sdXkDo8g,6469
+dissect/target/filesystems/btrfs.py,sha256=TotOs0-VOmgSijERZb1pOrIH_E7B1J_DRKqws8ttQTk,6569
 dissect/target/filesystems/cb.py,sha256=6LcoJiwsYu1Han31IUzVpZVDTifhTLTx_gLfNpB_p6k,5329
 dissect/target/filesystems/config.py,sha256=GQOtixIIt-Jjtpl3IVqUTujcBFfWaAZeAtvxgNUNetU,11963
 dissect/target/filesystems/cpio.py,sha256=ssVCjkAtLn2FqmNxeo6U5boyUdSYFxLWfXpytHYGPqs,641
@@ -34,7 +34,7 @@ dissect/target/filesystems/fat.py,sha256=ZSw-wS57vo5eIXJndfI1rZkGu_qh-vyioMzCZFZ
 dissect/target/filesystems/ffs.py,sha256=Wu8sS1jjmD0QXXcAaD2h_zzfvinjco8qvj0hErufZ-4,4555
 dissect/target/filesystems/itunes.py,sha256=w2lcWv6jlBPm84tsGZehxKBMXXyuW3KlmwVTF4ssQec,6395
 dissect/target/filesystems/jffs.py,sha256=Ceqa5Em2pepnXMH_XZFmSNjQyWPo1uWTthBFSMWfKRo,3926
-dissect/target/filesystems/ntfs.py,sha256=fGgCKjdO5GrPC21DDr0SwIxmwR7KruNIqGUzysboirA,7068
+dissect/target/filesystems/ntfs.py,sha256=Losf35q9aLm-YdwVllT5so99s-GqTF1ZXMbLX0PUNC0,7624
 dissect/target/filesystems/overlay.py,sha256=d0BNZcVd3SzBcM1SZO5nX2FrEYcdtVH34BPJQ6Oh4x8,4753
 dissect/target/filesystems/smb.py,sha256=uxfcOWwEoDCw8Qpsa94T5Pn-SKd4WXs4OOrzVVI55d8,6406
 dissect/target/filesystems/squashfs.py,sha256=ehzlThXB7n96XUvQnsK5tWLsA9HIxYN-Zxl7aO9D7ts,3921
@@ -334,7 +334,7 @@ dissect/target/plugins/os/windows/regf/nethist.py,sha256=QHbG9fmZNmjSVhrgqMvMo12
 dissect/target/plugins/os/windows/regf/recentfilecache.py,sha256=goS6ajLIh6ZU-Gq4tupoxBoQCfMDp2qJgg-Nn5qFIsY,1850
 dissect/target/plugins/os/windows/regf/regf.py,sha256=D1GrljF-sV8cWIjWJ3zH7k52i1OWD8poEC_PIeZMEis,3419
 dissect/target/plugins/os/windows/regf/runkeys.py,sha256=-2HcdnVytzCt1xwgAI8rHDnwk8kwLPWURumvhrGnIHU,4278
-dissect/target/plugins/os/windows/regf/shellbags.py,sha256=hXAqThFkHmGPmhNRSXwMNzw25kAyIC6OOZivgpPEwTQ,25679
+dissect/target/plugins/os/windows/regf/shellbags.py,sha256=-8WkdplG0FR37XgpCTd4iDdQvvrgtOk9kZY5qLsW5J8,26984
 dissect/target/plugins/os/windows/regf/shimcache.py,sha256=TY7GEFnxb8h99q12CzM0SwVlUymi4hFPae3uuM0M6kY,9998
 dissect/target/plugins/os/windows/regf/trusteddocs.py,sha256=3yvpBDM-Asg0rvGN2TwALGRm9DYogG6TxRau9D6FBbw,3700
 dissect/target/plugins/os/windows/regf/usb.py,sha256=nSAHB4Cdd0wF2C1EK_XYOfWCyqOgTZCLfDhuSmr7rdM,9709
@@ -368,10 +368,10 @@ dissect/target/volumes/luks.py,sha256=OmCMsw6rCUXG1_plnLVLTpsvE1n_6WtoRUGQbpmu1z
 dissect/target/volumes/lvm.py,sha256=wwQVR9I3G9YzmY6UxFsH2Y4MXGBcKL9aayWGCDTiWMU,2269
 dissect/target/volumes/md.py,sha256=7ShPtusuLGaIv27SvEETtgsuoQyAa4iAAeOR1NEaajI,1689
 dissect/target/volumes/vmfs.py,sha256=-LoUbn9WNwTtLi_4K34uV_-wDw2W5hgaqxZNj4UmqAQ,1730
-dissect.target-3.20.dev23.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
-dissect.target-3.20.dev23.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
-dissect.target-3.20.dev23.dist-info/METADATA,sha256=dGuBoIpEp_hKqGr5hAlD6pnyc70LxqqzpOG40g_EeLE,12897
-dissect.target-3.20.dev23.dist-info/WHEEL,sha256=GV9aMThwP_4oNCtvEC2ec3qUYutgWeAzklro_0m4WJQ,91
-dissect.target-3.20.dev23.dist-info/entry_points.txt,sha256=BWuxAb_6AvUAQpIQOQU0IMTlaF6TDht2AIZK8bHd-zE,492
-dissect.target-3.20.dev23.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
-dissect.target-3.20.dev23.dist-info/RECORD,,
+dissect.target-3.20.dev26.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
+dissect.target-3.20.dev26.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
+dissect.target-3.20.dev26.dist-info/METADATA,sha256=9ta9bS0OqAMhf6vc8zDqGxpXSkY-YRJMAHWRucXo3f8,12897
+dissect.target-3.20.dev26.dist-info/WHEEL,sha256=GV9aMThwP_4oNCtvEC2ec3qUYutgWeAzklro_0m4WJQ,91
+dissect.target-3.20.dev26.dist-info/entry_points.txt,sha256=BWuxAb_6AvUAQpIQOQU0IMTlaF6TDht2AIZK8bHd-zE,492
+dissect.target-3.20.dev26.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
+dissect.target-3.20.dev26.dist-info/RECORD,,

{dissect.target-3.20.dev23.dist-info → dissect.target-3.20.dev26.dist-info}/COPYRIGHT RENAMED Viewed

File without changes

{dissect.target-3.20.dev23.dist-info → dissect.target-3.20.dev26.dist-info}/LICENSE RENAMED Viewed

File without changes

{dissect.target-3.20.dev23.dist-info → dissect.target-3.20.dev26.dist-info}/WHEEL RENAMED Viewed

File without changes

{dissect.target-3.20.dev23.dist-info → dissect.target-3.20.dev26.dist-info}/entry_points.txt RENAMED Viewed

File without changes

{dissect.target-3.20.dev23.dist-info → dissect.target-3.20.dev26.dist-info}/top_level.txt RENAMED Viewed

File without changes

dissect.target 3.20.dev23__py3-none-any.whl → 3.20.dev26__py3-none-any.whl

dissect.target 3.20.dev23py3-none-any.whl → 3.20.dev26py3-none-any.whl