PyPI - dissect.target - Versions diffs - 3.20.dev23__py3-none-any.whl → 3.20.dev26__py3-none-any.whl - Mend

dissect.target 3.20.dev23py3-none-any.whl → 3.20.dev26py3-none-any.whl

Files changed (10) hide show

dissect/target/filesystems/btrfs.py CHANGED Viewed

@@ -181,6 +181,9 @@ class BtrfsFilesystemEntry(FilesystemEntry):
         # Add block information of the filesystem
         st_info.st_blksize = entry.btrfs.sector_size
-        st_info.st_blocks = math.ceil(entry.size / st_info.st_blksize)
+        st_info.st_blocks = 0
+        if not self.is_dir():
+            st_info.st_blocks = (st_info.st_blksize // 512) * math.ceil(st_info.st_size / st_info.st_blksize)
         return st_info

dissect/target/filesystems/ntfs.py CHANGED Viewed

@@ -1,5 +1,6 @@
 from __future__ import annotations
+import math
 import stat
 from typing import BinaryIO, Iterator, Optional
@@ -151,12 +152,14 @@ class NtfsFilesystemEntry(FilesystemEntry):
         record = self.dereference()
         size = 0
+        real_size = 0
         if self.is_symlink():
             mode = stat.S_IFLNK
         elif self.is_file():
             mode = stat.S_IFREG
             try:
                 size = record.size(self.ads)
+                real_size = record.size(self.ads, allocated=True)
             except NtfsFileNotFoundError as e:
                 # Occurs when it cannot find the the specific ads inside its attributes
                 raise FileNotFoundError from e
@@ -176,16 +179,29 @@ class NtfsFilesystemEntry(FilesystemEntry):
                 0,
                 size,
                 stdinfo.last_access_time.timestamp(),
-                stdinfo.last_change_time.timestamp(),
+                stdinfo.last_modification_time.timestamp(),
+                # ctime gets set to creation time for python <3.12 purposes
                 stdinfo.creation_time.timestamp(),
             ]
         )
         # Set the nanosecond resolution separately
         st_info.st_atime_ns = stdinfo.last_access_time_ns
-        st_info.st_mtime_ns = stdinfo.last_change_time_ns
+        st_info.st_mtime_ns = stdinfo.last_modification_time_ns
         st_info.st_ctime_ns = stdinfo.creation_time_ns
+        st_info.st_birthtime = stdinfo.creation_time.timestamp()
+        st_info.st_birthtime_ns = stdinfo.creation_time_ns
+        # real_size is none if the size is resident
+        st_info.st_blksize = record.ntfs.cluster_size
+        blocks = 0
+        if not record.resident:
+            blocks = math.ceil(real_size / 512)
+        st_info.st_blocks = blocks
         return st_info
     def attr(self) -> AttributeMap:

dissect/target/plugins/os/windows/regf/shellbags.py CHANGED Viewed

@@ -1,6 +1,10 @@
+from __future__ import annotations
 import io
 import logging
 import uuid
+from datetime import datetime
+from typing import Any, Iterator
 from dissect.cstruct import cstruct
 from dissect.util.ts import dostimestamp
@@ -13,7 +17,9 @@ from dissect.target.helpers.descriptor_extensions import (
     UserRecordDescriptorExtension,
 )
 from dissect.target.helpers.record import create_extended_descriptor
+from dissect.target.helpers.regutil import RegistryKey
 from dissect.target.plugin import Plugin, export
+from dissect.target.target import Target
 log = logging.getLogger(__name__)
@@ -170,30 +176,30 @@ struct SHITEM_MTP_VOLUME_GUID {
 };
 struct SHITEM_MTP_VOLUME {
-    uint16  size;
-    uint8   type;
-    uint8   unk0;
-    uint16  data_size;
-    uint32  data_signature;
-    uint32  unk1;
-    uint16  unk2;
-    uint16  unk3;
-    uint16  unk4;
-    uint16  unk5;
-    uint32  unk6;
-    uint64  unk7;
-    uint32  unk8;
-    uint32  name_size;
-    uint32  identifier_size;
-    uint32  filesystem_size;
-    uint32  num_guid;
-    wchar   name[name_size];
-    wchar   identifier[identifier_size];
-    wchar   filesystem[filesystem_size];
-    SHITEM_MTP_VOLUME_GUID     guids[num_guid];
-    uint32  unk9;
-    char    class_identifier[16];
-    uint32  num_properties;
+    uint16                      size;
+    uint8                       type;
+    uint8                       unk0;
+    uint16                      data_size;
+    uint32                      data_signature;
+    uint32                      unk1;
+    uint16                      unk2;
+    uint16                      unk3;
+    uint16                      unk4;
+    uint16                      unk5;
+    uint32                      unk6;
+    uint64                      unk7;
+    uint32                      unk8;
+    uint32                      name_size;
+    uint32                      identifier_size;
+    uint32                      filesystem_size;
+    uint32                      num_guid;
+    wchar                       name[name_size];
+    wchar                       identifier[identifier_size];
+    wchar                       filesystem[filesystem_size];
+    SHITEM_MTP_VOLUME_GUID      guids[num_guid];
+    uint32                      unk9;
+    char                        class_identifier[16];
+    uint32                      num_properties;
 };
 struct SHITEM_USERS_PROPERTY_VIEW {
@@ -248,267 +254,6 @@ c_bag = cstruct().load(bag_def)
 DELEGATE_ITEM_IDENTIFIER = b"\x74\x1a\x59\x5e\x96\xdf\xd3\x48\x8d\x67\x17\x33\xbc\xee\x28\xba"
-ShellBagRecord = create_extended_descriptor([RegistryRecordDescriptorExtension, UserRecordDescriptorExtension])(
-    "windows/shellbag",
-    [
-        ("path", "path"),
-        ("datetime", "creation_time"),
-        ("datetime", "modification_time"),
-        ("datetime", "access_time"),
-        ("datetime", "regf_modification_time"),
-    ],
-)
-class ShellBagsPlugin(Plugin):
-    """Windows Shellbags plugin.
-    References:
-        - https://github.com/libyal/libfwsi
-    """
-    KEYS = [
-        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell",
-        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\ShellNoRoam",
-        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\Shell",
-        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\ShellNoRoam",
-        "HKEY_CURRENT_USER\\Software\\Classes\\Wow6432Node\\Local Settings\\Software\\Microsoft\\Windows\\Shell",
-        "HKEY_CURRENT_USER\\Software\\Classes\\Wow6432Node\\Local Settings\\Software\\Microsoft\\Windows\\ShellNoRoam",
-        "HKEY_CURRENT_USER\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\BagMRU",
-    ]
-    def __init__(self, target):
-        super().__init__(target)
-        self.bagkeys = list(self.target.registry.keys(self.KEYS))
-    def check_compatible(self) -> None:
-        if not len(self.bagkeys) > 0:
-            raise UnsupportedPluginError("No shellbags found")
-    @export(record=ShellBagRecord)
-    def shellbags(self):
-        """Return Windows Shellbags.
-        Shellbags are registry keys to improve user experience when using Windows Explorer. It stores information about
-        for example file/folder creation time and access time.
-        References:
-            - https://www.hackingarticles.in/forensic-investigation-shellbags/
-        """
-        for regkey in self.bagkeys:
-            try:
-                bagsmru = regkey.subkey("BagMRU")
-                for r in self._walk_bags(bagsmru, None):
-                    yield r
-            except RegistryKeyNotFoundError:
-                continue
-            except Exception:  # noqa
-                self.target.log.exception("Exception while parsing shellbags")
-                continue
-    def _walk_bags(self, key, path_prefix):
-        path_prefix = [] if path_prefix is None else [path_prefix]
-        user = self.target.registry.get_user(key)
-        for reg_val in key.values():
-            name, value = reg_val.name, reg_val.value
-            if not name.isdigit():
-                continue
-            path = None
-            for item in parse_shell_item_list(value):
-                path = "\\".join(path_prefix + [item.name])
-                yield ShellBagRecord(
-                    path=windows_path(path),
-                    creation_time=item.creation_time,
-                    modification_time=item.modification_time,
-                    access_time=item.access_time,
-                    regf_modification_time=key.ts,
-                    _target=self.target,
-                    _user=user,
-                    _key=key,
-                )
-            for r in self._walk_bags(key.subkey(name), path):
-                yield r
-def parse_shell_item_list(buf):
-    offset = 0
-    end = len(buf)
-    list_buf = memoryview(buf)
-    parent = None
-    while offset < end:
-        size = c_bag.uint16(list_buf[offset : offset + 2])
-        if size == 0:
-            break
-        item_buf = list_buf[offset : offset + size]
-        entry = None
-        if size >= 8:
-            signature = c_bag.uint32(item_buf[4:8])
-            if signature == 0x39DE2184:
-                entry = CONTROL_PANEL_CATEGORY
-            elif signature == 0x4D677541:
-                entry = CDBURN
-            elif signature == 0x49534647:
-                entry = GAME_FOLDER
-            elif signature == 0xFFFFFF38:
-                entry = CONTROL_PANEL_CPL_FILE
-        if size >= 10 and not entry:
-            signature = c_bag.uint32(item_buf[6:10])
-            if signature == 0x07192006:
-                entry = MTP_FILE_ENTRY
-            elif signature == 0x10312005:
-                entry = MTP_VOLUME
-            elif signature in (0x10141981, 0x23A3DFD5, 0x23FEBBEE, 0x3B93AFBB, 0xBEEBEE00):
-                entry = USERS_PROPERTY_VIEW
-            elif signature == 0x46534643:
-                entry = UNKNOWN_0x74
-        if size >= 38 and not entry:
-            if item_buf[size - 32 : size] == DELEGATE_ITEM_IDENTIFIER:
-                entry = DELEGATE
-        if size >= 3 and not entry:
-            class_type = item_buf[2]
-            mask_type = class_type & 0x70
-            if mask_type == 0x00:
-                if class_type == 0x00:
-                    entry = UNKNOWN0
-                elif class_type == 0x01:
-                    entry = UNKNOWN1
-            elif mask_type == 0x10:
-                if class_type == 0x1F:
-                    entry = ROOT_FOLDER
-            elif mask_type == 0x20:
-                if class_type in (0x23, 0x25, 0x29, 0x2A, 0x2E, 0x2F):
-                    entry = VOLUME
-            elif mask_type == 0x30:
-                if class_type in (0x30, 0x31, 0x32, 0x35, 0x36, 0xB1):
-                    entry = FILE_ENTRY
-            elif mask_type == 0x40:
-                if class_type in (0x41, 0x42, 0x46, 0x47, 0x4C, 0xC3):
-                    entry = NETWORK
-            elif mask_type == 0x50:
-                if class_type == 0x52:
-                    entry = COMPRESSED_FOLDER
-            elif mask_type == 0x60:
-                if class_type == 0x61:
-                    entry = URI
-            elif mask_type == 0x70:
-                if class_type == 0x71:
-                    entry = CONTROL_PANEL
-            else:
-                if not entry:
-                    log.debug("No supported shell item found for size 0x%04x and type 0x%02x", size, class_type)
-                    entry = UNKNOWN
-        if not entry:
-            log.debug("No supported shell item found for size 0x%04x", size)
-            entry = UNKNOWN
-        entry = entry(item_buf)
-        entry.parent = parent
-        first_extension_block_offset = c_bag.uint16(item_buf[-2:])
-        if 4 <= first_extension_block_offset < size - 2:
-            extension_offset = first_extension_block_offset
-            while extension_offset < size - 2:
-                extension_size = c_bag.uint16(item_buf[extension_offset : extension_offset + 2])
-                if extension_size == 0:
-                    break
-                if extension_size > size - extension_offset:
-                    log.debug(
-                        "Extension size exceeds item size: 0x%04x > 0x%04x - 0x%04x",
-                        extension_size,
-                        size,
-                        extension_offset,
-                    )
-                    break  # Extension size too large
-                extension_buf = item_buf[extension_offset : extension_offset + extension_size]
-                extension_signature = c_bag.uint32(extension_buf[4:8])
-                ext = None
-                if extension_signature >> 16 != 0xBEEF:
-                    log.debug("Got unsupported extension signature 0x%08x from item %r", extension_signature, entry)
-                    pass  # Unsupported
-                elif extension_signature == 0xBEEF0000:
-                    pass
-                elif extension_signature == 0xBEEF0001:
-                    pass
-                elif extension_signature == 0xBEEF0003:
-                    ext = EXTENSION_BLOCK_BEEF0004
-                elif extension_signature == 0xBEEF0004:
-                    ext = EXTENSION_BLOCK_BEEF0004
-                elif extension_signature == 0xBEEF0005:
-                    ext = EXTENSION_BLOCK_BEEF0005
-                elif extension_signature == 0xBEEF0006:
-                    pass
-                elif extension_signature == 0xBEEF000A:
-                    pass
-                elif extension_signature == 0xBEEF0013:
-                    pass
-                elif extension_signature == 0xBEEF0014:
-                    pass
-                elif extension_signature == 0xBEEF0019:
-                    pass
-                elif extension_signature == 0xBEEF0025:
-                    pass
-                elif extension_signature == 0xBEEF0026:
-                    pass
-                else:
-                    log.debug(
-                        "Got unsupported beef extension signature 0x%08x from item %r", extension_signature, entry
-                    )
-                    pass
-                if ext is None:
-                    ext = EXTENSION_BLOCK
-                    log.debug("Unimplemented extension signature 0x%08x from item %r", extension_signature, entry)
-                ext = ext(extension_buf)
-                entry.extensions.append(ext)
-                extension_offset += extension_size
-        parent = entry
-        yield entry
-        offset += size
 class SHITEM:
     STRUCT = None
@@ -521,43 +266,43 @@ class SHITEM:
         self.parent = None
         self.extensions = []
+    def __repr__(self) -> str:
+        return f"<{self.__class__.__name__}>"
     @property
-    def name(self):
+    def name(self) -> str:
         return f"<SHITEM 0x{self.size:x}>"
     @property
-    def creation_time(self):
+    def creation_time(self) -> None:
         return None
     @property
-    def modification_time(self):
+    def modification_time(self) -> None:
         return None
     @property
-    def access_time(self):
+    def access_time(self) -> None:
         return None
     @property
-    def file_size(self):
+    def file_size(self) -> None:
         return None
     @property
-    def file_reference(self):
+    def file_reference(self) -> None:
         return None
-    def extension(self, cls):
+    def extension(self, cls: Any) -> Any | None:
         for ext in self.extensions:
             if isinstance(ext, cls):
                 return ext
         return None
-    def __repr__(self):
-        return f"<{self.__class__.__name__}>"
 class UNKNOWN(SHITEM):
     @property
-    def name(self):
+    def name(self) -> str:
         type_number = hex(self.type) if self.type else self.type
         return f"<UNKNOWN size=0x{self.size:04x} type={type_number}>"
@@ -573,7 +318,7 @@ class UNKNOWN0(SHITEM):
             self.guid = uuid.UUID(bytes_le=fh.read(16))
     @property
-    def name(self):
+    def name(self) -> str:
         if self.guid:
             GUID_name = shell_folder_ids.DESCRIPTIONS.get(str(self.guid))
             return GUID_name or f"<UNKNOWN0: {{{self.guid}}}>"
@@ -585,11 +330,11 @@ class UNKNOWN1(SHITEM):
     STRUCT = c_bag.SHITEM_UNKNOWN1
     @property
-    def name(self):
+    def name(self) -> str:
         return f"<UNKNOWN1 0x{self.size:x}>"
-class ROOT_FOLDER(SHITEM):  # noqa
+class ROOT_FOLDER(SHITEM):
     STRUCT = c_bag.SHITEM_ROOT_FOLDER
     def __init__(self, fh):
@@ -601,7 +346,7 @@ class ROOT_FOLDER(SHITEM):  # noqa
             self.extension = None
     @property
-    def name(self):
+    def name(self) -> str:
         GUID_name = shell_folder_ids.DESCRIPTIONS.get(str(self.guid))
         return GUID_name or f"{{{self.item.folder_id.name}: {self.guid}}}"
@@ -616,12 +361,12 @@ class VOLUME(SHITEM):
         if self.type == 0x2E:
             self.identifier = uuid.UUID(bytes_le=buf[4:20].tobytes())
         else:
-            self.volume_name = self.fh.read(20).rstrip(b"\x00").decode()
+            self.volume_name = self.fh.read(20).rstrip(b"\x00").decode(errors="surrogateescape")
             if self.size >= 41:
                 self.identifier = uuid.UUID(bytes_le=buf[25:41].tobytes())
     @property
-    def name(self):
+    def name(self) -> str:
         if self.volume_name:
             return self.volume_name
         if self.identifier:
@@ -630,7 +375,7 @@ class VOLUME(SHITEM):
         return f"<VOLUME 0x{self.type:02x}>"
-class FILE_ENTRY(SHITEM):  # noqa
+class FILE_ENTRY(SHITEM):
     STRUCT = c_bag.SHITEM_FILE_ENTRY
     def __init__(self, buf):
@@ -644,7 +389,7 @@ class FILE_ENTRY(SHITEM):  # noqa
             self.primary_name = c_bag.wchar[None](self.fh)
             self.is_unicode = True
         else:
-            self.primary_name = c_bag.char[None](self.fh).decode()
+            self.primary_name = c_bag.char[None](self.fh).decode(errors="surrogateescape")
             self.is_unicode = False
         if self.fh.tell() % 2:
@@ -659,17 +404,17 @@ class FILE_ENTRY(SHITEM):  # noqa
             if self.is_unicode:
                 self.secondary_name = c_bag.wchar[None](self.fh)
             else:
-                self.secondary_name = c_bag.char[None](self.fh).decode()
+                self.secondary_name = c_bag.char[None](self.fh).decode(errors="surrogateescape")
     @property
-    def name(self):
+    def name(self) -> str:
         ext = self.extension(EXTENSION_BLOCK_BEEF0004)
         if ext and ext.long_name:
             return ext.long_name
         return self.primary_name
     @property
-    def modification_time(self):
+    def modification_time(self) -> datetime | None:
         ts = self.item.modification_time
         if ts > 0:
             return dostimestamp(ts, swap=True)
@@ -691,15 +436,15 @@ class NETWORK(SHITEM):
             self.comments = c_bag.char[None](self.fh)
     @property
-    def name(self):
-        return self.item.location.decode()
+    def name(self) -> str:
+        return self.item.location.decode(errors="surrogateescape")
-class COMPRESSED_FOLDER(SHITEM):  # noqa
+class COMPRESSED_FOLDER(SHITEM):
     STRUCT = c_bag.SHITEM_COMPRESSED_FOLDER
     @property
-    def name(self):
+    def name(self) -> str:
         return "<COMPRESSED_FOLDER>"
@@ -714,14 +459,14 @@ class URI(SHITEM):
             if self.item.flags & 0x80:
                 self.uri = c_bag.wchar[None](self.fh)
             else:
-                self.uri = c_bag.char[None](self.fh).decode()
+                self.uri = c_bag.char[None](self.fh).decode(errors="surrogateescape")
     @property
-    def name(self):
+    def name(self) -> str:
         return self.uri or "<URI>"
-class CONTROL_PANEL(SHITEM):  # noqa
+class CONTROL_PANEL(SHITEM):
     STRUCT = c_bag.SHITEM_CONTROL_PANEL
     def __init__(self, buf):
@@ -729,12 +474,12 @@ class CONTROL_PANEL(SHITEM):  # noqa
         self.guid = uuid.UUID(bytes_le=self.item.guid)
     @property
-    def name(self):
+    def name(self) -> str:
         GUID_name = shell_folder_ids.DESCRIPTIONS.get(str(self.guid))
         return GUID_name or f"<CONTROL_PANEL {self.guid}>"
-class CONTROL_PANEL_CATEGORY(SHITEM):  # noqa
+class CONTROL_PANEL_CATEGORY(SHITEM):
     STRUCT = c_bag.SHITEM_CONTROL_PANEL_CATEGORY
     CATEGORIES = {
         0: "All Control Panel Items",
@@ -752,7 +497,7 @@ class CONTROL_PANEL_CATEGORY(SHITEM):  # noqa
     }
     @property
-    def name(self):
+    def name(self) -> str:
         categ_str = self.CATEGORIES.get(self.item.category)
         if categ_str:
             return categ_str
@@ -763,11 +508,11 @@ class CDBURN(SHITEM):
     STRUCT = c_bag.SHITEM_CDBURN
     @property
-    def name(self):
+    def name(self) -> str:
         return "<CDBURN>"
-class GAME_FOLDER(SHITEM):  # noqa
+class GAME_FOLDER(SHITEM):
     STRUCT = c_bag.SHITEM_GAME_FOLDER
     def __init__(self, buf):
@@ -775,43 +520,43 @@ class GAME_FOLDER(SHITEM):  # noqa
         self.guid = uuid.UUID(bytes_le=self.item.identifier)
     @property
-    def name(self):
+    def name(self) -> str:
         return f"<GAME_FOLDER {{{self.guid}}}>"
-class CONTROL_PANEL_CPL_FILE(SHITEM):  # noqa
+class CONTROL_PANEL_CPL_FILE(SHITEM):
     STRUCT = c_bag.SHITEM_CONTROL_PANEL_CPL_FILE
     @property
-    def name(self):
+    def name(self) -> str:
         return f"<CONTROL_PANEL_CPL_FILE path={self.item.cpl_path} name={self.item.name} comments={self.item.comments}>"
-class MTP_FILE_ENTRY(SHITEM):  # noqa
+class MTP_FILE_ENTRY(SHITEM):
     STRUCT = c_bag.SHITEM_MTP_FILE_ENTRY
     @property
-    def name(self):
+    def name(self) -> str:
         return "<MTP_FILE_ENTRY>"
     @property
-    def creation_time(self):
+    def creation_time(self) -> datetime:
         return self.item.creation_time
     @property
-    def modification_time(self):
+    def modification_time(self) -> datetime:
         return self.item.modification_time
-class MTP_VOLUME(SHITEM):  # noqa
+class MTP_VOLUME(SHITEM):
     STRUCT = c_bag.SHITEM_MTP_FILE_ENTRY
     @property
-    def name(self):
+    def name(self) -> str:
         return "<MTP_VOLUME>"
-class USERS_PROPERTY_VIEW(SHITEM):  # noqa
+class USERS_PROPERTY_VIEW(SHITEM):
     STRUCT = c_bag.SHITEM_USERS_PROPERTY_VIEW
     def __init__(self, buf):
@@ -823,13 +568,13 @@ class USERS_PROPERTY_VIEW(SHITEM):  # noqa
             self.guid = uuid.UUID(bytes_le=self.item.identifier)
     @property
-    def name(self):
+    def name(self) -> str:
         # As we don't know how to handle identifier_size other than 16 bytes, we fall back to data_signature
         property_view = self.guid or self.identifier
         return f"<USERS_PROPERTY_VIEW {{{property_view}}}>"
-class UNKNOWN_0x74(SHITEM):  # noqa
+class UNKNOWN_0x74(SHITEM):
     STRUCT = c_bag.SHITEM_UNKNOWN_0x74
     def __init__(self, buf):
@@ -839,11 +584,11 @@ class UNKNOWN_0x74(SHITEM):  # noqa
             self.subitem = c_bag.SHITEM_UNKNOWN_0x74_SUBITEM(self.fh)
     @property
-    def name(self):
-        return self.subitem.primary_name.decode() if self.subitem else "<UNKNOWN_0x74>"
+    def name(self) -> str:
+        return self.subitem.primary_name.decode(errors="surrogateescape") if self.subitem else "<UNKNOWN_0x74>"
     @property
-    def modification_time(self):
+    def modification_time(self) -> datetime | None:
         if self.subitem.modification_time > 0:
             return dostimestamp(self.subitem.modification_time, swap=True) if self.subitem else None
         return None
@@ -858,38 +603,38 @@ class DELEGATE(SHITEM):
         self.shell_identifier = uuid.UUID(bytes_le=self.item.shell_identifier)
     @property
-    def name(self):
+    def name(self) -> str:
         GUID_name = shell_folder_ids.DESCRIPTIONS.get(str(self.shell_identifier))
         return GUID_name if GUID_name else f"{{{self.shell_identifier}}}"
-class EXTENSION_BLOCK:  # noqa
+class EXTENSION_BLOCK:
     def __init__(self, buf):
         self.buf = buf
         self.fh = io.BytesIO(buf)
         self.header = c_bag.EXTENSION_BLOCK_HEADER(self.fh)
+    def __repr__(self) -> str:
+        return f"<EXTENSION_BLOCK size=0x{self.size:04x} version=0x{self.version:04x} signature=0x{self.signature:08x}>"
     @property
-    def size(self):
+    def size(self) -> int:
         return self.header.size
     @property
-    def data_size(self):
+    def data_size(self) -> int:
         return self.size - 8  # minus header
     @property
-    def version(self):
+    def version(self) -> int:
         return self.header.version
     @property
-    def signature(self):
+    def signature(self) -> int:
         return self.header.signature
-    def __repr__(self):
-        return f"<EXTENSION_BLOCK size=0x{self.size:04x} version=0x{self.version:04x} signature=0x{self.signature:08x}>"
-class EXTENSION_BLOCK_BEEF0004(EXTENSION_BLOCK):  # noqa
+class EXTENSION_BLOCK_BEEF0004(EXTENSION_BLOCK):
     def __init__(self, buf):
         super().__init__(buf)
         fh = self.fh
@@ -923,8 +668,269 @@ class EXTENSION_BLOCK_BEEF0004(EXTENSION_BLOCK):  # noqa
             self.localized_name = c_bag.wchar[None](fh)
-class EXTENSION_BLOCK_BEEF0005(EXTENSION_BLOCK):  # noqa
+class EXTENSION_BLOCK_BEEF0005(EXTENSION_BLOCK):
     def __init__(self, buf):
         super().__init__(buf)
         c_bag.char[16](self.fh)  # GUID?
         self.shell_items = self.fh.read(self.data_size - 18)
+ShellBagRecord = create_extended_descriptor([RegistryRecordDescriptorExtension, UserRecordDescriptorExtension])(
+    "windows/shellbag",
+    [
+        ("datetime", "ts_mtime"),
+        ("datetime", "ts_atime"),
+        ("datetime", "ts_btime"),
+        ("string", "type"),
+        ("path", "path"),
+        ("datetime", "regf_mtime"),
+    ],
+)
+class ShellBagsPlugin(Plugin):
+    """Windows Shellbags plugin."""
+    KEYS = [
+        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell",
+        "HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\ShellNoRoam",
+        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\Shell",
+        "HKEY_CURRENT_USER\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\ShellNoRoam",
+        "HKEY_CURRENT_USER\\Software\\Classes\\Wow6432Node\\Local Settings\\Software\\Microsoft\\Windows\\Shell",
+        "HKEY_CURRENT_USER\\Software\\Classes\\Wow6432Node\\Local Settings\\Software\\Microsoft\\Windows\\ShellNoRoam",
+        "HKEY_CURRENT_USER\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\BagMRU",
+    ]
+    def __init__(self, target: Target):
+        super().__init__(target)
+        self.bagkeys: list[RegistryKey] = list(self.target.registry.keys(self.KEYS))
+    def check_compatible(self) -> None:
+        if not self.bagkeys:
+            raise UnsupportedPluginError("No shellbags found")
+    @export(record=ShellBagRecord)
+    def shellbags(self) -> Iterator[ShellBagRecord]:
+        """Yields Windows Shellbags.
+        Shellbags are registry keys to improve user experience when using Windows Explorer.
+        They contain information such as file and folder creation time and access time.
+        References:
+            - https://github.com/libyal/libfwsi
+            - https://www.giac.org/paper/gcfa/9576/windows-shellbag-forensics-in-depth/128522
+            - https://www.hackingarticles.in/forensic-investigation-shellbags/
+        """
+        for regkey in self.bagkeys:
+            try:
+                yield from self._walk_bags(regkey.subkey("BagMRU"), None)
+            except RegistryKeyNotFoundError:
+                continue
+            except Exception as e:
+                self.target.log.error("Exception while parsing shellbags")
+                self.target.log.debug("", exc_info=e)
+                continue
+    def _walk_bags(self, key: RegistryKey, path_prefix: str | None) -> Iterator[ShellBagRecord]:
+        """Recursively walk shellbags from the given RegistryKey location."""
+        path_prefix = [] if path_prefix is None else [path_prefix]
+        user = self.target.registry.get_user(key)
+        for reg_val in key.values():
+            name, value = reg_val.name, reg_val.value
+            if not name.isdigit():
+                continue
+            path = None
+            for item in parse_shell_item_list(value):
+                path = "\\".join(path_prefix + [item.name])
+                yield ShellBagRecord(
+                    ts_mtime=item.modification_time,
+                    ts_atime=item.access_time,
+                    ts_btime=item.creation_time,
+                    type=item.__class__.__name__,
+                    path=windows_path(path),
+                    regf_mtime=key.ts,
+                    _key=key,
+                    _user=user,
+                    _target=self.target,
+                )
+            yield from self._walk_bags(key.subkey(name), path)
+def parse_shell_item_list(buf: bytes) -> Iterator[SHITEM]:
+    """Parse a shellbag item from the given bytes."""
+    offset = 0
+    end = len(buf)
+    list_buf = memoryview(buf)
+    parent = None
+    while offset < end:
+        size = c_bag.uint16(list_buf[offset : offset + 2])
+        if size == 0:
+            break
+        item_buf = list_buf[offset : offset + size]
+        entry = None
+        if size >= 8:
+            signature = c_bag.uint32(item_buf[4:8])
+            if signature == 0x39DE2184:
+                entry = CONTROL_PANEL_CATEGORY
+            elif signature == 0x4D677541:
+                entry = CDBURN
+            elif signature == 0x49534647:
+                entry = GAME_FOLDER
+            elif signature == 0xFFFFFF38:
+                entry = CONTROL_PANEL_CPL_FILE
+        if size >= 10 and not entry:
+            signature = c_bag.uint32(item_buf[6:10])
+            if signature == 0x07192006:
+                entry = MTP_FILE_ENTRY
+            elif signature == 0x10312005:
+                entry = MTP_VOLUME
+            elif signature in (0x10141981, 0x23A3DFD5, 0x23FEBBEE, 0x3B93AFBB, 0xBEEBEE00):
+                entry = USERS_PROPERTY_VIEW
+            elif signature == 0x46534643:
+                entry = UNKNOWN_0x74
+        if size >= 38 and not entry:
+            if item_buf[size - 32 : size] == DELEGATE_ITEM_IDENTIFIER:
+                entry = DELEGATE
+        if size >= 3 and not entry:
+            class_type = item_buf[2]
+            mask_type = class_type & 0x70
+            if mask_type == 0x00:
+                if class_type == 0x00:
+                    entry = UNKNOWN0
+                elif class_type == 0x01:
+                    entry = UNKNOWN1
+            elif mask_type == 0x10:
+                if class_type == 0x1F:
+                    entry = ROOT_FOLDER
+            elif mask_type == 0x20:
+                if class_type in (0x23, 0x25, 0x29, 0x2A, 0x2E, 0x2F):
+                    entry = VOLUME
+            elif mask_type == 0x30:
+                if class_type in (0x30, 0x31, 0x32, 0x35, 0x36, 0xB1):
+                    entry = FILE_ENTRY
+            elif mask_type == 0x40:
+                if class_type in (0x41, 0x42, 0x46, 0x47, 0x4C, 0xC3):
+                    entry = NETWORK
+            elif mask_type == 0x50:
+                if class_type == 0x52:
+                    entry = COMPRESSED_FOLDER
+            elif mask_type == 0x60:
+                if class_type == 0x61:
+                    entry = URI
+            elif mask_type == 0x70:
+                if class_type == 0x71:
+                    entry = CONTROL_PANEL
+            else:
+                if not entry:
+                    log.debug("No supported shell item found for size 0x%04x and type 0x%02x", size, class_type)
+                    entry = UNKNOWN
+        if not entry:
+            log.debug("No supported shell item found for size 0x%04x", size)
+            entry = UNKNOWN
+        entry = entry(item_buf)
+        entry.parent = parent
+        first_extension_block_offset = c_bag.uint16(item_buf[-2:])
+        if 4 <= first_extension_block_offset < size - 2:
+            extension_offset = first_extension_block_offset
+            while extension_offset < size - 2:
+                extension_size = c_bag.uint16(item_buf[extension_offset : extension_offset + 2])
+                if extension_size == 0:
+                    break
+                if extension_size > size - extension_offset:
+                    log.debug(
+                        "Extension size exceeds item size: 0x%04x > 0x%04x - 0x%04x",
+                        extension_size,
+                        size,
+                        extension_offset,
+                    )
+                    break  # Extension size too large
+                extension_buf = item_buf[extension_offset : extension_offset + extension_size]
+                extension_signature = c_bag.uint32(extension_buf[4:8])
+                ext = None
+                if extension_signature >> 16 != 0xBEEF:
+                    log.debug("Got unsupported extension signature 0x%08x from item %r", extension_signature, entry)
+                    pass  # Unsupported
+                elif extension_signature == 0xBEEF0000:
+                    pass
+                elif extension_signature == 0xBEEF0001:
+                    pass
+                elif extension_signature == 0xBEEF0003:
+                    ext = EXTENSION_BLOCK_BEEF0004
+                elif extension_signature == 0xBEEF0004:
+                    ext = EXTENSION_BLOCK_BEEF0004
+                elif extension_signature == 0xBEEF0005:
+                    ext = EXTENSION_BLOCK_BEEF0005
+                elif extension_signature == 0xBEEF0006:
+                    pass
+                elif extension_signature == 0xBEEF000A:
+                    pass
+                elif extension_signature == 0xBEEF0013:
+                    pass
+                elif extension_signature == 0xBEEF0014:
+                    pass
+                elif extension_signature == 0xBEEF0019:
+                    pass
+                elif extension_signature == 0xBEEF0025:
+                    pass
+                elif extension_signature == 0xBEEF0026:
+                    pass
+                else:
+                    log.debug(
+                        "Got unsupported beef extension signature 0x%08x from item %r", extension_signature, entry
+                    )
+                    pass
+                if ext is None:
+                    ext = EXTENSION_BLOCK
+                    log.debug("Unimplemented extension signature 0x%08x from item %r", extension_signature, entry)
+                ext = ext(extension_buf)
+                entry.extensions.append(ext)
+                extension_offset += extension_size
+        parent = entry
+        offset += size
+        yield entry

{dissect.target-3.20.dev23.dist-info → dissect.target-3.20.dev26.dist-info}/METADATA RENAMED Viewed

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: dissect.target
-Version: 3.20.dev23
+Version: 3.20.dev26
 Summary: This module ties all other Dissect modules together, it provides a programming API and command line tools which allow easy access to various data sources inside disk images or file collections (a.k.a. targets)
 Author-email: Dissect Team <dissect@fox-it.com>
 License: Affero General Public License v3

{dissect.target-3.20.dev23.dist-info → dissect.target-3.20.dev26.dist-info}/RECORD RENAMED Viewed

@@ -23,7 +23,7 @@ dissect/target/containers/vmdk.py,sha256=5fQGkJy4esXONXrKLbhpkQDt8Fwx19YENK2mOm7
 dissect/target/data/autocompletion/target_bash_completion.sh,sha256=wrOQ_ED-h8WFcjCmY6n4qKl84tWJv9l8ShFHDfJqJyA,3592
 dissect/target/filesystems/__init__.py,sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU,0
 dissect/target/filesystems/ad1.py,sha256=nEPzaaRsb6bL4ItFo0uLdmdLvrmK9BjqHeD3FOp3WQI,2413
-dissect/target/filesystems/btrfs.py,sha256=X-eMlKkx88xS2iIWRuq9yaQ82fl0DM435F1sdXkDo8g,6469
+dissect/target/filesystems/btrfs.py,sha256=TotOs0-VOmgSijERZb1pOrIH_E7B1J_DRKqws8ttQTk,6569
 dissect/target/filesystems/cb.py,sha256=6LcoJiwsYu1Han31IUzVpZVDTifhTLTx_gLfNpB_p6k,5329
 dissect/target/filesystems/config.py,sha256=GQOtixIIt-Jjtpl3IVqUTujcBFfWaAZeAtvxgNUNetU,11963
 dissect/target/filesystems/cpio.py,sha256=ssVCjkAtLn2FqmNxeo6U5boyUdSYFxLWfXpytHYGPqs,641
@@ -34,7 +34,7 @@ dissect/target/filesystems/fat.py,sha256=ZSw-wS57vo5eIXJndfI1rZkGu_qh-vyioMzCZFZ
 dissect/target/filesystems/ffs.py,sha256=Wu8sS1jjmD0QXXcAaD2h_zzfvinjco8qvj0hErufZ-4,4555
 dissect/target/filesystems/itunes.py,sha256=w2lcWv6jlBPm84tsGZehxKBMXXyuW3KlmwVTF4ssQec,6395
 dissect/target/filesystems/jffs.py,sha256=Ceqa5Em2pepnXMH_XZFmSNjQyWPo1uWTthBFSMWfKRo,3926
-dissect/target/filesystems/ntfs.py,sha256=fGgCKjdO5GrPC21DDr0SwIxmwR7KruNIqGUzysboirA,7068
+dissect/target/filesystems/ntfs.py,sha256=Losf35q9aLm-YdwVllT5so99s-GqTF1ZXMbLX0PUNC0,7624
 dissect/target/filesystems/overlay.py,sha256=d0BNZcVd3SzBcM1SZO5nX2FrEYcdtVH34BPJQ6Oh4x8,4753
 dissect/target/filesystems/smb.py,sha256=uxfcOWwEoDCw8Qpsa94T5Pn-SKd4WXs4OOrzVVI55d8,6406
 dissect/target/filesystems/squashfs.py,sha256=ehzlThXB7n96XUvQnsK5tWLsA9HIxYN-Zxl7aO9D7ts,3921
@@ -334,7 +334,7 @@ dissect/target/plugins/os/windows/regf/nethist.py,sha256=QHbG9fmZNmjSVhrgqMvMo12
 dissect/target/plugins/os/windows/regf/recentfilecache.py,sha256=goS6ajLIh6ZU-Gq4tupoxBoQCfMDp2qJgg-Nn5qFIsY,1850
 dissect/target/plugins/os/windows/regf/regf.py,sha256=D1GrljF-sV8cWIjWJ3zH7k52i1OWD8poEC_PIeZMEis,3419
 dissect/target/plugins/os/windows/regf/runkeys.py,sha256=-2HcdnVytzCt1xwgAI8rHDnwk8kwLPWURumvhrGnIHU,4278
-dissect/target/plugins/os/windows/regf/shellbags.py,sha256=hXAqThFkHmGPmhNRSXwMNzw25kAyIC6OOZivgpPEwTQ,25679
+dissect/target/plugins/os/windows/regf/shellbags.py,sha256=-8WkdplG0FR37XgpCTd4iDdQvvrgtOk9kZY5qLsW5J8,26984
 dissect/target/plugins/os/windows/regf/shimcache.py,sha256=TY7GEFnxb8h99q12CzM0SwVlUymi4hFPae3uuM0M6kY,9998
 dissect/target/plugins/os/windows/regf/trusteddocs.py,sha256=3yvpBDM-Asg0rvGN2TwALGRm9DYogG6TxRau9D6FBbw,3700
 dissect/target/plugins/os/windows/regf/usb.py,sha256=nSAHB4Cdd0wF2C1EK_XYOfWCyqOgTZCLfDhuSmr7rdM,9709
@@ -368,10 +368,10 @@ dissect/target/volumes/luks.py,sha256=OmCMsw6rCUXG1_plnLVLTpsvE1n_6WtoRUGQbpmu1z
 dissect/target/volumes/lvm.py,sha256=wwQVR9I3G9YzmY6UxFsH2Y4MXGBcKL9aayWGCDTiWMU,2269
 dissect/target/volumes/md.py,sha256=7ShPtusuLGaIv27SvEETtgsuoQyAa4iAAeOR1NEaajI,1689
 dissect/target/volumes/vmfs.py,sha256=-LoUbn9WNwTtLi_4K34uV_-wDw2W5hgaqxZNj4UmqAQ,1730
-dissect.target-3.20.dev23.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
-dissect.target-3.20.dev23.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
-dissect.target-3.20.dev23.dist-info/METADATA,sha256=dGuBoIpEp_hKqGr5hAlD6pnyc70LxqqzpOG40g_EeLE,12897
-dissect.target-3.20.dev23.dist-info/WHEEL,sha256=GV9aMThwP_4oNCtvEC2ec3qUYutgWeAzklro_0m4WJQ,91
-dissect.target-3.20.dev23.dist-info/entry_points.txt,sha256=BWuxAb_6AvUAQpIQOQU0IMTlaF6TDht2AIZK8bHd-zE,492
-dissect.target-3.20.dev23.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
-dissect.target-3.20.dev23.dist-info/RECORD,,
+dissect.target-3.20.dev26.dist-info/COPYRIGHT,sha256=m-9ih2RVhMiXHI2bf_oNSSgHgkeIvaYRVfKTwFbnJPA,301
+dissect.target-3.20.dev26.dist-info/LICENSE,sha256=DZak_2itbUtvHzD3E7GNUYSRK6jdOJ-GqncQ2weavLA,34523
+dissect.target-3.20.dev26.dist-info/METADATA,sha256=9ta9bS0OqAMhf6vc8zDqGxpXSkY-YRJMAHWRucXo3f8,12897
+dissect.target-3.20.dev26.dist-info/WHEEL,sha256=GV9aMThwP_4oNCtvEC2ec3qUYutgWeAzklro_0m4WJQ,91
+dissect.target-3.20.dev26.dist-info/entry_points.txt,sha256=BWuxAb_6AvUAQpIQOQU0IMTlaF6TDht2AIZK8bHd-zE,492
+dissect.target-3.20.dev26.dist-info/top_level.txt,sha256=Mn-CQzEYsAbkxrUI0TnplHuXnGVKzxpDw_po_sXpvv4,8
+dissect.target-3.20.dev26.dist-info/RECORD,,

{dissect.target-3.20.dev23.dist-info → dissect.target-3.20.dev26.dist-info}/COPYRIGHT RENAMED Viewed

File without changes

{dissect.target-3.20.dev23.dist-info → dissect.target-3.20.dev26.dist-info}/LICENSE RENAMED Viewed

File without changes

{dissect.target-3.20.dev23.dist-info → dissect.target-3.20.dev26.dist-info}/WHEEL RENAMED Viewed

File without changes

{dissect.target-3.20.dev23.dist-info → dissect.target-3.20.dev26.dist-info}/entry_points.txt RENAMED Viewed

File without changes

{dissect.target-3.20.dev23.dist-info → dissect.target-3.20.dev26.dist-info}/top_level.txt RENAMED Viewed

File without changes

dissect.target 3.20.dev23__py3-none-any.whl → 3.20.dev26__py3-none-any.whl

dissect.target 3.20.dev23py3-none-any.whl → 3.20.dev26py3-none-any.whl