dissect.target 3.20.dev36__py3-none-any.whl → 3.20.dev39__py3-none-any.whl

Sign up to get free protection for your applications and to get access to all the features.
Files changed (124) hide show
  1. dissect/target/filesystems/config.py +1 -1
  2. dissect/target/helpers/compat/path_common.py +5 -5
  3. dissect/target/helpers/configutil.py +31 -29
  4. dissect/target/helpers/cyber.py +2 -0
  5. dissect/target/helpers/docs.py +1 -1
  6. dissect/target/helpers/keychain.py +2 -0
  7. dissect/target/helpers/mount.py +2 -1
  8. dissect/target/plugin.py +15 -13
  9. dissect/target/plugins/apps/av/mcafee.py +2 -0
  10. dissect/target/plugins/apps/av/sophos.py +2 -0
  11. dissect/target/plugins/apps/av/trendmicro.py +2 -0
  12. dissect/target/plugins/apps/browser/chromium.py +27 -6
  13. dissect/target/plugins/apps/editor/editor.py +23 -0
  14. dissect/target/plugins/apps/{texteditor → editor}/windowsnotepad.py +40 -31
  15. dissect/target/plugins/apps/shell/powershell.py +6 -2
  16. dissect/target/plugins/apps/shell/wget.py +1 -1
  17. dissect/target/plugins/apps/ssh/openssh.py +2 -0
  18. dissect/target/plugins/apps/ssh/opensshd.py +2 -0
  19. dissect/target/plugins/apps/vpn/wireguard.py +9 -9
  20. dissect/target/plugins/apps/webhosting/cpanel.py +2 -0
  21. dissect/target/plugins/apps/webserver/caddy.py +2 -0
  22. dissect/target/plugins/apps/webserver/nginx.py +2 -0
  23. dissect/target/plugins/child/esxi.py +3 -1
  24. dissect/target/plugins/child/virtuozzo.py +12 -8
  25. dissect/target/plugins/filesystem/acquire_hash.py +2 -1
  26. dissect/target/plugins/filesystem/icat.py +15 -11
  27. dissect/target/plugins/filesystem/ntfs/mft.py +2 -0
  28. dissect/target/plugins/filesystem/ntfs/mft_timeline.py +3 -1
  29. dissect/target/plugins/filesystem/ntfs/usnjrnl.py +2 -0
  30. dissect/target/plugins/filesystem/ntfs/utils.py +3 -1
  31. dissect/target/plugins/filesystem/unix/suid.py +4 -1
  32. dissect/target/plugins/filesystem/walkfs.py +2 -0
  33. dissect/target/plugins/general/example.py +2 -2
  34. dissect/target/plugins/general/loaders.py +1 -1
  35. dissect/target/plugins/general/network.py +7 -0
  36. dissect/target/plugins/general/osinfo.py +1 -0
  37. dissect/target/plugins/general/plugins.py +4 -0
  38. dissect/target/plugins/os/unix/_os.py +2 -1
  39. dissect/target/plugins/os/unix/bsd/citrix/history.py +2 -0
  40. dissect/target/plugins/os/unix/bsd/osx/network.py +2 -0
  41. dissect/target/plugins/os/unix/bsd/osx/user.py +4 -0
  42. dissect/target/plugins/os/unix/cronjobs.py +8 -4
  43. dissect/target/plugins/os/unix/etc/etc.py +4 -0
  44. dissect/target/plugins/os/unix/generic.py +2 -0
  45. dissect/target/plugins/os/unix/history.py +27 -25
  46. dissect/target/plugins/os/unix/linux/cmdline.py +2 -0
  47. dissect/target/plugins/os/unix/linux/debian/apt.py +4 -1
  48. dissect/target/plugins/os/unix/linux/debian/dpkg.py +3 -3
  49. dissect/target/plugins/os/unix/linux/environ.py +2 -0
  50. dissect/target/plugins/os/unix/linux/fortios/generic.py +2 -0
  51. dissect/target/plugins/os/unix/linux/fortios/locale.py +2 -0
  52. dissect/target/plugins/os/unix/linux/modules.py +2 -0
  53. dissect/target/plugins/os/unix/linux/netstat.py +2 -0
  54. dissect/target/plugins/os/unix/linux/processes.py +2 -0
  55. dissect/target/plugins/os/unix/linux/redhat/yum.py +4 -1
  56. dissect/target/plugins/os/unix/linux/services.py +5 -3
  57. dissect/target/plugins/os/unix/linux/sockets.py +2 -0
  58. dissect/target/plugins/os/unix/linux/suse/zypper.py +4 -1
  59. dissect/target/plugins/os/unix/locale.py +2 -0
  60. dissect/target/plugins/os/unix/locate/gnulocate.py +4 -2
  61. dissect/target/plugins/os/unix/locate/mlocate.py +2 -0
  62. dissect/target/plugins/os/unix/locate/plocate.py +3 -1
  63. dissect/target/plugins/os/unix/log/atop.py +2 -0
  64. dissect/target/plugins/os/unix/log/audit.py +3 -1
  65. dissect/target/plugins/os/unix/log/auth.py +4 -2
  66. dissect/target/plugins/os/unix/log/lastlog.py +5 -3
  67. dissect/target/plugins/os/unix/log/messages.py +2 -0
  68. dissect/target/plugins/os/unix/log/utmp.py +4 -2
  69. dissect/target/plugins/os/unix/packagemanager.py +4 -37
  70. dissect/target/plugins/os/unix/shadow.py +3 -1
  71. dissect/target/plugins/os/unix/trash.py +1 -1
  72. dissect/target/plugins/os/windows/activitiescache.py +9 -4
  73. dissect/target/plugins/os/windows/adpolicy.py +2 -1
  74. dissect/target/plugins/os/windows/amcache.py +16 -13
  75. dissect/target/plugins/os/windows/defender.py +3 -3
  76. dissect/target/plugins/os/windows/dpapi/keyprovider/credhist.py +3 -0
  77. dissect/target/plugins/os/windows/dpapi/keyprovider/empty.py +3 -0
  78. dissect/target/plugins/os/windows/dpapi/keyprovider/keychain.py +3 -0
  79. dissect/target/plugins/os/windows/dpapi/keyprovider/lsa.py +3 -0
  80. dissect/target/plugins/os/windows/env.py +1 -2
  81. dissect/target/plugins/os/windows/exchange/exchange.py +6 -4
  82. dissect/target/plugins/os/windows/generic.py +20 -18
  83. dissect/target/plugins/os/windows/lnk.py +2 -0
  84. dissect/target/plugins/os/windows/locale.py +9 -3
  85. dissect/target/plugins/os/windows/log/etl.py +5 -4
  86. dissect/target/plugins/os/windows/log/evt.py +12 -8
  87. dissect/target/plugins/os/windows/log/evtx.py +9 -7
  88. dissect/target/plugins/os/windows/log/pfro.py +2 -1
  89. dissect/target/plugins/os/windows/network.py +2 -0
  90. dissect/target/plugins/os/windows/notifications.py +6 -4
  91. dissect/target/plugins/os/windows/prefetch.py +7 -2
  92. dissect/target/plugins/os/windows/regf/7zip.py +9 -1
  93. dissect/target/plugins/os/windows/regf/auditpol.py +2 -1
  94. dissect/target/plugins/os/windows/regf/bam.py +3 -1
  95. dissect/target/plugins/os/windows/regf/cit.py +14 -12
  96. dissect/target/plugins/os/windows/regf/clsid.py +6 -3
  97. dissect/target/plugins/os/windows/regf/firewall.py +2 -1
  98. dissect/target/plugins/os/windows/regf/mru.py +9 -8
  99. dissect/target/plugins/os/windows/regf/nethist.py +6 -3
  100. dissect/target/plugins/os/windows/regf/recentfilecache.py +3 -1
  101. dissect/target/plugins/os/windows/regf/regf.py +5 -1
  102. dissect/target/plugins/os/windows/regf/shimcache.py +1 -1
  103. dissect/target/plugins/os/windows/regf/usb.py +2 -1
  104. dissect/target/plugins/os/windows/regf/userassist.py +2 -1
  105. dissect/target/plugins/os/windows/registry.py +11 -0
  106. dissect/target/plugins/os/windows/services.py +3 -2
  107. dissect/target/plugins/os/windows/startupinfo.py +7 -2
  108. dissect/target/plugins/os/windows/syscache.py +3 -1
  109. dissect/target/plugins/os/windows/tasks.py +1 -1
  110. dissect/target/plugins/os/windows/thumbcache.py +11 -5
  111. dissect/target/plugins/os/windows/ual.py +12 -9
  112. dissect/target/plugins/os/windows/wua_history.py +0 -1
  113. dissect/target/tools/dump/utils.py +4 -0
  114. dissect/target/tools/shell.py +2 -1
  115. {dissect.target-3.20.dev36.dist-info → dissect.target-3.20.dev39.dist-info}/METADATA +1 -1
  116. {dissect.target-3.20.dev36.dist-info → dissect.target-3.20.dev39.dist-info}/RECORD +122 -123
  117. dissect/target/plugins/apps/texteditor/texteditor.py +0 -13
  118. dissect/target/plugins/os/unix/etc.py +0 -9
  119. /dissect/target/plugins/apps/{texteditor → editor}/__init__.py +0 -0
  120. {dissect.target-3.20.dev36.dist-info → dissect.target-3.20.dev39.dist-info}/COPYRIGHT +0 -0
  121. {dissect.target-3.20.dev36.dist-info → dissect.target-3.20.dev39.dist-info}/LICENSE +0 -0
  122. {dissect.target-3.20.dev36.dist-info → dissect.target-3.20.dev39.dist-info}/WHEEL +0 -0
  123. {dissect.target-3.20.dev36.dist-info → dissect.target-3.20.dev39.dist-info}/entry_points.txt +0 -0
  124. {dissect.target-3.20.dev36.dist-info → dissect.target-3.20.dev39.dist-info}/top_level.txt +0 -0
@@ -133,7 +133,7 @@ class ConfigurationEntry(FilesystemEntry):
133
133
  Behaves like a ``directory`` when :attr:`parser_items` is a :class:`.ConfigurationParser` or a ``dict``.
134
134
  Behaves like a ``file`` otherwise.
135
135
 
136
- Attributes:
136
+ Args:
137
137
  parser_items: A dict-like object containing all configuration entries and values.
138
138
  In most cases this is either a :class:`.ConfigurationParser` or ``dict``.
139
139
  Otherwise, its the entry's value
@@ -56,11 +56,11 @@ class _DissectScandirIterator:
56
56
 
57
57
  The _DissectScandirIterator provides a context manager, so scandir can be called as:
58
58
 
59
- ```
60
- with scandir(path) as it:
61
- for entry in it
62
- print(entry.name)
63
- ```
59
+ .. code-block:: python
60
+
61
+ with scandir(path) as it:
62
+ for entry in it
63
+ print(entry.name)
64
64
 
65
65
  similar to os.scandir() behaviour since Python 3.6.
66
66
  """
@@ -69,9 +69,7 @@ def _update_dictionary(current: dict[str, Any], key: str, value: Any) -> None:
69
69
 
70
70
 
71
71
  class PeekableIterator:
72
- """Source gotten from:
73
- https://more-itertools.readthedocs.io/en/stable/_modules/more_itertools/more.html#peekable
74
- """
72
+ # https://more-itertools.readthedocs.io/en/stable/_modules/more_itertools/more.html#peekable
75
73
 
76
74
  def __init__(self, iterable):
77
75
  self._iterator = iter(iterable)
@@ -98,9 +96,6 @@ class PeekableIterator:
98
96
  class ConfigurationParser:
99
97
  """A configuration parser where you can configure certain aspects of the parsing mechanism.
100
98
 
101
- Attributes:
102
- parsed_data: The resulting dictionary after parsing.
103
-
104
99
  Args:
105
100
  collapse: A ``bool`` or an ``Iterator``:
106
101
  If ``True``: it will collapse all the resulting dictionary values.
@@ -195,6 +190,8 @@ class Default(ConfigurationParser):
195
190
 
196
191
  This parser splits only on the first ``separator`` it finds:
197
192
 
193
+ .. code-block::
194
+
198
195
  key<separator>value -> {"key": "value"}
199
196
 
200
197
  key<separator>value\n
@@ -316,7 +313,7 @@ class Bin(ConfigurationParser):
316
313
 
317
314
 
318
315
  class Xml(ConfigurationParser):
319
- """Parses an XML file. Ignores any constructor parameters passed from ``ConfigurationParser`."""
316
+ """Parses an XML file. Ignores any constructor parameters passed from ``ConfigurationParser``."""
320
317
 
321
318
  def _tree(self, tree: ElementTree, root: bool = False) -> dict:
322
319
  """Very simple but robust xml -> dict implementation, see comments."""
@@ -395,8 +392,9 @@ class ListUnwrapper:
395
392
  def unwrap(data: Union[dict, list]) -> Union[dict, list]:
396
393
  """Transforms a list with dictionaries to a dictionary.
397
394
 
398
- The order of the list is preserved. If no dictionary is found,
399
- the list remains untouched:
395
+ The order of the list is preserved. If no dictionary is found, the list remains untouched:
396
+
397
+ .. code-block::
400
398
 
401
399
  ["value1", "value2"] -> ["value1", "value2"]
402
400
 
@@ -622,6 +620,8 @@ class Indentation(Default):
622
620
 
623
621
  The parser parses this as the following:
624
622
 
623
+ .. code-block::
624
+
625
625
  key value
626
626
  key2 value2
627
627
  -> {"key value": {"key2": "value2"}}
@@ -644,7 +644,7 @@ class Indentation(Default):
644
644
  Args:
645
645
  manager: A :class:`ScopeManager` that contains the logic to ``push`` and ``pop`` scopes. And keeps state.
646
646
  line: The line to be parsed.
647
- key: The key that should be updated during a :method:`ScopeManager.push``.
647
+ key: The key that should be updated during a :method:`ScopeManager.push`.
648
648
  next_line: The next line to be parsed.
649
649
 
650
650
  Returns:
@@ -694,26 +694,28 @@ class SystemD(Indentation):
694
694
  """A :class:`ConfigurationParser` that specifically parses systemd configuration files.
695
695
 
696
696
  Examples:
697
- >>> systemd_data = textwrap.dedent(
698
- '''
699
- [Section1]
700
- Key=Value
701
- [Section2]
702
- Key2=Value 2\\
703
- Value 2 continued
704
- '''
705
- )
706
- >>> parser = SystemD(io.StringIO(systemd_data))
707
- >>> parser.parser_items
708
- {
709
- "Section1": {
710
- "Key": "Value
711
- },
712
- "Section2": {
713
- "Key2": "Value2 Value 2 continued
714
- }
715
- }
716
697
 
698
+ .. code-block::
699
+
700
+ >>> systemd_data = textwrap.dedent(
701
+ '''
702
+ [Section1]
703
+ Key=Value
704
+ [Section2]
705
+ Key2=Value 2\\
706
+ Value 2 continued
707
+ '''
708
+ )
709
+ >>> parser = SystemD(io.StringIO(systemd_data))
710
+ >>> parser.parser_items
711
+ {
712
+ "Section1": {
713
+ "Key": "Value
714
+ },
715
+ "Section2": {
716
+ "Key2": "Value2 Value 2 continued
717
+ }
718
+ }
717
719
  """
718
720
 
719
721
  def _change_scope(
@@ -52,6 +52,8 @@ MATRIX_REVEAL_SECONDS = 4
52
52
 
53
53
 
54
54
  class Color(Enum):
55
+ """Cyber colors."""
56
+
55
57
  BLACK = 30
56
58
  RED = 31
57
59
  GREEN = 32
@@ -46,7 +46,7 @@ def get_real_func_obj(func: Callable) -> Tuple[Type, Callable]:
46
46
  return (klass, func)
47
47
 
48
48
 
49
- def get_docstring(obj: Any, placeholder=NO_DOCS) -> str:
49
+ def get_docstring(obj: Any, placeholder: str = NO_DOCS) -> str:
50
50
  """Get object's docstring or a placeholder if no docstring found"""
51
51
  # Use of `inspect.cleandoc()` is preferred to `textwrap.dedent()` here
52
52
  # because many multi-line docstrings in the codebase
@@ -8,6 +8,8 @@ log = logging.getLogger(__name__)
8
8
 
9
9
 
10
10
  class KeyType(Enum):
11
+ """Valid key types."""
12
+
11
13
  RAW = "raw"
12
14
  PASSPHRASE = "passphrase"
13
15
  RECOVERY_KEY = "recovery_key"
@@ -8,7 +8,6 @@ from dissect.util.feature import Feature, feature_enabled
8
8
 
9
9
  from dissect.target.filesystem import Filesystem, FilesystemEntry
10
10
 
11
- HAS_FUSE3 = False
12
11
  if feature_enabled(Feature.BETA):
13
12
  from fuse3 import FuseOSError, Operations
14
13
  from fuse3.c_fuse import fuse_config_p, fuse_conn_info_p
@@ -20,6 +19,8 @@ else:
20
19
  fuse_config_p = c_void_p
21
20
  fuse_conn_info_p = c_void_p
22
21
 
22
+ HAS_FUSE3 = False
23
+
23
24
 
24
25
  log = logging.getLogger(__name__)
25
26
 
dissect/target/plugin.py CHANGED
@@ -1,6 +1,6 @@
1
1
  """Dissect plugin system.
2
2
 
3
- See dissect/target/plugins/general/example.py for an example plugin.
3
+ See ``dissect/target/plugins/general/example.py`` for an example plugin.
4
4
  """
5
5
 
6
6
  from __future__ import annotations
@@ -76,18 +76,19 @@ def export(*args, **kwargs) -> Callable:
76
76
  Supported keyword arguments:
77
77
  property (bool): Whether this export should be regarded as a property.
78
78
  Properties are implicitly cached.
79
+
79
80
  cache (bool): Whether the result of this function should be cached.
81
+
80
82
  record (RecordDescriptor): The :class:`flow.record.RecordDescriptor` for the records that this function yields.
81
83
  If the records are dynamically made, use DynamicRecord instead.
82
- output (str): The output type of this function. Can be one of:
83
84
 
85
+ output (str): The output type of this function. Must be one of:
84
86
  - default: Single return value
85
87
  - record: Yields records. Implicit when record argument is given.
86
88
  - yield: Yields printable values.
87
89
  - none: No return value. Plugin is responsible for output formatting and should return ``None``.
88
90
 
89
91
  The ``export`` decorator adds some additional private attributes to an exported method or property:
90
-
91
92
  - ``__output__``: The output type to expect for this function, this is the same as ``output``.
92
93
  - ``__record__``: The type of record to expect, this value is the same as ``record``.
93
94
  - ``__exported__``: set to ``True`` to indicate the method or property is exported.
@@ -173,7 +174,7 @@ class Plugin:
173
174
  class attribute. Namespacing results in your plugin needing to be prefixed
174
175
  with this namespace when being called. For example, if your plugin has
175
176
  specified ``test`` as namespace and a function called ``example``, you must
176
- call your plugin with ``test.example``::
177
+ call your plugin with ``test.example``.
177
178
 
178
179
  A ``Plugin`` class has the following private class attributes:
179
180
 
@@ -430,15 +431,13 @@ def register(plugincls: Type[Plugin]) -> None:
430
431
  """Register a plugin, and put related data inside :attr:`PLUGINS`.
431
432
 
432
433
  This function uses the following private attributes that are set using decorators:
433
-
434
- - ``__exported__``: Set in :func:`export`.
435
- - ``__internal__``: Set in :func:`internal`.
434
+ - ``__exported__``: Set in :func:`export`.
435
+ - ``__internal__``: Set in :func:`internal`.
436
436
 
437
437
  Additionally, ``register`` sets the following private attributes on the `plugincls`:
438
-
439
- - ``__plugin__``: Always set to ``True``.
440
- - ``__functions__``: A list of all the methods and properties that are ``__internal__`` or ``__exported__``.
441
- - ``__exports__``: A list of all the methods or properties that were explicitly exported.
438
+ - ``__plugin__``: Always set to ``True``.
439
+ - ``__functions__``: A list of all the methods and properties that are ``__internal__`` or ``__exported__``.
440
+ - ``__exports__``: A list of all the methods or properties that were explicitly exported.
442
441
 
443
442
  Args:
444
443
  plugincls: A plugin class to register.
@@ -1138,6 +1137,9 @@ class PluginFunction:
1138
1137
  method_name: str
1139
1138
  plugin_desc: PluginDescriptor = field(hash=False)
1140
1139
 
1140
+ def __repr__(self) -> str:
1141
+ return self.path
1142
+
1141
1143
 
1142
1144
  def plugin_function_index(target: Optional[Target]) -> tuple[dict[str, PluginDescriptor], set[str]]:
1143
1145
  """Returns an index-list for plugins.
@@ -1292,7 +1294,7 @@ def find_plugin_functions(
1292
1294
  path=index_name,
1293
1295
  class_object=loaded_plugin_object,
1294
1296
  method_name=method_name,
1295
- output_type=getattr(fobject, "__output__", "text"),
1297
+ output_type=getattr(fobject, "__output__", "none"),
1296
1298
  plugin_desc=func,
1297
1299
  )
1298
1300
  )
@@ -1337,7 +1339,7 @@ def find_plugin_functions(
1337
1339
  path=f"{description['module']}.{funcname}",
1338
1340
  class_object=loaded_plugin_object,
1339
1341
  method_name=funcname,
1340
- output_type=getattr(fobject, "__output__", "text"),
1342
+ output_type=getattr(fobject, "__output__", "none"),
1341
1343
  plugin_desc=description,
1342
1344
  )
1343
1345
  )
@@ -40,6 +40,8 @@ re_strip_tags = re.compile(r"<[^!][^>]*>")
40
40
 
41
41
 
42
42
  class McAfeePlugin(Plugin):
43
+ """McAfee antivirus plugin."""
44
+
43
45
  __namespace__ = "mcafee"
44
46
 
45
47
  DIRS = [
@@ -30,6 +30,8 @@ SophosLogRecord = TargetRecordDescriptor(
30
30
 
31
31
 
32
32
  class SophosPlugin(Plugin):
33
+ """Sophos antivirus plugin."""
34
+
33
35
  __namespace__ = "sophos"
34
36
 
35
37
  LOG_SOPHOS_HOME = "sysvol/ProgramData/Sophos/Clean/Logs/Clean.log"
@@ -51,6 +51,8 @@ c_pfwlog = cstruct().load(pfwlog_def)
51
51
 
52
52
 
53
53
  class TrendMicroPlugin(Plugin):
54
+ """TrendMicro antivirus plugin."""
55
+
54
56
  __namespace__ = "trendmicro"
55
57
 
56
58
  LOG_FOLDER = "sysvol/Program Files (x86)/Trend Micro/Security Agent"
@@ -608,6 +608,15 @@ def remove_padding(decrypted: bytes) -> bytes:
608
608
 
609
609
 
610
610
  def decrypt_v10(encrypted_password: bytes) -> str:
611
+ """Decrypt a version 10 encrypted password.
612
+
613
+ Args:
614
+ encrypted_password: The encrypted password bytes.
615
+
616
+ Returns:
617
+ Decrypted password string.
618
+ """
619
+
611
620
  if not HAS_CRYPTO:
612
621
  raise ValueError("Missing pycryptodome dependency for AES operation")
613
622
 
@@ -625,12 +634,24 @@ def decrypt_v10(encrypted_password: bytes) -> str:
625
634
 
626
635
 
627
636
  def decrypt_v10_2(encrypted_password: bytes, key: bytes) -> str:
628
- """
629
- struct chrome_pass {
630
- byte signature[3] = 'v10';
631
- byte iv[12];
632
- byte ciphertext[EOF];
633
- }
637
+ """Decrypt a version 10 type 2 password.
638
+
639
+ References:
640
+
641
+ .. code-block::
642
+
643
+ struct chrome_pass {
644
+ byte signature[3] = 'v10';
645
+ byte iv[12];
646
+ byte ciphertext[EOF];
647
+ }
648
+
649
+ Args:
650
+ encrypted_password: The encrypted password bytes.
651
+ key: The encryption key.
652
+
653
+ Returns:
654
+ Decrypted password string.
634
655
  """
635
656
 
636
657
  if not HAS_CRYPTO:
@@ -0,0 +1,23 @@
1
+ from dissect.target.plugin import NamespacePlugin, export
2
+
3
+ COMMON_EDITOR_FIELDS = [
4
+ ("datetime", "ts"),
5
+ ("string", "editor"),
6
+ ("path", "source"),
7
+ ]
8
+
9
+
10
+ class EditorPlugin(NamespacePlugin):
11
+ """Editor plugin."""
12
+
13
+ __namespace__ = "editor"
14
+
15
+ @export
16
+ def extensions(self) -> None:
17
+ """Yields installed extensions."""
18
+ raise NotImplementedError
19
+
20
+ @export
21
+ def history(self) -> None:
22
+ """Yields history of files."""
23
+ raise NotImplementedError
@@ -16,11 +16,8 @@ from dissect.target.helpers.record import (
16
16
  WindowsUserRecord,
17
17
  create_extended_descriptor,
18
18
  )
19
- from dissect.target.plugin import export
20
- from dissect.target.plugins.apps.texteditor.texteditor import (
21
- GENERIC_TAB_CONTENTS_RECORD_FIELDS,
22
- TexteditorPlugin,
23
- )
19
+ from dissect.target.plugin import alias, export
20
+ from dissect.target.plugins.apps.editor.editor import COMMON_EDITOR_FIELDS, EditorPlugin
24
21
  from dissect.target.target import Target
25
22
 
26
23
  # Thanks to @Nordgaren, @daddycocoaman, @JustArion and @ogmini for their suggestions and feedback in the PR
@@ -94,16 +91,25 @@ struct options_v2 {
94
91
  };
95
92
  """
96
93
 
97
- WINDOWS_SAVED_TABS_EXTRA_FIELDS = [("datetime", "modification_time"), ("digest", "hashes"), ("path", "saved_path")]
94
+ GENERIC_TAB_CONTENTS_RECORD_FIELDS = [
95
+ ("string", "content"),
96
+ ("path", "path"),
97
+ ("string", "deleted_content"),
98
+ ]
98
99
 
99
100
  WindowsNotepadUnsavedTabRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
100
- "texteditor/windowsnotepad/tab/unsaved",
101
- GENERIC_TAB_CONTENTS_RECORD_FIELDS,
101
+ "application/editor/windowsnotepad/tab/unsaved",
102
+ COMMON_EDITOR_FIELDS + GENERIC_TAB_CONTENTS_RECORD_FIELDS,
102
103
  )
103
104
 
104
105
  WindowsNotepadSavedTabRecord = create_extended_descriptor([UserRecordDescriptorExtension])(
105
- "texteditor/windowsnotepad/tab/saved",
106
- GENERIC_TAB_CONTENTS_RECORD_FIELDS + WINDOWS_SAVED_TABS_EXTRA_FIELDS,
106
+ "application/editor/windowsnotepad/tab/saved",
107
+ COMMON_EDITOR_FIELDS
108
+ + GENERIC_TAB_CONTENTS_RECORD_FIELDS
109
+ + [
110
+ ("digest", "digest"),
111
+ ("path", "saved_path"),
112
+ ],
107
113
  )
108
114
 
109
115
  c_windowstab = cstruct().load(windowstab_def)
@@ -264,7 +270,7 @@ class WindowsNotepadTab:
264
270
  self.deleted_content = deleted_content if deleted_content else None
265
271
 
266
272
 
267
- class WindowsNotepadPlugin(TexteditorPlugin):
273
+ class WindowsNotepadPlugin(EditorPlugin):
268
274
  """Windows notepad tab content plugin."""
269
275
 
270
276
  __namespace__ = "windowsnotepad"
@@ -273,28 +279,27 @@ class WindowsNotepadPlugin(TexteditorPlugin):
273
279
 
274
280
  def __init__(self, target: Target):
275
281
  super().__init__(target)
276
- self.users_tabs: list[TargetPath, UnixUserRecord | WindowsUserRecord] = []
282
+ self.users_tabs: set[TargetPath, UnixUserRecord | WindowsUserRecord] = set()
277
283
  for user_details in self.target.user_details.all_with_home():
278
284
  for tab_file in user_details.home_path.glob(self.GLOB):
279
- # These files seem to contain information on different settings / configurations,
280
- # and are skipped for now
285
+ # These files contain information on different settings / configurations, and are skipped for now.
281
286
  if tab_file.name.endswith(".1.bin") or tab_file.name.endswith(".0.bin"):
282
287
  continue
283
288
 
284
- self.users_tabs.append((tab_file, user_details.user))
289
+ self.users_tabs.add((tab_file, user_details.user))
285
290
 
286
291
  def check_compatible(self) -> None:
287
292
  if not self.users_tabs:
288
293
  raise UnsupportedPluginError("No Windows Notepad tab files found")
289
294
 
295
+ @alias("tabs")
290
296
  @export(record=[WindowsNotepadSavedTabRecord, WindowsNotepadUnsavedTabRecord])
291
- def tabs(self) -> Iterator[WindowsNotepadSavedTabRecord | WindowsNotepadUnsavedTabRecord]:
297
+ def history(self) -> Iterator[WindowsNotepadSavedTabRecord | WindowsNotepadUnsavedTabRecord]:
292
298
  """Return contents from Windows 11 Notepad tabs - and its deleted content if available.
293
299
 
294
300
  Windows Notepad application for Windows 11 is now able to restore both saved and unsaved tabs when you re-open
295
301
  the application.
296
302
 
297
-
298
303
  Resources:
299
304
  - https://github.com/fox-it/dissect.target/pull/540
300
305
  - https://github.com/JustArion/Notepad-Tabs
@@ -304,37 +309,41 @@ class WindowsNotepadPlugin(TexteditorPlugin):
304
309
  - https://github.com/Nordgaren/tabstate-util/issues/1
305
310
  - https://medium.com/@mahmoudsoheem/new-digital-forensics-artifact-from-windows-notepad-527645906b7b
306
311
 
307
- Yields a WindowsNotepadSavedTabRecord or WindowsNotepadUnsavedTabRecord. with fields:
312
+ Yields ``WindowsNotepadSavedTabRecord`` or ``WindowsNotepadUnsavedTabRecord`` records:
308
313
 
309
314
  .. code-block:: text
310
315
 
311
- content (string): The content of the tab.
312
- path (path): The path to the tab file.
313
- deleted_content (string): The deleted content of the tab, if available.
314
- hashes (digest): A digest of the tab content.
315
- saved_path (path): The path where the tab was saved.
316
- modification_time (datetime): The modification time of the tab.
316
+ ts (datetime): The modification time of the tab.
317
+ content (string): The content of the tab.
318
+ path (path): The path to the tab file.
319
+ deleted_content (string): The deleted content of the tab, if available.
320
+ digest (digest): A digest of the tab content.
321
+ saved_path (path): The path where the tab was saved.
317
322
  """
318
323
  for file, user in self.users_tabs:
319
- # Parse the file
320
- tab: WindowsNotepadTab = WindowsNotepadTab(file)
324
+ tab = WindowsNotepadTab(file)
321
325
 
322
326
  if tab.is_saved:
323
327
  yield WindowsNotepadSavedTabRecord(
328
+ ts=wintimestamp(tab.tab_header.timestamp),
329
+ editor="windowsnotepad",
324
330
  content=tab.content,
325
331
  path=tab.file,
326
332
  deleted_content=tab.deleted_content,
327
- hashes=digest((None, None, tab.tab_header.sha256.hex())),
333
+ digest=digest((None, None, tab.tab_header.sha256.hex())),
328
334
  saved_path=tab.tab_header.filePath,
329
- modification_time=wintimestamp(tab.tab_header.timestamp),
330
- _target=self.target,
335
+ source=file,
331
336
  _user=user,
337
+ _target=self.target,
332
338
  )
339
+
333
340
  else:
334
341
  yield WindowsNotepadUnsavedTabRecord(
342
+ editor="windowsnotepad",
335
343
  content=tab.content,
344
+ deleted_content=tab.deleted_content,
336
345
  path=tab.file,
337
- _target=self.target,
346
+ source=file,
338
347
  _user=user,
339
- deleted_content=tab.deleted_content,
348
+ _target=self.target,
340
349
  )
@@ -1,3 +1,5 @@
1
+ from typing import Iterator
2
+
1
3
  from dissect.target.exceptions import UnsupportedPluginError
2
4
  from dissect.target.helpers.descriptor_extensions import UserRecordDescriptorExtension
3
5
  from dissect.target.helpers.record import create_extended_descriptor
@@ -14,6 +16,8 @@ ConsoleHostHistoryRecord = create_extended_descriptor([UserRecordDescriptorExten
14
16
 
15
17
 
16
18
  class PowerShellHistoryPlugin(Plugin):
19
+ """Windows PowerShell history plugin."""
20
+
17
21
  PATHS = [
18
22
  "AppData/Roaming/Microsoft/Windows/PowerShell/psreadline",
19
23
  ".local/share/powershell/PSReadLine",
@@ -35,10 +39,10 @@ class PowerShellHistoryPlugin(Plugin):
35
39
  raise UnsupportedPluginError("No ConsoleHost_history.txt files found")
36
40
 
37
41
  @export(record=ConsoleHostHistoryRecord)
38
- def powershell_history(self):
42
+ def powershell_history(self) -> Iterator[ConsoleHostHistoryRecord]:
39
43
  """Return PowerShell command history for all users.
40
44
 
41
- The PowerShell ConsoleHost_history.txt file contains information about the commands executed with PowerShell in
45
+ The PowerShell ``ConsoleHost_history.txt`` file contains information about the commands executed with PowerShell in
42
46
  a terminal. No data is recorded from terminal-less PowerShell sessions. Commands are saved to disk after the process has completed.
43
47
  PSReadLine does not save commands containing 'password', 'asplaintext', 'token', 'apikey' or 'secret'.
44
48
 
@@ -52,7 +52,7 @@ class WgetPlugin(Plugin):
52
52
  - https://gitlab.com/gnuwget/wget/-/blob/master/src/hsts.c
53
53
  - https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security
54
54
 
55
- Yields ``WgetHstsRecord``s with the following fields:
55
+ Yields ``WgetHstsRecord`` records with the following fields:
56
56
 
57
57
  .. code-block:: text
58
58
 
@@ -31,6 +31,8 @@ def find_sshd_directory(target: Target) -> TargetPath:
31
31
 
32
32
 
33
33
  class OpenSSHPlugin(SSHPlugin):
34
+ """OpenSSH plugin."""
35
+
34
36
  __namespace__ = "openssh"
35
37
 
36
38
  SSHD_DIRECTORIES = ["/sysvol/ProgramData/ssh", "/etc/ssh"]
@@ -74,6 +74,8 @@ SSHD_MULTIPLE_DEFINITIONS_ALLOWED_FIELDS = (
74
74
 
75
75
 
76
76
  class SSHServerPlugin(SSHPlugin):
77
+ """OpenSSHd server plugin."""
78
+
77
79
  __namespace__ = "opensshd"
78
80
 
79
81
  def __init__(self, target: Target):
@@ -52,15 +52,13 @@ class WireGuardPlugin(Plugin):
52
52
 
53
53
  __namespace__ = "wireguard"
54
54
 
55
- """
56
- TODO: NetworkManager uses a different stanza format
57
- "/etc/NetworkManager/system-connections/Wireguard*",
58
- TODO: systemd uses a different stanza format
59
- "/etc/systemd/network/wg*.netdev",
60
- "/etc/systemd/network/*wg*.netdev",
61
- TODO: other locations such as $HOME/.config/wireguard
62
- TODO: parse native network manager formats from MacOS, Ubuntu and Windows.
63
- """
55
+ # TODO: NetworkManager uses a different stanza format
56
+ # "/etc/NetworkManager/system-connections/Wireguard*",
57
+ # TODO: systemd uses a different stanza format
58
+ # "/etc/systemd/network/wg*.netdev",
59
+ # "/etc/systemd/network/*wg*.netdev",
60
+ # TODO: other locations such as $HOME/.config/wireguard
61
+ # TODO: parse native network manager formats from MacOS, Ubuntu and Windows.
64
62
 
65
63
  CONFIG_GLOBS = [
66
64
  # Linux
@@ -160,6 +158,8 @@ def _parse_config(content: str) -> ConfigParser:
160
158
 
161
159
 
162
160
  class MultiDict(OrderedDict):
161
+ """OrderedDict implementation which allows multiple values for the keys ``Peer`` and ``Interface``."""
162
+
163
163
  def __init__(self, *args, **kwargs):
164
164
  self._unique = 0
165
165
  super().__init__(*args, **kwargs)
@@ -23,6 +23,8 @@ CPANEL_LASTLOGIN_PATTERN = re.compile(
23
23
 
24
24
 
25
25
  class CPanelPlugin(Plugin):
26
+ """cPanel webhosting plugin."""
27
+
26
28
  # TODO: Parse other log files https://support.cartika.com/portal/en/kb/articles/whm-cpanel-log-files-and-locations
27
29
  __namespace__ = "cpanel"
28
30
 
@@ -22,6 +22,8 @@ LOG_REGEX = re.compile(
22
22
 
23
23
 
24
24
  class CaddyPlugin(WebserverPlugin):
25
+ """Caddy webserver plugin."""
26
+
25
27
  __namespace__ = "caddy"
26
28
 
27
29
  def __init__(self, target: Target):
@@ -18,6 +18,8 @@ LOG_REGEX = re.compile(
18
18
 
19
19
 
20
20
  class NginxPlugin(WebserverPlugin):
21
+ """Nginx webserver plugin."""
22
+
21
23
  __namespace__ = "nginx"
22
24
 
23
25
  def __init__(self, target: Target):
@@ -1,3 +1,5 @@
1
+ from typing import Iterator
2
+
1
3
  from dissect.target.exceptions import UnsupportedPluginError
2
4
  from dissect.target.helpers.record import ChildTargetRecord
3
5
  from dissect.target.plugin import ChildTargetPlugin
@@ -12,7 +14,7 @@ class ESXiChildTargetPlugin(ChildTargetPlugin):
12
14
  if self.target.os != "esxi":
13
15
  raise UnsupportedPluginError("Not an ESXi operating system")
14
16
 
15
- def list_children(self):
17
+ def list_children(self) -> Iterator[ChildTargetRecord]:
16
18
  for vm in self.target.vm_inventory():
17
19
  yield ChildTargetRecord(
18
20
  type=self.__type__,