dissect.target 3.20.dev64__py3-none-any.whl → 3.20.2.dev11__py3-none-any.whl

dissect/target/plugins/os/unix/log/messages.py

@@ -11,12 +11,18 @@ from dissect.target.helpers.fsutil import open_decompress
 from dissect.target.helpers.record import TargetRecordDescriptor
 from dissect.target.helpers.utils import year_rollover_helper
 from dissect.target.plugin import Plugin, alias, export
+from dissect.target.plugins.os.unix.log.helpers import (
+    RE_LINE,
+    RE_TS,
+    is_iso_fmt,
+    iso_readlines,
+)
 
 MessagesRecord = TargetRecordDescriptor(
     "linux/log/messages",
     [
         ("datetime", "ts"),
-        ("string", "daemon"),
+        ("string", "service"),
         ("varint", "pid"),
         ("string", "message"),
         ("path", "source"),
@@ -24,12 +30,8 @@ MessagesRecord = TargetRecordDescriptor(
 )
 
 DEFAULT_TS_LOG_FORMAT = "%b %d %H:%M:%S"
-RE_TS = re.compile(r"(\w+\s{1,2}\d+\s\d{2}:\d{2}:\d{2})")
-RE_DAEMON = re.compile(r"^[^:]+:\d+:\d+[^\[\]:]+\s([^\[:]+)[\[|:]{1}")
-RE_PID = re.compile(r"\w\[(\d+)\]")
-RE_MSG = re.compile(r"[^:]+:\d+:\d+[^:]+:\s(.*)$")
 RE_CLOUD_INIT_LINE = re.compile(
-    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) - (?P<daemon>.*)\[(?P<log_level>\w+)\]\: (?P<message>.*)$"
+    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) - (?P<service>.*)\[(?P<log_level>\w+)\]\: (?P<message>.*)$"
 )
 
 
@@ -56,7 +58,7 @@ class MessagesPlugin(Plugin):
     def messages(self) -> Iterator[MessagesRecord]:
         """Return contents of /var/log/messages*, /var/log/syslog* and cloud-init logs.
 
-        Due to year rollover detection, the contents of the files are returned in reverse.
+        Due to year rollover detection, the log contents could be returned in reversed or mixed chronological order.
 
         The messages log file holds information about a variety of events such as the system error messages, system
         startups and shutdowns, change in the network configuration, etc. Aims to store valuable, non-debug and
@@ -75,16 +77,23 @@ class MessagesPlugin(Plugin):
                 yield from self._parse_cloud_init_log(log_file, tzinfo)
                 continue
 
-            for ts, line in year_rollover_helper(log_file, RE_TS, DEFAULT_TS_LOG_FORMAT, tzinfo):
-                daemon = dict(enumerate(RE_DAEMON.findall(line))).get(0)
-                pid = dict(enumerate(RE_PID.findall(line))).get(0)
-                message = dict(enumerate(RE_MSG.findall(line))).get(0, line)
+            if is_iso_fmt(log_file):
+                iterable = iso_readlines(log_file)
+
+            else:
+                iterable = year_rollover_helper(log_file, RE_TS, DEFAULT_TS_LOG_FORMAT, tzinfo)
+
+            for ts, line in iterable:
+                match = RE_LINE.search(line)
+
+                if not match:
+                    self.target.log.warning("Unable to parse message line in %s", log_file)
+                    self.target.log.debug("Line %s", line)
+                    continue
 
                 yield MessagesRecord(
                     ts=ts,
-                    daemon=daemon,
-                    pid=pid,
-                    message=message,
+                    **match.groupdict(),
                     source=log_file,
                     _target=self.target,
                 )
@@ -134,7 +143,7 @@ class MessagesPlugin(Plugin):
 
                 yield MessagesRecord(
                     ts=ts,
-                    daemon=values["daemon"],
+                    service=values["service"],
                     pid=None,
                     message=values["message"],
                     source=log_file,

dissect/target/plugins/os/unix/trash.py

@@ -31,15 +31,25 @@ class GnomeTrashPlugin(Plugin):
 
     def __init__(self, target: Target):
         super().__init__(target)
-        self.trashes = list(self._garbage_collector())
+        self.trashes = set(self._garbage_collector())
 
     def _garbage_collector(self) -> Iterator[tuple[UserDetails, TargetPath]]:
         """it aint much, but its honest work"""
+
+        # home trash folders
         for user_details in self.target.user_details.all_with_home():
             for trash_path in self.PATHS:
                 if (path := user_details.home_path.joinpath(trash_path)).exists():
                     yield user_details, path
 
+        # mounted devices trash folders
+        for mount_path in list(self.target.fs.mounts) + ["/mnt", "/media"]:
+            if mount_path == "/":
+                continue
+
+            for mount_trash in self.target.fs.path(mount_path).rglob(".Trash-*"):
+                yield UserDetails(None, None), mount_trash
+
     def check_compatible(self) -> None:
         if not self.trashes:
             raise UnsupportedPluginError("No Trash folder(s) found")
@@ -52,7 +62,8 @@ class GnomeTrashPlugin(Plugin):
         Recovers deleted files and artifacts from ``$HOME/.local/share/Trash``.
         Probably also works with other desktop interfaces as long as they follow the Trash specification from FreeDesktop.
 
-        Currently does not parse media trash locations such as ``/media/$Label/.Trash-1000/*``.
+        Also parses media trash locations such as ``/media/$USER/$Label/.Trash-*``, ``/mnt/$Label/.Trash-*`` and other
+        locations as defined in ``/etc/fstab``.
 
         Resources:
             - https://specifications.freedesktop.org/trash-spec/latest/

dissect/target/plugins/os/windows/activitiescache.py

@@ -116,36 +116,38 @@ class ActivitiesCachePlugin(Plugin):
         for user, cache_file in self.cachefiles:
             fh = cache_file.open()
             db = sqlite3.SQLite3(fh)
-            for r in db.table("Activity").rows():
-                yield ActivitiesCacheRecord(
-                    start_time=mkts(r["[StartTime]"]),
-                    end_time=mkts(r["[EndTime]"]),
-                    last_modified_time=mkts(r["[LastModifiedTime]"]),
-                    last_modified_on_client=mkts(r["[LastModifiedOnClient]"]),
-                    original_last_modified_on_client=mkts(r["[OriginalLastModifiedOnClient]"]),
-                    expiration_time=mkts(r["[ExpirationTime]"]),
-                    app_id=r["[AppId]"],
-                    enterprise_id=r["[EnterpriseId]"],
-                    app_activity_id=r["[AppActivityId]"],
-                    group_app_activity_id=r["[GroupAppActivityId]"],
-                    group=r["[Group]"],
-                    activity_type=r["[ActivityType]"],
-                    activity_status=r["[ActivityStatus]"],
-                    priority=r["[Priority]"],
-                    match_id=r["[MatchId]"],
-                    etag=r["[ETag]"],
-                    tag=r["[Tag]"],
-                    is_local_only=r["[IsLocalOnly]"],
-                    created_in_cloud=r["[CreatedInCloud]"],
-                    platform_device_id=r["[PlatformDeviceId]"],
-                    package_id_hash=r["[PackageIdHash]"],
-                    id=r["[Id]"],
-                    payload=r["[Payload]"],
-                    original_payload=r["[OriginalPayload]"],
-                    clipboard_payload=r["[ClipboardPayload]"],
-                    _target=self.target,
-                    _user=user,
-                )
+
+            if table := db.table("Activity"):
+                for r in table.rows():
+                    yield ActivitiesCacheRecord(
+                        start_time=mkts(r["[StartTime]"]),
+                        end_time=mkts(r["[EndTime]"]),
+                        last_modified_time=mkts(r["[LastModifiedTime]"]),
+                        last_modified_on_client=mkts(r["[LastModifiedOnClient]"]),
+                        original_last_modified_on_client=mkts(r["[OriginalLastModifiedOnClient]"]),
+                        expiration_time=mkts(r["[ExpirationTime]"]),
+                        app_id=r["[AppId]"],
+                        enterprise_id=r["[EnterpriseId]"],
+                        app_activity_id=r["[AppActivityId]"],
+                        group_app_activity_id=r["[GroupAppActivityId]"],
+                        group=r["[Group]"],
+                        activity_type=r["[ActivityType]"],
+                        activity_status=r["[ActivityStatus]"],
+                        priority=r["[Priority]"],
+                        match_id=r["[MatchId]"],
+                        etag=r["[ETag]"],
+                        tag=r["[Tag]"],
+                        is_local_only=r["[IsLocalOnly]"],
+                        created_in_cloud=r["[CreatedInCloud]"],
+                        platform_device_id=r["[PlatformDeviceId]"],
+                        package_id_hash=r["[PackageIdHash]"],
+                        id=r["[Id]"],
+                        payload=r["[Payload]"],
+                        original_payload=r["[OriginalPayload]"],
+                        clipboard_payload=r["[ClipboardPayload]"],
+                        _target=self.target,
+                        _user=user,
+                    )
 
 
 def mkts(ts: int) -> datetime | None:

dissect/target/plugins/os/windows/catroot.py

@@ -217,15 +217,24 @@ class CatrootPlugin(Plugin):
             with ese_file.open("rb") as fh:
                 ese_db = EseDB(fh)
 
-                tables = [table.name for table in ese_db.tables()]
                 for hash_type, table_name in [("sha256", "HashCatNameTableSHA256"), ("sha1", "HashCatNameTableSHA1")]:
-                    if table_name not in tables:
+                    try:
+                        table = ese_db.table(table_name)
+                    except KeyError as e:
+                        self.target.log.warning("EseDB %s has no table %s", ese_file, table_name)
+                        self.target.log.debug("", exc_info=e)
                         continue
 
-                    for record in ese_db.table(table_name).records():
+                    for record in table.records():
                         file_digest = digest()
-                        setattr(file_digest, hash_type, record.get("HashCatNameTable_HashCol").hex())
-                        catroot_names = record.get("HashCatNameTable_CatNameCol").decode().rstrip("|").split("|")
+
+                        try:
+                            setattr(file_digest, hash_type, record.get("HashCatNameTable_HashCol").hex())
+                            catroot_names = record.get("HashCatNameTable_CatNameCol").decode().rstrip("|").split("|")
+                        except Exception as e:
+                            self.target.log.warning("Unable to parse catroot names for %s in %s", record, ese_file)
+                            self.target.log.debug("", exc_info=e)
+                            continue
 
                         for catroot_name in catroot_names:
                             yield CatrootRecord(

dissect/target/plugins/os/windows/lnk.py

@@ -1,4 +1,6 @@
-from typing import Iterator, Optional
+from __future__ import annotations
+
+from typing import Iterator
 
 from dissect.shellitem.lnk import Lnk
 from dissect.util import ts
@@ -34,7 +36,7 @@ LnkRecord = TargetRecordDescriptor(
 )
 
 
-def parse_lnk_file(target: Target, lnk_file: Lnk, lnk_path: TargetPath) -> Iterator[LnkRecord]:
+def parse_lnk_file(target: Target, lnk_file: Lnk, lnk_path: TargetPath) -> LnkRecord:
     # we need to get the active codepage from the system to properly decode some values
     codepage = target.codepage or "ascii"
 
@@ -132,7 +134,7 @@ class LnkPlugin(Plugin):
 
     @arg("--path", "-p", dest="path", default=None, help="Path to directory or .lnk file in target")
     @export(record=LnkRecord)
-    def lnk(self, path: Optional[str] = None) -> Iterator[LnkRecord]:
+    def lnk(self, path: str | None = None) -> Iterator[LnkRecord]:
         """Parse all .lnk files in /ProgramData, /Users, and /Windows or from a specified path in record format.
 
         Yields a LnkRecord record with the following fields:
@@ -160,10 +162,14 @@ class LnkPlugin(Plugin):
         """
 
         for entry in self.lnk_entries(path):
-            lnk_file = Lnk(entry.open())
-            yield parse_lnk_file(self.target, lnk_file, entry)
-
-    def lnk_entries(self, path: Optional[str] = None) -> Iterator[TargetPath]:
+            try:
+                lnk_file = Lnk(entry.open())
+                yield parse_lnk_file(self.target, lnk_file, entry)
+            except Exception as e:
+                self.target.log.warning("Failed to parse link file %s", lnk_file)
+                self.target.log.debug("", exc_info=e)
+
+    def lnk_entries(self, path: str | None = None) -> Iterator[TargetPath]:
         if path:
             target_path = self.target.fs.path(path)
             if not target_path.exists():

dissect/target/plugins/os/windows/network.py

@@ -1,5 +1,6 @@
 from __future__ import annotations
 
+import re
 from enum import IntEnum
 from functools import lru_cache
 from typing import Iterator
@@ -224,11 +225,13 @@ def _try_value(subkey: RegistryKey, value: str) -> str | list | None:
         return None
 
 
-def _get_config_value(key: RegistryKey, name: str) -> set:
+def _get_config_value(key: RegistryKey, name: str, sep: str | None = None) -> set:
     value = _try_value(key, name)
     if not value or value in ("", "0.0.0.0", None, [], ["0.0.0.0"]):
         return set()
-
+    if sep and isinstance(value, str):
+        re_sep = "|".join(map(re.escape, sep))
+        value = re.split(re_sep, value)
     if isinstance(value, list):
         return set(value)
 
@@ -281,7 +284,8 @@ class WindowsNetworkPlugin(NetworkPlugin):
                     pass
 
                 # Extract the rest of the device information
-                device_info["mac"] = _try_value(subkey, "NetworkAddress")
+                if mac_address := _try_value(subkey, "NetworkAddress"):
+                    device_info["mac"] = [mac_address]
                 device_info["vlan"] = _try_value(subkey, "VlanID")
 
                 if timestamp := _try_value(subkey, "NetworkInterfaceInstallTimestamp"):
@@ -354,11 +358,11 @@ class WindowsNetworkPlugin(NetworkPlugin):
             dhcp_config["ip"].update(_get_config_value(key, "DhcpIPAddress"))
             dhcp_config["subnetmask"].update(_get_config_value(key, "DhcpSubnetMask"))
             dhcp_config["search_domain"].update(_get_config_value(key, "DhcpDomain"))
-            dhcp_config["dns"].update(_get_config_value(key, "DhcpNameServer"))
+            dhcp_config["dns"].update(_get_config_value(key, "DhcpNameServer", " ,"))
 
             # Extract static configuration from the registry
             static_config["gateway"].update(_get_config_value(key, "DefaultGateway"))
-            static_config["dns"].update(_get_config_value(key, "NameServer"))
+            static_config["dns"].update(_get_config_value(key, "NameServer", " ,"))
             static_config["search_domain"].update(_get_config_value(key, "Domain"))
             static_config["ip"].update(_get_config_value(key, "IPAddress"))
             static_config["subnetmask"].update(_get_config_value(key, "SubnetMask"))

dissect/target/plugins/os/windows/notifications.py

@@ -442,43 +442,45 @@ class NotificationsPlugin(Plugin):
         """
         for user, wpndatabase in self.wpndb_files:
             db = sqlite3.SQLite3(wpndatabase.open())
-
             handlers = {}
-            for row in db.table("NotificationHandler").rows():
-                handlers[row["[RecordId]"]] = WpnDatabaseNotificationHandlerRecord(
-                    created_time=datetime.datetime.strptime(row["[CreatedTime]"], "%Y-%m-%d %H:%M:%S"),
-                    modified_time=datetime.datetime.strptime(row["[ModifiedTime]"], "%Y-%m-%d %H:%M:%S"),
-                    id=row["[RecordId]"],
-                    primary_id=row["[PrimaryId]"],
-                    wns_id=row["[WNSId]"],
-                    handler_type=row["[HandlerType]"],
-                    wnf_event_name=row["[WNFEventName]"],
-                    system_data_property_set=row["[SystemDataPropertySet]"],
-                    _target=self.target,
-                    _user=user,
-                )
-
-            for row in db.table("Notification").rows():
-                record = WpnDatabaseNotificationRecord(
-                    arrival_time=wintimestamp(row["[ArrivalTime]"]),
-                    expiry_time=wintimestamp(row["[ExpiryTime]"]),
-                    order=row["[Order]"],
-                    id=row["[Id]"],
-                    handler_id=row["[HandlerId]"],
-                    activity_id=UUID(bytes=row["[ActivityId]"]),
-                    type=row["[Type]"],
-                    payload=row["[Payload]"],
-                    payload_type=row["[PayloadType]"],
-                    tag=row["[Tag]"],
-                    group=row["[Group]"],
-                    boot_id=row["[BootId]"],
-                    expires_on_reboot=row["[ExpiresOnReboot]"] != "FALSE",
-                    _target=self.target,
-                    _user=user,
-                )
-                handler = handlers.get(row["[HandlerId]"])
 
-                if handler:
-                    yield GroupedRecord("windows/notification/wpndatabase/grouped", [record, handler])
-                else:
-                    yield record
+            if table := db.table("NotificationHandler"):
+                for row in table.rows():
+                    handlers[row["[RecordId]"]] = WpnDatabaseNotificationHandlerRecord(
+                        created_time=datetime.datetime.strptime(row["[CreatedTime]"], "%Y-%m-%d %H:%M:%S"),
+                        modified_time=datetime.datetime.strptime(row["[ModifiedTime]"], "%Y-%m-%d %H:%M:%S"),
+                        id=row["[RecordId]"],
+                        primary_id=row["[PrimaryId]"],
+                        wns_id=row["[WNSId]"],
+                        handler_type=row["[HandlerType]"],
+                        wnf_event_name=row["[WNFEventName]"],
+                        system_data_property_set=row["[SystemDataPropertySet]"],
+                        _target=self.target,
+                        _user=user,
+                    )
+
+            if table := db.table("Notification"):
+                for row in table.rows():
+                    record = WpnDatabaseNotificationRecord(
+                        arrival_time=wintimestamp(row["[ArrivalTime]"]),
+                        expiry_time=wintimestamp(row["[ExpiryTime]"]),
+                        order=row["[Order]"],
+                        id=row["[Id]"],
+                        handler_id=row["[HandlerId]"],
+                        activity_id=UUID(bytes=row["[ActivityId]"]),
+                        type=row["[Type]"],
+                        payload=row["[Payload]"],
+                        payload_type=row["[PayloadType]"],
+                        tag=row["[Tag]"],
+                        group=row["[Group]"],
+                        boot_id=row["[BootId]"],
+                        expires_on_reboot=row["[ExpiresOnReboot]"] != "FALSE",
+                        _target=self.target,
+                        _user=user,
+                    )
+                    handler = handlers.get(row["[HandlerId]"])
+
+                    if handler:
+                        yield GroupedRecord("windows/notification/wpndatabase/grouped", [record, handler])
+                    else:
+                        yield record

dissect/target/plugins/os/windows/regf/cit.py

@@ -632,8 +632,8 @@ def local_wintimestamp(target, ts):
 class CITPlugin(Plugin):
     """Plugin that parses CIT data from the registry.
 
-    Reference:
-    - https://dfir.ru/2018/12/02/the-cit-database-and-the-syscache-hive/
+    References:
+        - https://dfir.ru/2018/12/02/the-cit-database-and-the-syscache-hive/
     """
 
     __namespace__ = "cit"
@@ -641,7 +641,7 @@ class CITPlugin(Plugin):
     KEY = "HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\CIT"
 
     def check_compatible(self) -> None:
-        if not len(list(self.target.registry.keys(self.KEY))) > 0:
+        if not list(self.target.registry.keys(self.KEY)):
             raise UnsupportedPluginError("No CIT registry key found")
 
     @export(record=get_args(CITRecords))
@@ -770,8 +770,9 @@ class CITPlugin(Plugin):
                         yield from _yield_bitmap_records(
                             self.target, cit, entry.use_data.bitmaps.foreground, CITProgramBitmapForegroundRecord
                         )
-                except Exception:
-                    self.target.log.exception("Failed to parse CIT value: %s", value.name)
+                except Exception as e:
+                    self.target.log.warning("Failed to parse CIT value: %s", value.name)
+                    self.target.log.debug("", exc_info=e)
 
     @export(record=CITPostUpdateUseInfoRecord)
     def puu(self) -> Iterator[CITPostUpdateUseInfoRecord]:
@@ -788,10 +789,16 @@ class CITPlugin(Plugin):
         for reg_key in keys:
             for key in self.target.registry.keys(reg_key):
                 try:
-                    puu = c_cit.CIT_POST_UPDATE_USE_INFO(key.value("PUUActive").value)
+                    key_value = key.value("PUUActive").value
+                    puu = c_cit.CIT_POST_UPDATE_USE_INFO(key_value)
                 except RegistryValueNotFoundError:
                     continue
 
+                except EOFError as e:
+                    self.target.log.warning("Exception reading CIT structure in key %s", key.path)
+                    self.target.log.debug("Unable to parse value %s", key_value, exc_info=e)
+                    continue
+
                 yield CITPostUpdateUseInfoRecord(
                     log_time_start=wintimestamp(puu.LogTimeStart),
                     update_key=puu.UpdateKey,
@@ -852,10 +859,16 @@ class CITPlugin(Plugin):
         for reg_key in keys:
             for key in self.target.registry.keys(reg_key):
                 try:
-                    dp = c_cit.CIT_DP_DATA(key.value("DP").value)
+                    key_value = key.value("DP").value
+                    dp = c_cit.CIT_DP_DATA(key_value)
                 except RegistryValueNotFoundError:
                     continue
 
+                except EOFError as e:
+                    self.target.log.warning("Exception reading CIT structure in key %s", key.path)
+                    self.target.log.debug("Unable to parse value %s", key_value, exc_info=e)
+                    continue
+
                 user = self.target.registry.get_user(key)
                 log_time_start = wintimestamp(dp.LogTimeStart)