fox-it / dissect

Dissect is a digital forensics & incident response framework and toolset that allows you to quickly access and analyse forensic artefacts from various disk and file formats, developed by Fox-IT (part of NCC Group).

Home Page: https://docs.dissect.tools/en/latest/

License: GNU Affero General Public License v3.0


dissect

This project is a meta package: installing it pulls in all other Dissect modules in a compatible combination of versions. For more information, please see the documentation.

What is Dissect?

Dissect is an incident response framework built from various parsers and implementations of file formats. Tying this all together, Dissect lets you work with tools named target-query and target-shell to quickly gain access to forensic artefacts such as Run keys, Prefetch files, and Windows Event Logs, just to name a few!

Singular approach

And the best thing: all in a single, uniform way, regardless of the underlying container (E01, VMDK, QCoW), filesystem (NTFS, ExtFS, FFS), or operating system (Windows, Linux, ESXi), in any combination. You no longer have to extract files from your forensic container, mount them (in the case of VMDKs and the like), retrieve the MFT and parse it with a separate tool, and only then build a timeline to analyse. Dissect handles all of this under the hood in a user-friendly manner.

Taking the example above, you can start analysing parsed MFT entries with a single command such as target-query -f mft <PATH_TO_YOUR_IMAGE>!

Create a lightweight container using Acquire

Dissect also provides a tool called acquire. You can deploy it on endpoints to create a lightweight container of those machines. Conveniently, you can also deploy acquire on a hypervisor to quickly create lightweight containers of all the (running) virtual machines on it, without having to worry about file locks. These lightweight containers can then be analysed with tools such as target-query and target-shell, but feel free to use other tools as well.

A modular setup

Dissect is made with a modular approach in mind. This means that each individual project can be used on its own (or in combination) to create a completely new tool for your engagement or future use!

Try it out now!

Interested in trying it out for yourself? You can simply pip install dissect and start using the target-* tooling right away. Or you can use the interactive playground at https://try.dissect.tools to try Dissect in your browser.

Don’t know where to start? Check out the introduction page.

Want to get a detailed overview? Check out the overview page.

Want to read everything? Check out the documentation.

Projects

Dissect currently consists of the following projects.

Related

These projects are closely related to Dissect, but not installed by this meta package.

Requirements

This project is part of the Dissect framework and requires Python.

Information on the supported Python versions can be found in the Getting Started section of the documentation.

Installation

dissect is available on PyPI.

pip install dissect

Build and test instructions

This project uses tox to build source and wheel distributions. Run the following command from the root folder to build these:

tox -e build

The build artifacts can be found in the dist/ directory.

tox is also used to run linting and unit tests in a self-contained environment. To run both linting and unit tests using the default installed Python version, run:

tox

For a more elaborate explanation on how to build and test the project, please see the documentation.

Contributing

The Dissect project encourages any contribution to the codebase. To make your contribution fit into the project, please refer to the development guide.

Copyright and license

Dissect is released as open source by Fox-IT (https://www.fox-it.com), part of NCC Group Plc (https://www.nccgroup.com).

Developed by the Dissect Team ([email protected]) and made available at https://github.com/fox-it/dissect.

License terms: AGPL3 (https://www.gnu.org/licenses/agpl-3.0.html). For more information, see the LICENSE file.


dissect's Issues

task plugin issue

Dear team,
I'm facing an issue while executing the following command:
target-query test.tar -f tasks
After extracting some events I get the following:
File "/usr/local/bin/target-query", line 8, in
sys.exit(main())
File "/usr/local/lib/python3.10/dist-packages/dissect/target/tools/query.py", line 234, in main
for record_entries in entry:
File "/usr/local/lib/python3.10/dist-packages/dissect/target/plugins/os/windows/tasks.py", line 390, in tasks
for entry in self.parse_task(f):
File "/usr/local/lib/python3.10/dist-packages/dissect/target/plugins/os/windows/tasks.py", line 397, in parse_task
raise InvalidTaskError()
dissect.target.exceptions.InvalidTaskError: None

note that the .tar was part of acquire output

https://try.dissect.tools/ Broken

When loading the demo in Chrome, the following error occurs within the browser. It appears there is a permission issue for https://try.dissect.tools/pyodide/pyodide.js.map as it is returning a 403. Reproducible on Windows 10 and 11 running Chrome on different ISPs.

Loading distutils
pyodide.asm.js:10 Loaded distutils
worker.ts:228 Python initialization complete
pyodide.asm.js:10 distutils already loaded from default channel
pyodide.asm.js:10 Loading micropip, pyparsing, packaging
pyodide.asm.js:10 Loaded micropip, packaging, pyparsing
pyodide.asm.js:10 Loading pyyaml
pyodide.asm.js:10 Loaded pyyaml
pyodide.asm.js:10 Loading msgpack
pyodide.asm.js:10 Loaded msgpack
pyodide.asm.js:10 Uncaught (in promise) PythonError: Traceback (most recent call last):
File "/lib/python3.10/site-packages/_pyodide/_base.py", line 435, in eval_code
.run(globals, locals)
File "/lib/python3.10/site-packages/_pyodide/_base.py", line 304, in run
coroutine = eval(self.code, globals, locals)
File "", line 11, in
File "/lib/python3.10/site-packages/dissect/target/tools/utils.py", line 15, in
from dissect.target.loaders.targetd import TargetdLoader
File "/lib/python3.10/site-packages/dissect/target/loaders/targetd.py", line 4, in
import ssl
File "/lib/python3.10/site-packages/_pyodide/_importhook.py", line 174, in find_spec
raise ModuleNotFoundError(
ModuleNotFoundError: The module 'ssl' is unvendored from the Python standard library in the Pyodide distribution, you can install it by calling: await micropip.install("ssl"). See https://pyodide.org/en/stable/usage/wasm-constraints.html for more details.

at new_error (pyodide.asm.js:10:218127)
at pyodide.asm.wasm:0xdef7c
at pyodide.asm.wasm:0xdf077
at Module._pythonexc2js (pyodide.asm.js:10:900305)
at Module.callPyObjectKwargs (pyodide.asm.js:10:119175)
at Module.callPyObject (pyodide.asm.js:10:119387)
at PyProxyClass.apply (pyodide.asm.js:10:126775)
at Object.apply (pyodide.asm.js:10:125862)
at Object.runPython (pyodide.asm.js:10:149972)
at worker.ts:245:1

DevTools failed to load source map: Could not load content for https://try.dissect.tools/pyodide/pyodide.js.map: Fetch through target failed: Target not supported; Fallback: HTTP error: status code 403, net::ERR_HTTP_RESPONSE_CODE_FAILURE

Invalid or reserved field name in linux service

When I run the 'services()' function on an opened Target image, I get thrown out of the generator eventually after running into the 'Unit_X-Snappy' service. The error itself is as follows: "Field 'Unit_X-Snappy' is an invalid or reserved field name".

When looking at the Dissect code I see the error is thrown at the creation of a 'TargetRecordDescriptor' of the 'ServicesPlugin' function, which is located in the following file: dissect\target\plugins\os\unix\linux\services.py.

In the meantime I can kind of fix it by putting a try-except block around the record creation, but I still miss any services after 'Unit_X-Snappy'. Can anybody help me with this issue?
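One defensive way to handle the failure mode described in this issue, written as an added example that is not part of the issue or of Dissect's own code: it assumes the record descriptor rejects field names that are not valid Python identifiers or that are Python keywords (the hyphen in 'Unit_X-Snappy' would violate that), and the unit list below is constructed. Rather than turning each service name into a record field, it keeps a fixed schema with the name as a value, so no service is silently dropped, and it provides a sanitiser for the case where a dynamic field name really is needed.

```python
import keyword
import re

# Constructed sample of service unit names and their source paths, as a Linux
# target might expose them. The hyphenated name reproduces the reported error;
# the other odd ones show related ways a name can be rejected.
SAMPLE_SERVICES = [
    ("ssh", "/lib/systemd/system/ssh.service"),
    ("Unit_X-Snappy", "/etc/systemd/system/Unit_X-Snappy.service"),
    ("2fa-agent", "/etc/systemd/system/2fa-agent.service"),
    ("class", "/etc/systemd/system/class.service"),
    ("cron", "/lib/systemd/system/cron.service"),
]

# Assumed validity rule for a record field name: identifier-like token
# (letters, digits, underscore, no leading digit) that is not a keyword.
_VALID_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def is_valid_field_name(name: str) -> bool:
    """Return True if `name` would be accepted as a record field name under the
    assumed rule; 'Unit_X-Snappy' fails because of the hyphen."""
    return bool(_VALID_NAME.match(name)) and not keyword.iskeyword(name)


def sanitize_field_name(name: str) -> str:
    """Map an arbitrary unit name onto a valid field name.
    Invalid characters become '_', a leading digit gets an underscore prefix,
    and a keyword gets an underscore suffix. Only use this when the name must
    be a field; otherwise keep the original name as a value (see below)."""
    safe = re.sub(r"[^A-Za-z0-9_]", "_", name)
    if not safe or safe[0].isdigit():
        safe = "_" + safe
    if keyword.iskeyword(safe):
        safe += "_"
    return safe


def collect_services(services):
    """Build one record-like dict per service using a fixed schema.

    The service name is stored as a value ("name"), so it can never trip the
    field-name validation, and the generator is not aborted halfway through.
    Names that would have been rejected as fields are also returned so the
    analyst can see which entries the old approach would have lost.
    """
    records, rejected_as_field = [], []
    for name, source in services:
        if not is_valid_field_name(name):
            rejected_as_field.append(name)
        records.append(
            {
                "name": name,
                "field_name": sanitize_field_name(name),
                "source": source,
            }
        )
    return records, rejected_as_field


if __name__ == "__main__":
    recs, rejected = collect_services(SAMPLE_SERVICES)
    for rec in recs:
        print(f"{rec['name']:<15} field={rec['field_name']:<15} {rec['source']}")
    print("would be rejected as field names:", rejected)
```

With the fixed schema every service ends up in the output, including the ones after 'Unit_X-Snappy', which is the behaviour the try-except workaround in the issue could not give.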

Failed to load target

Hi,
I recently started trying dissect but I get error messages all the time. My command was:

target-query /mnt/SCHARDT.001 -f hostname,domain,os,version,ips -d ';'
2023-12-12T13:19:53.452782Z [error ] Unable to import dissect.target.plugins.filesystem.yara [dissect.target.plugin]
2023-12-12T13:19:53.605162Z [error ] /mnt/SCHARDT.001: Failed to load target with loader RawLoader('/mnt/SCHARDT.001')

TargetError: Failed to load target: /mnt/SCHARDT.001

Traceback (most recent call last):
File "/usr/local/bin/target-query", line 8, in
sys.exit(main())
^^^^^^
File "/usr/local/lib/python3.11/dist-packages/dissect/target/tools/utils.py", line 250, in wrapper
return func(*args, **kwargs)
^^^^^^^^^^^^^^^^^^^^^
File "/usr/local/lib/python3.11/dist-packages/dissect/target/tools/query.py", line 243, in main
for target in Target.open_all(args.targets, args.children):
File "/usr/local/lib/python3.11/dist-packages/dissect/target/target.py", line 307, in open_all
raise TargetError(f"Failed to find any loader for targets: {paths}")
dissect.target.exceptions.TargetError: Failed to find any loader for targets: ['/mnt/SCHARDT.001']

Do you have any ideas, what I'm doing wrong?
Thanks for your help.

p.s.: There is a longer and more detailed error output if you need it.

cstruct patching 21 projects

Branch the below projects with cstruct patches and dependency on >=4.0.dev <=5.0.dev

No.    | Project              | Size                 | Files to check       | Est. type fixes      | Est. failing structs    
-------+----------------------+----------------------+----------------------+----------------------+-------------------------
#1     | acquire              | 1                    | 1                    | 0                    | 0                   
#2     | foxhound             | 1                    | 1                    | 0                    | 0                   
#3     | dissect.ole          | 5                    | 1                    | 0                    | 0                   
#4     | dissect.ffs          | 6                    | 1                    | 0                    | 0                   
#5     | dissect.regf         | 6                    | 1                    | 0                    | 0                   
#6     | dissect.btrfs        | 7                    | 1                    | 0                    | 0                   
#7     | dissect.shellitem    | 8                    | 1                    | 0                    | 0                   
#8     | dissect.sql          | 8                    | 1                    | 0                    | 0                   
#9     | dissect.esedb        | 9                    | 1                    | 0                    | 0                   
#10    | dissect.vmfs         | 10                   | 1                    | 0                    | 0                   
#11    | dissect.cim          | 12                   | 1                    | 0                    | 0                   
#12    | dissect.fat          | 7                    | 2                    | 0                    | 0                   
#13    | dissect.executable   | 10                   | 2                    | 0                    | 0                   
#14    | dissect.fve          | 17                   | 2                    | 0                    | 0                   
#15    | dissect.thumbcache   | 7                    | 3                    | 0                    | 0                   
#16    | dissect.evidence     | 8                    | 3                    | 0                    | 0                   
#17    | dissect.eventlog     | 4                    | 6                    | 0                    | 0                   
#18    | dissect.squashfs     | 6                    | 2                    | 1                    | 0                   
#19    | dissect.ntfs         | 11                   | 4                    | 2                    | 0                   
#20    | dissect.xfs          | 6                    | 2                    | 4                    | 0                   
#21    | dissect.extfs        | 6                    | 4                    | 7                    | 0                   

sam plugin issue

It seems that the sam plugin provides the wrong user creation timestamps, or it's intended by design, and instead provides the last modification timestamp, e.g. a user's last password change. The expected creation time of the user should be "2021-12-28 06:57:23 UTC"

See below comparison with x-ways forensics and dissect, all timestamps in UTC.

x-ways

Registry report:

User ID of  | 0x000003EA (1002) |   | 2021-12-28 06:57:23

Registry viewer:
Screenshot shows last password change, which is the "creation" timestamp of dissect output below

image

dissect
target-query -q TestImage.E01 -f sam -j | jq . -C | less -r

{
  "hostname": "<redacted>",
  "domain": "<redacted>",
  "rid": 1002,
  "fullname": "<redacted>",
  "username": "<redacted>",
  "comment": "",
  "lockout": "1601-01-01T00:00:00.000000",
  "creation": "2021-12-28T07:41:13.536482",
  "lastlogin": "1601-01-01T00:00:00.000000",
  "flags": 528,
  "failedlogins": 0,
  "logins": 0,
  "lm": "<redacted>",
  "ntlm": "<redacted>",
  "_source": "TestImage.E01",
  "_classification": null,
  "_generated": "2022-12-28T03:27:52.017157",
  "_version": 1,
  "_type": "record",
  "_recorddescriptor": [
    "windows/registry/sam",
    1346789399
  ]
}

If this is by design, I would suggest to change "creation" timestamp to "last modified" or similar wording to avoid any confusions.

TypeError 'type' object is not subscriptable

I'm getting the error TypeError: 'type' object is not subscriptable with every command.
I installed dissect with pip install dissect on a fully patched Ubuntu 20.04 LTS system with Python 3.8.10.

Any idea what can be wrong?

What about custom artifacts?

Hi!
I really like acquire because of the ease of dealing with images / VMDKs.
Can you state what the go-to way is if I want to acquire my own artifacts? As far as I have seen, there is no option to provide a list of paths or similar. In this case, I will have to implement my own module, won't I?
Thanks in advance for answering!

RDTag Ignored when Forwarding to Splunk via Rdump

Hello,

I have attempted to forward output via RDump to Splunk using the following command:

$ target-query [PATH_OF_IMAGE] -f users | rdump -w splunk://172.20.32.126:3000?rdtag=test123
[reading from stdin]
$

I do not observe the RDTag in the output being sent to Splunk in transit (Following screenshot is from a PCAP of data sent in transit).
image

I also do not observe the RDTag in the data that is received by Splunk.
image

I only came across the ability to add the RDTag in the source code (https://github.com/fox-it/flow.record/blob/e234f617a4aab625808598385f4f5a4a4f68eea6/flow/record/adapter/splunk.py#L12).
Should the RDTag I specified be taking effect or have I done something wrong when executing the command?

PS: The version of the software I am using is as follows:

$ rdump --version
flow.record version 3.5
