dissect.target

Add support for unarchived Acquire directories

Open qmadev opened this issue 3 months ago • 7 comments

Doing this does not work:

(dissect.target) $ tar -xvf MSEDGEWIN10_20220708124036.tar

# Before changes
(dissect.target) $ target-query -f hostname,domain,ips,version fs                                                             [4:58:57]
2025-10-01T02:59:14.990461Z [warning  ] <Target fs>: Failed to find OS plugin, falling back to default [dissect.target.target]
<Target fs> None [] None

# After changes
(dissect.target) $ target-query -f hostname,domain,ips,version fs                                                             [5:01:58]
2025-10-01T03:02:02.396263Z [warning  ] <Target fs>: Unknown drive letter for sysvol [dissect.target.target]
<Target fs> MSEDGEWIN10 ['192.168.150.128'] Windows 10 Enterprise Evaluation (NT 10.0) 17763.379

This PR adds a fix for that. The reason seems to be that Acquire still has both a "windows" and "Windows" folder.

qmadev avatar Oct 01 '25 03:10 qmadev

Hello @qmadev, the change you submitted will not fix the underlying issue that you are experiencing. One reason would be that this change will make it path specific, where a change inside the path name will result in dissect not being able to find a specific file, e.g. not being able to find windows/system32 while Windows/System32 exists.

The proper fix for this issue is handling the case sensitivity inside the DirLoader, where it should "merge" the contents of folders that have the same name if case sensitivity is false (that is, if it is case insensitive), e.g. merging sysvol/windows and sysvol/Windows if both of them exist.

Miauwkeru avatar Oct 29 '25 15:10 Miauwkeru

I'm confused. Is this not handling the case sensitivity in the dir loader?

qmadev avatar Oct 29 '25 15:10 qmadev

I'm confused. Is this not handling the case sensitivity in the dir loader?

No, the change makes the filesystem case sensitive, so a file named File and file would be two different files. Windows systems are usually case insensitive, so asking to read the contents of File or file will result in the same data.

What one would expect from targeting the resulting acquire directory is that you would have similar behaviour as the tar loader.

So using ls on sysvol/windows would yield all the entries of the combined sysvol/windows and sysvol/Windows folder:

target-shell fs
$ ls sysvol/windows
PFRO.log
Temp
appcompat
inf
prefetch
serviceprofiles
system32
tasks

However, the current fix doesn't do this and you get part of the result. For example, the directory sysvol/windows/Temp would be missing.

From some debugging, I feel it might be going wrong inside the DirFilesystem with not being able to handle multiple matches for the same entry (e.g. Windows) : https://github.com/fox-it/dissect.target/blob/69c908a42bf3e988b7e0e18bd16910c7389c77d2/dissect/target/filesystems/dir.py#L42

Miauwkeru avatar Oct 30 '25 16:10 Miauwkeru
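The behaviour described in the two comments above (a case-insensitive view that unions sysvol/windows and sysvol/Windows, and a lookup that must cope with more than one on-disk match for the same entry) can be shown on a plain directory tree without any dissect.target code. The following is an added example written for this discussion; it is not code from dissect.target and does not use or model its DirLoader or DirFilesystem classes. The fixture layout, the function names (naive_listdir, merged_listdir, resolve_file) and the first-match policy of the naive variant are all assumptions made here. naive_listdir reproduces the symptom from the thread (the entries that live only under the other casing are dropped), merged_listdir shows the expected tar-loader-like listing, and resolve_file shows the one case that cannot be merged: two regular files whose names differ only in case.

```python
import os
import tempfile
from pathlib import Path

# Constructed fixture, not a real Acquire archive: an unpacked directory in which
# two on-disk folders differ only in case, as the thread describes for
# sysvol/windows and sysvol/Windows. Needs a case-sensitive host filesystem
# (Linux); on a case-insensitive one both names land in the same folder.
FIXTURE_FILES = [
    "sysvol/windows/Temp/tmp.txt",
    "sysvol/windows/system32/drivers/etc/hosts",
    "sysvol/Windows/PFRO.log",
    "sysvol/Windows/system32/config/SYSTEM",
    "sysvol/Windows/prefetch/A.pf",
]


def build_fixture(root: Path) -> None:
    for rel in FIXTURE_FILES:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(rel)  # content = relative path, so reads are checkable


def _split(path: str) -> list[str]:
    return [c for c in path.split("/") if c]


def _matches(dirs: list[Path], comp: str) -> list[Path]:
    """Every on-disk entry under any of `dirs` whose name equals `comp` ignoring case."""
    want = comp.casefold()
    return [d / n for d in dirs for n in os.listdir(d) if n.casefold() == want]


def naive_listdir(root: Path, path: str) -> list[str]:
    """First-match resolution (hypothetical): each path component is bound to ONE
    on-disk directory. This reproduces the symptom from the thread: entries that
    live only in the sibling folder with the other casing are silently missing."""
    cur = root
    for comp in _split(path):
        hits = [p for p in _matches([cur], comp) if p.is_dir()]
        if not hits:
            raise FileNotFoundError(path)
        cur = min(hits, key=lambda p: p.name)  # deterministic "first" match
    return sorted(os.listdir(cur))


def merged_dirs(root: Path, path: str) -> list[Path]:
    """All on-disk directories that `path` denotes under case-insensitive matching.
    Each component keeps every match, so sysvol/windows and sysvol/Windows are
    carried forward together, and so are their system32 children."""
    dirs = [root]
    for comp in _split(path):
        dirs = [p for p in _matches(dirs, comp) if p.is_dir()]
        if not dirs:
            raise FileNotFoundError(path)
    return dirs


def merged_listdir(root: Path, path: str) -> list[str]:
    """Union of the entries of all matched directories, de-duplicated ignoring case."""
    seen: dict[str, str] = {}
    for d in merged_dirs(root, path):
        for name in os.listdir(d):
            seen.setdefault(name.casefold(), name)
    return sorted(seen.values())


def resolve_file(root: Path, path: str) -> Path:
    """Map a file path to the single on-disk file behind it. Two regular files that
    both match (e.g. Windows/x.log and windows/X.log) are a genuine conflict that a
    case-insensitive target cannot express, so refuse instead of picking one."""
    parts = _split(path)
    parents = merged_dirs(root, "/".join(parts[:-1])) if len(parts) > 1 else [root]
    files = [p for p in _matches(parents, parts[-1]) if p.is_file()]
    if not files:
        raise FileNotFoundError(path)
    if len(files) > 1:
        raise ValueError(f"ambiguous: {path} matches {[str(f) for f in files]}")
    return files[0]


def demo() -> dict[str, object]:
    """Build the fixture in a temp dir and return the listings side by side."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_fixture(root)
        return {
            "naive": naive_listdir(root, "sysvol/windows"),
            "merged": merged_listdir(root, "sysvol/windows"),
            "merged_system32": merged_listdir(root, "sysvol/windows/system32"),
            "hosts": resolve_file(root, "SYSVOL/WINDOWS/System32/drivers/etc/hosts").read_text(),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the script prints the naive listing of sysvol/windows without Temp (only the "Windows" folder was consulted) next to the merged listing that contains it, and shows that the merge has to be carried through every level (system32 exists under both casings, so its children config and drivers come from different on-disk folders). The ambiguity check in resolve_file is the part a loader has to decide on: merging directories is safe because their contents are unioned, but two files whose names collide only in case have no single correct answer.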

Thanks! Starting to understand it a little bit better now. Will look into this further soon.

qmadev avatar Oct 30 '25 16:10 qmadev

I thought about it. Having trouble with merging the paths. Any suggestions?

qmadev avatar Nov 02 '25 01:11 qmadev

@Miauwkeru any suggestions on how to "merge" directories?

qmadev avatar Nov 17 '25 22:11 qmadev

Hi @qmadev, I was unavailable for a bit. I have been looking into this issue and I think it might be a bit deeper than expected. One solution I can think of off the top of my head is adding layers to the root filesystem if it finds more than one entry with the "same" name. But I am not yet sure this is the best way to tackle this issue. I think it requires a bit more research. I will try to get it discussed soon.

Miauwkeru avatar Nov 18 '25 09:11 Miauwkeru