From d45219448fc177d3036b3d5cab396a30530cd2f4 Mon Sep 17 00:00:00 2001 From: qmadev <190383216+qmadev@users.noreply.github.com> Date: Thu, 14 Aug 2025 01:09:33 +0200 Subject: [PATCH 01/10] Add webserver collection --- acquire/acquire.py | 28 ++++++++++++++++++---------- 1 file changed, 18 insertions(+), 10 deletions(-) diff --git a/acquire/acquire.py b/acquire/acquire.py index 8bc0bcd4..66530b5b 100644 --- a/acquire/acquire.py +++ b/acquire/acquire.py @@ -25,7 +25,7 @@ from dissect.target.filesystems import ntfs from dissect.target.helpers import fsutil from dissect.target.loaders.local import _windows_get_devices -from dissect.target.plugins.apps.webserver import iis +from dissect.target.plugins.apps.webserver import iis, webserver from dissect.target.plugins.os.windows.cam import CamPlugin from dissect.target.plugins.os.windows.log import evt, evtx from dissect.target.tools.utils.cli import args_to_uri @@ -870,15 +870,23 @@ class IIS(Module): @classmethod def get_spec_additions(cls, target: Target, cli_args: argparse.Namespace) -> Iterator[tuple]: - spec = { - ("glob", "sysvol\\Windows\\System32\\LogFiles\\W3SVC*\\*.log"), - ("glob", "sysvol\\Windows.old\\Windows\\System32\\LogFiles\\W3SVC*\\*.log"), - ("glob", "sysvol\\inetpub\\logs\\LogFiles\\*.log"), - ("glob", "sysvol\\inetpub\\logs\\LogFiles\\W3SVC*\\*.log"), - ("glob", "sysvol\\Resources\\Directory\\*\\LogFiles\\Web\\W3SVC*\\*.log"), - } - iis_plugin = iis.IISLogsPlugin(target) - spec.update(("path", log_path) for log_path in chain(*iis_plugin.log_dirs.values())) + warnings.warn( + "--iis is deprecated in favor of --webserver-logs and will be removed in acquire ???", + DeprecationWarning, + stacklevel=2, + ) + return WebserverLog.get_spec_additions(cls, target, cli_args) + + +@register_module("--webserver-log") +class WebserverLog(Module): + DESC = "IIS, Nginx and Apache logs" + + @classmethod + def get_spec_additions(cls, target: Target, cli_args: argparse.Namespace) -> Iterator[tuple]: + spec = set() + webserver_plugin = webserver.WebserverPlugin(target) + spec.update(("path", log_path) for log_path in webserver_plugin._iter_log_paths()) return spec From a95070d9e302e598241ff1d5f6f91408885dbfed Mon Sep 17 00:00:00 2001 From: qmadev <190383216+qmadev@users.noreply.github.com> Date: Sat, 16 Aug 2025 02:37:10 +0200 Subject: [PATCH 02/10] Collect webserver logs from WebserverPlugin subclasses --- acquire/acquire.py | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) diff --git a/acquire/acquire.py b/acquire/acquire.py index 66530b5b..7d8ef2b7 100644 --- a/acquire/acquire.py +++ b/acquire/acquire.py @@ -25,7 +25,7 @@ from dissect.target.filesystems import ntfs from dissect.target.helpers import fsutil from dissect.target.loaders.local import _windows_get_devices -from dissect.target.plugins.apps.webserver import iis, webserver +from dissect.target.plugins.apps.webserver.webserver import WebserverPlugin from dissect.target.plugins.os.windows.cam import CamPlugin from dissect.target.plugins.os.windows.log import evt, evtx from dissect.target.tools.utils.cli import args_to_uri @@ -880,13 +880,21 @@ def get_spec_additions(cls, target: Target, cli_args: argparse.Namespace) -> Ite @register_module("--webserver-log") class WebserverLog(Module): - DESC = "IIS, Nginx and Apache logs" + DESC = "Various webserver logs" @classmethod def get_spec_additions(cls, target: Target, cli_args: argparse.Namespace) -> Iterator[tuple]: spec = set() - webserver_plugin = webserver.WebserverPlugin(target) - spec.update(("path", log_path) for log_path in webserver_plugin._iter_log_paths()) + + for subclass in WebserverPlugin.__subclasses__(): + if not hasattr(subclass, "_log_paths"): + continue + + webserver = subclass(target) + for log_path in webserver._log_paths(): + print(f"NEW PATH: {log_path}") + spec.add(("path", log_path)) + return spec From 4fd19a0cd8ea9a4618a6f2789adfab5995600f2b Mon Sep 17 00:00:00 2001 From: qmadev <190383216+qmadev@users.noreply.github.com> Date: Sat, 16 Aug 2025 03:28:52 +0200 Subject: [PATCH 03/10] Remove debug prints --- acquire/acquire.py | 1 - 1 file changed, 1 deletion(-) diff --git a/acquire/acquire.py b/acquire/acquire.py index 7d8ef2b7..60f2d0c7 100644 --- a/acquire/acquire.py +++ b/acquire/acquire.py @@ -892,7 +892,6 @@ def get_spec_additions(cls, target: Target, cli_args: argparse.Namespace) -> Ite webserver = subclass(target) for log_path in webserver._log_paths(): - print(f"NEW PATH: {log_path}") spec.add(("path", log_path)) return spec From 39e82b8b8da8aa43d4c2ea557e35fd35b73193d2 Mon Sep 17 00:00:00 2001 From: qmadev <190383216+qmadev@users.noreply.github.com> Date: Mon, 18 Aug 2025 13:38:54 +0200 Subject: [PATCH 04/10] Use `_get_paths()` for log file retrieval --- acquire/acquire.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/acquire/acquire.py b/acquire/acquire.py index 60f2d0c7..f053c1f0 100644 --- a/acquire/acquire.py +++ b/acquire/acquire.py @@ -887,11 +887,14 @@ def get_spec_additions(cls, target: Target, cli_args: argparse.Namespace) -> Ite spec = set() for subclass in WebserverPlugin.__subclasses__(): - if not hasattr(subclass, "_log_paths"): + if subclass.__name__ == "IISLogsPlugin" and target.os != "windows": + continue + + if not hasattr(subclass, "_get_paths"): continue webserver = subclass(target) - for log_path in webserver._log_paths(): + for log_path in webserver._get_paths(): spec.add(("path", log_path)) return spec From 79bbd2b65ebf04f3637b5e292cdd264fa2ed9cbe Mon Sep 17 00:00:00 2001 From: qmadev <190383216+qmadev@users.noreply.github.com> Date: Mon, 18 Aug 2025 18:29:03 +0200 Subject: [PATCH 05/10] Hardcode classes instead of using subclasses method --- acquire/acquire.py | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/acquire/acquire.py b/acquire/acquire.py index f053c1f0..1c4ea18c 100644 --- a/acquire/acquire.py +++ b/acquire/acquire.py @@ -25,7 +25,10 @@ from dissect.target.filesystems import ntfs from dissect.target.helpers import fsutil from dissect.target.loaders.local import _windows_get_devices -from dissect.target.plugins.apps.webserver.webserver import WebserverPlugin +from dissect.target.plugins.apps.webserver.apache import ApachePlugin +from dissect.target.plugins.apps.webserver.caddy import CaddyPlugin +from dissect.target.plugins.apps.webserver.iis import IISLogsPlugin +from dissect.target.plugins.apps.webserver.nginx import NginxPlugin from dissect.target.plugins.os.windows.cam import CamPlugin from dissect.target.plugins.os.windows.log import evt, evtx from dissect.target.tools.utils.cli import args_to_uri @@ -885,8 +888,14 @@ class WebserverLog(Module): @classmethod def get_spec_additions(cls, target: Target, cli_args: argparse.Namespace) -> Iterator[tuple]: spec = set() + subclasses = [ + ApachePlugin, + CaddyPlugin, + IISLogsPlugin, + NginxPlugin, + ] - for subclass in WebserverPlugin.__subclasses__(): + for subclass in subclasses: if subclass.__name__ == "IISLogsPlugin" and target.os != "windows": continue From addaa41640ffc6231f3b95d30fdd7dafaebb0adb Mon Sep 17 00:00:00 2001 From: qmadev <190383216+qmadev@users.noreply.github.com> Date: Fri, 24 Oct 2025 16:15:41 +0200 Subject: [PATCH 06/10] Process feedback --- acquire/acquire.py | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/acquire/acquire.py b/acquire/acquire.py index 1c4ea18c..1b9a176e 100644 --- a/acquire/acquire.py +++ b/acquire/acquire.py @@ -899,11 +899,8 @@ def get_spec_additions(cls, target: Target, cli_args: argparse.Namespace) -> Ite if subclass.__name__ == "IISLogsPlugin" and target.os != "windows": continue - if not hasattr(subclass, "_get_paths"): - continue - webserver = subclass(target) - for log_path in webserver._get_paths(): + for log_path in webserver.get_all_paths(): spec.add(("path", log_path)) return spec From a5a26d82dbec64999bdde24678fdd488adddf125 Mon Sep 17 00:00:00 2001 From: qmadev <190383216+qmadev@users.noreply.github.com> Date: Fri, 24 Oct 2025 17:08:07 +0200 Subject: [PATCH 07/10] Add version number --- acquire/acquire.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acquire/acquire.py b/acquire/acquire.py index 1b9a176e..bea2ed5a 100644 --- a/acquire/acquire.py +++ b/acquire/acquire.py @@ -874,7 +874,7 @@ class IIS(Module): @classmethod def get_spec_additions(cls, target: Target, cli_args: argparse.Namespace) -> Iterator[tuple]: warnings.warn( - "--iis is deprecated in favor of --webserver-logs and will be removed in acquire ???", + "--iis is deprecated in favor of --webserver-logs and will be removed in acquire 3.22", DeprecationWarning, stacklevel=2, ) From aae4b6a4db13e4a21ab4a7ba7a928479f096ddca Mon Sep 17 00:00:00 2001 From: qmadev <190383216+qmadev@users.noreply.github.com> Date: Wed, 19 Nov 2025 16:22:13 +0100 Subject: [PATCH 08/10] Update acquire/acquire.py Co-authored-by: twiggler <12800443+twiggler@users.noreply.github.com> --- acquire/acquire.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/acquire/acquire.py b/acquire/acquire.py index bea2ed5a..6c2d7da6 100644 --- a/acquire/acquire.py +++ b/acquire/acquire.py @@ -883,7 +883,7 @@ def get_spec_additions(cls, target: Target, cli_args: argparse.Namespace) -> Ite @register_module("--webserver-log") class WebserverLog(Module): - DESC = "Various webserver logs" + DESC = "Various webserver logs and configuration files" @classmethod def get_spec_additions(cls, target: Target, cli_args: argparse.Namespace) -> Iterator[tuple]: From 922446375db15e9a4d5aa9ae0a858199fd218ec4 Mon Sep 17 00:00:00 2001 From: qmadev <190383216+qmadev@users.noreply.github.com> Date: Mon, 24 Nov 2025 00:31:06 +0100 Subject: [PATCH 09/10] Update acquire/acquire.py Co-authored-by: Erik Schamper <1254028+Schamper@users.noreply.github.com> --- acquire/acquire.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/acquire/acquire.py b/acquire/acquire.py index 6c2d7da6..b19c9a2a 100644 --- a/acquire/acquire.py +++ b/acquire/acquire.py @@ -881,8 +881,8 @@ def get_spec_additions(cls, target: Target, cli_args: argparse.Namespace) -> Ite return WebserverLog.get_spec_additions(cls, target, cli_args) -@register_module("--webserver-log") -class WebserverLog(Module): +@register_module("--webserver") +class Webserver(Module): DESC = "Various webserver logs and configuration files" @classmethod From e06ac425c92bb00514734f88e6213824d0440062 Mon Sep 17 00:00:00 2001 From: qmadev <190383216+qmadev@users.noreply.github.com> Date: Thu, 4 Dec 2025 16:41:25 +0100 Subject: [PATCH 10/10] Process feedback --- acquire/acquire.py | 4 ++-- pyproject.toml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/acquire/acquire.py b/acquire/acquire.py index b19c9a2a..bfdcd85b 100644 --- a/acquire/acquire.py +++ b/acquire/acquire.py @@ -17,7 +17,7 @@ import urllib.request import warnings from collections import defaultdict -from itertools import chain, product +from itertools import product from pathlib import Path from typing import TYPE_CHECKING, BinaryIO, NamedTuple, NoReturn @@ -878,7 +878,7 @@ def get_spec_additions(cls, target: Target, cli_args: argparse.Namespace) -> Ite DeprecationWarning, stacklevel=2, ) - return WebserverLog.get_spec_additions(cls, target, cli_args) + return Webserver.get_spec_additions(cls, target, cli_args) @register_module("--webserver") diff --git a/pyproject.toml b/pyproject.toml index 36d7e334..9032ab7f 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -26,7 +26,7 @@ classifiers = [ ] dependencies = [ "dissect.cstruct>=4,<5", - "dissect.target>=3.24,<4", + "dissect.target>=3.25.dev,<4", # TODO: update on release ] dynamic = ["version"] @@ -47,7 +47,7 @@ full = [ dev = [ "acquire[full]", "dissect.cstruct>=4.0.dev,<5.0.dev", - "dissect.target[dev]>=3.24.dev,<4.0.dev", + "dissect.target[dev]>=3.25.dev,<4.0.dev", ] [dependency-groups]