Not detecting windows when applying tar loader

[AlonHaviv1]

I've encountered an issue where windows OS plugin wouldn't load when loading from tar.
Following my investigation I have found the issue is resulting of confusion between the loader and windows os plugin:

dissect.target/dissect/target/plugins/os/windows/_os.py

Lines 39 to 42 in aab863c

	def detect(cls, target: Target) -> Filesystem | None:
	for fs in target.filesystems:
	if fs.exists("/windows/system32") or fs.exists("/winnt"):
	return fs

The windows here is lower case, contrasting the real folder name, which is Windows.

In tar loader, when the tar is not from acquire the filesystem will load with case_sensitive=True flag:

dissect.target/dissect/target/loaders/tar.py

Lines 53 to 59 in aab863c

	if not member.name.startswith(("/fs/", "fs/", "/sysvol/", "sysvol/")):
	# Not an acquire tar
	if "/" not in volumes:
	vol = filesystem.VirtualFilesystem(case_sensitive=True)
	vol.tar = self.tar
	volumes["/"] = vol
	target.filesystems.add(vol)

Therefore, there is a contradiction between those.

I would love to open a PR to fix that, but I'm not sure if any change will break other loaders that rely on that condition.

[Miauwkeru]

Hello @AlonHaviv1 thanks for bringing this issue to us.
I have looked into it, and think that changing the default to case_sensitive=False inside the tar loader wouldn't be the best solution as it would also impact those tar files that need to be case sensitive. E.g. information that was on a unix like filesystem.
The reason we use lower case for most windows systems, is because their filesystems are usually case insensitive.
I couldn't quickly identify another workaround within the dissect tooling, so this will be taken up when time allows.

You could however untar it, move everything under a fs/sysvol directory and tar it again. If you do that, the target-* tooling should pick it up.

If you have another suggestion or question please feel free to share.

[AlonHaviv1]

Could you give an example where changing the detection of windows to "Windows" would break loaders?

[Miauwkeru]

Could you give an example where changing the detection of windows to "Windows" would break loaders?

I interpreted your change as a change in the case sensitive nature of the loader. However, it seems you mean a change in the os plugin, right?

I am afraid the change in the os plugin wouldn't end at only changing the windows to Windows. In your case, every path inside your tar file would be interpreted in a case sensitive manner. So none of the plugins will function as intended for windows systems as it expects case insensitive paths for windows filesystems.

as an example, the TasksPlugin wouldn't work as all of its paths are in lowercase, so while trying to find, for example sysvol/windows/system32, it wouldn't be able to find that path inside your tar due to the case_sensitive=True that gets set inside the TarLoader.