From 658d4fc0d650c30a1f9ffe4c346c9b29cf424e18 Mon Sep 17 00:00:00 2001
From: Stanislav Golovanov
Date: Fri, 18 Oct 2024 13:31:46 +0300
Subject: [PATCH 1/2] Fix AttributeError in syscache plugin
---
 dissect/target/plugins/os/windows/syscache.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/dissect/target/plugins/os/windows/syscache.py b/dissect/target/plugins/os/windows/syscache.py
index 689be227b..9bc658a53 100644
--- a/dissect/target/plugins/os/windows/syscache.py
+++ b/dissect/target/plugins/os/windows/syscache.py
@@ -77,7 +77,8 @@ def syscache(self) -> Iterator[SyscacheRecord]:
 full_path = None
 if mft:
 try:
- full_path = self.target.fs.path("\\".join(["sysvol", mft.mft(file_segment).fullpath()]))
+ if path := mft(file_segment).full_path():
+ full_path = self.target.fs.path("\\".join(["sysvol", path]))
 except ntfs.Error:
 pass

From 6b8691d001cab4b86e57872f3bac0475c8d8bc5f Mon Sep 17 00:00:00 2001
From: Stanislav Golovanov
Date: Tue, 29 Oct 2024 23:14:53 +0300
Subject: [PATCH 2/2] Add test for AttributeError in syscache plugin
---
 .../os/windows/syscache/Syscache-mft.hve | 3 +++
 tests/plugins/os/windows/test_syscache.py | 22 +++++++++++++++++++
 2 files changed, 25 insertions(+)
 create mode 100644 tests/_data/plugins/os/windows/syscache/Syscache-mft.hve
diff --git a/tests/_data/plugins/os/windows/syscache/Syscache-mft.hve b/tests/_data/plugins/os/windows/syscache/Syscache-mft.hve
new file mode 100644
index 000000000..223626d19
--- /dev/null
+++ b/tests/_data/plugins/os/windows/syscache/Syscache-mft.hve
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:e80985a82a3edb23f802148e5eee1a6c462acf5e5a663c80393c9b7ef4a7b11d
+size 786432
diff --git a/tests/plugins/os/windows/test_syscache.py b/tests/plugins/os/windows/test_syscache.py
index 5efd60a8f..69e7231d6 100644
--- a/tests/plugins/os/windows/test_syscache.py
+++ b/tests/plugins/os/windows/test_syscache.py
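Review bot: In the `@@ -77,7 +77,8 @@` hunk of dissect/target/plugins/os/windows/syscache.py, a record whose path stays `None` is now ambiguous: the lookup may have raised `ntfs.Error` (still swallowed by the bare `pass`), `full_path()` may have returned nothing, or no MFT was available. For an evidence-parsing plugin that difference matters, so I would keep the failure visible with `except ntfs.Error as e:` followed by `self.target.log.debug("Unable to resolve MFT segment %d", file_segment, exc_info=e)`. A short comment above the `if path := ...` line should also say that the path comes from the MFT as it exists at acquisition time. If the sequence number of the file reference is not compared elsewhere in `syscache()` (not visible here), a reused MFT record would yield the path of a different file. The body of `syscache()` starts and ends outside this hunk.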
@@ -1,3 +1,4 @@
+from dissect.target.filesystems.ntfs import NtfsFilesystem
 from dissect.target.plugins.os.windows.syscache import SyscachePlugin
 from tests._utils import absolute_path
@@ -10,3 +11,24 @@ def test_syscache_plugin(target_win, fs_win):
 results = list(target_win.syscache())
 assert len(results) == 401
+
+
+def test_syscache_plugin_real_mft(target_win, fs_win):
+ filesystem = NtfsFilesystem(mft=open(absolute_path("_data/plugins/filesystem/ntfs/mft/mft.raw"), "rb"))
+
+ # We need to change the type of the mocked filesystem, since syscache.py checks for explicit value
+ target_win.fs.mounts["sysvol"].__type__ = "ntfs"
+ target_win.fs.mounts["sysvol"].ntfs = filesystem.ntfs
+
+ syscache_file = absolute_path("_data/plugins/os/windows/syscache/Syscache-mft.hve")
+ fs_win.map_file("System Volume Information/Syscache.hve", syscache_file)
+
+ target_win.add_plugin(SyscachePlugin)
+
+ results = list(target_win.syscache())
+ assert len(results) == 401
+
+ filepaths = [entry.path for entry in results]
+ assert filepaths.count(None) == 399
+ assert "sysvol\\NamelessDirectory\\totally_normal.txt" in filepaths
+ assert "sysvol\\text_document.txt" in filepaths
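Review bot: In `test_syscache_plugin_real_mft` the handle from `open(absolute_path("_data/plugins/filesystem/ntfs/mft/mft.raw"), "rb")` is never closed, so the test leaks a file descriptor and can emit a ResourceWarning. Open it with `with open(absolute_path("_data/plugins/filesystem/ntfs/mft/mft.raw"), "rb") as mft_fh:` and build `filesystem = NtfsFilesystem(mft=mft_fh)`, keeping the rest of the test body inside that block so the MFT is still readable while `syscache()` is consumed. The assertion `filepaths.count(None) == 399` would also benefit from a one-line comment saying why only two of the 401 entries are expected to resolve against this `mft.raw`. Without it, a later regression that silently drops lookups would look like intended behaviour.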