fox-it · Schamper · Jan 30, 2025 · Jan 7, 2025 · Jan 9, 2025 · Jan 16, 2025
diff --git a/dissect/target/loaders/kape.py b/dissect/target/loaders/kape.py
@@ -1,8 +1,11 @@
 from __future__ import annotations
 
 from pathlib import Path
-from typing import TYPE_CHECKING
+from typing import TYPE_CHECKING, Iterator
 
+from dissect.target import filesystem, volume
+from dissect.target.containers.vhdx import VhdxContainer
+from dissect.target.filesystem import Filesystem
 from dissect.target.loaders.dir import DirLoader, find_and_map_dirs, find_dirs
 from dissect.target.plugin import OperatingSystem
 
@@ -15,6 +18,32 @@
 USNJRNL_PATHS = ["$Extend/$J", "$Extend/$UsnJrnl$J"]
 
 
+def open_vhdx(path: Path) -> Iterator[Filesystem]:
+    container = VhdxContainer(path)
+    volume_system = volume.open(container)
+    for vol in volume_system.volumes:
+        yield filesystem.open(vol)
+
+
+def is_valid_kape_dir(path: Path) -> bool:
+    os_type, dirs = find_dirs(path)
+    if os_type == OperatingSystem.WINDOWS:
+        for dir_path in dirs:
+            for path in USNJRNL_PATHS:
+                if dir_path.joinpath(path).exists():
+                    return True
+
+    return False
+
+
+def is_valid_kape_vhdx(path: Path) -> bool:
+    if path.suffix == ".vhdx":
+        for fs in open_vhdx(path):
+            return is_valid_kape_dir(fs.path())
+
+    return False
+
+
 class KapeLoader(DirLoader):
     """Load KAPE forensic image format files.
 
@@ -24,19 +53,17 @@
 
     @staticmethod
     def detect(path: Path) -> bool:
-        os_type, dirs = find_dirs(path)
-        if os_type == OperatingSystem.WINDOWS:
-            for dir_path in dirs:
-                for path in USNJRNL_PATHS:
-                    if dir_path.joinpath(path).exists():
-                        return True
-
-        return False
+        if path.is_dir():
+            return is_valid_kape_dir(path)
+        if path.suffix.lower() == ".vhdx":
+            return is_valid_kape_vhdx(path)
 
     def map(self, target: Target) -> None:
+        path = self.path if self.path.is_dir() else next(open_vhdx(self.path)).path()
+
         find_and_map_dirs(
             target,
-            self.path,
+            path,
             sds_path="$Secure_$SDS",
             usnjrnl_path=USNJRNL_PATHS,
         )
diff --git a/tests/_data/loaders/kape/test.vhdx b/tests/_data/loaders/kape/test.vhdx
diff --git a/tests/loaders/test_kape.py b/tests/loaders/test_kape.py
@@ -1,11 +1,13 @@
+from pathlib import Path
 from unittest.mock import patch
 
+from dissect.target import Target
 from dissect.target.loaders.kape import KapeLoader
 from tests._utils import absolute_path, mkdirs
 
 
 @patch("dissect.target.filesystems.dir.DirectoryFilesystem.ntfs", None, create=True)
-def test_kape_loader(target_bare, tmp_path):
+def test_kape_dir_loader(target_bare, tmp_path):
     root = tmp_path
     mkdirs(root, ["C/windows/system32", "C/$Extend", "D/test", "E/test"])
 
@@ -37,3 +39,16 @@ def test_kape_loader(target_bare, tmp_path):
     # The 3 found drive letters + sysvol + the fake NTFS filesystem at /$fs$
     assert len(target_bare.fs.mounts) == 5
     assert len(list(target_bare.fs.mounts["c:"].ntfs.usnjrnl.records())) == 1
+
+
+def test_kape_vhdx_loader(target_bare: Target) -> None:
+    p = Path(absolute_path("_data/loaders/kape/test.vhdx"))
+
+    assert KapeLoader.detect(p)
+
+    loader = KapeLoader(p)
+    loader.map(target_bare)
+    target_bare.apply()
+
+    assert "sysvol" in target_bare.fs.mounts
+    assert "c:" in target_bare.fs.mounts