@qmadev
Contributor

qmadev commented Oct 1, 2025

Doing this does not work:

(dissect.target) $ tar -xvf MSEDGEWIN10_20220708124036.tar

# Before changes
(dissect.target) $ target-query -f hostname,domain,ips,version fs                                                             [4:58:57]
2025-10-01T02:59:14.990461Z [warning  ] <Target fs>: Failed to find OS plugin, falling back to default [dissect.target.target]
<Target fs> None [] None

# After changes
(dissect.target) $ target-query -f hostname,domain,ips,version fs                                                             [5:01:58]
2025-10-01T03:02:02.396263Z [warning  ] <Target fs>: Unknown drive letter for sysvol [dissect.target.target]
<Target fs> MSEDGEWIN10 ['192.168.150.128'] Windows 10 Enterprise Evaluation (NT 10.0) 17763.379

This PR adds a fix for that. The reason seems to be that Acquire still has both a "windows" and "Windows" folder.

@Miauwkeru
Contributor

Hello @qmadev, the change you submitted will not fix the underlying issue that you are experiencing. One reason would be that this change will make it path specific, where a change inside of the path name will result in dissect not being able to find a specific file. E.g. not being able to find windows/system32 while Windows/System32 exists.

The proper fix for this issue is handling the case sensitivity inside the DirLoader, where it should "merge" the contents of folders that have the same name if case sensitivity is false (that is, it is case insensitive). E.g. merging sysvol/windows and sysvol/Windows if both of them exist.

@qmadev
Contributor Author

qmadev commented Oct 29, 2025

I'm confused. Is this not handling the case sensitivity in the dir loader?

@Miauwkeru
Contributor

> I'm confused. Is this not handling the case sensitivity in the dir loader?

No, the change makes the filesystem case sensitive, so a file named File and file would be two different files.
Windows systems are usually case insensitive, so asking to read the contents of File or file will result in the same data.

What one would expect from targeting the resulting acquire directory is that you would have similar behaviour as the tar loader.

So using ls on sysvol/windows would yield all the entries of the combined sysvol/windows and sysvol/Windows folder:

target-shell fs
$ ls sysvol/windows
PFRO.log
Temp
appcompat
inf
prefetch
serviceprofiles
system32
tasks

However, the current fix doesn't do this and you get part of the result. For example, the directory sysvol/windows/Temp would be missing.

From some debugging, I feel it might be going wrong inside the DirFilesystem with not being able to handle multiple matches for the same entry (e.g. Windows):

if not match or len(match) > 1:
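
An added illustration of the merge behaviour described in the comment above; it is not dissect.target code and not part of the thread. It is a stand-alone sketch using only the Python standard library: `resolve_all`, `merged_listdir` and `build_sample_tree` are hypothetical names, and the directory tree is constructed sample data. Instead of rejecting multiple matches for one path component, it keeps every case-insensitive match and lists the union of their contents.

```python
import os
import tempfile


def resolve_all(root, path):
    """Return every on-disk entry that matches `path` when case is ignored."""
    matches = [root]
    for part in filter(None, path.split("/")):
        # Keep all case variants of this component, not just a single match.
        matches = [
            os.path.join(base, name)
            for base in matches if os.path.isdir(base)
            for name in os.listdir(base)
            if name.casefold() == part.casefold()
        ]
    return sorted(matches)


def merged_listdir(root, path):
    """List `path` as the union of all directories that differ only by case."""
    matches = [m for m in resolve_all(root, path) if os.path.isdir(m)]
    if not matches:
        raise FileNotFoundError(path)
    seen = {}  # casefolded name -> first spelling seen
    for directory in matches:
        for name in os.listdir(directory):
            seen.setdefault(name.casefold(), name)
    return sorted(seen.values(), key=str.casefold)


def build_sample_tree(root):
    """Constructed sample: an unpacked collection holding both case variants."""
    for rel in ("sysvol/windows/system32", "sysvol/windows/prefetch",
                "sysvol/Windows/Temp", "sysvol/Windows/System32/config"):
        os.makedirs(os.path.join(root, *rel.split("/")), exist_ok=True)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        print(resolve_all(root, "sysvol/windows"))     # both variants on a case-sensitive host
        print(merged_listdir(root, "sysvol/windows"))  # union of both directories
```

On a case-insensitive host filesystem the two sample directories collapse into one on creation, and the merged listing is the same.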

@qmadev
Contributor Author

qmadev commented Oct 30, 2025

Thanks! Starting to understand it a little bit better now. Will look into this further soon.

@qmadev
Contributor Author

qmadev commented Nov 2, 2025

I thought about it. Having trouble with merging the paths. Any suggestions?

Development

Successfully merging this pull request may close these issues.

Add support for unarchived Acquire directories