mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-06 21:00:22 +00:00
Code Issues Packages Projects Releases Wiki Activity

updates to tskdbdiff.py for EFE

Browse Source
This commit is contained in:
Greg DiCristofaro 2021-05-28 08:14:18 -04:00
parent 998c86439a
commit 1d13edfc24
1 changed files with 3 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
test/script/tskdbdiff.py
View File

@ -924,13 +924,9 @@ def normalize_tsk_files_path(guid_util: TskGuidUtils, row: Dict[str, any]) -> Di
if module_output_idx >= 0: if module_output_idx >= 0:
# remove everything up to and including ModuleOutput if ModuleOutput present # remove everything up to and including ModuleOutput if ModuleOutput present
path_parts = path_parts[module_output_idx:] path_parts = path_parts[module_output_idx:]
if len(path_parts) > 1 and path_parts[1] == 'Embedded File Extractor': if len(path_parts) > 2 and path_parts[1] == 'EFE':
# Takes a folder like ModuleOutput\Embedded File Extractor/f_000168_4435\f_000168 # for embedded file extractor, the next folder is the object id and should be omitted
# and fixes the folder after 'Embedded File Extractor', 'f_000168_4435' to remove the last number del path_parts[2]
# to become 'f_000168'
match = re.match(r'^(.+?)_\d*$', path_parts[2])
if match:
path_parts[2] = match.group(1)
row_copy['path'] = os.path.join(*path_parts) if len(path_parts) > 0 else '/' row_copy['path'] = os.path.join(*path_parts) if len(path_parts) > 0 else '/'