mstoeck3/autopsy-flatpak
1
0
Fork 0
mirror of https://github.com/overcuriousity/autopsy-flatpak.git synced 2025-07-12 07:56:16 +00:00
Code Issues Packages Projects Releases Wiki Activity

Changed the tsk_event_decription other descriptions to have a place holder instead of artifactID

Browse Source
This commit is contained in:
Kelly Kelly 2021-01-11 11:12:47 -05:00
parent 6d3d1bdbd5
commit 267121aa40
1 changed files with 12 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

12
test/script/tskdbdiff.py
View File

@ -627,11 +627,23 @@ def normalize_db_entry(line, files_table, vs_parts_table, vs_info_table, fs_info
fields_list[4] = files_table[object_id] fields_list[4] = files_table[object_id]
if legacy_artifact_id != 'NULL' and legacy_artifact_id in artifact_table.keys(): if legacy_artifact_id != 'NULL' and legacy_artifact_id in artifact_table.keys():
fields_list[6] = artifact_table[legacy_artifact_id] fields_list[6] = artifact_table[legacy_artifact_id]
fields_list[1] = cleanupEventDescription(fields_list[1])
fields_list[2] = cleanupEventDescription(fields_list[2])
fields_list[3] = cleanupEventDescription(fields_list[3])
newLine = ('INSERT INTO "tsk_event_descriptions" VALUES(' + ','.join(fields_list[1:]) + ');') # remove report_id newLine = ('INSERT INTO "tsk_event_descriptions" VALUES(' + ','.join(fields_list[1:]) + ');') # remove report_id
return newLine return newLine
else: else:
return line return line
def cleanupEventDescription(description):
test = re.search("\D+:\d+", description)
if test is not None:
return re.sub(":\d+", ":<artifact_id>", description)
else:
return description
def getAssociatedArtifactType(cur, artifact_id, isMultiUser): def getAssociatedArtifactType(cur, artifact_id, isMultiUser):
if isMultiUser: if isMultiUser:
cur.execute("SELECT tsk_files.parent_path, blackboard_artifact_types.display_name FROM blackboard_artifact_types INNER JOIN blackboard_artifacts ON blackboard_artifact_types.artifact_type_id = blackboard_artifacts.artifact_type_id INNER JOIN tsk_files ON tsk_files.obj_id = blackboard_artifacts.obj_id WHERE artifact_id=%s",[artifact_id]) cur.execute("SELECT tsk_files.parent_path, blackboard_artifact_types.display_name FROM blackboard_artifact_types INNER JOIN blackboard_artifacts ON blackboard_artifact_types.artifact_type_id = blackboard_artifacts.artifact_type_id INNER JOIN tsk_files ON tsk_files.obj_id = blackboard_artifacts.obj_id WHERE artifact_id=%s",[artifact_id])