From 45268e4397884a4c38d99c9d7ac3a168141784ed Mon Sep 17 00:00:00 2001
From: "U-BASIS\\dsmyda"
Date: Fri, 26 Oct 2018 15:24:52 -0400
Subject: [PATCH 1/2] Removed zip bomb detection via compression ratio heuristic on unallocated files
---
 .../modules/embeddedfileextractor/SevenZipExtractor.java | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/Core/src/org/sleuthkit/autopsy/modules/embeddedfileextractor/SevenZipExtractor.java b/Core/src/org/sleuthkit/autopsy/modules/embeddedfileextractor/SevenZipExtractor.java
index 704bdac4f8..ba40670bac 100644
--- a/Core/src/org/sleuthkit/autopsy/modules/embeddedfileextractor/SevenZipExtractor.java
+++ b/Core/src/org/sleuthkit/autopsy/modules/embeddedfileextractor/SevenZipExtractor.java
@@ -180,6 +180,15 @@ class SevenZipExtractor {
 * @return true if potential zip bomb, false otherwise
 */
 private boolean isZipBombArchiveItemCheck(AbstractFile archiveFile, ISevenZipInArchive inArchive, int inArchiveItemIndex, ConcurrentHashMap depthMap, String escapedFilePath) {
+ //If a file is corrupted as a result of reconstructing it from unallocated space, then
+ //7zip does a poor job estimating the original uncompressed file size.
+ //As a result, many corrupted files have wonky compression ratios and could flood the UI
+ //with false zip bomb notifications. The decision was made to skip compression ratio checks
+ //for unallocated zip files. Instead, we let the depth be an indicator of a zip bomb.
+ if(archiveFile.isMetaFlagSet(TskData.TSK_FS_META_FLAG_ENUM.UNALLOC)) {
+ return false;
+ }
+
 try {
 final Long archiveItemSize = (Long) inArchive.getProperty(
 inArchiveItemIndex, PropID.SIZE);
From 0eb61e552039ae9ef2c066862a7b3822da8b5124 Mon Sep 17 00:00:00 2001
From: "U-BASIS\\dsmyda"
Date: Mon, 29 Oct 2018 08:46:40 -0400
Subject: [PATCH 2/2] Removed useless log message from extractor code
---
 .../autopsy/modules/embeddedfileextractor/SevenZipExtractor.java | 1 -
 1 file changed, 1 deletion(-)
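Review bot: The early `return false;` at the top of isZipBombArchiveItemCheck skips the entire remainder of the method, so if the depth-based indicator the comment relies on is evaluated later in this same method (its body continues outside the hunk), unallocated archives lose all zip-bomb detection rather than only the compression-ratio heuristic, which widens the detection gap for carved archives. Scoping the bypass to the ratio comparison avoids that, e.g. `final boolean skipRatioCheck = archiveFile.isMetaFlagSet(TskData.TSK_FS_META_FLAG_ENUM.UNALLOC);` declared here and consulted only where the ratio is compared against its threshold. The Javadoc directly above (`@return true if potential zip bomb, false otherwise`) should also record the new exemption, e.g. `* Archive items carved from unallocated space are never flagged by the compression-ratio heuristic because 7zip's uncompressed-size estimate is unreliable for them.` Minor style point: `if(` should be `if (` to match the surrounding code.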
diff --git a/Core/src/org/sleuthkit/autopsy/modules/embeddedfileextractor/SevenZipExtractor.java b/Core/src/org/sleuthkit/autopsy/modules/embeddedfileextractor/SevenZipExtractor.java
index ba40670bac..39e428d233 100644
--- a/Core/src/org/sleuthkit/autopsy/modules/embeddedfileextractor/SevenZipExtractor.java
+++ b/Core/src/org/sleuthkit/autopsy/modules/embeddedfileextractor/SevenZipExtractor.java
@@ -549,7 +549,6 @@ class SevenZipExtractor {
 inArchive = SevenZip.openInArchive(options, stream, password);
 }
 numItems = inArchive.getNumberOfItems();
- logger.log(Level.INFO, "Count of items in archive: {0}: {1}", new Object[]{escapedArchiveFilePath, numItems}); //NON-NLS
 progress.start(numItems);
 progressStarted = true;