ALEAPP
Zip/tar modes will not process -wal or -journal files for sqlite databases
The regex expressions that target a particular database will only extract that db from a zip/tar ignoring the accompanying -wal or -journal file, which will result in missing out on data. Currently only the Wellbeing (wellbeing.py) module does it correctly.
All other modules need to have their regex tweaked similarly and code adjusted to account for this.
Or have the search functions tweaked to always look for -wal and -journal files. This is probably easier.
I'll try to change the regex over the weekend. Will do a PR so we can test.
I may be able to get to it before then. I'm going to try the second approach first, so we don't have to modify every single artifact module.
After giving it some thought, it would be best to handle this in regex and every module should take care of it. I will keep this open as I am not sure if all modules are doing this correctly.
I agree. I was planning on addressing it as you described.
On Sat, May 23, 2020, 12:29 AM Yogesh Khatri (@swiftforensics) wrote:
After giving it some thought, it would be best to handle this in regex and every module should take care of it. I will keep this open as I am not sure if all modules are doing this correctly.
There are several plugins that just process the first file found (files_found[0]), which needs to be checked too.
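The problem discussed in this thread, as an added example that is not ALEAPP code: a search that pairs each matched database with its -wal, -journal and -shm entries, extracts them side by side, and returns the main database path explicitly instead of relying on the first file found. The function names, the archive paths and the `events` table are hypothetical, and the sample zip is constructed.

```python
import os, re, sqlite3, zipfile

SIDECARS = ("-wal", "-journal", "-shm")

def find_with_sidecars(names, db_regex):
    """Map each database entry matching db_regex to the sidecar entries present."""
    rx, present = re.compile(db_regex), set(names)
    return {n: [n + s for s in SIDECARS if n + s in present]
            for n in sorted(present)
            if rx.search(n) and not n.endswith(SIDECARS)}  # sidecars are never the main db

def extract_db(zip_path, db_regex, out_dir, sidecars=True):
    """Extract matching databases (plus sidecars) and return the main db paths."""
    with zipfile.ZipFile(zip_path) as zf:
        found = find_with_sidecars(zf.namelist(), db_regex)
        for db, extra in found.items():
            for member in [db] + (extra if sidecars else []):
                zf.extract(member, out_dir)  # same directory, so SQLite finds the WAL
    return [os.path.join(out_dir, db) for db in found]

def build_sample_zip(workdir):
    """Constructed sample: a WAL-mode database zipped before any checkpoint."""
    src = os.path.join(workdir, "app_usage")
    con = sqlite3.connect(src)
    con.execute("PRAGMA journal_mode=WAL")
    con.execute("CREATE TABLE events(id INTEGER PRIMARY KEY, pkg TEXT)")
    con.executemany("INSERT INTO events(pkg) VALUES (?)", [("a",), ("b",), ("c",)])
    con.commit()
    zip_path = os.path.join(workdir, "extraction.zip")
    with zipfile.ZipFile(zip_path, "w") as zf:  # copy while the WAL still holds the rows
        for suffix in ("",) + SIDECARS:
            if os.path.exists(src + suffix):
                zf.write(src + suffix, "data/databases/app_usage" + suffix)
    con.close()
    return zip_path

def count_rows(db_path):
    """Row count of the sample table, or None when the table is not visible."""
    con = sqlite3.connect(db_path)
    try:
        return con.execute("SELECT COUNT(*) FROM events").fetchone()[0]
    except sqlite3.OperationalError:
        return None
    finally:
        con.close()
```

Extracting the constructed zip with `sidecars=False` leaves a database in which the `events` table is not visible at all, while the default extraction recovers all three rows from the WAL.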