IPED icon indicating copy to clipboard operation
IPED copied to clipboard

Search in the case and add a link for files referenced by Google Drive database

Open hauck-jvsh opened this issue 1 year ago • 2 comments

Google drive has a sqlite database with the name of the files and its MD5 hash. Files are used cached with a generic name. A parser should create a table with the file name its hash and possibly a link to the actual file if presented in the extraction.

hauck-jvsh avatar Dec 06 '23 17:12 hauck-jvsh

This parser already exists, it was implemented by @mbichara on #267. Its current location is in iped.parsers.gdrive package.

It already does a look up in our CSAM database and tags matched hashes.

But it doesn't search for files in the case neither creates links to them. So, instead of closing this as duplicate, I'll update the title to track the implementation of the linking feature.

lfcnassif avatar Dec 06 '23 18:12 lfcnassif

Maybe Sqlite Parser could also be changed to do this hash linking in a more generic way to link found files. Sqlparser split PR also implements timestamp and locations extraction based on correlated column names.

patrickdalla avatar Dec 07 '23 10:12 patrickdalla