Yogesh Khatri (@swiftforensics)

Results 45 comments of Yogesh Khatri (@swiftforensics)

In my tests, it appears that the 0x1 may likely be an 'initial_xid'. Putting an initial_xid field before 'formatted_by' and removing the 'unknown' one after 'modified_by' fixes this. Now you...

Got more insight into the 0x1 value. It is not an xid at all. Those 8 bytes store the encryption flags. Bit0 = 1 = Not encrypted. For encrypted disks,...

This originates from a change in setuptools. As referenced here and several other places: [https://gitmemory.com/issue/pypa/setuptools/1963/573450730](https://gitmemory.com/issue/pypa/setuptools/1963/573450730) One workaround is to downgrade setuptools to an older version like so: `pip3 uninstall setuptools`...

The workaround suggested `--packages=PIL` results in this error:
```
WARNING: Mach-O header in '/Users/yogesh/Desktop/mac_apt/dist/mac_apt_artifact_only.app/Contents/Resources/lib/python3.8/PIL/.dylibs/liblcms2.2.dylib' may be too large to relocate
Traceback (most recent call last):
  File "build/setup-mac_apt_artifact_only.py", line 27, in...
```

Or have the search functions tweaked to always look for -wal and -journal files. This is probably easier.

I may be able to get to it before then. I'm going to try the second approach first, so we don't have to modify every single artifact module.

After giving it some thought, it would be best to handle this in regex and every module should take care of it. I will keep this open as I am...

There are several plugins that just process the first file found `files_found[0]`, which needs to be checked too.

Can you provide more details? Is the input a folder/zip/tar? Is the output also on a network drive? Are you accessing via drive letter or //server/folder path? Is your network...

In general, the project could use a lot more exception handling. I'm going to study this a bit more to try to reproduce and see what the most optimum solution...