diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 3847bd0..99756f3 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -12,7 +12,7 @@ jobs:
 runs-on: ubuntu-latest
 strategy:
 matrix:
- python-version: ["3.8", "3.9", "3.10"]
+ python-version: ["3.8", "3.9", "3.10", "3.11"]
 steps:
 - name: Check out repository
 uses: "actions/checkout@v2"
diff --git a/README.md b/README.md
index bbadee6..d63461b 100644
--- a/README.md
+++ b/README.md
@@ -76,6 +76,7 @@ optional arguments:
 (recovers all files by default)
 -b, --bulkextractor Run Bulk Extractor on source
 --ssn_mode SSN_MODE Specify ssn_mode for Bulk Extractor (0, 1, or 2)
+ --disable_carvers Disable Bulk Extractor file carvers
 --regex REGEX Specify path to regex file
 -d, --diskimage Use disk image instead of dir as input (Linux and macOS only)
@@ -217,6 +218,8 @@ SSN recognition: you are now able to specify one of three SSN recognition modes:
 -S ssn_mode=2 No dashes required. Allow any 9-digit number that matches SSN allocation range.
 ```
+In Brunnhilde 1.9.7+, pass "--disable_carvers" instruct bulk_extractor to disable file carving.
+
 ### Using disk images as input
 In `-d` mode, Brunnhilde uses SleuthKit's tsk_recover to export files from a disk image into a "carved files" directory for analysis. This works with raw images by default. In BitCurator or any other environment where libewf has been compiled into SleuthKit, Brunnhilde's -d mode also supports forensic disk image formats, including aff and ewf (E01). Due to the limitations of SleuthKit, Brunnhilde does not yet support characterizing disks that use the UDF filesystem.
diff --git a/brunnhilde.py b/brunnhilde.py
index db7d395..9ff3149 100644
--- a/brunnhilde.py
+++ b/brunnhilde.py
@@ -34,7 +34,7 @@
 import sys
-BRUNNHILDE_VERSION = "brunnhilde 1.9.6"
+BRUNNHILDE_VERSION = "brunnhilde 1.9.7"
 CSS = """
 body {
@@ -240,6 +240,28 @@ def run_bulk_extractor(args, source_dir, ssn_mode):
 if args.regex:
 cmd.insert(1, "-F")
 cmd.insert(2, args.regex)
+
+ carve_mode_flags = [
+ "evtx_carved_carve_mode=0",
+ "jpeg_carve_mode=0",
+ "kml_carved_carve_mode=0",
+ "ntfsindx_carved_carve_mode=0",
+ "ntfslogfile_carved_carve_mode=0",
+ "ntfsmft_carved_carve_mode=0",
+ "ntfsusn_carved_carve_mode=0",
+ "rar_carve_mode=0",
+ "sqlite_carved_carve_mode=0",
+ "unrar_carved_carve_mode=0",
+ "utmp_carved_carve_mode=0",
+ "vcard_carve_mode=0",
+ "winpe_carved_carve_mode=0",
+ "zip_carve_mode=0"
+ ]
+ if args.disable_carvers:
+ for carve_flag in carve_mode_flags:
+ cmd.insert(3, "-S")
+ cmd.insert(4, carve_flag)
+
 try:
 if sys.version_info > (3, 0):
 log_file = open(bulk_extractor_log, "w", encoding="utf-8")
@@ -1065,6 +1087,11 @@ def _make_parser():
 action="store",
 type=int,
 )
+ parser.add_argument(
+ "--disable_carvers",
+ help="Disable Bulk Extractor file carvers",
+ action="store_true",
+ )
 parser.add_argument("--regex", help="Specify path to regex file", action="store")
 parser.add_argument(
 "-d",
diff --git a/setup.py b/setup.py
index 0dcae03..6f2d6d3 100644
--- a/setup.py
+++ b/setup.py
@@ -2,7 +2,7 @@
 setup(
 name="brunnhilde",
- version="1.9.6",
+ version="1.9.7",
 url="https://github.com/tw4l/brunnhilde",
 author="Tessa Walsh",
 author_email="tessa@bitarchivist.net",
@@ -28,6 +28,9 @@
 "Programming Language :: Python :: 3.6",
 "Programming Language :: Python :: 3.7",
 "Programming Language :: Python :: 3.8",
+ "Programming Language :: Python :: 3.9",
+ "Programming Language :: Python :: 3.10",
+ "Programming Language :: Python :: 3.11",
 "Topic :: System :: Archiving",
 "Topic :: System :: Filesystems",
 "Topic :: Utilities",
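Review bot: The `cmd.insert(3, "-S")` / `cmd.insert(4, carve_flag)` pair in the `args.disable_carvers` loop hard-codes the splice position, so its correctness depends on how `cmd` is laid out before this hunk — the existing `-F`/regex insert at indices 1 and 2 suggests option/value pairs start at index 1, but that is inferred, because `run_bulk_extractor` starts before and ends after the hunk. If a later change puts a different option or a positional argument at that offset, the `-S` tokens would land between an existing option and its value and bulk_extractor would be invoked with a mangled command line rather than an error. The loop also ends up emitting the pairs in reverse declaration order (each new pair is inserted in front of the previous one), which is harmless but surprising; a single splice keeps the order and states the assumption: `# splice after the leading option/value pairs; cmd layout is fixed above` followed by `cmd[3:3] = [tok for flag in carve_mode_flags for tok in ("-S", flag)]`. The list itself is rebuilt on every call even when carving stays enabled and would read better as a module-level constant beside `BRUNNHILDE_VERSION`, with a comment such as `# bulk_extractor scanners that carve files; the *_carve_mode=0 settings turn carving off per scanner`.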