From 49f45682d5f5f6d373759747f4e5ee33fac857e6 Mon Sep 17 00:00:00 2001
From: Tessa Walsh
Date: Sun, 15 Dec 2024 10:59:54 -0500
Subject: [PATCH 1/3] Add --disable_carvers option to disable BE file carving
---
 brunnhilde.py | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
diff --git a/brunnhilde.py b/brunnhilde.py
index db7d395..cc91b3f 100644
--- a/brunnhilde.py
+++ b/brunnhilde.py
@@ -240,6 +240,28 @@ def run_bulk_extractor(args, source_dir, ssn_mode):
 if args.regex:
 cmd.insert(1, "-F")
 cmd.insert(2, args.regex)
+
+ carve_mode_flags = [
+ "evtx_carved_carve_mode=0",
+ "jpeg_carve_mode=0",
+ "kml_carved_carve_mode=0",
+ "ntfsindx_carved_carve_mode=0",
+ "ntfslogfile_carved_carve_mode=0",
+ "ntfsmft_carved_carve_mode=0",
+ "ntfsusn_carved_carve_mode=0",
+ "rar_carve_mode=0",
+ "sqlite_carved_carve_mode=0",
+ "unrar_carved_carve_mode=0",
+ "utmp_carved_carve_mode=0",
+ "vcard_carve_mode=0",
+ "winpe_carved_carve_mode=0",
+ "zip_carve_mode=0"
+ ]
+ if args.disable_carvers:
+ for carve_flag in carve_mode_flags:
+ cmd.insert(3, "-S")
+ cmd.insert(4, carve_flag)
+
 try:
 if sys.version_info > (3, 0):
 log_file = open(bulk_extractor_log, "w", encoding="utf-8")
@@ -1065,6 +1087,11 @@ def _make_parser():
 action="store",
 type=int,
 )
+ parser.add_argument(
+ "--disable_carvers",
+ help="Disable Bulk Extractor file carvers",
+ action="store_true",
+ )
 parser.add_argument("--regex", help="Specify path to regex file", action="store")
 parser.add_argument(
 "-d",
From 9eeaadb6abd4ffd6409eb3336c2e944973e90488 Mon Sep 17 00:00:00 2001
From: Tessa Walsh
Date: Sun, 15 Dec 2024 11:08:46 -0500
Subject: [PATCH 2/3] Add docs and bump version to 1.9.7
---
 .github/workflows/test.yml | 2 +-
 README.md | 3 +++
 brunnhilde.py | 2 +-
 setup.py | 9 ++++-----
 4 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 3847bd0..99756f3 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
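Review bot: The `cmd.insert(3, "-S")` / `cmd.insert(4, carve_flag)` pair inside the `if args.disable_carvers:` loop pins every flag to a fixed position that is only meaningful if the part of `cmd` built before this hunk always has at least three leading elements (run_bulk_extractor starts outside the hunk, so that cannot be confirmed here), and inserting at the same index on each iteration also reverses the flag order relative to `carve_mode_flags`, which is harmless for bulk_extractor but confusing when reading the resulting command. Collecting the pairs once and splicing them in keeps the order and the index arithmetic in one place: `carve_args = []`, `for flag in carve_mode_flags: carve_args += ["-S", flag]`, `cmd[3:3] = carve_args`. Moving `carve_mode_flags` under the `if` (or to a module-level constant) would also stop the list being rebuilt on every call when carving stays enabled. The scanner parameter names are not verifiable from the hunk; a one-line comment recording which bulk_extractor release they were checked against, e.g. `# carve_mode parameter names verified against bulk_extractor <version placeholder>`, would help whoever has to maintain the list, since scanner parameter names can change between releases.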
@@ -12,7 +12,7 @@ jobs:
 runs-on: ubuntu-latest
 strategy:
 matrix:
- python-version: ["3.8", "3.9", "3.10"]
+ python-version: ["3.8", "3.9", "3.10", "3.11"]
 steps:
 - name: Check out repository
 uses: "actions/checkout@v2"
diff --git a/README.md b/README.md
index bbadee6..d63461b 100644
--- a/README.md
+++ b/README.md
@@ -76,6 +76,7 @@ optional arguments:
 (recovers all files by default)
 -b, --bulkextractor Run Bulk Extractor on source
 --ssn_mode SSN_MODE Specify ssn_mode for Bulk Extractor (0, 1, or 2)
+ --disable_carvers Disable Bulk Extractor file carvers
 --regex REGEX Specify path to regex file
 -d, --diskimage Use disk image instead of dir as input
 (Linux and macOS only)
@@ -217,6 +218,8 @@ SSN recognition: you are now able to specify one of three SSN recognition modes:
 -S ssn_mode=2 No dashes required. Allow any 9-digit number that matches SSN allocation range.
 ```
+In Brunnhilde 1.9.7+, pass "--disable_carvers" instruct bulk_extractor to disable file carving.
+
 ### Using disk images as input
 In `-d` mode, Brunnhilde uses SleuthKit's tsk_recover to export files from a disk image into a "carved files" directory for analysis. This works with raw images by default. In BitCurator or any other environment where libewf has been compiled into SleuthKit, Brunnhilde's -d mode also supports forensic disk image formats, including aff and ewf (E01). Due to the limitations of SleuthKit, Brunnhilde does not yet support characterizing disks that use the UDF filesystem.
diff --git a/brunnhilde.py b/brunnhilde.py
index cc91b3f..9ff3149 100644
--- a/brunnhilde.py
+++ b/brunnhilde.py
@@ -34,7 +34,7 @@ import sys
-BRUNNHILDE_VERSION = "brunnhilde 1.9.6"
+BRUNNHILDE_VERSION = "brunnhilde 1.9.7"
 CSS = """
 body {
diff --git a/setup.py b/setup.py
index 0dcae03..5e8927b 100644
--- a/setup.py
+++ b/setup.py
@@ -2,7 +2,7 @@
 setup(
 name="brunnhilde",
- version="1.9.6",
+ version="1.9.7",
 url="https://github.com/tw4l/brunnhilde",
 author="Tessa Walsh",
 author_email="tessa@bitarchivist.net",
@@ -23,11 +23,10 @@
 "Operating System :: MacOS :: MacOS X",
 "Operating System :: POSIX :: Linux",
 "Operating System :: Microsoft :: Windows",
- "Programming Language :: Python :: 2.7",
- "Programming Language :: Python :: 3.5",
- "Programming Language :: Python :: 3.6",
- "Programming Language :: Python :: 3.7",
 "Programming Language :: Python :: 3.8",
+ "Programming Language :: Python :: 3.9",
+ "Programming Language :: Python :: 3.10",
+ "Programming Language :: Python :: 3.11",
 "Topic :: System :: Archiving",
 "Topic :: System :: Filesystems",
 "Topic :: Utilities",
From 81a84c62ab01d252e1a935efc02cd1a4679227a7 Mon Sep 17 00:00:00 2001
From: Tessa Walsh
Date: Sun, 15 Dec 2024 11:10:30 -0500
Subject: [PATCH 3/3] Add older Python versions back to classifiers
---
 setup.py | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/setup.py b/setup.py
index 5e8927b..6f2d6d3 100644
--- a/setup.py
+++ b/setup.py
@@ -23,6 +23,10 @@
 "Operating System :: MacOS :: MacOS X",
 "Operating System :: POSIX :: Linux",
 "Operating System :: Microsoft :: Windows",
+ "Programming Language :: Python :: 2.7",
+ "Programming Language :: Python :: 3.5",
+ "Programming Language :: Python :: 3.6",
+ "Programming Language :: Python :: 3.7",
 "Programming Language :: Python :: 3.8",
 "Programming Language :: Python :: 3.9",
 "Programming Language :: Python :: 3.10",