fix: skip unallocated files and slack space

lxndrblz · Jun 29, 2021 · f5cfc8d · f5cfc8d
1 parent d0abfb2
commit f5cfc8d
Showing 1 changed file with 7 additions and 3 deletions.
diff --git a/Forensicsim_Parser.py b/Forensicsim_Parser.py
@@ -59,6 +59,7 @@
 from org.sleuthkit.datamodel import BlackboardAttribute
 from org.sleuthkit.datamodel import CommunicationsManager
 from org.sleuthkit.datamodel import TskCoreException
+from org.sleuthkit.datamodel import TskData
 from org.sleuthkit.datamodel.Blackboard import BlackboardException
 from org.sleuthkit.datamodel.blackboardutils import CommunicationArtifactsHelper
 from org.sleuthkit.datamodel.blackboardutils.CommunicationArtifactsHelper import CallMediaType
@@ -179,6 +180,10 @@ def _extract(self, content, path):
             children = content.getChildren()
             for child in children:
                 child_name = child.getName()
+                # Skip any unallocated files
+                if child.isMetaFlagSet(TskData.TSK_FS_META_FLAG_ENUM.UNALLOC) or child.isDirNameFlagSet(
+                        TskData.TSK_FS_NAME_FLAG_ENUM.UNALLOC):
+                    continue
                 child_path = os.path.join(path, child_name)
                 # ignore relative paths
                 if child_name == "." or child_name == "..":
@@ -537,9 +542,8 @@ def process(self, data_source, progress_bar):
 
         file_manager = Case.getCurrentCase().getServices().getFileManager()
         directory = "https_teams.microsoft.com_0.indexeddb.leveldb"
-        # AppData/Roaming/Microsoft/Teams/IndexedDB
-        parent_directory = "IndexedDB"
-        all_ms_teams_leveldbs = file_manager.findFiles(data_source, directory, parent_directory)
+
+        all_ms_teams_leveldbs = file_manager.findFiles(data_source, directory)
 
         # Loop over all the files. On a multi user account these could be multiple one.
         directories_to_process = len(all_ms_teams_leveldbs)