Usn reason timestamp #2231

Merged
merged 13 commits into from
May 27, 2024

patrickdalla
Collaborator

Closes #1503.

Member

@lfcnassif lfcnassif left a comment

Thanks @patrickdalla!

I think there are failing tests in UsnJrnlParserTest, could you update them?

@patrickdalla
Collaborator Author

sure

@lfcnassif
Member

Hi @patrickdalla, thanks for the unit test fixes.

Could you implement the ParserConfig.xml config files merging idea? So we would be able to turn records extraction on in forensic and pedo profiles without duplicating ParserConfig.xml into them.

@patrickdalla
Collaborator Author

patrickdalla commented May 27, 2024 via email

@lfcnassif
Member

There is already the ParsersConfig class in iped.engine.config package, it may be used for that.

@patrickdalla
Collaborator Author

patrickdalla commented May 27, 2024

Hi @lfcnassif. I have created the merging code for ParserConfig.xml from the profile. It completely replaces every parser tag that has the same class attribute in the default config with the one configured in the profile. As it was implemented, only changes and additions can be made (no removal).

It works in master and can be merged, but maybe I have to make some changes to avoid conflict in UI config, the branch in which I will start working now. There, as the user can use the UI to select which parsers to use (including removing some), I completely replace the ParserConfig. So, I will make some distinctions to indicate whether the config is to be merged or replaced completely. Maybe a simple attribute in the parsers tag. But I will change it in the UI config branch, right?
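
The merge rule described in the comment above, as an added example that is not part of the original thread or the project's own code: profile `parser` elements replace default ones with the same `class` attribute, unknown ones are appended, and nothing is removed. It is written in Python rather than the project's language; the class names, the `params`/`param` layout and the function names are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed sample configs; class names and <param> layout are assumptions.
DEFAULT_XML = """<parsers>
  <parser class="example.RegistryParser"/>
  <parser class="example.UsnJrnlParser">
    <params><param name="extractEntries" type="bool">false</param></params>
  </parser>
</parsers>"""

PROFILE_XML = """<parsers>
  <parser class="example.UsnJrnlParser">
    <params><param name="extractEntries" type="bool">true</param></params>
  </parser>
  <parser class="example.ExtraParser"/>
</parsers>"""


def merge_parser_configs(default_xml, profile_xml):
    """Return the default config tree with profile <parser> elements merged in."""
    merged = ET.fromstring(default_xml)
    profile = ET.fromstring(profile_xml)
    # Index the default parsers by their class attribute.
    by_class = {p.get("class"): p for p in merged.findall("parser")}
    for override in profile.findall("parser"):
        cls = override.get("class")
        if cls is None:
            raise ValueError("profile <parser> element has no class attribute")
        current = by_class.get(cls)
        if current is None:
            merged.append(override)        # addition: class unknown to default
        else:
            idx = list(merged).index(current)
            merged.remove(current)         # whole-element replacement,
            merged.insert(idx, override)   # kept at the same position
        by_class[cls] = override
    return merged


def param_value(root, cls, name):
    """Return one param of one parser in a merged tree, or None if absent."""
    for parser in root.findall("parser"):
        if parser.get("class") == cls:
            node = parser.find(f"params/param[@name='{name}']")
            return None if node is None else node.text
    return None
```

Because the whole element is replaced, any param set only in the default entry for that class is dropped unless the profile repeats it.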

@patrickdalla
Collaborator Author

I remembered that the additional profiles created through UI config are saved in binary form. So, maybe, no conflicts will exist. But I will test it.

@lfcnassif
Member

lfcnassif commented May 27, 2024

Thanks @patrickdalla! Parser removal while merging multiple ParserConfig.xml files is not needed for this feature, it is fine. When it is needed, I think a new enabled attribute in the XML parser element would be enough to flag to the merging code that it should be removed.

@lfcnassif
Member

@patrickdalla, I think you enabled the wrong parser in the forensic and pedo profiles. It should be UsnJrnlParser with an enabled extractEntries param, right?

@patrickdalla
Collaborator Author

Sorry. It is correct now.

Member

@lfcnassif lfcnassif left a comment

Thanks @patrickdalla! I made minor changes and updated the properties prefix to a shorter one.

@lfcnassif lfcnassif merged commit b56fd6e into master May 27, 2024
2 checks passed
@lfcnassif lfcnassif deleted the USN_REASON_TIMESTAMP branch May 27, 2024 20:53
Successfully merging this pull request may close these issues.

Expand timestamp events from UsnJrnlParser to populate the timeline in forensic and pedo profiles