ForensicArtifacts / artifacts

Digital Forensics artifact repository
Apache License 2.0

Make WindowsRecycleBin use absolute path. #608

Closed The-Briel-Deal closed 7 months ago

The-Briel-Deal commented 7 months ago

Since all other artifacts here resolve to an absolute path, it would be nice if this followed the same convention and included the partition letter as well.

joachimmetz commented 7 months ago

First of all, a path starting with \ is absolute (from the volume root).

%%environ_systemdrive%% only refers to (typical) C: not other drive letters where the recycle bin can also be on other volumes. One alternative approach is to add an indicator to indicate that this should apply to all volumes %%system_all_volumes%% or equiv.

Also see: https://dfvfs.readthedocs.io/en/latest/sources/developer/Helpers.html#windows-path-resolver-helper

codecov[bot] commented 7 months ago

Codecov Report

All modified and coverable lines are covered by tests :white_check_mark:

Comparison is base (6304c2b) 69.85% compared to head (efd9d78) 69.85%.

Additional details and impacted files

```diff
@@           Coverage Diff           @@
##             main     #608   +/-   ##
=======================================
  Coverage   69.85%   69.85%
=======================================
  Files           9        9
  Lines         773      773
=======================================
  Hits          540      540
  Misses        233      233
```


The-Briel-Deal commented 7 months ago

> First of all, a path starting with \ is absolute (from the volume root).
>
> %%environ_systemdrive%% only refers to (typical) C: not other drive letters where the recycle bin can also be on other volumes. One alternative approach is to add an indicator to indicate that this should apply to all volumes %%system_all_volumes%% or equiv.
>
> Also see: https://dfvfs.readthedocs.io/en/latest/sources/developer/Helpers.html#windows-path-resolver-helper

That's a good point, we decided to put this in our backlog for now. Once we add a variable in GRR like %%system_all_volumes%% we will come back to this.

Closing for now. We'll reopen once the appropriate variable exists. Thanks for the quick response!

joachimmetz commented 7 months ago

Created https://github.com/ForensicArtifacts/artifacts/issues/609 as a reminder
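
The coverage difference discussed in this thread, as an added example that is not part of the original thread and is not code from the artifacts project, GRR or dfVFS: a small path expander showing which volumes a collector would visit for each path form. Assumptions: the volume list, the `\$Recycle.Bin` path and the helper names are constructed for illustration, `%%system_all_volumes%%` is only the variable proposed above and does not exist yet, and a bare `\` path is assumed to be resolved against every volume the collector examines.

```python
import re

# Constructed sample host: three volumes, system drive C:. Not from the thread.
SAMPLE_VOLUMES = ["C:", "D:", "E:"]
SYSTEM_DRIVE = "C:"

# Artifact-style %%variable%% placeholders.
VAR = re.compile(r"%%([a-z_]+)%%")
# system_all_volumes is the hypothetical variable proposed in the thread.
KNOWN = {"environ_systemdrive", "system_all_volumes"}


def expand(template, volumes=SAMPLE_VOLUMES, system_drive=SYSTEM_DRIVE):
    """Return the concrete paths a collector would visit for one template."""
    names = VAR.findall(template)
    unknown = set(names) - KNOWN
    if unknown:
        raise ValueError(f"unsupported variable(s): {sorted(unknown)}")
    if "environ_systemdrive" in names:
        # Pinned to a single drive letter, whatever other volumes exist.
        return [template.replace("%%environ_systemdrive%%", system_drive)]
    if "system_all_volumes" in names:
        return [template.replace("%%system_all_volumes%%", v) for v in volumes]
    if template.startswith("\\"):
        # Absolute from the volume root: assumed here to apply per volume.
        return [v + template for v in volumes]
    raise ValueError("path is neither volume-rooted nor variable-prefixed")


def uncovered(template, volumes=SAMPLE_VOLUMES, system_drive=SYSTEM_DRIVE):
    """Volumes whose copy of the path would never be collected."""
    paths = expand(template, volumes, system_drive)
    covered = {p.split("\\", 1)[0] for p in paths}
    return [v for v in volumes if v not in covered]


if __name__ == "__main__":
    for t in (r"\$Recycle.Bin",
              r"%%environ_systemdrive%%\$Recycle.Bin",
              r"%%system_all_volumes%%\$Recycle.Bin"):
        print(f"{t!r}: visits {expand(t)}, misses {uncovered(t)}")
```
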