
Commit d6230f9

author
Zawadi Done
authored
Add the option to collect Recycle Bin data files (#86)
1 parent 7155ee4 commit d6230f9


1 file changed

+34
-7
lines changed


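--- a/acquire/acquire.py
+++ b/acquire/acquire.py
@@ -662,19 +662,46 @@ class Recents(Module):
 ]
 
 
+def recyclebin_filter(path: fsutil.TargetPath) -> bool:
+return bool(path.stat().st_size >= (10 * 1024 * 1024)) # 10MB
+
+
 @register_module("--recyclebin")
+@module_arg(
+"--large-files",
+action="store_true",
+help="Collect files larger than 10MB in the Recycle Bin",
+default=False,
+)
+@module_arg(
+"--no-data-files",
+action="store_true",
+help="Skip collection of data files in the Recycle Bin",
+default=False,
+)
 class RecycleBin(Module):
-DESC = "recycle bin metadata"
+DESC = "recycle bin metadata and data files"
 
 @classmethod
 def _run(cls, target: Target, cli_args: argparse.Namespace, collector: Collector) -> None:
-for fs, name, mountpoints in iter_ntfs_filesystems(target):
-log.info("Acquiring recycle bin metadata from %s (%s)", fs, mountpoints)
+large_files_filter = None if cli_args.large_files else recyclebin_filter
+
+if large_files_filter:
+log.info("Skipping files in Recycle Bin that are larger than 10MB.")
+
+patterns = ["$Recycle.bin/*/$I*", "Recycler/*/INFO2", "Recycled/INFO2"]
+
+if not cli_args.no_data_files:
+patterns.extend(["$Recycle.Bin/$R*", "$Recycle.Bin/*/$R*", "RECYCLE*/D*"])
+
+with collector.file_filter(large_files_filter):
+for fs, name, mountpoints in iter_ntfs_filesystems(target):
+log.info("Acquiring recycle bin from %s (%s)", fs, mountpoints)
 
-patterns = ["$Recycle.bin/**/$I*", "Recycler/*/INFO2", "Recycled/INFO2"]
-for pattern in patterns:
-for entry in fs.path().glob(pattern):
-collector.collect_file(entry, outpath=fsutil.join(name, str(entry)))
+for pattern in patterns:
+for entry in fs.path().glob(pattern):
+if entry.is_file():
+collector.collect_file(entry, outpath=fsutil.join(name, str(entry)))
 
 
 @register_module("--drivers")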
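Review bot: The `if entry.is_file():` guard in `_run` silently drops every `$R*` match that is a directory, and on Vista-and-later volumes a deleted folder is kept as a `$R…` directory holding the original tree, so its contents are never acquired even though the matching `$I` record is. Nothing is logged for those entries, so the collection log gives an analyst no sign that data was left behind; at minimum add `else: log.debug("Skipping non-file Recycle Bin entry %s", entry)`, and consider recursing into such directories with the same size filter applied. The metadata pattern also narrowed from `$Recycle.bin/**/$I*` to `$Recycle.bin/*/$I*` and is spelled with a lower-case `b` while the new data patterns use `$Recycle.Bin`; whether that matters depends on how the filesystem's `glob` handles case, which is not visible here, so it deserves a comment or a test. Separately, `recyclebin_filter` compares with `>=` while the help text and log message say "larger than 10MB", and the limit is repeated in three places; a named constant such as `RECYCLEBIN_MAX_SIZE = 10 * 1024 * 1024` compared with `>` would keep them in step.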
