Add --disable_carvers option to disable BE file carving

tw4l · Dec 15, 2024 · 49f4568 · 49f4568
1 parent 94e5e2c
commit 49f4568
Showing 1 changed file with 27 additions and 0 deletions.
diff --git a/brunnhilde.py b/brunnhilde.py
@@ -240,6 +240,28 @@ def run_bulk_extractor(args, source_dir, ssn_mode):
     if args.regex:
         cmd.insert(1, "-F")
         cmd.insert(2, args.regex)
+
+    carve_mode_flags = [
+        "evtx_carved_carve_mode=0",
+        "jpeg_carve_mode=0",
+        "kml_carved_carve_mode=0",
+        "ntfsindx_carved_carve_mode=0",
+        "ntfslogfile_carved_carve_mode=0",
+        "ntfsmft_carved_carve_mode=0",
+        "ntfsusn_carved_carve_mode=0",
+        "rar_carve_mode=0",
+        "sqlite_carved_carve_mode=0",
+        "unrar_carved_carve_mode=0",
+        "utmp_carved_carve_mode=0",
+        "vcard_carve_mode=0",
+        "winpe_carved_carve_mode=0",
+        "zip_carve_mode=0"
+    ]
+    if args.disable_carvers:
+        for carve_flag in carve_mode_flags:
+            cmd.insert(3, "-S")
+            cmd.insert(4, carve_flag)
+
     try:
         if sys.version_info > (3, 0):
             log_file = open(bulk_extractor_log, "w", encoding="utf-8")
@@ -1065,6 +1087,11 @@ def _make_parser():
         action="store",
         type=int,
     )
+    parser.add_argument(
+        "--disable_carvers",
+        help="Disable Bulk Extractor file carvers",
+        action="store_true",
+    )
     parser.add_argument("--regex", help="Specify path to regex file", action="store")
     parser.add_argument(
         "-d",