Skip to content

Maite modules batch 2 #1301

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: main
Choose a base branch
from
Open

Maite modules batch 2 #1301

wants to merge 5 commits into from

Conversation

@Maite2003
Copy link
Contributor

@Maite2003 Maite2003 commented Oct 8, 2025

Refactoring: Timestamps and Argument Handling

This PR introduces two primary updates:

  1. Timestamp Correction: I removed the database conversion function (datetime(time/1000,'unixepoch')) from the query. Instead, we now pull the raw Unix timestamp and use convert_unix_ts_to_utc() in Python. Is this the approach we should use?
  2. Artifact Arguments: Updated artifact function signatures to accept a context object instead of individual parameters.

@Maite2003
Refactor artifact functions to use context parameter
afa6aad 
Minor adjustments were made to timestamp handling and source path reporting.
@Maite2003
Fix timestamp handling in AMDSQLiteDB_UsageEvents
3015ff9 
Updated the query to select the raw time value instead of converting it to datetime in SQL. The conversion to UTC datetime is now handled in Python using convert_unix_ts_to_utc.
@JamesHabben
Copy link
Collaborator

JamesHabben commented Oct 9, 2025

a couple things:

  1. theres a conflict on appConduit module. looks like @Johann-PLW got some changes in on this one while @Maite2003 was doing the same. this commit has an adjustment to the source_path return value that i think is better than what is currently in place.
  2. have you run the AMDSQLiteDB module against a test data set just to confirm the dates are getting properly converted?

@Maite2003
Copy link
Contributor Author

Maite2003 commented Oct 16, 2025

i don' have any test data for AMDSQLiteDB

@JamesHabben
Copy link
Collaborator

JamesHabben commented Oct 16, 2025

you can see there are some hits in test images here: https://github.com/abrignoni/iLEAPP/blob/main/admin/docs/filepath_search_summary.md

@Maite2003
Copy link
Contributor Author

Maite2003 commented Oct 16, 2025

Thanks for the link! Okay, so I think I'm just missing a step here. I can see the markdown file lists all the important file paths, but where do I find the actual test images or zips that have those files inside them?

@JamesHabben
Copy link
Collaborator

JamesHabben commented Oct 17, 2025

with the US Gov shutdown, some websites arent loading :(

here are a few pages that have lists of test images.

@stark4n6 any other suggestions since NIST is currently down?

@stark4n6
Copy link
Collaborator

stark4n6 commented Oct 17, 2025

@JamesHabben let me look, I think I made this parser so I think I actually had test files (either on my own test devices or from a sample)

@JamesHabben
Copy link
Collaborator

JamesHabben commented Nov 6, 2025

Most of these changes are pretty straight forward. The only parts that concern me are the dates to ensure we are using the correct function based on the source data. Once that is validated, I think this PR is good to merge.

@JamesHabben JamesHabben added the Artifact Module Update related to an artifact module label Nov 6, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

Artifact Module Update related to an artifact module

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@Maite2003 @JamesHabben @stark4n6