Combo Filter of Hash Alert leaving some Carved by Led out of list #2266

Open
patrickdalla opened this issue Jul 25, 2024 · 6 comments

@patrickdalla
Collaborator

The filter Hash\ Alert\ (Child\ Porn) in the top-left combo filter list shows some CarveLed* files, but not all of them.
Maybe this happens because the entire file was not carved, as LED carving is based only on the first bytes, which leads to a different total file hash.
Anyway, these incomplete files could be listed as well. I almost skipped them.

@lfcnassif
Member

lfcnassif commented Jul 25, 2024

Hi @patrickdalla, yes, the reason you described is correct and this behavior is intentional. Users can also search for carved:true AND name:CarvedLed to find all those files. Current behavior is fine to me, but I'll defer the decision about this to @wladimirleite, since he is the module author.

@wladimirleite
Member

Hi @patrickdalla and @lfcnassif!
Well, I think it is possible to change the pre-defined filter to include the search @lfcnassif mentioned, but I am not sure if it can be misleading to the user in some cases (e.g. incomplete videos recovered, from which nothing meaningful can be reproduced).

@patrickdalla
Collaborator Author

The current database already has some false positives.

In fact, in this specific case, all LED carved files, including the not alerted ones, were true positives, while there were false positives for some not carved, zero-filled files.

Any way you decide.

@wladimirleite
Member

> The current database already has some false positives.
> In fact, in this specific case, all LED carved files, including the not alerted ones, were true positives, while there were false positives for some not carved, zero-filled files.

That is a valid point.

I see two options:

  1. Change the LedCarveTask to set the property hashDb:status to pedo.
  2. Change the pre-defined filter to include these carved items (adding with an OR the query mentioned by @lfcnassif).

@patrickdalla, which solution do you have in mind?

@patrickdalla
Collaborator Author

1

@lfcnassif
Member

Well, I would prefer option 2 over 1, and actually almost suggested it. IMHO that hash filter was originally intended to flag files whose full hash was found in the hash database tagged as child abuse. Creating another predefined filter for LED carved files is another option. Anyway, as I said, @wladimirleite can take the decision here.
