abrignoni · Johann-PLW · May 25, 2026 · May 25, 2026
diff --git a/aleapp.py b/aleapp.py
@@ -11,9 +11,10 @@
 
 from scripts.search_files import *
 from scripts.ilapfuncs import *
-from scripts.version_info import aleapp_version
+from scripts.version_info import leapp_version
 from time import process_time, gmtime, strftime, perf_counter
 from scripts.lavafuncs import *
+from scripts.context import Context
 
 def validate_args(args):
     if args.artifact_paths or args.create_profile_casedata:
@@ -287,14 +288,15 @@ def main():
         if output_path[1] == ':': output_path = '\\\\?\\' + output_path.replace('/', '\\')
 
     out_params = OutputParameters(output_path, custom_output_folder)
+    Context.set_output_params(out_params)
 
     selected_plugins = plugins_parsed_first + selected_plugins
 
-    initialize_lava(input_path, out_params.report_folder_base, extracttype)
+    initialize_lava(input_path, out_params.output_folder_base, extracttype)
 
     crunch_artifacts(selected_plugins, extracttype, input_path, out_params, wrap_text, loader, casedata, profile_filename)
 
-    lava_finalize_output(out_params.report_folder_base)
+    lava_finalize_output(out_params.output_folder_base)
 
 def crunch_artifacts(
         plugins: typing.Sequence[plugin_loader.PluginSpec], extracttype, input_path, out_params, wrap_text,
@@ -305,7 +307,7 @@ def crunch_artifacts(
     logfunc('Processing started. Please wait. This may take a few minutes...')
 
     logfunc('\n--------------------------------------------------------------------------------------')
-    logfunc(f'ALEAPP v{aleapp_version}: ALEAPP Logs, Events, and Protobuf Parser')
+    logfunc(f'ALEAPP v{leapp_version}: ALEAPP Logs, Events, and Protobuf Parser')
     logfunc('Objective: Triage Android Full System Extractions.')
     logfunc('By: Alexis Brignoni | @AlexisBrignoni | abrignoni.com')
     logfunc('By: Yogesh Khatri   | @SwiftForensics | swiftforensics.com\n')
@@ -341,24 +343,30 @@ def crunch_artifacts(
     logfunc(f'File/Directory selected: {input_path}')
     logfunc('\n--------------------------------------------------------------------------------------')
 
-    log = open(os.path.join(out_params.report_folder_base, 'Script Logs', 'ProcessedFilesLog.html'), 'w+', encoding='utf8')
+    log = open(os.path.join(out_params.output_folder_base, '_HTML', '_Script_Logs', 'ProcessedFilesLog.html'), 'w+', encoding='utf8')
     log.write(f'Extraction/Path selected: {input_path}<br><br>')
 
     parsed_modules = 0
+    artifact_search_pattern_id = 0
+    file_path_ids = set()
+
 
     # Search for the files per the arguments
-    for plugin in plugins:
+    for plugin_number, plugin in enumerate(plugins, start=1):
         logfunc()
-        logfunc('{} [{}] artifact started'.format(plugin.name, plugin.module_name))
+        logfunc('[{}/{}] {} [{}] artifact started'.format(plugin_number, len(plugins),
+                                                              plugin.name, plugin.module_name))
         if isinstance(plugin.search, list) or isinstance(plugin.search, tuple):
             search_regexes = plugin.search
         else:
             search_regexes = [plugin.search]
-        parsed_modules += 1
-        GuiWindow.SetProgressBar(parsed_modules, len(plugins))
         files_found = []
         log.write(f'<b>For {plugin.name} module</b>')
         for artifact_search_regex in search_regexes:
+            artifact_search_pattern_id += 1
+            lava_insert_sqlite_artifact_search_pattern(
+                artifact_search_pattern_id, plugin.module_name, plugin.name, artifact_search_regex)
+            pattern_already_searched = artifact_search_regex in seeker.searched
             found = seeker.search(artifact_search_regex)
             if not found:
                 log.write(f'<ul><li>No file found for regex <i>{artifact_search_regex}</i></li></ul>')
@@ -368,10 +376,16 @@ def crunch_artifacts(
                     if pathh.startswith('\\\\?\\'):
                         pathh = pathh[4:]
                     log.write(f'<ul><li>{pathh}</li></ul>')
+                    if seeker.file_infos.get(pathh):
+                        file_path_id = id(seeker.file_infos.get(pathh))
+                        if not pattern_already_searched and file_path_id not in file_path_ids:
+                            lava_insert_sqlite_file_path(file_path_id,seeker.file_infos.get(pathh).source_path)
+                            file_path_ids.add(file_path_id)
+                        lava_insert_sqlite_artifact_link_pattern_to_file(artifact_search_pattern_id, file_path_id)
                 log.write(f'</li></ul>')
                 files_found.extend(found)
         if files_found:
-            category_folder = os.path.join(out_params.report_folder_base, '_HTML', plugin.category)
+            category_folder = os.path.join(out_params.output_folder_base, '_HTML', plugin.category)
             if not os.path.exists(category_folder):
                 try:
                     os.makedirs(category_folder)
@@ -389,6 +403,9 @@ def crunch_artifacts(
         else:
             logfunc(f"No file found")
         logfunc('{} [{}] artifact completed'.format(plugin.name, plugin.module_name))
+        parsed_modules += 1
+        GuiWindow.SetProgressBar(parsed_modules, len(plugins))
+        log.flush()
     log.close()
 
     write_device_info()
@@ -407,15 +424,15 @@ def crunch_artifacts(
     logfunc('Report generation started.')
     # remove the \\?\ prefix we added to input and output paths, so it does not reflect in report
     if is_platform_windows(): 
-        if out_params.report_folder_base.startswith('\\\\?\\'):
-            out_params.report_folder_base = out_params.report_folder_base[4:]
+        if out_params.output_folder_base.startswith('\\\\?\\'):
+            out_params.output_folder_base = out_params.output_folder_base[4:]
         if input_path.startswith('\\\\?\\'):
             input_path = input_path[4:]
 
-    report.generate_report(out_params.report_folder_base, run_time_secs, run_time_HMS, extracttype, input_path, casedata, profile_filename, icons)
+    report.generate_report(out_params.output_folder_base, run_time_secs, run_time_HMS, extracttype, input_path, casedata, profile_filename, icons)
     logfunc('Report generation Completed.')
     logfunc('')
-    logfunc(f'Report location: {out_params.report_folder_base}')
+    logfunc(f'Report location: {out_params.output_folder_base}')
 
     return True
 

diff --git a/aleappGUI.py b/aleappGUI.py
@@ -9,10 +9,11 @@
 
 from PIL import Image, ImageTk
 from tkinter import ttk, filedialog as tk_filedialog, messagebox as tk_msgbox
-from scripts.version_info import aleapp_version
+from scripts.version_info import leapp_version
 from scripts.search_files import *
 from scripts.modules_to_exclude import modules_to_exclude
 from scripts.lavafuncs import *
+from scripts.context import Context
 
 
 def pickModules():
@@ -206,6 +207,7 @@ def process(casedata):
         progress_bar.config(maximum=len(selected_modules))
         casedata = {key: value.get() for key, value in casedata.items()}
         out_params = OutputParameters(output_folder)
+        Context.set_output_params(out_params)
         wrap_text = True
 
         bottom_frame.pack_forget()
@@ -215,16 +217,16 @@ def process(casedata):
         logtext_frame.pack(padx=8, pady=4, expand=True, fill='both')
         progress_bar_frame.pack(padx=2, pady=2, ipady=2, fill='x')
 
-        initialize_lava(input_path, out_params.report_folder_base, extracttype)
+        initialize_lava(input_path, out_params.output_folder_base, extracttype)
 
         crunch_successful = aleapp.crunch_artifacts(
             selected_modules, extracttype, input_path, out_params, wrap_text, loader, 
             casedata, profile_filename)
 
-        lava_finalize_output(out_params.report_folder_base)
+        lava_finalize_output(out_params.output_folder_base)
 
         if crunch_successful:
-            report_path = os.path.join(out_params.report_folder_base, 'index.html')
+            report_path = os.path.join(out_params.output_folder_base, 'index.html')
             if report_path.startswith('\\\\?\\'):  # windows
                 report_path = report_path[4:]
             if report_path.startswith('\\\\'):  # UNC path
@@ -452,7 +454,7 @@ def add_agency_logo():
 
 ## Main window properties
 main_window.minsize(890, 690)
-main_window.title(f'ALEAPP version {aleapp_version}')
+main_window.title(f'ALEAPP version {leapp_version}')
 main_window.configure(bg=theme_bgcolor)
 logo_icon = tk.PhotoImage(file=icon)
 main_window.iconphoto(True, logo_icon)

diff --git a/scripts/artifact_report.py b/scripts/artifact_report.py
@@ -2,7 +2,7 @@
 import os
 import sys
 from scripts.html_parts import *
-from scripts.version_info import aleapp_version
+from scripts.version_info import leapp_version
 
 class ArtifactHtmlReport:
 
@@ -21,7 +21,7 @@ def start_artifact_report(self, report_folder, artifact_file_name, artifact_desc
         '''Creates the report HTML file and writes the artifact name as a heading'''
         self.report_file = open(os.path.join(report_folder, f'{artifact_file_name}.temphtml'), 'w', encoding='utf8')
         self.report_file.write(page_header.format(f'ALEAPP - {self.artifact_name} report'))
-        self.report_file.write(body_start.format(f'ALEAPP {aleapp_version}'))
+        self.report_file.write(body_start.format(f'ALEAPP {leapp_version}'))
         self.report_file.write(body_sidebar_setup)
         self.report_file.write(body_sidebar_dynamic_data_placeholder) # placeholder for sidebar data
         self.report_file.write(body_sidebar_trailer)

diff --git a/scripts/artifacts/DuckDuckGo.py b/scripts/artifacts/DuckDuckGo.py
@@ -343,10 +343,6 @@ def duckduckgo_opentabs(files_found, report_folder, seeker, wrap_text):
             thumb_path = thumb_lookup.get(cached_filename)
             if thumb_path:
                 tab_thumbnail_media = check_in_media(
-                    artifact_info,
-                    report_folder,
-                    seeker,
-                    files_found,
                     thumb_path,
                     cached_filename
                 )
@@ -474,7 +470,7 @@ def duckduckgo_thumbnails(files_found, report_folder, seeker, wrap_text):
         filepath = str(media_path.parents[1])
 
         timestamp = (datetime.datetime.utcfromtimestamp(utctime/1000).strftime('%Y-%m-%d %H:%M:%S'))
-        media_item = check_in_media(artifact_info, report_folder, seeker, files_found, file_found, filename)
+        media_item = check_in_media(file_found, filename)
 
         if media_item:
             tab_status = 'Open' if filename in open_preview_files else 'Closed'

diff --git a/scripts/artifacts/Grok.py b/scripts/artifacts/Grok.py
@@ -180,10 +180,6 @@ def grok_generatedvideos(files_found, report_folder, seeker, wrap_text):
         missing_flag = "Present"
 
         media_item = check_in_media(
-            artifact_info,
-            report_folder,
-            seeker,
-            files_found,
             file_found,
             filename
         )

diff --git a/scripts/artifacts/OrnetBrowser.py b/scripts/artifacts/OrnetBrowser.py
@@ -326,10 +326,6 @@ def is_sqlite_db(path):
             thumb_path = thumb_lookup.get(cached_filename)
             if thumb_path:
                 tab_thumbnail_media = check_in_media(
-                    artifact_info,
-                    report_folder,
-                    seeker,
-                    files_found,
                     thumb_path,
                     cached_filename
                 )
@@ -451,7 +447,7 @@ def ornetbrowser_thumbnails(files_found, report_folder, seeker, wrap_text):
         filepath = str(media_path.parents[1])
 
         timestamp = (datetime.datetime.utcfromtimestamp(utctime/1000).strftime('%Y-%m-%d %H:%M:%S'))
-        media_item = check_in_media(artifact_info, report_folder, seeker, files_found, file_found, filename)
+        media_item = check_in_media(file_found, filename)
 
         if media_item:
             data_list.append((timestamp, media_item, filename, str(file_found)))

diff --git a/scripts/artifacts/SamsungTrash.py b/scripts/artifacts/SamsungTrash.py
@@ -71,7 +71,7 @@ def samsungTrash(files_found, report_folder, seeker, _wrap_text):
 
             if matched_media_path:
                 media_item = check_in_media(
-                    artifact_info, report_folder, seeker, files_found + [matched_media_path], matched_media_path, Path(matched_media_path).name
+                    matched_media_path, Path(matched_media_path).name
                 )
 
             data_list.append((

diff --git a/scripts/artifacts/TorBrowser.py b/scripts/artifacts/TorBrowser.py
@@ -67,13 +67,7 @@ def torbrowser_thumbnails(files_found, report_folder, seeker, wrap_text):
         modified_ts = os.path.getmtime(file_found)
         modifiedtime = datetime.datetime.utcfromtimestamp(int(modified_ts)).strftime('%Y-%m-%d %H:%M:%S')
 
-        media_item = check_in_media(
-            artifact_info,
-            report_folder,
-            seeker,
-            files_found,
-            filename
-        )
+        media_item = check_in_media(filename)
 
         if media_item:
             data_list.append((modifiedtime, media_item, filename, location))

diff --git a/scripts/artifacts/ZangiChats.py b/scripts/artifacts/ZangiChats.py
@@ -109,7 +109,7 @@ def zangichats(files_found, _report_folder, _seeker, _wrap_text):
                 media_path = f"files/zangi/Zangi Files/{msgId}.*"
             try:
                 attach_file_name = Path(media_path).name
-                attach_file = check_in_media(artifact_info, _report_folder, _seeker, files_found, media_path, attach_file_name)
+                attach_file = check_in_media(media_path, attach_file_name)
             except TypeError:
                 attach_file = ""
         else:

diff --git a/scripts/artifacts/appicons.py b/scripts/artifacts/appicons.py
@@ -100,12 +100,12 @@ def appIcons(files_found, report_folder, seeker, wrap_text):
         other_icons = []
         if app.icon:
             # main_icon = check_in_embedded_media(artifact_info, report_folder, seeker, source_path, app.icon[1], app.icon[0], app.icon[2])
-            main_icon = check_in_embedded_media(artifact_info, report_folder, seeker, source_path, app.icon[1], app.icon[0])
+            main_icon = check_in_embedded_media(source_path, app.icon[1], app.icon[0])
         for k, v in app.icons.items():
             if v[1]: # sometimes icon is NULL in db
                 # other_icon = check_in_embedded_media(artifact_info, report_folder, seeker, source_path, v[1], v[0], v[2])
-                other_icon = check_in_embedded_media(artifact_info, report_folder, seeker, source_path, v[1], v[0])
+                other_icon = check_in_embedded_media(source_path, v[1], v[0])
                 other_icons.append(other_icon)
-        data_list.append((escape(app.name), escape(app.package), main_icon, other_icons ))
+        data_list.append((escape(app.name), escape(app.package), main_icon, other_icons))
 
     return data_headers, data_list, source_path
diff --git a/scripts/artifacts/googleVoice.py b/scripts/artifacts/googleVoice.py
@@ -251,7 +251,7 @@ def googlevoice_calls(files_found, report_folder, seeker, wrap_text):
                                 # get the audio file
                                 for audio_file in files_found:
                                     if "audio" in audio_file and message_id in audio_file:
-                                        recording = check_in_media(artifact_info, report_folder, seeker, files_found, audio_file)
+                                        recording = check_in_media(audio_file)
                                         break
 
                                 data_list.append((timestamp,account_number,direction,from_num,to_num,call_status,voicemail,duration,recording))
@@ -364,7 +364,7 @@ def googlevoice_voicemails(files_found, report_folder, seeker, wrap_text):
                             # get the voicemail audio file
                             for audio_file in files_found:
                                 if "audio" in audio_file and message_id in audio_file:
-                                    audio = check_in_media(artifact_info, report_folder, seeker, files_found, audio_file)
+                                    audio = check_in_media(audio_file)
                                     break
 
                             data_list.append((timestamp,account_number,from_num,to_num,duration,read_status,transcript,audio))
@@ -469,7 +469,7 @@ def googlevoice_messages(files_found, report_folder, seeker, wrap_text):
                                     # image file resides in Photo MMS images folder
                                     # filename: message_id + "-14" + extension
                                     if "Photo MMS images" in image and message_id in image and "-14" in image:
-                                        thumb = check_in_media(artifact_info, report_folder, seeker, files_found, image)
+                                        thumb = check_in_media(image)
                                         data_list.append((timestamp,account_number,conversation_id,direction,from_num,to_num,read_status,message_content,thumb))
                                         break
 
@@ -543,7 +543,7 @@ def googlevoice_messages(files_found, report_folder, seeker, wrap_text):
                                     # image file resides in Photo MMS images folder
                                     # filename: message_id + "-14" + extension
                                     if "Photo MMS images" in image and message_id in image and "-14" in image:
-                                        thumb = check_in_media(artifact_info, report_folder, seeker, files_found, image)
+                                        thumb = check_in_media(image)
                                         data_list.append((timestamp,account_number,conversation_id,direction,from_num,to_nums,read_status,message_content,thumb))
                                         break