19 package org.sleuthkit.autopsy.thunderbirdparser;
22 import java.io.IOException;
23 import java.util.ArrayList;
24 import java.util.List;
25 import java.util.logging.Level;
26 import org.openide.util.NbBundle;
27 import org.openide.util.NbBundle.Messages;
45 import org.
sleuthkit.datamodel.BlackboardAttribute.ATTRIBUTE_TYPE;
// Fragment of the per-file entry point. Its signature is not shown in this
// listing; the page's member list names it process(AbstractFile). The visible
// lines filter on known status, file type and isFile(), sniff the first
// 64 bytes for an mbox signature, and ask PstParser whether the file is a PST.
// What each guard does on a match is on lines missing from this listing.
79 if (abstractFile.getKnown().equals(TskData.FileKnown.KNOWN)) {
84 if (abstractFile.getType().equals(TskData.TSK_DB_FILES_TYPE_ENUM.UNALLOC_BLOCKS)) {
88 if ((abstractFile.isFile() ==
false)) {
93 boolean isMbox =
false;
// 64-byte buffer for the signature check; only files larger than 64 bytes are read.
95 byte[] t =
new byte[64];
96 if (abstractFile.getSize() > 64) {
// NOTE(review): byteRead is not used on any visible line, so a short read would
// hand a partly zero-filled buffer to isValidMimeTypeMbox. Confirm against the
// lines missing from this listing.
97 int byteRead = abstractFile.read(t, 0, 64);
99 isMbox = MboxParser.isValidMimeTypeMbox(t);
102 }
catch (TskException ex) {
// Logged with a null message: only the exception itself reaches the log.
103 logger.log(Level.WARNING, null, ex);
110 if (PstParser.isPstFile(abstractFile)) {
// Fragment of the PST handling path. The signature line is not shown; the
// message keys and the page's member list name it processPst(AbstractFile).
// Visible flow: build a temp-file path, report disk-space and write failures,
// run PstParser on the temp copy, record an encryption-detected artifact when
// the parser reports ENCRYPT, delete the temp copy, then surface parser errors.
124 @Messages({
"ThunderbirdMboxFileIngestModule.processPst.indexError.message=Failed to index encryption detected artifact for keyword search."})
// Temp copy path: <temp dir>/<file name>-<object id>.
// NOTE(review): abstractFile.getName() comes from the data source under
// examination and is concatenated into a local path with no sanitising on the
// visible lines. A name containing characters that are path-significant on the
// examiner's OS would change where the copy is written. Consider building the
// name from abstractFile.getId() alone, or verifying that the resolved path
// stays under getTempPath().
126 String fileName =
getTempPath() + File.separator + abstractFile.getName()
127 +
"-" + String.valueOf(abstractFile.getId());
128 File file =
new File(fileName);
// Disk-space failure: logged, and a localized message is looked up for the
// user. The condition itself is on lines not shown.
132 logger.log(Level.WARNING,
"Not enough disk space to write file to disk.");
134 NbBundle.getMessage(this.getClass(),
135 "ThunderbirdMboxFileIngestModule.processPst.errMsg.outOfDiskSpace",
136 abstractFile.getName()));
143 }
catch (IOException ex) {
144 logger.log(Level.WARNING,
"Failed writing pst file to disk.", ex);
// Parse the local copy; the object id ties results back to the source file.
148 PstParser parser =
new PstParser(services);
149 PstParser.ParseResult result = parser.parse(file, abstractFile.getId());
151 if (result == PstParser.ParseResult.OK) {
154 }
else if (result == PstParser.ParseResult.ENCRYPT) {
// Encrypted PST: record a TSK_ENCRYPTION_DETECTED artifact on the source file.
157 BlackboardArtifact artifact = abstractFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_ENCRYPTION_DETECTED);
158 artifact.addAttribute(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_NAME,
EmailParserModuleFactory.getModuleName(), NbBundle.getMessage(this.getClass(),
"ThunderbirdMboxFileIngestModule.encryptionFileLevel")));
165 logger.log(Level.SEVERE,
"Unable to index blackboard artifact " + artifact.getArtifactID(), ex);
169 }
catch (TskCoreException ex) {
// NOTE(review): ex is not passed to the logger here, so the cause of the
// failure is lost, and a missed encryption flag is recorded only at INFO.
170 logger.log(Level.INFO,
"Failed to add encryption attribute to file: {0}", abstractFile.getName());
// Any other parse result: localized error message plus an INFO log entry.
175 NbBundle.getMessage(
this.getClass(),
"ThunderbirdMboxFileIngestModule.processPst.errProcFile.msg",
176 abstractFile.getName()),
177 NbBundle.getMessage(
this.getClass(),
178 "ThunderbirdMboxFileIngestModule.processPst.errProcFile.details"));
179 logger.log(Level.INFO,
"PSTParser failed to parse {0}", abstractFile.getName());
// A failed delete is only logged at INFO, so a copy of case content can
// remain in the temp directory.
183 if (file.delete() ==
false) {
184 logger.log(Level.INFO,
"Failed to delete temp file: {0}", file.getName());
// Non-fatal parser errors are collected as one string and reported if non-empty.
187 String errors = parser.getErrors();
188 if (errors.isEmpty() ==
false) {
190 NbBundle.getMessage(
this.getClass(),
"ThunderbirdMboxFileIngestModule.processPst.errProcFile.msg2",
191 abstractFile.getName()), errors);
// Fragment of the mbox handling path. The signature line is not shown; the
// message keys and the page's member list name it processMBox(AbstractFile).
// Visible flow: derive a mail-folder label from the parent path, build a
// temp-file path, report disk-space and write failures, parse the temp copy
// with MboxParser, delete it, then surface parser errors.
205 String mboxFileName = abstractFile.getName();
206 String mboxParentDir = abstractFile.getParentPath();
208 String emailFolder =
"";
// The offsets (+5, +9) are one less than the marker length, so the label
// keeps the marker's trailing '/' as its first character.
210 if (mboxParentDir.contains(
"/Mail/")) {
211 emailFolder = mboxParentDir.substring(mboxParentDir.indexOf(
"/Mail/") + 5);
212 }
else if (mboxParentDir.contains(
"/ImapMail/")) {
213 emailFolder = mboxParentDir.substring(mboxParentDir.indexOf(
"/ImapMail/") + 9);
215 emailFolder = emailFolder + mboxFileName;
// NOTE(review): replaceAll takes a regular expression, so the unescaped '.'
// matches any character. Every "<any char>sbd" sequence is removed, not only
// the literal ".sbd". String.replace(".sbd", "") would match the literal text.
216 emailFolder = emailFolder.replaceAll(
".sbd",
"");
// Temp copy path: <temp dir>/<file name>-<object id>.
// NOTE(review): abstractFile.getName() comes from the data source under
// examination and is concatenated into a local path with no sanitising on the
// visible lines. Consider building the name from abstractFile.getId() alone,
// or verifying that the resolved path stays under getTempPath().
218 String fileName =
getTempPath() + File.separator + abstractFile.getName()
219 +
"-" + String.valueOf(abstractFile.getId());
220 File file =
new File(fileName);
224 logger.log(Level.WARNING,
"Not enough disk space to write file to disk.");
// NOTE(review): the details key below is spelled "errProfFile" while the
// message key above it uses "errProcFile". Confirm that it matches the
// resource bundle.
226 NbBundle.getMessage(
this.getClass(),
"ThunderbirdMboxFileIngestModule.processMBox.errProcFile.msg",
227 abstractFile.getName()),
228 NbBundle.getMessage(
this.getClass(),
229 "ThunderbirdMboxFileIngestModule.processMBox.errProfFile.details"));
235 }
catch (IOException ex) {
236 logger.log(Level.WARNING,
"Failed writing mbox file to disk.", ex);
// Parse the local copy; emailFolder is handed to the parser as the folder label.
240 MboxParser parser =
new MboxParser(services, emailFolder);
241 List<EmailMessage> emails = parser.parse(file, abstractFile.getId());
// A failed delete is only logged at INFO, so a copy of case content can
// remain in the temp directory.
244 if (file.delete() ==
false) {
245 logger.log(Level.INFO,
"Failed to delete temp file: {0}", file.getName());
// Non-fatal parser errors are collected as one string and reported if non-empty.
248 String errors = parser.getErrors();
249 if (errors.isEmpty() ==
false) {
251 NbBundle.getMessage(
this.getClass(),
"ThunderbirdMboxFileIngestModule.processMBox.errProcFile.msg2",
252 abstractFile.getName()), errors);
// Fragment: signature not shown, presumably getTempPath() from the page's
// member list. Checks whether the directory named by tmpDir exists; what
// happens when it does not is on a line missing from this listing.
266 File dir =
new File(tmpDir);
267 if (dir.exists() ==
false) {
// Fragment: signature not shown, presumably getModuleOutputPath() from the
// page's member list. Checks whether the directory named by outDir exists;
// what happens when it does not is on a line missing from this listing.
276 File dir =
new File(outDir);
277 if (dir.exists() ==
false) {
// Walks the parsed messages and collects derived files for those that have
// attachments, then iterates the collected files when the list is non-empty.
// The work done inside each branch is on lines missing from this listing.
295 private void processEmails(List<EmailMessage> emails, AbstractFile abstractFile) {
296 List<AbstractFile> derivedFiles =
new ArrayList<>();
297 for (EmailMessage email : emails) {
298 if (email.hasAttachment()) {
304 if (derivedFiles.isEmpty() ==
false) {
305 for (AbstractFile derived : derivedFiles) {
// Turns each parsed attachment into an entry in the returned file list,
// with abstractFile (the mailbox file) passed as its parent. Name,
// timestamps, local path, size and encoding all come from the Attachment
// object, i.e. from the content of the mailbox being parsed.
322 private List<AbstractFile>
handleAttachments(List<EmailMessage.Attachment> attachments, AbstractFile abstractFile) {
323 List<AbstractFile> files =
new ArrayList<>();
324 for (EmailMessage.Attachment attach : attachments) {
325 String filename = attach.getName();
326 long crTime = attach.getCrTime();
327 long mTime = attach.getmTime();
328 long aTime = attach.getaTime();
329 long cTime = attach.getcTime();
330 String relPath = attach.getLocalPath();
331 long size = attach.getSize();
332 TskData.EncodingType encodingType = attach.getEncodingType();
// Argument tail of a call whose head is not shown; the order matches
// addDerivedFile(...) in the page's member list (size, ctime, crtime, atime,
// mtime, isFile, parentFile, rederiveDetails). Presumably that call.
336 size, cTime, crTime, aTime, mTime,
true, abstractFile,
"",
339 }
catch (TskCoreException ex) {
// NOTE(review): filename is taken from the message being parsed. If this
// text reaches the detailsHtml parameter of IngestMessage.createErrorMessage
// (listed among this page's members), it should be escaped first. Confirm on
// the lines not shown.
341 NbBundle.getMessage(
this.getClass(),
"ThunderbirdMboxFileIngestModule.handleAttch.errMsg",
342 abstractFile.getName()),
343 NbBundle.getMessage(
this.getClass(),
344 "ThunderbirdMboxFileIngestModule.handleAttch.errMsg.details", filename));
// Logged with an empty message at INFO: the log entry carries only the exception.
345 logger.log(Level.INFO,
"", ex);
// Builds the attribute list for one parsed message and attaches it to
// abstractFile as a TSK_EMAIL_MSG artifact. Most string fields are added only
// when non-empty. Failures to index the artifact are logged at SEVERE, and
// failures to create it are logged at WARNING.
357 @Messages({
"ThunderbirdMboxFileIngestModule.addArtifact.indexError.message=Failed to index email message detected artifact for keyword search."})
358 private void addArtifact(EmailMessage email, AbstractFile abstractFile) {
359 List<BlackboardAttribute> bbattributes =
new ArrayList<>();
// All values below come from the parsed message content.
// NOTE(review): isEmpty() is called on them directly, which assumes the
// getters never return null. Confirm against EmailMessage.
360 String to = email.getRecipients();
361 String cc = email.getCc();
362 String bcc = email.getBcc();
363 String from = email.getSender();
364 long dateL = email.getSentDate();
365 String body = email.getTextBody();
366 String bodyHTML = email.getHtmlBody();
367 String rtf = email.getRtfBody();
368 String subject = email.getSubject();
369 long id = email.getId();
370 String localPath = email.getLocalPath();
372 if (to.isEmpty() ==
false) {
373 bbattributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_EMAIL_TO,
EmailParserModuleFactory.getModuleName(), to));
375 if (cc.isEmpty() ==
false) {
376 bbattributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_EMAIL_CC,
EmailParserModuleFactory.getModuleName(), cc));
378 if (bcc.isEmpty() ==
false) {
379 bbattributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_EMAIL_BCC,
EmailParserModuleFactory.getModuleName(), bcc));
381 if (from.isEmpty() ==
false) {
382 bbattributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_EMAIL_FROM,
EmailParserModuleFactory.getModuleName(), from));
// NOTE(review): TSK_DATETIME_RCVD is filled from getSentDate(), the same
// value as TSK_DATETIME_SENT. The received time on this artifact is
// therefore not an independent observation, which matters for timelines.
385 bbattributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_RCVD,
EmailParserModuleFactory.getModuleName(), dateL));
386 bbattributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_SENT,
EmailParserModuleFactory.getModuleName(), dateL));
388 if (body.isEmpty() ==
false) {
389 bbattributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_EMAIL_CONTENT_PLAIN,
EmailParserModuleFactory.getModuleName(), body));
391 if (bodyHTML.isEmpty() ==
false) {
392 bbattributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_EMAIL_CONTENT_HTML,
EmailParserModuleFactory.getModuleName(), bodyHTML));
394 if (rtf.isEmpty() ==
false) {
395 bbattributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_EMAIL_CONTENT_RTF,
EmailParserModuleFactory.getModuleName(), rtf));
// A negative id is recorded as the localized "not available" text instead of a number.
397 bbattributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_MSG_ID,
EmailParserModuleFactory.getModuleName(), ((
id < 0L) ? NbBundle
398 .getMessage(this.getClass(),
"ThunderbirdMboxFileIngestModule.notAvail") : String.valueOf(
id))));
399 if (subject.isEmpty() ==
false) {
400 bbattributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_SUBJECT,
EmailParserModuleFactory.getModuleName(), subject));
402 if (localPath.isEmpty() ==
false) {
403 bbattributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH,
EmailParserModuleFactory.getModuleName(), localPath));
// NOTE(review): "/foo/bar" is a placeholder written into TSK_PATH. The
// connecting line (404) is not shown, presumably an else for an empty
// localPath. A made-up path in a case artifact can mislead an examiner;
// consider omitting the attribute when no path is known.
405 bbattributes.add(
new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH,
EmailParserModuleFactory.getModuleName(),
"/foo/bar"));
// Create the artifact on the source file and attach all attributes in one call.
409 BlackboardArtifact bbart;
410 bbart = abstractFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_EMAIL_MSG);
411 bbart.addAttributes(bbattributes);
417 logger.log(Level.SEVERE,
"Unable to index blackboard artifact " + bbart.getArtifactID(), ex);
420 }
catch (TskCoreException ex) {
// Logged with a null message: only the exception identifies which message failed.
421 logger.log(Level.WARNING, null, ex);
425 void postErrorMessage(String subj, String details) {
430 IngestServices getServices() {
String getModuleOutputDirectoryRelativePath()
static final Logger logger
FileManager getFileManager()
String getTempDirectory()
static IngestMessage createErrorMessage(String source, String subject, String detailsHtml)
static< T > long writeToFile(Content content, java.io.File outputFile, ProgressHandle progress, Future< T > worker, boolean source)
ProcessResult processMBox(AbstractFile abstractFile)
static final int DISK_FREE_SPACE_UNKNOWN
void processEmails(List< EmailMessage > emails, AbstractFile abstractFile)
void addFilesToJob(List< AbstractFile > files)
void addArtifact(EmailMessage email, AbstractFile abstractFile)
static String getModuleOutputPath()
void postMessage(final IngestMessage message)
void fireModuleDataEvent(ModuleDataEvent moduleDataEvent)
ProcessResult process(AbstractFile abstractFile)
String getModuleDirectory()
ProcessResult processPst(AbstractFile abstractFile)
void startUp(IngestJobContext context)
Blackboard getBlackboard()
void fireModuleContentEvent(ModuleContentEvent moduleContentEvent)
synchronized DerivedFile addDerivedFile(String fileName, String localPath, long size, long ctime, long crtime, long atime, long mtime, boolean isFile, AbstractFile parentFile, String rederiveDetails, String toolName, String toolVersion, String otherDetails, TskData.EncodingType encodingType)
static void error(String title, String message)
static String getRelModuleOutputPath()
synchronized void indexArtifact(BlackboardArtifact artifact)
static Case getCurrentCase()
synchronized static Logger getLogger(String name)
static String getTempPath()
List< AbstractFile > handleAttachments(List< EmailMessage.Attachment > attachments, AbstractFile abstractFile)
static synchronized IngestServices getInstance()