Autopsy  4.10.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
VcardParser.java
Go to the documentation of this file.
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2019 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.thunderbirdparser;
20 
21 import ezvcard.Ezvcard;
22 import ezvcard.VCard;
23 import ezvcard.parameter.EmailType;
24 import ezvcard.parameter.TelephoneType;
25 import ezvcard.property.Email;
26 import ezvcard.property.Organization;
27 import ezvcard.property.Photo;
28 import ezvcard.property.Telephone;
29 import ezvcard.property.Url;
30 import java.io.File;
31 import java.io.FileOutputStream;
32 import java.io.IOException;
33 import java.nio.file.Paths;
34 import java.util.ArrayList;
35 import java.util.Arrays;
36 import java.util.Collection;
37 import java.util.HashMap;
38 import java.util.List;
39 import java.util.Map;
40 import java.util.logging.Level;
41 import org.apache.commons.lang3.StringUtils;
42 import org.openide.util.NbBundle;
43 import org.sleuthkit.autopsy.casemodule.Case;
44 import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException;
45 import org.sleuthkit.autopsy.casemodule.services.Blackboard;
46 import org.sleuthkit.autopsy.casemodule.services.FileManager;
47 import org.sleuthkit.autopsy.coreutils.Logger;
48 import org.sleuthkit.autopsy.coreutils.MessageNotifyUtil;
49 import org.sleuthkit.autopsy.ingest.IngestJobContext;
50 import org.sleuthkit.autopsy.ingest.IngestServices;
51 import org.sleuthkit.autopsy.ingest.ModuleContentEvent;
52 import org.sleuthkit.autopsy.ingest.ModuleDataEvent;
53 import static org.sleuthkit.autopsy.thunderbirdparser.ThunderbirdMboxFileIngestModule.getRelModuleOutputPath;
54 import org.sleuthkit.datamodel.AbstractFile;
55 import org.sleuthkit.datamodel.Account;
56 import org.sleuthkit.datamodel.AccountFileInstance;
57 import org.sleuthkit.datamodel.BlackboardArtifact;
58 import org.sleuthkit.datamodel.BlackboardAttribute;
59 import org.sleuthkit.datamodel.Content;
60 import org.sleuthkit.datamodel.DataSource;
61 import org.sleuthkit.datamodel.Relationship;
62 import org.sleuthkit.datamodel.SleuthkitCase;
63 import org.sleuthkit.datamodel.TskCoreException;
64 import org.sleuthkit.datamodel.TskData;
65 import org.sleuthkit.datamodel.TskDataException;
66 import org.sleuthkit.datamodel.TskException;
67 
72 final class VcardParser {
73  private static final String VCARD_HEADER = "BEGIN:VCARD";
74  private static final long MIN_FILE_SIZE = 22;
75 
76  private static final String PHOTO_TYPE_BMP = "bmp";
77  private static final String PHOTO_TYPE_GIF = "gif";
78  private static final String PHOTO_TYPE_JPEG = "jpeg";
79  private static final String PHOTO_TYPE_PNG = "png";
80  private static final Map<String, String> photoTypeExtensions;
81  static {
82  photoTypeExtensions = new HashMap<>();
83  photoTypeExtensions.put(PHOTO_TYPE_BMP, ".bmp");
84  photoTypeExtensions.put(PHOTO_TYPE_GIF, ".gif");
85  photoTypeExtensions.put(PHOTO_TYPE_JPEG, ".jpg");
86  photoTypeExtensions.put(PHOTO_TYPE_PNG, ".png");
87  }
88 
89  private static final Logger logger = Logger.getLogger(VcardParser.class.getName());
90 
91  private final IngestServices services = IngestServices.getInstance();
92  private final FileManager fileManager;
93  private final IngestJobContext context;
94  private final Blackboard blackboard;
95  private final Case currentCase;
96  private final SleuthkitCase tskCase;
97 
101  VcardParser(Case currentCase, IngestJobContext context) {
102  this.context = context;
103  this.currentCase = currentCase;
104  tskCase = currentCase.getSleuthkitCase();
105  blackboard = currentCase.getServices().getBlackboard();
106  fileManager = currentCase.getServices().getFileManager();
107  }
108 
116  static boolean isVcardFile(Content content) {
117  try {
118  if (content.getSize() > MIN_FILE_SIZE) {
119  byte[] buffer = new byte[VCARD_HEADER.length()];
120  int byteRead = content.read(buffer, 0, VCARD_HEADER.length());
121  if (byteRead > 0) {
122  String header = new String(buffer);
123  return header.equalsIgnoreCase(VCARD_HEADER);
124  }
125  }
126  } catch (TskException ex) {
127  logger.log(Level.WARNING, String.format("Exception while detecting if the file '%s' (id=%d) is a vCard file.",
128  content.getName(), content.getId())); //NON-NLS
129  }
130 
131  return false;
132  }
133 
145  void parse(File vcardFile, AbstractFile abstractFile) throws IOException, NoCurrentCaseException {
146  VCard vcard = Ezvcard.parse(vcardFile).first();
147  addContactArtifact(vcard, abstractFile);
148  }
149 
150 
151 
162  @NbBundle.Messages({"VcardParser.addContactArtifact.indexError=Failed to index the contact artifact for keyword search."})
163  private BlackboardArtifact addContactArtifact(VCard vcard, AbstractFile abstractFile) throws NoCurrentCaseException {
164  List<BlackboardAttribute> attributes = new ArrayList<>();
165  List<AccountFileInstance> accountInstances = new ArrayList<>();
166 
167  extractPhotos(vcard, abstractFile);
168 
169  String name = "";
170  if (vcard.getFormattedName() != null) {
171  name = vcard.getFormattedName().getValue();
172  } else {
173  if (vcard.getStructuredName() != null) {
174  // Attempt to put the name together if there was no formatted version
175  for (String prefix:vcard.getStructuredName().getPrefixes()) {
176  name += prefix + " ";
177  }
178  if (vcard.getStructuredName().getGiven() != null) {
179  name += vcard.getStructuredName().getGiven() + " ";
180  }
181  if (vcard.getStructuredName().getFamily() != null) {
182  name += vcard.getStructuredName().getFamily() + " ";
183  }
184  for (String suffix:vcard.getStructuredName().getSuffixes()) {
185  name += suffix + " ";
186  }
187  if (! vcard.getStructuredName().getAdditionalNames().isEmpty()) {
188  name += "(";
189  for (String addName:vcard.getStructuredName().getAdditionalNames()) {
190  name += addName + " ";
191  }
192  name += ")";
193  }
194  }
195  }
196  ThunderbirdMboxFileIngestModule.addArtifactAttribute(name, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME_PERSON, attributes);
197 
198  for (Telephone telephone : vcard.getTelephoneNumbers()) {
199  addPhoneAttributes(telephone, abstractFile, attributes);
200  addPhoneAccountInstances(telephone, abstractFile, accountInstances);
201  }
202 
203  for (Email email : vcard.getEmails()) {
204  addEmailAttributes(email, abstractFile, attributes);
205  addEmailAccountInstances(email, abstractFile, accountInstances);
206  }
207 
208  for (Url url : vcard.getUrls()) {
209  ThunderbirdMboxFileIngestModule.addArtifactAttribute(url.getValue(), BlackboardAttribute.ATTRIBUTE_TYPE.TSK_URL, attributes);
210  }
211 
212  for (Organization organization : vcard.getOrganizations()) {
213  List<String> values = organization.getValues();
214  if (values.isEmpty() == false) {
215  ThunderbirdMboxFileIngestModule.addArtifactAttribute(values.get(0), BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ORGANIZATION, attributes);
216  }
217  }
218 
219  AccountFileInstance deviceAccountInstance = addDeviceAccountInstance(abstractFile);
220 
221  BlackboardArtifact artifact = null;
222  org.sleuthkit.datamodel.Blackboard tskBlackboard = tskCase.getBlackboard();
223  try {
224  // Create artifact if it doesn't already exist.
225  if (!tskBlackboard.artifactExists(abstractFile, BlackboardArtifact.ARTIFACT_TYPE.TSK_CONTACT, attributes)) {
226  artifact = abstractFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_CONTACT);
227  artifact.addAttributes(attributes);
228  List<BlackboardArtifact> blackboardArtifacts = new ArrayList<>();
229  blackboardArtifacts.add(artifact);
230 
231  // Add account relationships.
232  if (deviceAccountInstance != null) {
233  try {
234  currentCase.getSleuthkitCase().getCommunicationsManager().addRelationships(
235  deviceAccountInstance, accountInstances, artifact, Relationship.Type.CONTACT, abstractFile.getCrtime());
236  } catch (TskDataException ex) {
237  logger.log(Level.SEVERE, String.format("Failed to create phone and e-mail account relationships (fileName='%s'; fileId=%d; accountId=%d).",
238  abstractFile.getName(), abstractFile.getId(), deviceAccountInstance.getAccount().getAccountID()), ex); //NON-NLS
239  }
240  }
241 
242  // Index the artifact for keyword search.
243  try {
244  blackboard.indexArtifact(artifact);
245  } catch (Blackboard.BlackboardException ex) {
246  logger.log(Level.SEVERE, "Unable to index blackboard artifact " + artifact.getArtifactID(), ex); //NON-NLS
247  MessageNotifyUtil.Notify.error(Bundle.VcardParser_addContactArtifact_indexError(), artifact.getDisplayName());
248  }
249 
250  // Fire event to notify UI of this new artifact.
251  IngestServices.getInstance().fireModuleDataEvent(new ModuleDataEvent(
252  EmailParserModuleFactory.getModuleName(), BlackboardArtifact.ARTIFACT_TYPE.TSK_CONTACT,
253  blackboardArtifacts));
254  }
255  } catch (TskCoreException ex) {
256  logger.log(Level.SEVERE, String.format("Failed to create contact artifact for vCard file '%s' (id=%d).",
257  abstractFile.getName(), abstractFile.getId()), ex); //NON-NLS
258  }
259 
260  return artifact;
261  }
262 
271  private void extractPhotos(VCard vcard, AbstractFile abstractFile) throws NoCurrentCaseException {
272  String parentFileName = getUniqueName(abstractFile);
273  // Skip files that already have been extracted.
274  try {
275  String outputPath = getOutputFolderPath(parentFileName);
276  if (new File(outputPath).exists()) {
277  List<Photo> vcardPhotos = vcard.getPhotos();
278  List<AbstractFile> derivedFilesCreated = new ArrayList<>();
279  for (int i=0; i < vcardPhotos.size(); i++) {
280  Photo photo = vcardPhotos.get(i);
281 
282  if (photo.getUrl() != null) {
283  // Skip this photo since its data is not embedded.
284  continue;
285  }
286 
287  String type = photo.getType();
288  if (type == null) {
289  // Skip this photo since no type is defined.
290  continue;
291  }
292 
293  // Get the file extension for the subtype.
294  type = type.toLowerCase();
295  if (type.startsWith("image/")) {
296  type = type.substring(6);
297  }
298  String extension = photoTypeExtensions.get(type);
299 
300  // Read the photo data and create a derived file from it.
301  byte[] data = photo.getData();
302  String extractedFileName = String.format("photo_%d%s", i, extension == null ? "" : extension);
303  String extractedFilePath = Paths.get(outputPath, extractedFileName).toString();
304  try {
305  writeExtractedImage(extractedFilePath, data);
306  derivedFilesCreated.add(fileManager.addDerivedFile(extractedFileName, getFileRelativePath(parentFileName, extractedFileName), data.length,
307  abstractFile.getCtime(), abstractFile.getCrtime(), abstractFile.getAtime(), abstractFile.getAtime(),
308  true, abstractFile, null, EmailParserModuleFactory.getModuleName(), null, null, TskData.EncodingType.NONE));
309  } catch (IOException | TskCoreException ex) {
310  logger.log(Level.WARNING, String.format("Could not write image to '%s' (id=%d).", extractedFilePath, abstractFile.getId()), ex); //NON-NLS
311  }
312  }
313  if (!derivedFilesCreated.isEmpty()) {
314  services.fireModuleContentEvent(new ModuleContentEvent(abstractFile));
315  context.addFilesToJob(derivedFilesCreated);
316  }
317  }
318  else {
319  logger.log(Level.INFO, String.format("Skipping photo extraction for file '%s' (id=%d), because it has already been processed.",
320  abstractFile.getName(), abstractFile.getId())); //NON-NLS
321  }
322  } catch (SecurityException ex) {
323  logger.log(Level.WARNING, String.format("Could not create extraction folder for '%s' (id=%d).", parentFileName, abstractFile.getId()));
324  }
325  }
326 
334  private void writeExtractedImage(String outputPath, byte[] data) throws IOException {
335  File outputFile = new File(outputPath);
336  FileOutputStream outputStream = new FileOutputStream(outputFile);
337  outputStream.write(data);
338  }
339 
348  private String getUniqueName(AbstractFile file) {
349  return file.getName() + "_" + file.getId();
350  }
351 
361  private String getFileRelativePath(String parentFileName, String fileName) throws NoCurrentCaseException {
362  // Used explicit FWD slashes to maintain DB consistency across operating systems.
363  return Paths.get(getRelModuleOutputPath(), parentFileName, fileName).toString();
364  }
365 
376  private String getOutputFolderPath(String parentFileName) throws NoCurrentCaseException {
377  String outputFolderPath = ThunderbirdMboxFileIngestModule.getModuleOutputPath() + File.separator + parentFileName;
378  File outputFilePath = new File(outputFolderPath);
379  if (!outputFilePath.exists()) {
380  outputFilePath.mkdirs();
381  }
382  return outputFolderPath;
383  }
384 
393  private void addPhoneAttributes(Telephone telephone, AbstractFile abstractFile, Collection<BlackboardAttribute> attributes) {
394  String telephoneText = telephone.getText();
395  if (telephoneText == null || telephoneText.isEmpty()) {
396  return;
397  }
398 
399  // Add phone number to collection for later creation of TSK_CONTACT.
400  List<TelephoneType> telephoneTypes = telephone.getTypes();
401  if (telephoneTypes.isEmpty()) {
402  ThunderbirdMboxFileIngestModule.addArtifactAttribute(telephone.getText(), BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER, attributes);
403  } else {
404  for (TelephoneType type : telephoneTypes) {
405  /*
406  * Unfortunately, if the types are lower-case, they don't
407  * get separated correctly into individual TelephoneTypes by
408  * ez-vcard. Therefore, we must read them manually
409  * ourselves.
410  */
411  List<String> splitTelephoneTypes = Arrays.asList(
412  type.getValue().toUpperCase().replaceAll("\\s+","").split(","));
413 
414  for (String splitType : splitTelephoneTypes) {
415  String attributeTypeName = "TSK_PHONE_" + splitType;
416  try {
417  BlackboardAttribute.Type attributeType = tskCase.getAttributeType(attributeTypeName);
418  if (attributeType == null) {
419  // Add this attribute type to the case database.
420  attributeType = tskCase.addArtifactAttributeType(attributeTypeName,
421  BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
422  String.format("Phone (%s)", StringUtils.capitalize(splitType.toLowerCase())));
423  }
424  ThunderbirdMboxFileIngestModule.addArtifactAttribute(telephone.getText(), attributeType, attributes);
425  } catch (TskCoreException ex) {
426  logger.log(Level.SEVERE, String.format("Unable to retrieve attribute type '%s' for file '%s' (id=%d).", attributeTypeName, abstractFile.getName(), abstractFile.getId()), ex);
427  } catch (TskDataException ex) {
428  logger.log(Level.SEVERE, String.format("Unable to add custom attribute type '%s' for file '%s' (id=%d).", attributeTypeName, abstractFile.getName(), abstractFile.getId()), ex);
429  }
430  }
431  }
432  }
433  }
434 
443  private void addEmailAttributes(Email email, AbstractFile abstractFile, Collection<BlackboardAttribute> attributes) {
444  String emailValue = email.getValue();
445  if (emailValue == null || emailValue.isEmpty()) {
446  return;
447  }
448 
449  // Add phone number to collection for later creation of TSK_CONTACT.
450  List<EmailType> emailTypes = email.getTypes();
451  if (emailTypes.isEmpty()) {
452  ThunderbirdMboxFileIngestModule.addArtifactAttribute(email.getValue(), BlackboardAttribute.ATTRIBUTE_TYPE.TSK_EMAIL, attributes);
453  } else {
454  for (EmailType type : emailTypes) {
455  /*
456  * Unfortunately, if the types are lower-case, they don't
457  * get separated correctly into individual EmailTypes by
458  * ez-vcard. Therefore, we must read them manually
459  * ourselves.
460  */
461  List<String> splitEmailTypes = Arrays.asList(
462  type.getValue().toUpperCase().replaceAll("\\s+","").split(","));
463 
464  for (String splitType : splitEmailTypes) {
465  String attributeTypeName = "TSK_EMAIL_" + splitType;
466  try {
467  BlackboardAttribute.Type attributeType = tskCase.getAttributeType(attributeTypeName);
468  if (attributeType == null) {
469  // Add this attribute type to the case database.
470  attributeType = tskCase.addArtifactAttributeType(attributeTypeName,
471  BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
472  String.format("Email (%s)", StringUtils.capitalize(splitType.toLowerCase())));
473  }
474  ThunderbirdMboxFileIngestModule.addArtifactAttribute(email.getValue(), attributeType, attributes);
475  } catch (TskCoreException ex) {
476  logger.log(Level.SEVERE, String.format("Unable to retrieve attribute type '%s' for file '%s' (id=%d).", attributeTypeName, abstractFile.getName(), abstractFile.getId()), ex);
477  } catch (TskDataException ex) {
478  logger.log(Level.SEVERE, String.format("Unable to add custom attribute type '%s' for file '%s' (id=%d).", attributeTypeName, abstractFile.getName(), abstractFile.getId()), ex);
479  }
480  }
481  }
482  }
483  }
484 
494  private void addPhoneAccountInstances(Telephone telephone, AbstractFile abstractFile, Collection<AccountFileInstance> accountInstances) {
495  String telephoneText = telephone.getText();
496  if (telephoneText == null || telephoneText.isEmpty()) {
497  return;
498  }
499 
500  // Add phone number as a TSK_ACCOUNT.
501  try {
502  AccountFileInstance phoneAccountInstance = tskCase.getCommunicationsManager().createAccountFileInstance(Account.Type.PHONE,
503  telephoneText, EmailParserModuleFactory.getModuleName(), abstractFile);
504  accountInstances.add(phoneAccountInstance);
505  }
506  catch(TskCoreException ex) {
507  logger.log(Level.WARNING, String.format(
508  "Failed to create account for phone number '%s' (content='%s'; id=%d).",
509  telephoneText, abstractFile.getName(), abstractFile.getId()), ex); //NON-NLS
510  }
511  }
512 
522  private void addEmailAccountInstances(Email email, AbstractFile abstractFile, Collection<AccountFileInstance> accountInstances) {
523  String emailValue = email.getValue();
524  if (emailValue == null || emailValue.isEmpty()) {
525  return;
526  }
527 
528  // Add e-mail as a TSK_ACCOUNT.
529  try {
530  AccountFileInstance emailAccountInstance = tskCase.getCommunicationsManager().createAccountFileInstance(Account.Type.EMAIL,
531  emailValue, EmailParserModuleFactory.getModuleName(), abstractFile);
532  accountInstances.add(emailAccountInstance);
533  }
534  catch(TskCoreException ex) {
535  logger.log(Level.WARNING, String.format(
536  "Failed to create account for e-mail address '%s' (content='%s'; id=%d).",
537  emailValue, abstractFile.getName(), abstractFile.getId()), ex); //NON-NLS
538  }
539  }
540 
548  private AccountFileInstance addDeviceAccountInstance(AbstractFile abstractFile) {
549  // Add 'DEVICE' TSK_ACCOUNT.
550  AccountFileInstance deviceAccountInstance = null;
551  String deviceId = null;
552  try {
553  long dataSourceObjId = abstractFile.getDataSourceObjectId();
554  DataSource dataSource = tskCase.getDataSource(dataSourceObjId);
555  deviceId = dataSource.getDeviceId();
556  deviceAccountInstance = tskCase.getCommunicationsManager().createAccountFileInstance(Account.Type.DEVICE,
557  deviceId, EmailParserModuleFactory.getModuleName(), abstractFile);
558  }
559  catch (TskCoreException ex) {
560  logger.log(Level.WARNING, String.format(
561  "Failed to create device account for '%s' (content='%s'; id=%d).",
562  deviceId, abstractFile.getName(), abstractFile.getId()), ex); //NON-NLS
563  }
564  catch (TskDataException ex) {
565  logger.log(Level.WARNING, String.format(
566  "Failed to get the data source from the case database (id=%d).",
567  abstractFile.getId()), ex); //NON-NLS
568  }
569 
570  return deviceAccountInstance;
571  }
572 }
org.sleuthkit.autopsy.ingest.ModuleContentEvent
Definition: ModuleContentEvent.java:27

Copyright © 2012-2018 Basis Technology. Generated on: Fri Mar 22 2019
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.