Autopsy  4.15.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2019 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  *     http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.thunderbirdparser;
import ezvcard.Ezvcard;
import ezvcard.VCard;
import ezvcard.parameter.EmailType;
import ezvcard.parameter.TelephoneType;
import ezvcard.property.Email;
import ezvcard.property.Organization;
import ezvcard.property.Photo;
import ezvcard.property.Telephone;
import ezvcard.property.Url;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.logging.Level;
import org.apache.commons.lang3.StringUtils;
import org.openide.util.NbBundle;
import org.sleuthkit.autopsy.casemodule.Case;
import org.sleuthkit.autopsy.casemodule.NoCurrentCaseException;
import org.sleuthkit.autopsy.casemodule.services.FileManager;
import org.sleuthkit.autopsy.coreutils.Logger;
import org.sleuthkit.autopsy.coreutils.MessageNotifyUtil;
import org.sleuthkit.autopsy.ingest.IngestJobContext;
import org.sleuthkit.autopsy.ingest.IngestServices;
import org.sleuthkit.autopsy.ingest.ModuleContentEvent;
import static org.sleuthkit.autopsy.thunderbirdparser.ThunderbirdMboxFileIngestModule.getRelModuleOutputPath;
import org.sleuthkit.datamodel.AbstractFile;
import org.sleuthkit.datamodel.Account;
import org.sleuthkit.datamodel.AccountFileInstance;
import org.sleuthkit.datamodel.Blackboard;
import org.sleuthkit.datamodel.BlackboardArtifact;
import org.sleuthkit.datamodel.BlackboardAttribute;
import org.sleuthkit.datamodel.Content;
import org.sleuthkit.datamodel.DataSource;
import org.sleuthkit.datamodel.ReadContentInputStream;
import org.sleuthkit.datamodel.Relationship;
import org.sleuthkit.datamodel.SleuthkitCase;
import org.sleuthkit.datamodel.TskCoreException;
import org.sleuthkit.datamodel.TskData;
import org.sleuthkit.datamodel.TskDataException;
import org.sleuthkit.datamodel.TskException;
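/**
 * Parses vCard content found during ingest and records every contact as a
 * TSK_CONTACT artifact, together with the phone and e-mail accounts it names
 * and any photos embedded in the card.
 *
 * Everything read from a vCard (names, numbers, TYPE parameters, photo bytes)
 * and the name of the file that holds it comes from the evidence under
 * examination, so this class treats those values as untrusted input.
 */
final class VcardParser {

    /** Marker expected at the very start of a vCard file. */
    private static final String VCARD_HEADER = "BEGIN:VCARD";
    /** Content of this size (in bytes) or smaller is never treated as a vCard. */
    private static final long MIN_FILE_SIZE = 22;

    private static final String PHOTO_TYPE_BMP = "bmp";
    private static final String PHOTO_TYPE_GIF = "gif";
    private static final String PHOTO_TYPE_JPEG = "jpeg";
    private static final String PHOTO_TYPE_PNG = "png";

    /** Maps a lower-case image subtype to the file extension used on disk. */
    private static final Map<String, String> photoTypeExtensions;

    static {
        photoTypeExtensions = new HashMap<>();
        photoTypeExtensions.put(PHOTO_TYPE_BMP, ".bmp");
        photoTypeExtensions.put(PHOTO_TYPE_GIF, ".gif");
        photoTypeExtensions.put(PHOTO_TYPE_JPEG, ".jpg");
        photoTypeExtensions.put(PHOTO_TYPE_PNG, ".png");
    }

    private static final Logger logger = Logger.getLogger(VcardParser.class.getName());

    private final IngestServices services = IngestServices.getInstance();
    private final FileManager fileManager;
    private final IngestJobContext context;
    private final Blackboard blackboard;
    private final Case currentCase;
    private final SleuthkitCase tskCase;

    /**
     * Creates a parser bound to a case and an ingest job.
     *
     * @param currentCase The case that receives the artifacts and derived files.
     * @param context     The ingest job that extracted photos are added to.
     */
    VcardParser(Case currentCase, IngestJobContext context) {
        this.context = context;
        this.currentCase = currentCase;
        tskCase = currentCase.getSleuthkitCase();
        blackboard = tskCase.getBlackboard();
        fileManager = currentCase.getServices().getFileManager();
    }

    /**
     * Tells whether the content starts with the vCard header.
     *
     * Only the first bytes are inspected, so a {@code true} result says
     * nothing about whether the rest of the content is well formed.
     *
     * @param content The content to inspect.
     *
     * @return True if the content is larger than the minimum size and begins
     *         with "BEGIN:VCARD" (case-insensitive); false otherwise, including
     *         when the content cannot be read.
     */
    static boolean isVcardFile(Content content) {
        try {
            if (content.getSize() > MIN_FILE_SIZE) {
                byte[] buffer = new byte[VCARD_HEADER.length()];
                int byteRead = content.read(buffer, 0, VCARD_HEADER.length());
                if (byteRead > 0) {
                    // The header is plain ASCII; decode it with a fixed charset
                    // so detection does not depend on the workstation's
                    // default encoding.
                    String header = new String(buffer, StandardCharsets.US_ASCII);
                    return header.equalsIgnoreCase(VCARD_HEADER);
                }
            }
        } catch (TskException ex) {
            // Keep the cause in the log so a read failure can be diagnosed.
            logger.log(Level.WARNING, String.format("Exception while detecting if the file '%s' (id=%d) is a vCard file.",
                    content.getName(), content.getId()), ex); //NON-NLS
        }

        return false;
    }

    /**
     * Parses every vCard in the file and adds one contact artifact per card.
     *
     * @param abstractFile The file to parse.
     *
     * @throws IOException            If the content cannot be read or parsed.
     * @throws NoCurrentCaseException If there is no open case.
     */
    void parse(AbstractFile abstractFile) throws IOException, NoCurrentCaseException {
        for (VCard vcard : Ezvcard.parse(new ReadContentInputStream(abstractFile)).all()) {
            addContactArtifact(vcard, abstractFile);
        }
    }

    /**
     * Creates a TSK_CONTACT artifact for one vCard, extracts its embedded
     * photos, records the account relationships and posts the artifact.
     *
     * @param vcard        The parsed vCard.
     * @param abstractFile The file the vCard was read from.
     *
     * @return The new artifact, or null if an artifact with the same attributes
     *         already exists for the file or the artifact could not be created.
     *
     * @throws NoCurrentCaseException If there is no open case.
     */
    @NbBundle.Messages({"VcardParser.addContactArtifact.indexError=Failed to index the contact artifact for keyword search."})
    private BlackboardArtifact addContactArtifact(VCard vcard, AbstractFile abstractFile) throws NoCurrentCaseException {
        List<BlackboardAttribute> attributes = new ArrayList<>();
        List<AccountFileInstance> accountInstances = new ArrayList<>();

        ThunderbirdMboxFileIngestModule.addArtifactAttribute(getContactName(vcard), BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME, attributes);

        for (Telephone telephone : vcard.getTelephoneNumbers()) {
            addPhoneAttributes(telephone, abstractFile, attributes);
            addPhoneAccountInstances(telephone, abstractFile, accountInstances);
        }

        for (Email email : vcard.getEmails()) {
            addEmailAttributes(email, abstractFile, attributes);
            addEmailAccountInstances(email, abstractFile, accountInstances);
        }

        for (Url url : vcard.getUrls()) {
            ThunderbirdMboxFileIngestModule.addArtifactAttribute(url.getValue(), BlackboardAttribute.ATTRIBUTE_TYPE.TSK_URL, attributes);
        }

        for (Organization organization : vcard.getOrganizations()) {
            List<String> values = organization.getValues();
            if (!values.isEmpty()) {
                // Only the first organization value is recorded.
                ThunderbirdMboxFileIngestModule.addArtifactAttribute(values.get(0), BlackboardAttribute.ATTRIBUTE_TYPE.TSK_ORGANIZATION, attributes);
            }
        }

        AccountFileInstance deviceAccountInstance = addDeviceAccountInstance(abstractFile);

        BlackboardArtifact artifact = null;
        org.sleuthkit.datamodel.Blackboard tskBlackboard = tskCase.getBlackboard();
        try {
            // Create artifact if it doesn't already exist.
            if (!tskBlackboard.artifactExists(abstractFile, BlackboardArtifact.ARTIFACT_TYPE.TSK_CONTACT, attributes)) {
                artifact = abstractFile.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_CONTACT);
                artifact.addAttributes(attributes);

                extractPhotos(vcard, abstractFile, artifact);

                // Add account relationships. Without a device account there is
                // no source account to relate the contact's accounts to.
                if (deviceAccountInstance != null) {
                    try {
                        currentCase.getSleuthkitCase().getCommunicationsManager().addRelationships(
                                deviceAccountInstance, accountInstances, artifact, Relationship.Type.CONTACT, abstractFile.getCrtime());
                    } catch (TskDataException ex) {
                        logger.log(Level.SEVERE, String.format("Failed to create phone and e-mail account relationships (fileName='%s'; fileId=%d; accountId=%d).",
                                abstractFile.getName(), abstractFile.getId(), deviceAccountInstance.getAccount().getAccountID()), ex); //NON-NLS
                    }
                }

                // Index the artifact for keyword search.
                try {
                    blackboard.postArtifact(artifact, EmailParserModuleFactory.getModuleName());
                } catch (Blackboard.BlackboardException ex) {
                    logger.log(Level.SEVERE, "Unable to index blackboard artifact " + artifact.getArtifactID(), ex); //NON-NLS
                    MessageNotifyUtil.Notify.error(Bundle.VcardParser_addContactArtifact_indexError(), artifact.getDisplayName());
                }
            }
        } catch (TskCoreException ex) {
            logger.log(Level.SEVERE, String.format("Failed to create contact artifact for vCard file '%s' (id=%d).",
                    abstractFile.getName(), abstractFile.getId()), ex); //NON-NLS
        }

        return artifact;
    }

    /**
     * Returns the contact's display name: the formatted name when the card has
     * one, otherwise a name assembled from the structured name's parts.
     *
     * @param vcard The parsed vCard.
     *
     * @return The name; an empty string if the card carries neither a
     *         formatted nor a structured name.
     */
    private static String getContactName(VCard vcard) {
        if (vcard.getFormattedName() != null) {
            return vcard.getFormattedName().getValue();
        }
        if (vcard.getStructuredName() == null) {
            return "";
        }

        // Put the name together because there is no formatted version. Every
        // part is followed by a single space, as before.
        StringBuilder name = new StringBuilder();
        for (String prefix : vcard.getStructuredName().getPrefixes()) {
            name.append(prefix).append(' ');
        }
        if (vcard.getStructuredName().getGiven() != null) {
            name.append(vcard.getStructuredName().getGiven()).append(' ');
        }
        if (vcard.getStructuredName().getFamily() != null) {
            name.append(vcard.getStructuredName().getFamily()).append(' ');
        }
        for (String suffix : vcard.getStructuredName().getSuffixes()) {
            name.append(suffix).append(' ');
        }
        if (!vcard.getStructuredName().getAdditionalNames().isEmpty()) {
            name.append('(');
            for (String addName : vcard.getStructuredName().getAdditionalNames()) {
                name.append(addName).append(' ');
            }
            name.append(')');
        }
        return name.toString();
    }

    /**
     * Writes each photo embedded in the vCard to the module output folder and
     * registers it as a derived file of the source file.
     *
     * Photos that only reference a URL, declare no type, or carry no data are
     * skipped; nothing is fetched from the network.
     *
     * @param vcard        The parsed vCard.
     * @param abstractFile The file the vCard was read from.
     * @param artifact     The contact artifact passed to the file manager
     *                     together with each derived file.
     *
     * @throws NoCurrentCaseException If there is no open case.
     */
    private void extractPhotos(VCard vcard, AbstractFile abstractFile, BlackboardArtifact artifact) throws NoCurrentCaseException {
        String parentFileName = getUniqueName(abstractFile);
        try {
            String outputPath = getOutputFolderPath(parentFileName);
            // NOTE(review): getOutputFolderPath() creates the folder when it is
            // missing, so this test is false only when the folder could not be
            // created. The "already been processed" message in the else branch
            // therefore looks misleading - confirm the intended skip logic.
            if (new File(outputPath).exists()) {
                List<Photo> vcardPhotos = vcard.getPhotos();
                List<AbstractFile> derivedFilesCreated = new ArrayList<>();
                for (int i = 0; i < vcardPhotos.size(); i++) {
                    Photo photo = vcardPhotos.get(i);

                    if (photo.getUrl() != null) {
                        // Skip this photo since its data is not embedded.
                        continue;
                    }

                    String type = photo.getType();
                    if (type == null) {
                        // Skip this photo since no type is defined.
                        continue;
                    }

                    byte[] data = photo.getData();
                    if (data == null) {
                        // Skip this photo since there is nothing to write.
                        continue;
                    }

                    // Get the file extension for the subtype. Locale.ROOT keeps
                    // the lookup independent of the workstation's locale.
                    type = type.toLowerCase(Locale.ROOT);
                    if (type.startsWith("image/")) {
                        type = type.substring(6);
                    }
                    String extension = photoTypeExtensions.get(type);

                    // The name on disk is built from the photo's index and a
                    // fixed extension table only, never from text in the vCard.
                    String extractedFileName = String.format("photo_%d%s", i, extension == null ? "" : extension);
                    String extractedFilePath = Paths.get(outputPath, extractedFileName).toString();
                    try {
                        writeExtractedImage(extractedFilePath, data);
                        // NOTE(review): getAtime() is passed twice in a row; the
                        // second occurrence may have been meant to be the
                        // modified time - confirm against addDerivedFile().
                        derivedFilesCreated.add(fileManager.addDerivedFile(extractedFileName, getFileRelativePath(parentFileName, extractedFileName), data.length,
                                abstractFile.getCtime(), abstractFile.getCrtime(), abstractFile.getAtime(), abstractFile.getAtime(),
                                true, artifact, null, EmailParserModuleFactory.getModuleName(), EmailParserModuleFactory.getModuleVersion(), "", TskData.EncodingType.NONE));
                    } catch (IOException | TskCoreException ex) {
                        logger.log(Level.WARNING, String.format("Could not write image to '%s' (id=%d).", extractedFilePath, abstractFile.getId()), ex); //NON-NLS
                    }
                }
                if (!derivedFilesCreated.isEmpty()) {
                    services.fireModuleContentEvent(new ModuleContentEvent(abstractFile));
                    context.addFilesToJob(derivedFilesCreated);
                }
            } else {
                logger.log(Level.INFO, String.format("Skipping photo extraction for file '%s' (id=%d), because it has already been processed.",
                        abstractFile.getName(), abstractFile.getId())); //NON-NLS
            }
        } catch (SecurityException ex) {
            logger.log(Level.WARNING, String.format("Could not create extraction folder for '%s' (id=%d).", parentFileName, abstractFile.getId()), ex);
        }
    }

    /**
     * Writes photo bytes to a file, replacing any existing file at that path.
     *
     * @param outputPath The path of the file to write.
     * @param data       The bytes to write.
     *
     * @throws IOException If the file cannot be opened or written.
     */
    private void writeExtractedImage(String outputPath, byte[] data) throws IOException {
        File outputFile = new File(outputPath);
        // try-with-resources closes the stream even when write() fails, so the
        // file handle is released and the output file is not left locked.
        try (FileOutputStream outputStream = new FileOutputStream(outputFile)) {
            outputStream.write(data);
        }
    }

    /**
     * Builds a name for the file's output folder from its name and object ID.
     *
     * @param file The source file.
     *
     * @return The file name, an underscore and the object ID.
     */
    private String getUniqueName(AbstractFile file) {
        // NOTE(review): the name comes from the evidence and is later used as
        // a folder name under the module output directory. Confirm that it
        // cannot hold path separators or characters the host file system
        // rejects, or sanitize it before building paths from it.
        return file.getName() + "_" + file.getId();
    }

    /**
     * Builds the path, relative to the case, recorded for a derived file.
     *
     * @param parentFileName The unique folder name of the source file.
     * @param fileName       The name of the derived file.
     *
     * @return The relative module output path joined with both names.
     *
     * @throws NoCurrentCaseException If there is no open case.
     */
    private String getFileRelativePath(String parentFileName, String fileName) throws NoCurrentCaseException {
        // NOTE(review): Paths.get(...).toString() joins with the platform's
        // separator, so the stored path is not guaranteed to use forward
        // slashes - confirm what the case database expects.
        return Paths.get(getRelModuleOutputPath(), parentFileName, fileName).toString();
    }

    /**
     * Returns the output folder for a source file, creating it if necessary.
     *
     * @param parentFileName The unique folder name of the source file.
     *
     * @return The folder path. The folder may still be missing if it could not
     *         be created; callers check for its existence.
     *
     * @throws NoCurrentCaseException If there is no open case.
     */
    private String getOutputFolderPath(String parentFileName) throws NoCurrentCaseException {
        String outputFolderPath = ThunderbirdMboxFileIngestModule.getModuleOutputPath() + File.separator + parentFileName;
        File outputFilePath = new File(outputFolderPath);
        if (!outputFilePath.exists()) {
            // The result of mkdirs() is not checked here; the caller tests for
            // the folder afterwards.
            outputFilePath.mkdirs();
        }
        return outputFolderPath;
    }

    /**
     * Returns the phone number of a telephone property: its text, or the
     * number of its tel: URI when there is no text.
     *
     * @param telephone The telephone property.
     *
     * @return The number, or null if the property carries none.
     */
    private static String getPhoneNumber(Telephone telephone) {
        String telephoneText = telephone.getText();
        if (telephoneText == null || telephoneText.isEmpty()) {
            // A property without text may also lack a URI.
            if (telephone.getUri() == null) {
                return null;
            }
            telephoneText = telephone.getUri().getNumber();
        }
        return (telephoneText == null || telephoneText.isEmpty()) ? null : telephoneText;
    }

    /**
     * Looks up an attribute type by name and adds it to the case database when
     * it does not exist yet.
     *
     * @param attributeTypeName The attribute type name.
     * @param displayFormat     A format string with one %s for the display name.
     * @param splitType         The TYPE value inserted into the display name.
     *
     * @return The attribute type; may be null if the lookup after a failed add
     *         still finds nothing.
     *
     * @throws TskCoreException If the case database cannot be queried.
     */
    private BlackboardAttribute.Type getOrAddAttributeType(String attributeTypeName, String displayFormat, String splitType) throws TskCoreException {
        // NOTE(review): attributeTypeName embeds a TYPE value taken from the
        // vCard, so evidence content decides which custom attribute types get
        // added to the case database. Consider limiting it to expected values.
        BlackboardAttribute.Type attributeType = tskCase.getAttributeType(attributeTypeName);
        if (attributeType == null) {
            try {
                // Add this attribute type to the case database.
                attributeType = tskCase.addArtifactAttributeType(attributeTypeName,
                        BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING,
                        String.format(displayFormat, StringUtils.capitalize(splitType.toLowerCase(Locale.ROOT))));
            } catch (TskDataException ex) {
                // Presumably the type was added in the meantime; look it up again.
                attributeType = tskCase.getAttributeType(attributeTypeName);
            }
        }
        return attributeType;
    }

    /**
     * Adds a phone number attribute for a telephone property. When the
     * property declares types, the first one selects a type-specific
     * attribute such as TSK_PHONE_NUMBER_HOME.
     *
     * @param telephone    The telephone property.
     * @param abstractFile The file the vCard was read from (used for logging).
     * @param attributes   The collection the attribute is added to.
     */
    private void addPhoneAttributes(Telephone telephone, AbstractFile abstractFile, Collection<BlackboardAttribute> attributes) {
        String telephoneText = getPhoneNumber(telephone);
        if (telephoneText == null) {
            return;
        }

        // Add phone number to collection for later creation of TSK_CONTACT.
        List<TelephoneType> telephoneTypes = telephone.getTypes();
        if (telephoneTypes.isEmpty()) {
            // Use the resolved number so that a number carried only in the
            // tel: URI is recorded too.
            ThunderbirdMboxFileIngestModule.addArtifactAttribute(telephoneText, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER, attributes);
            return;
        }

        /*
         * Unfortunately, if the types are lower-case, they don't get separated
         * correctly into individual TelephoneTypes by ez-vcard. Therefore, we
         * must read them manually ourselves.
         */
        List<String> splitTelephoneTypes = Arrays.asList(
                telephoneTypes.get(0).getValue().toUpperCase(Locale.ROOT).replaceAll("\\s+", "").split(","));
        if (splitTelephoneTypes.isEmpty()) {
            return;
        }

        String splitType = splitTelephoneTypes.get(0);
        String attributeTypeName = "TSK_PHONE_NUMBER";
        if (splitType != null && !splitType.isEmpty()) {
            attributeTypeName = "TSK_PHONE_NUMBER_" + splitType;
        }

        try {
            BlackboardAttribute.Type attributeType = getOrAddAttributeType(attributeTypeName, "Phone Number (%s)", splitType);
            ThunderbirdMboxFileIngestModule.addArtifactAttribute(telephoneText, attributeType, attributes);
        } catch (TskCoreException ex) {
            logger.log(Level.WARNING, String.format("Unable to retrieve attribute type '%s' for file '%s' (id=%d).", attributeTypeName, abstractFile.getName(), abstractFile.getId()), ex);
        }
    }

    /**
     * Adds an e-mail attribute for an e-mail property. When the property
     * declares types, the first one selects a type-specific attribute such as
     * TSK_EMAIL_HOME.
     *
     * @param email        The e-mail property.
     * @param abstractFile The file the vCard was read from (used for logging).
     * @param attributes   The collection the attribute is added to.
     */
    private void addEmailAttributes(Email email, AbstractFile abstractFile, Collection<BlackboardAttribute> attributes) {
        String emailValue = email.getValue();
        if (emailValue == null || emailValue.isEmpty()) {
            return;
        }

        // Add e-mail address to collection for later creation of TSK_CONTACT.
        List<EmailType> emailTypes = email.getTypes();
        if (emailTypes.isEmpty()) {
            ThunderbirdMboxFileIngestModule.addArtifactAttribute(emailValue, BlackboardAttribute.ATTRIBUTE_TYPE.TSK_EMAIL, attributes);
            return;
        }

        /*
         * Unfortunately, if the types are lower-case, they don't get separated
         * correctly into individual EmailTypes by ez-vcard. Therefore, we must
         * read them manually ourselves.
         */
        List<String> splitEmailTypes = Arrays.asList(
                emailTypes.get(0).getValue().toUpperCase(Locale.ROOT).replaceAll("\\s+", "").split(","));
        if (splitEmailTypes.isEmpty()) {
            return;
        }

        String splitType = splitEmailTypes.get(0);
        String attributeTypeName = "TSK_EMAIL";
        if (splitType != null && !splitType.isEmpty()) {
            attributeTypeName = "TSK_EMAIL_" + splitType;
        }

        try {
            // Same lookup-or-add path as phone numbers, so an attribute type
            // that already exists no longer causes the address to be dropped.
            BlackboardAttribute.Type attributeType = getOrAddAttributeType(attributeTypeName, "Email (%s)", splitType);
            ThunderbirdMboxFileIngestModule.addArtifactAttribute(emailValue, attributeType, attributes);
        } catch (TskCoreException ex) {
            logger.log(Level.SEVERE, String.format("Unable to retrieve attribute type '%s' for file '%s' (id=%d).", attributeTypeName, abstractFile.getName(), abstractFile.getId()), ex);
        }
    }

    /**
     * Creates a phone account instance for a telephone property.
     *
     * @param telephone        The telephone property.
     * @param abstractFile     The file the vCard was read from.
     * @param accountInstances The collection the account instance is added to.
     */
    private void addPhoneAccountInstances(Telephone telephone, AbstractFile abstractFile, Collection<AccountFileInstance> accountInstances) {
        String telephoneText = getPhoneNumber(telephone);
        if (telephoneText == null) {
            return;
        }

        // Add phone number as a TSK_ACCOUNT.
        try {
            AccountFileInstance phoneAccountInstance = tskCase.getCommunicationsManager().createAccountFileInstance(Account.Type.PHONE,
                    telephoneText, EmailParserModuleFactory.getModuleName(), abstractFile);
            accountInstances.add(phoneAccountInstance);
        } catch (TskCoreException ex) {
            logger.log(Level.WARNING, String.format(
                    "Failed to create account for phone number '%s' (content='%s'; id=%d).",
                    telephoneText, abstractFile.getName(), abstractFile.getId()), ex); //NON-NLS
        }
    }

    /**
     * Creates an e-mail account instance for an e-mail property.
     *
     * @param email            The e-mail property.
     * @param abstractFile     The file the vCard was read from.
     * @param accountInstances The collection the account instance is added to.
     */
    private void addEmailAccountInstances(Email email, AbstractFile abstractFile, Collection<AccountFileInstance> accountInstances) {
        String emailValue = email.getValue();
        if (emailValue == null || emailValue.isEmpty()) {
            return;
        }

        // Add e-mail as a TSK_ACCOUNT.
        try {
            AccountFileInstance emailAccountInstance = tskCase.getCommunicationsManager().createAccountFileInstance(Account.Type.EMAIL,
                    emailValue, EmailParserModuleFactory.getModuleName(), abstractFile);
            accountInstances.add(emailAccountInstance);
        } catch (TskCoreException ex) {
            logger.log(Level.WARNING, String.format(
                    "Failed to create account for e-mail address '%s' (content='%s'; id=%d).",
                    emailValue, abstractFile.getName(), abstractFile.getId()), ex); //NON-NLS
        }
    }

    /**
     * Creates a device account instance for the data source that holds the
     * file.
     *
     * @param abstractFile The file the vCard was read from.
     *
     * @return The device account instance, or null if it could not be created.
     */
    private AccountFileInstance addDeviceAccountInstance(AbstractFile abstractFile) {
        AccountFileInstance deviceAccountInstance = null;
        String deviceId = null;
        try {
            long dataSourceObjId = abstractFile.getDataSourceObjectId();
            DataSource dataSource = tskCase.getDataSource(dataSourceObjId);
            deviceId = dataSource.getDeviceId();
            deviceAccountInstance = tskCase.getCommunicationsManager().createAccountFileInstance(Account.Type.DEVICE,
                    deviceId, EmailParserModuleFactory.getModuleName(), abstractFile);
        } catch (TskCoreException ex) {
            // deviceId is still null here when the data source lookup failed.
            logger.log(Level.WARNING, String.format(
                    "Failed to create device account for '%s' (content='%s'; id=%d).",
                    deviceId, abstractFile.getName(), abstractFile.getId()), ex); //NON-NLS
        } catch (TskDataException ex) {
            logger.log(Level.WARNING, String.format(
                    "Failed to get the data source from the case database (id=%d).",
                    abstractFile.getId()), ex); //NON-NLS
        }

        return deviceAccountInstance;
    }
}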

Copyright © 2012-2020 Basis Technology. Generated on: Mon Jul 6 2020
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.