Autopsy  4.19.0
Graphical digital forensics platform for The Sleuth Kit and other tools.
Classes | Public Member Functions | Private Member Functions | Private Attributes | Static Private Attributes | List of all members
org.sleuthkit.autopsy.thunderbirdparser.ThunderbirdMboxFileIngestModule Class Reference

Inherits org.sleuthkit.autopsy.ingest.FileIngestModule.


class  AccountFileInstanceCache

Public Member Functions

ProcessResult process (AbstractFile abstractFile)
void shutDown ()
void startUp (IngestJobContext context) throws IngestModuleException

Private Member Functions

BlackboardArtifact addEmailArtifact (EmailMessage email, AbstractFile abstractFile, AccountFileInstanceCache accountFileInstanceCache)
Set< String > findEmailAddresess (String input)
List< Long > findMboxSplitOffset (AbstractFile abstractFile, File file) throws IOException
List< AbstractFile > handleAttachments (List< EmailMessage.Attachment > attachments, AbstractFile abstractFile, BlackboardArtifact messageArtifact)
void processEmails (List< EmailMessage > partialEmailsForThreading, Iterator< EmailMessage > fullMessageIterator, AbstractFile abstractFile)
ProcessResult processEMLFile (AbstractFile abstractFile)
ProcessResult processMBox (AbstractFile abstractFile)
void processMboxFile (File file, AbstractFile abstractFile, String emailFolder)
ProcessResult processPst (AbstractFile abstractFile)
ProcessResult processVcard (AbstractFile abstractFile)

Private Attributes

Blackboard blackboard
CommunicationArtifactsHelper communicationArtifactsHelper
IngestJobContext context
Case currentCase
FileManager fileManager
final IngestServices services = IngestServices.getInstance()

Static Private Attributes

static final Logger logger = Logger.getLogger(ThunderbirdMboxFileIngestModule.class.getName())
static final int MBOX_SIZE_TO_SPLIT = 1048576000

Detailed Description

File-level ingest module that detects MBOX, PST, and vCard files based on signature. Understands Thunderbird folder layout to provide additional structure and metadata.

Definition at line 77 of file

Member Function Documentation

BlackboardArtifact org.sleuthkit.autopsy.thunderbirdparser.ThunderbirdMboxFileIngestModule.addEmailArtifact ( EmailMessage  email,
AbstractFile  abstractFile,
AccountFileInstanceCache  accountFileInstanceCache 

Add a blackboard artifact for the given e-mail message.

emailThe e-mail message.
abstractFileThe associated file.
accountFileInstanceCacheThe current cache of account instances.
The generated e-mail message artifact.

Definition at line 686 of file

References org.sleuthkit.autopsy.coreutils.MessageNotifyUtil.Notify.error(), org.sleuthkit.autopsy.ingest.IngestJobContext.fileIngestIsCancelled(), org.sleuthkit.autopsy.thunderbirdparser.ThunderbirdMboxFileIngestModule.findEmailAddresess(), and org.sleuthkit.autopsy.casemodule.Case.getSleuthkitCase().

Set<String> org.sleuthkit.autopsy.thunderbirdparser.ThunderbirdMboxFileIngestModule.findEmailAddresess ( String  input)

Finds and returns a set of unique email addresses found in the input string

input- input string, like the To/CC line from an email header
Set<String>: set of email addresses found in the input string

Definition at line 665 of file

Referenced by org.sleuthkit.autopsy.thunderbirdparser.ThunderbirdMboxFileIngestModule.addEmailArtifact().

List<Long> org.sleuthkit.autopsy.thunderbirdparser.ThunderbirdMboxFileIngestModule.findMboxSplitOffset ( AbstractFile  abstractFile,
File  file 
) throws IOException
List<AbstractFile> org.sleuthkit.autopsy.thunderbirdparser.ThunderbirdMboxFileIngestModule.handleAttachments ( List< EmailMessage.Attachment >  attachments,
AbstractFile  abstractFile,
BlackboardArtifact  messageArtifact 

Add the given attachments as derived files and reschedule them for ingest.

List of attachments

Definition at line 614 of file


ProcessResult org.sleuthkit.autopsy.thunderbirdparser.ThunderbirdMboxFileIngestModule.process ( AbstractFile  file)

Processes a file. Called between calls to startUp() and shutDown(). Will be called for each file in a data source.

IMPORTANT: In addition to returning ProcessResult.OK or ProcessResult.ERROR, modules should log all errors using methods provided by the org.sleuthkit.autopsy.coreutils.Logger class. Log messages should include the name and object ID of the data being processed. If an exception has been caught by the module, the exception should be sent to the Logger along with the log message so that a stack trace will appear in the application log.

fileThe file to analyze.
A result code indicating success or failure of the processing.

Implements org.sleuthkit.autopsy.ingest.FileIngestModule.

Definition at line 109 of file

References org.sleuthkit.autopsy.ingest.IngestModule.ProcessResult.ERROR, org.sleuthkit.autopsy.ingest.IngestJobContext.fileIngestIsCancelled(), org.sleuthkit.autopsy.casemodule.Case.getSleuthkitCase(), org.sleuthkit.autopsy.ingest.IngestModule.ProcessResult.OK, org.sleuthkit.autopsy.thunderbirdparser.ThunderbirdMboxFileIngestModule.processEMLFile(), org.sleuthkit.autopsy.thunderbirdparser.ThunderbirdMboxFileIngestModule.processMBox(), org.sleuthkit.autopsy.thunderbirdparser.ThunderbirdMboxFileIngestModule.processPst(), and org.sleuthkit.autopsy.thunderbirdparser.ThunderbirdMboxFileIngestModule.processVcard().

void org.sleuthkit.autopsy.thunderbirdparser.ThunderbirdMboxFileIngestModule.processEmails ( List< EmailMessage >  partialEmailsForThreading,
Iterator< EmailMessage >  fullMessageIterator,
AbstractFile  abstractFile 
ProcessResult org.sleuthkit.autopsy.thunderbirdparser.ThunderbirdMboxFileIngestModule.processEMLFile ( AbstractFile  abstractFile)
ProcessResult org.sleuthkit.autopsy.thunderbirdparser.ThunderbirdMboxFileIngestModule.processMBox ( AbstractFile  abstractFile)
void org.sleuthkit.autopsy.thunderbirdparser.ThunderbirdMboxFileIngestModule.processMboxFile ( File  file,
AbstractFile  abstractFile,
String  emailFolder 
ProcessResult org.sleuthkit.autopsy.thunderbirdparser.ThunderbirdMboxFileIngestModule.processPst ( AbstractFile  abstractFile)
ProcessResult org.sleuthkit.autopsy.thunderbirdparser.ThunderbirdMboxFileIngestModule.processVcard ( AbstractFile  abstractFile)

Parse and extract data from a vCard file.

abstractFileThe content to be processed.
'ERROR' whenever a NoCurrentCaseException is encountered; otherwise 'OK'.

Definition at line 442 of file

References org.sleuthkit.autopsy.ingest.IngestModule.ProcessResult.OK.

Referenced by org.sleuthkit.autopsy.thunderbirdparser.ThunderbirdMboxFileIngestModule.process().

void org.sleuthkit.autopsy.thunderbirdparser.ThunderbirdMboxFileIngestModule.shutDown ( )

Invoked by Autopsy when an ingest job is completed (either because the data has been analyzed or because the job was cancelled), before the ingest module instance is discarded. The module should respond by doing things like releasing private resources, submitting final results, and posting a final ingest message.

IMPORTANT: If the module instances must share resources, the modules are responsible for synchronizing access to the shared resources and doing reference counting as required to release those resources correctly. Also, more than one ingest job may be in progress at any given time. This must also be taken into consideration when sharing resources between module instances. See IngestModuleReferenceCounter.

Implements org.sleuthkit.autopsy.ingest.IngestModule.

Definition at line 913 of file

void org.sleuthkit.autopsy.thunderbirdparser.ThunderbirdMboxFileIngestModule.startUp ( IngestJobContext  context) throws IngestModuleException

Invoked by Autopsy to allow an ingest module instance to set up any internal data structures and acquire any private resources it will need during an ingest job. If the module depends on loading any resources, it should do so in this method so that it can throw an exception in the case of an error and alert the user. Exceptions that are thrown from startUp() are logged and stop processing of the data source.

IMPORTANT: If the module instances must share resources, the modules are responsible for synchronizing access to the shared resources and doing reference counting as required to release those resources correctly. Also, more than one ingest job may be in progress at any given time. This must also be taken into consideration when sharing resources between module instances. See IngestModuleReferenceCounter.

contextProvides data and services specific to the ingest job and the ingest pipeline of which the module is a part.

Implements org.sleuthkit.autopsy.ingest.IngestModule.

Definition at line 97 of file

References org.sleuthkit.autopsy.thunderbirdparser.ThunderbirdMboxFileIngestModule.context, org.sleuthkit.autopsy.casemodule.Case.getCurrentCaseThrows(),, and org.sleuthkit.autopsy.casemodule.Case.getServices().

Member Data Documentation

Blackboard org.sleuthkit.autopsy.thunderbirdparser.ThunderbirdMboxFileIngestModule.blackboard

Definition at line 83 of file

CommunicationArtifactsHelper org.sleuthkit.autopsy.thunderbirdparser.ThunderbirdMboxFileIngestModule.communicationArtifactsHelper

Definition at line 84 of file

IngestJobContext org.sleuthkit.autopsy.thunderbirdparser.ThunderbirdMboxFileIngestModule.context
Case org.sleuthkit.autopsy.thunderbirdparser.ThunderbirdMboxFileIngestModule.currentCase

Definition at line 87 of file

FileManager org.sleuthkit.autopsy.thunderbirdparser.ThunderbirdMboxFileIngestModule.fileManager

Definition at line 81 of file

final Logger org.sleuthkit.autopsy.thunderbirdparser.ThunderbirdMboxFileIngestModule.logger = Logger.getLogger(ThunderbirdMboxFileIngestModule.class.getName())

Definition at line 79 of file

final int org.sleuthkit.autopsy.thunderbirdparser.ThunderbirdMboxFileIngestModule.MBOX_SIZE_TO_SPLIT = 1048576000
final IngestServices = IngestServices.getInstance()

Definition at line 80 of file

The documentation for this class was generated from the following file:

Copyright © 2012-2021 Basis Technology. Generated on: Fri Aug 6 2021
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.