Autopsy  4.1
Graphical digital forensics platform for The Sleuth Kit and other tools.
PstParser.java
Go to the documentation of this file.
1 /*
2  * Autopsy Forensic Browser
3  *
4  * Copyright 2011-2014 Basis Technology Corp.
5  * Contact: carrier <at> sleuthkit <dot> org
6  *
7  * Licensed under the Apache License, Version 2.0 (the "License");
8  * you may not use this file except in compliance with the License.
9  * You may obtain a copy of the License at
10  *
11  * http://www.apache.org/licenses/LICENSE-2.0
12  *
13  * Unless required by applicable law or agreed to in writing, software
14  * distributed under the License is distributed on an "AS IS" BASIS,
15  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  * See the License for the specific language governing permissions and
17  * limitations under the License.
18  */
19 package org.sleuthkit.autopsy.thunderbirdparser;
20 
21 import com.pff.PSTAttachment;
22 import com.pff.PSTException;
23 import com.pff.PSTFile;
24 import com.pff.PSTFolder;
25 import com.pff.PSTMessage;
26 import java.io.File;
27 import java.io.FileOutputStream;
28 import java.io.IOException;
29 import java.io.InputStream;
30 import java.nio.ByteBuffer;
31 import java.util.ArrayList;
32 import java.util.List;
33 import java.util.logging.Level;
34 import org.sleuthkit.autopsy.coreutils.Logger;
35 import org.openide.util.NbBundle;
36 import org.sleuthkit.autopsy.ingest.IngestMonitor;
37 import org.sleuthkit.autopsy.ingest.IngestServices;
38 import static org.sleuthkit.autopsy.thunderbirdparser.ThunderbirdMboxFileIngestModule.getRelModuleOutputPath;
39 import org.sleuthkit.datamodel.AbstractFile;
40 import org.sleuthkit.datamodel.EncodedFileOutputStream;
41 import org.sleuthkit.datamodel.TskCoreException;
42 import org.sleuthkit.datamodel.TskData;
43 
49 class PstParser {
50 
51  private static final Logger logger = Logger.getLogger(PstParser.class.getName());
55  private static int PST_HEADER = 0x2142444E;
56  private IngestServices services;
61  private List<EmailMessage> results;
62  private StringBuilder errors;
63 
64  PstParser(IngestServices services) {
65  results = new ArrayList<>();
66  this.services = services;
67  errors = new StringBuilder();
68  }
69 
70  enum ParseResult {
71 
72  OK, ERROR, ENCRYPT;
73  }
74 
83  ParseResult parse(File file, long fileID) {
84  PSTFile pstFile;
85  long failures;
86  try {
87  pstFile = new PSTFile(file);
88  failures = processFolder(pstFile.getRootFolder(), "\\", true, fileID);
89  if (failures > 0) {
90  addErrorMessage(
91  NbBundle.getMessage(this.getClass(), "PstParser.parse.errMsg.failedToParseNMsgs", failures));
92  }
93  return ParseResult.OK;
94  } catch (PSTException | IOException ex) {
95  String msg = file.getName() + ": Failed to create internal java-libpst PST file to parse:\n" + ex.getMessage(); //NON-NLS
96  logger.log(Level.WARNING, msg);
97  return ParseResult.ERROR;
98  } catch (IllegalArgumentException ex) {
99  logger.log(Level.INFO, "Found encrypted PST file."); //NON-NLS
100  return ParseResult.ENCRYPT;
101  }
102  }
103 
109  List<EmailMessage> getResults() {
110  return results;
111  }
112 
113  String getErrors() {
114  return errors.toString();
115  }
116 
129  private long processFolder(PSTFolder folder, String path, boolean root, long fileID) {
130  String newPath = (root ? path : path + "\\" + folder.getDisplayName());
131  long failCount = 0L; // Number of emails that failed
132  if (folder.hasSubfolders()) {
133  List<PSTFolder> subFolders;
134  try {
135  subFolders = folder.getSubFolders();
136  } catch (PSTException | IOException ex) {
137  subFolders = new ArrayList<>();
138  logger.log(Level.INFO, "java-libpst exception while getting subfolders: {0}", ex.getMessage()); //NON-NLS
139  }
140 
141  for (PSTFolder f : subFolders) {
142  failCount += processFolder(f, newPath, false, fileID);
143  }
144  }
145 
146  if (folder.getContentCount() != 0) {
147  PSTMessage email;
148  // A folder's children are always emails, never other folders.
149  try {
150  while ((email = (PSTMessage) folder.getNextChild()) != null) {
151  results.add(extractEmailMessage(email, newPath, fileID));
152  }
153  } catch (PSTException | IOException ex) {
154  failCount++;
155  logger.log(Level.INFO, "java-libpst exception while getting emails from a folder: {0}", ex.getMessage()); //NON-NLS
156  }
157  }
158 
159  return failCount;
160  }
161 
170  private EmailMessage extractEmailMessage(PSTMessage msg, String localPath, long fileID) {
171  EmailMessage email = new EmailMessage();
172  email.setRecipients(msg.getDisplayTo());
173  email.setCc(msg.getDisplayCC());
174  email.setBcc(msg.getDisplayBCC());
175  email.setSender(getSender(msg.getSenderName(), msg.getSenderEmailAddress()));
176  email.setSentDate(msg.getMessageDeliveryTime());
177  if(msg.getTransportMessageHeaders().isEmpty()) {
178  email.setTextBody(msg.getBody());
179  } else {
180  email.setTextBody(msg.getBody() + "\n-----HEADERS-----\n\n" + msg.getTransportMessageHeaders() + "\n\n---END HEADERS--\n\n");
181  }
182 
183  email.setHtmlBody(msg.getBodyHTML());
184  String rtf = "";
185  try {
186  rtf = msg.getRTFBody();
187  } catch (PSTException | IOException ex) {
188  logger.log(Level.INFO, "Failed to get RTF content from pst email."); //NON-NLS
189  }
190  email.setRtfBody(rtf);
191  email.setLocalPath(localPath);
192  email.setSubject(msg.getSubject());
193  email.setId(msg.getDescriptorNodeId());
194 
195  if (msg.hasAttachments()) {
196  extractAttachments(email, msg, fileID);
197  }
198 
199  return email;
200  }
201 
208  private void extractAttachments(EmailMessage email, PSTMessage msg, long fileID) {
209  int numberOfAttachments = msg.getNumberOfAttachments();
210  String outputDirPath = ThunderbirdMboxFileIngestModule.getModuleOutputPath() + File.separator;
211  for (int x = 0; x < numberOfAttachments; x++) {
212  String filename = "";
213  try {
214  PSTAttachment attach = msg.getAttachment(x);
215  long size = attach.getAttachSize();
216  long freeSpace = services.getFreeDiskSpace();
217  if ((freeSpace != IngestMonitor.DISK_FREE_SPACE_UNKNOWN) && (size >= freeSpace)) {
218  continue;
219  }
220  // both long and short filenames can be used for attachments
221  filename = attach.getLongFilename();
222  if (filename.isEmpty()) {
223  filename = attach.getFilename();
224  }
225  String uniqueFilename = fileID + "-" + msg.getDescriptorNodeId() + "-" + attach.getContentId() + "-" + filename;
226  String outPath = outputDirPath + uniqueFilename;
227  saveAttachmentToDisk(attach, outPath);
228 
229  EmailMessage.Attachment attachment = new EmailMessage.Attachment();
230 
231  long crTime = attach.getCreationTime() != null ? attach.getCreationTime().getTime() / 1000 : 0;
232  long mTime = attach.getModificationTime() != null ? attach.getModificationTime().getTime() / 1000 : 0;
233  String relPath = getRelModuleOutputPath() + File.separator + uniqueFilename;
234  attachment.setName(filename);
235  attachment.setCrTime(crTime);
236  attachment.setmTime(mTime);
237  attachment.setLocalPath(relPath);
238  attachment.setSize(attach.getFilesize());
239  attachment.setEncodingType(TskData.EncodingType.XOR1);
240  email.addAttachment(attachment);
241  } catch (PSTException | IOException | NullPointerException ex) {
246  addErrorMessage(
247  NbBundle.getMessage(this.getClass(), "PstParser.extractAttch.errMsg.failedToExtractToDisk",
248  filename));
249  logger.log(Level.WARNING, "Failed to extract attachment from pst file.", ex); //NON-NLS
250  }
251  }
252  }
253 
265  private void saveAttachmentToDisk(PSTAttachment attach, String outPath) throws IOException, PSTException {
266  try (InputStream attachmentStream = attach.getFileInputStream();
267  EncodedFileOutputStream out = new EncodedFileOutputStream(new FileOutputStream(outPath), TskData.EncodingType.XOR1)) {
268  // 8176 is the block size used internally and should give the best performance
269  int bufferSize = 8176;
270  byte[] buffer = new byte[bufferSize];
271  int count = attachmentStream.read(buffer);
272 
273  if (count == -1) {
274  throw new IOException("attachmentStream invalid (read() fails). File " + attach.getLongFilename() + " skipped");
275  }
276 
277  while (count == bufferSize) {
278  out.write(buffer);
279  count = attachmentStream.read(buffer);
280  }
281  if (count != -1) {
282  byte[] endBuffer = new byte[count];
283  System.arraycopy(buffer, 0, endBuffer, 0, count);
284  out.write(endBuffer);
285  }
286  }
287  }
288 
297  private String getSender(String name, String addr) {
298  if (name.isEmpty() && addr.isEmpty()) {
299  return "";
300  } else if (name.isEmpty()) {
301  return addr;
302  } else if (addr.isEmpty()) {
303  return name;
304  } else {
305  return name + ": " + addr;
306  }
307  }
308 
316  public static boolean isPstFile(AbstractFile file) {
317  byte[] buffer = new byte[4];
318  try {
319  int read = file.read(buffer, 0, 4);
320  if (read != 4) {
321  return false;
322  }
323  ByteBuffer bb = ByteBuffer.wrap(buffer);
324  return bb.getInt() == PST_HEADER;
325  } catch (TskCoreException ex) {
326  logger.log(Level.WARNING, "Exception while detecting if a file is a pst file."); //NON-NLS
327  return false;
328  }
329  }
330 
331  private void addErrorMessage(String msg) {
332  errors.append("<li>").append(msg).append("</li>"); //NON-NLS
333  }
334 }

Copyright © 2012-2016 Basis Technology. Generated on: Mon Apr 24 2017
This work is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.