From 063754951ded254f349d967ac6b66af66162f6b0 Mon Sep 17 00:00:00 2001 From: Kelly Kelly Date: Thu, 19 Sep 2019 14:28:17 -0400 Subject: [PATCH 1/3] Fixed duplicate vcard issue --- .../Bundle.properties-MERGED | 1 + .../thunderbirdparser/VcardParser.java | 106 +++++++++--------- 2 files changed, 55 insertions(+), 52 deletions(-) diff --git a/thunderbirdparser/src/org/sleuthkit/autopsy/thunderbirdparser/Bundle.properties-MERGED b/thunderbirdparser/src/org/sleuthkit/autopsy/thunderbirdparser/Bundle.properties-MERGED index cdfd241886..aa01a19072 100755 --- a/thunderbirdparser/src/org/sleuthkit/autopsy/thunderbirdparser/Bundle.properties-MERGED +++ b/thunderbirdparser/src/org/sleuthkit/autopsy/thunderbirdparser/Bundle.properties-MERGED @@ -1,3 +1,4 @@ +MboxParser.handleAttch.noOpenCase.errMsg=Exception while getting open case. MimeJ4MessageParser.handleAttch.noOpenCase.errMsg=Exception while getting open case. OpenIDE-Module-Display-Category=Ingest Module OpenIDE-Module-Long-Description=Email Parser ingest module.\n\nThe module extracts MBOX and PST e-mail files and posts the results to the blackboard.\nIt knows about the Thunderbird folder structure for MBOX files. diff --git a/thunderbirdparser/src/org/sleuthkit/autopsy/thunderbirdparser/VcardParser.java b/thunderbirdparser/src/org/sleuthkit/autopsy/thunderbirdparser/VcardParser.java index 84f4cd92c8..bbb72ae53e 100755 --- a/thunderbirdparser/src/org/sleuthkit/autopsy/thunderbirdparser/VcardParser.java +++ b/thunderbirdparser/src/org/sleuthkit/autopsy/thunderbirdparser/VcardParser.java @@ -397,34 +397,34 @@ final class VcardParser { if (telephoneTypes.isEmpty()) { ThunderbirdMboxFileIngestModule.addArtifactAttribute(telephone.getText(), BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER, attributes); } else { - for (TelephoneType type : telephoneTypes) { - /* - * Unfortunately, if the types are lower-case, they don't - * get separated correctly into individual TelephoneTypes by - * ez-vcard. Therefore, we must read them manually - * ourselves. - */ - List splitTelephoneTypes = Arrays.asList( - type.getValue().toUpperCase().replaceAll("\\s+","").split(",")); + TelephoneType type = telephoneTypes.get(0); + /* + * Unfortunately, if the types are lower-case, they don't + * get separated correctly into individual TelephoneTypes by + * ez-vcard. Therefore, we must read them manually + * ourselves. + */ + List splitTelephoneTypes = Arrays.asList( + type.getValue().toUpperCase().replaceAll("\\s+","").split(",")); - for (String splitType : splitTelephoneTypes) { - String attributeTypeName = "TSK_PHONE_NUMBER_" + splitType; - try { - BlackboardAttribute.Type attributeType = tskCase.getAttributeType(attributeTypeName); - if (attributeType == null) { - // Add this attribute type to the case database. - attributeType = tskCase.addArtifactAttributeType(attributeTypeName, - BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, - String.format("Phone (%s)", StringUtils.capitalize(splitType.toLowerCase()))); - } - ThunderbirdMboxFileIngestModule.addArtifactAttribute(telephone.getText(), attributeType, attributes); - } catch (TskCoreException ex) { - logger.log(Level.SEVERE, String.format("Unable to retrieve attribute type '%s' for file '%s' (id=%d).", attributeTypeName, abstractFile.getName(), abstractFile.getId()), ex); - } catch (TskDataException ex) { - logger.log(Level.SEVERE, String.format("Unable to add custom attribute type '%s' for file '%s' (id=%d).", attributeTypeName, abstractFile.getName(), abstractFile.getId()), ex); + if (splitTelephoneTypes.size() > 0) { + String splitType = splitTelephoneTypes.get(0); + String attributeTypeName = "TSK_PHONE_NUMBER_" + splitType; + try { + BlackboardAttribute.Type attributeType = tskCase.getAttributeType(attributeTypeName); + if (attributeType == null) { + // Add this attribute type to the case database. + attributeType = tskCase.addArtifactAttributeType(attributeTypeName, + BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, + String.format("Phone (%s)", StringUtils.capitalize(splitType.toLowerCase()))); } + ThunderbirdMboxFileIngestModule.addArtifactAttribute(telephone.getText(), attributeType, attributes); + } catch (TskCoreException ex) { + logger.log(Level.SEVERE, String.format("Unable to retrieve attribute type '%s' for file '%s' (id=%d).", attributeTypeName, abstractFile.getName(), abstractFile.getId()), ex); + } catch (TskDataException ex) { + logger.log(Level.SEVERE, String.format("Unable to add custom attribute type '%s' for file '%s' (id=%d).", attributeTypeName, abstractFile.getName(), abstractFile.getId()), ex); } - } + } } } @@ -447,34 +447,36 @@ final class VcardParser { if (emailTypes.isEmpty()) { ThunderbirdMboxFileIngestModule.addArtifactAttribute(email.getValue(), BlackboardAttribute.ATTRIBUTE_TYPE.TSK_EMAIL, attributes); } else { - for (EmailType type : emailTypes) { - /* - * Unfortunately, if the types are lower-case, they don't - * get separated correctly into individual EmailTypes by - * ez-vcard. Therefore, we must read them manually - * ourselves. - */ - List splitEmailTypes = Arrays.asList( - type.getValue().toUpperCase().replaceAll("\\s+","").split(",")); + EmailType type = emailTypes.get(0); /* + * Unfortunately, if the types are lower-case, they don't + * get separated correctly into individual EmailTypes by + * ez-vcard. Therefore, we must read them manually + * ourselves. + */ + List splitEmailTypes = Arrays.asList( + type.getValue().toUpperCase().replaceAll("\\s+","").split(",")); - for (String splitType : splitEmailTypes) { - String attributeTypeName = "TSK_EMAIL_" + splitType; - try { - BlackboardAttribute.Type attributeType = tskCase.getAttributeType(attributeTypeName); - if (attributeType == null) { - // Add this attribute type to the case database. - attributeType = tskCase.addArtifactAttributeType(attributeTypeName, - BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, - String.format("Email (%s)", StringUtils.capitalize(splitType.toLowerCase()))); - } - ThunderbirdMboxFileIngestModule.addArtifactAttribute(email.getValue(), attributeType, attributes); - } catch (TskCoreException ex) { - logger.log(Level.SEVERE, String.format("Unable to retrieve attribute type '%s' for file '%s' (id=%d).", attributeTypeName, abstractFile.getName(), abstractFile.getId()), ex); - } catch (TskDataException ex) { - logger.log(Level.SEVERE, String.format("Unable to add custom attribute type '%s' for file '%s' (id=%d).", attributeTypeName, abstractFile.getName(), abstractFile.getId()), ex); - } - } - } + if (splitEmailTypes.size() > 0) { + String splitType = splitEmailTypes.get(0); + String attributeTypeName = "TSK_EMAIL_" + splitType; + if(splitType.isEmpty()) { + attributeTypeName = "TSK_EMAIL"; + } + try { + BlackboardAttribute.Type attributeType = tskCase.getAttributeType(attributeTypeName); + if (attributeType == null) { + // Add this attribute type to the case database. + attributeType = tskCase.addArtifactAttributeType(attributeTypeName, + BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, + String.format("Email (%s)", StringUtils.capitalize(splitType.toLowerCase()))); + } + ThunderbirdMboxFileIngestModule.addArtifactAttribute(email.getValue(), attributeType, attributes); + } catch (TskCoreException ex) { + logger.log(Level.SEVERE, String.format("Unable to retrieve attribute type '%s' for file '%s' (id=%d).", attributeTypeName, abstractFile.getName(), abstractFile.getId()), ex); + } catch (TskDataException ex) { + logger.log(Level.SEVERE, String.format("Unable to add custom attribute type '%s' for file '%s' (id=%d).", attributeTypeName, abstractFile.getName(), abstractFile.getId()), ex); + } + } } } From 1083316d4f85585fecf460ade638c3ef4bb28829 Mon Sep 17 00:00:00 2001 From: Kelly Kelly Date: Fri, 20 Sep 2019 11:09:21 -0400 Subject: [PATCH 2/3] merged in release and fixed bug --- .../relationships/ContactNode.java | 29 ++++++++++--------- .../thunderbirdparser/VcardParser.java | 21 +++++++------- 2 files changed, 26 insertions(+), 24 deletions(-) diff --git a/Core/src/org/sleuthkit/autopsy/communications/relationships/ContactNode.java b/Core/src/org/sleuthkit/autopsy/communications/relationships/ContactNode.java index 985351ce10..140bb89c85 100755 --- a/Core/src/org/sleuthkit/autopsy/communications/relationships/ContactNode.java +++ b/Core/src/org/sleuthkit/autopsy/communications/relationships/ContactNode.java @@ -18,6 +18,7 @@ */ package org.sleuthkit.autopsy.communications.relationships; +import java.util.ArrayList; import java.util.HashMap; import java.util.List; import java.util.Map; @@ -89,30 +90,30 @@ final class ContactNode extends BlackboardArtifactNode { // are used so that all attributed of that type are found, including // ones that are not predefined as part of BlackboardAttributes try { - HashMap phoneNumMap = new HashMap<>(); - HashMap emailMap = new HashMap<>(); - HashMap nameMap = new HashMap<>(); - HashMap otherMap = new HashMap<>(); + List phoneNumList = new ArrayList<>(); + List emailList = new ArrayList<>(); + List nameList = new ArrayList<>(); + List otherList = new ArrayList<>(); for (BlackboardAttribute bba : artifact.getAttributes()) { if (bba.getAttributeType().getTypeName().startsWith("TSK_PHONE")) { - phoneNumMap.put(bba.getDisplayString(), bba); + phoneNumList.add(bba); } else if (bba.getAttributeType().getTypeName().startsWith("TSK_EMAIL")) { - emailMap.put(bba.getDisplayString(), bba); + emailList.add(bba); } else if (bba.getAttributeType().getTypeName().startsWith("TSK_NAME")) { - nameMap.put(bba.getDisplayString(), bba); + nameList.add(bba); } else { - otherMap.put(bba.getDisplayString(), bba); + otherList.add(bba); } } addPropertiesToSheet(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_NAME.getLabel(), - sheetSet, nameMap); + sheetSet, nameList); addPropertiesToSheet(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER.getLabel(), - sheetSet, phoneNumMap); + sheetSet, phoneNumList); addPropertiesToSheet(BlackboardAttribute.ATTRIBUTE_TYPE.TSK_EMAIL.getLabel(), - sheetSet, emailMap); + sheetSet, emailList); - for (BlackboardAttribute bba : otherMap.values()) { + for (BlackboardAttribute bba : otherList) { sheetSet.put(new NodeProperty<>(bba.getAttributeType().getTypeName(), bba.getAttributeType().getDisplayName(), "", bba.getDisplayString())); } @@ -138,9 +139,9 @@ final class ContactNode extends BlackboardArtifactNode { return sheet; } - private void addPropertiesToSheet(String propertyID, Sheet.Set sheetSet, Map attributeMap) { + private void addPropertiesToSheet(String propertyID, Sheet.Set sheetSet, List attributeList) { int count = 0; - for (BlackboardAttribute bba : attributeMap.values()) { + for (BlackboardAttribute bba : attributeList) { if (count++ > 0) { sheetSet.put(new NodeProperty<>(propertyID + "_" + count, bba.getAttributeType().getDisplayName(), "", bba.getDisplayString())); } else { diff --git a/thunderbirdparser/src/org/sleuthkit/autopsy/thunderbirdparser/VcardParser.java b/thunderbirdparser/src/org/sleuthkit/autopsy/thunderbirdparser/VcardParser.java index 71dbcf6bd2..d662c5f5e6 100755 --- a/thunderbirdparser/src/org/sleuthkit/autopsy/thunderbirdparser/VcardParser.java +++ b/thunderbirdparser/src/org/sleuthkit/autopsy/thunderbirdparser/VcardParser.java @@ -419,19 +419,20 @@ final class VcardParser { try { BlackboardAttribute.Type attributeType = tskCase.getAttributeType(attributeTypeName); if (attributeType == null) { - // Add this attribute type to the case database. - attributeType = tskCase.addArtifactAttributeType(attributeTypeName, - BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, - String.format("Phone Number (%s)", StringUtils.capitalize(splitType.toLowerCase()))); - + try{ + // Add this attribute type to the case database. + attributeType = tskCase.addArtifactAttributeType(attributeTypeName, + BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, + String.format("Phone Number (%s)", StringUtils.capitalize(splitType.toLowerCase()))); + }catch (TskDataException ex) { + attributeType = tskCase.getAttributeType(attributeTypeName); + } } - ThunderbirdMboxFileIngestModule.addArtifactAttribute(telephone.getText(), attributeType, attributes); + ThunderbirdMboxFileIngestModule.addArtifactAttribute(telephoneText, attributeType, attributes); } catch (TskCoreException ex) { - logger.log(Level.SEVERE, String.format("Unable to retrieve attribute type '%s' for file '%s' (id=%d).", attributeTypeName, abstractFile.getName(), abstractFile.getId()), ex); - } catch (TskDataException ex) { - logger.log(Level.SEVERE, String.format("Unable to add custom attribute type '%s' for file '%s' (id=%d).", attributeTypeName, abstractFile.getName(), abstractFile.getId()), ex); + logger.log(Level.WARNING, String.format("Unable to retrieve attribute type '%s' for file '%s' (id=%d).", attributeTypeName, abstractFile.getName(), abstractFile.getId()), ex); } - } + } } } From 63aa281529f09ef06e4c410facb238a660e7863d Mon Sep 17 00:00:00 2001 From: Kelly Kelly Date: Tue, 24 Sep 2019 10:12:33 -0400 Subject: [PATCH 3/3] Removed unused imports --- .../autopsy/communications/relationships/ContactNode.java | 2 -- 1 file changed, 2 deletions(-) diff --git a/Core/src/org/sleuthkit/autopsy/communications/relationships/ContactNode.java b/Core/src/org/sleuthkit/autopsy/communications/relationships/ContactNode.java index 140bb89c85..8dbf58acef 100755 --- a/Core/src/org/sleuthkit/autopsy/communications/relationships/ContactNode.java +++ b/Core/src/org/sleuthkit/autopsy/communications/relationships/ContactNode.java @@ -19,9 +19,7 @@ package org.sleuthkit.autopsy.communications.relationships; import java.util.ArrayList; -import java.util.HashMap; import java.util.List; -import java.util.Map; import java.util.TimeZone; import java.util.logging.Level; import org.openide.nodes.Sheet;