Addition of paths to the emails extracted

2025-07-06 21:00:22 +00:00 · 2012-06-21 16:36:44 -07:00 · 2012-06-21 16:36:44 -07:00 · 325d558303
commit 325d558303
parent 81002342c8
4 changed files with 92 additions and 3 deletions
--- a/thunderbirdparser/nbproject/project.properties
+++ b/thunderbirdparser/nbproject/project.properties
@ -1,3 +1,4 @@
+file.reference.commons-lang-2.4.jar=release/modules/ext/commons-lang-2.4.jar
 file.reference.tika-core-1.1.jar=release/modules/ext/tika-core-1.1.jar
 file.reference.tika-parsers-1.1.jar=release/modules/ext/tika-parsers-1.1.jar
 javac.source=1.6
--- a/thunderbirdparser/nbproject/project.xml
+++ b/thunderbirdparser/nbproject/project.xml
@ -56,6 +56,10 @@
                <runtime-relative-path>ext/tika-core-1.1.jar</runtime-relative-path>
                <binary-origin>release/modules/ext/tika-core-1.1.jar</binary-origin>
            </class-path-extension>
+            <class-path-extension>
+                <runtime-relative-path>ext/jmork-1.0.4.jar</runtime-relative-path>
+                <binary-origin>release/modules/ext/jmork-1.0.4.jar</binary-origin>
+            </class-path-extension>
            <class-path-extension>
                <runtime-relative-path>ext/commons-lang-2.4.jar</runtime-relative-path>
                <binary-origin>release/modules/ext/commons-lang-2.4.jar</binary-origin>
--- a/thunderbirdparser/src/org/sleuthkit/autopsy/thunderbirdparser/ThunderbirdMboxFileIngestService.java
+++ b/thunderbirdparser/src/org/sleuthkit/autopsy/thunderbirdparser/ThunderbirdMboxFileIngestService.java
@ -18,15 +18,25 @@
 */
 package org.sleuthkit.autopsy.thunderbirdparser;

+import java.io.File;
 import java.io.FileNotFoundException;
+import java.io.FileReader;
 import java.io.IOException;
+import java.io.Reader;
+import java.sql.ResultSet;
+import java.sql.SQLException;
+import java.sql.Statement;
 import java.util.ArrayList;
 import java.util.Collection;
 import java.util.HashMap;
+import java.util.List;
 import java.util.Map;
 import java.util.Map.Entry;
 import java.util.logging.Level;
 import java.util.logging.Logger;
+import mork.Dict;
+import mork.MorkDocument;
+import mork.Row;
 import org.apache.tika.exception.TikaException;
 import org.apache.tika.metadata.Metadata;
 import org.sleuthkit.autopsy.ingest.IngestManager;
@ -45,6 +55,11 @@ import org.sleuthkit.datamodel.TskCoreException;
 import org.sleuthkit.datamodel.TskException;
 import org.xml.sax.SAXException;
 import org.apache.commons.lang.StringEscapeUtils;
+import org.sleuthkit.autopsy.casemodule.Case;
+import org.sleuthkit.autopsy.datamodel.ContentUtils;
+import org.sleuthkit.datamodel.Content;
+import org.sleuthkit.datamodel.FsContent;
+import org.sleuthkit.datamodel.SleuthkitCase;

 public class ThunderbirdMboxFileIngestService implements IngestServiceAbstractFile {

@ -77,6 +92,75 @@ public class ThunderbirdMboxFileIngestService implements IngestServiceAbstractFi

        if (isMbox) {
            managerProxy.postMessage(IngestMessage.createMessage(++messageId, MessageType.INFO, this, "Processing " + fsContent.getName()));
+            String mboxName = fsContent.getName();
+            String msfName = mboxName + ".msf";
+            Long mboxId = fsContent.getId();
+            String mboxPath = "";
+            Long msfId = 0L;
+            Case currentCase = Case.getCurrentCase(); // get the most updated case
+            SleuthkitCase tskCase = currentCase.getSleuthkitCase();
+            try {
+                ResultSet rs = tskCase.runQuery("select parent_path from tsk_files where obj_id = '" + mboxId.toString() + "'");
+                mboxPath = rs.getString("parent_path");
+                Statement s = rs.getStatement();
+                rs.close();
+                if (s != null) {
+                    s.close();
+                }
+                rs.close();
+                rs.getStatement().close();
+
+                ResultSet resultset = tskCase.runQuery("select obj_id from tsk_files where parent_path = '" + mboxPath + "' and name = '" + msfName + "'");
+                msfId = resultset.getLong("obj_id");
+                Statement st = resultset.getStatement();
+                resultset.close();
+                if (st != null) {
+                    st.close();
+                }
+                resultset.close();
+                resultset.getStatement().close();
+
+            } catch (SQLException ex) {
+                logger.log(Level.WARNING, "Error while trying to get parent path for:" + this.getClass().getName(), ex);
+            }
+
+            try {
+                Content msfContent = tskCase.getContentById(msfId);
+                ContentUtils.writeToFile(msfContent, new File(currentCase.getTempDirectory() + File.separator + msfName));
+            } catch (IOException ex) {
+                Logger.getLogger(ThunderbirdMboxFileIngestService.class.getName()).log(Level.SEVERE, null, ex);
+            } catch (TskCoreException ex) {
+                logger.log(Level.SEVERE, "Unable to obtain msf file for mbox parsing:" + this.getClass().getName(), ex);
+            }
+           int index = 0;
+           String replace = "";
+            boolean b = mboxPath.indexOf("/Mail/") > 0;
+            if(b == true)
+            {
+             index = mboxPath.indexOf("/Mail/");
+             replace = "/Mail";
+            }
+            else
+            {
+             index = mboxPath.indexOf("/ImapMail/");   
+             replace = "/ImapMail";
+            }
+            String folderPath = mboxPath.substring(index);
+            folderPath = folderPath.replaceAll(replace, "");
+            folderPath = folderPath+mboxName;
+            folderPath = folderPath.replaceAll(".sbd", "");
+//            Reader reader = null;
+//            try {
+//                reader = new FileReader(currentCase.getTempDirectory() + File.separator + msfName);
+//            } catch (FileNotFoundException ex) {
+//                Logger.getLogger(ThunderbirdMboxFileIngestService.class.getName()).log(Level.SEVERE, null, ex);
+//            }
+//            MorkDocument morkDocument = new MorkDocument(reader);
+//            List<Dict> dicts = morkDocument.getDicts();
+//            for(Dict dict : dicts){
+//            String path = dict.getValue("81").toString();
+//             String account = dict.getValue("8D").toString();
+//                    }
            String emailId = "";
            String content = "";
            String from = "";
@ -118,7 +202,7 @@ public class ThunderbirdMboxFileIngestService implements IngestServiceAbstractFi
                    bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_RCVD.getTypeID(), classname, "", date));
                    bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_DATETIME_SENT.getTypeID(), classname, "", date));
                    bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_SUBJECT.getTypeID(), classname, "", subject));
-                    bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), classname, "", "/Account1/Folder1"));
+                    bbattributes.add(new BlackboardAttribute(ATTRIBUTE_TYPE.TSK_PATH.getTypeID(), classname, "", folderPath));
                    BlackboardArtifact bbart;
                    try {
                        bbart = fsContent.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_EMAIL_MSG);
--- a/thunderbirdparser/src/org/sleuthkit/autopsy/thunderbirdparser/layer.xml
+++ b/thunderbirdparser/src/org/sleuthkit/autopsy/thunderbirdparser/layer.xml
@ -5,7 +5,7 @@
        <file name="org-sleuthkit-autopsy-thunderbirdparser-ThunderbirdMboxFilervice.instance">
            <attr name="instanceOf" stringvalue="org.sleuthkit.autopsy.ingest.IngestServiceAbstractFile"/>
            <attr name="instanceCreate" methodvalue="org.sleuthkit.autopsy.thunderbirdparser.ThunderbirdMboxFileIngestService.getDefault"/>
-            <attr name="position" intvalue="1100"/>
+            <attr name="position" intvalue="1050"/>
        </file>
    </folder>
-    </filesystem>
+</filesystem>