From 8ed0e48efd783f431fc078079ac0848b51e8f2d9 Mon Sep 17 00:00:00 2001
From: "U-BASIS\\dsmyda"
Date: Wed, 11 Mar 2020 12:07:15 -0400
Subject: [PATCH] Slightly simplified the XRY parser refactor
---
 .../xry/XRYCallsFileParser.java | 50 ++++------
 .../xry/XRYMessagesFileParser.java | 95 ++++++++++++-------
 2 files changed, 82 insertions(+), 63 deletions(-)
diff --git a/Core/src/org/sleuthkit/autopsy/datasourceprocessors/xry/XRYCallsFileParser.java b/Core/src/org/sleuthkit/autopsy/datasourceprocessors/xry/XRYCallsFileParser.java
index d9a34b4e22..04ab92821a 100755
--- a/Core/src/org/sleuthkit/autopsy/datasourceprocessors/xry/XRYCallsFileParser.java
+++ b/Core/src/org/sleuthkit/autopsy/datasourceprocessors/xry/XRYCallsFileParser.java
@@ -202,40 +202,24 @@ final class XRYCallsFileParser extends AbstractSingleEntityParser {
 switch (xryKey) {
 case TEL:
 case NUMBER:
- //Apply the namespace
- switch (xryNamespace) {
- case FROM:
- if (callerId != null) {
- otherAttributes.add(new BlackboardAttribute(
- BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_FROM,
- PARSER_NAME, pair.getValue()));
- } else {
- callerId = pair.getValue();
- }
- break;
- case TO:
- calleeList.add(pair.getValue());
- break;
- default:
- otherAttributes.add(new BlackboardAttribute(
- BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER,
- PARSER_NAME, pair.getValue()));
+ // Apply namespace or direction
+ if (xryNamespace == XryNamespace.FROM || direction == CommunicationDirection.INCOMING) {
+ callerId = pair.getValue();
+ } else if (xryNamespace == XryNamespace.TO || direction == CommunicationDirection.OUTGOING) {
+ calleeList.add(pair.getValue());
+ } else {
+ otherAttributes.add(new BlackboardAttribute(
+ BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER,
+ PARSER_NAME, pair.getValue()));
 }
 break;
- //Although confusing, as these are also 'name spaces', it appears
- //later versions of XRY realized having standardized lines was easier
- //to read.
+ // Although confusing, as these are also 'name spaces', it appears
+ // later versions of XRY just made these standardized lines.
 case TO:
 calleeList.add(pair.getValue());
 break;
 case FROM:
- if (callerId != null) {
- otherAttributes.add(new BlackboardAttribute(
- BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_FROM,
- PARSER_NAME, pair.getValue()));
- } else {
- callerId = pair.getValue();
- }
+ callerId = pair.getValue();
 break;
 case TIME:
 try {
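Review bot: In the `TEL`/`NUMBER` branch the direction test is OR-ed into the namespace test, so a number whose namespace is `TO` is stored as `callerId` whenever `direction` is already `INCOMING`; the explicit namespace should be checked first and direction used only as a fallback, as sketched below. The same condition appears in the `TEL`/`NUMBER` branch of XRYMessagesFileParser (`senderId` / `recipientIdsList`). Both branches also only work if the direction line was parsed before the number line, and a second `FROM` value now overwrites `callerId` instead of being kept as `TSK_PHONE_NUMBER_FROM`, so a number can disappear from the extracted record without any trace. The enclosing `switch` and the declaration of `direction` lie outside the hunk.

```java
case TEL:
case NUMBER:
    // The namespace on the line itself wins; direction is only a fallback.
    if (xryNamespace == XryNamespace.FROM) {
        callerId = pair.getValue();
    } else if (xryNamespace == XryNamespace.TO) {
        calleeList.add(pair.getValue());
    } else if (direction == CommunicationDirection.INCOMING) {
        callerId = pair.getValue();
    } else if (direction == CommunicationDirection.OUTGOING) {
        calleeList.add(pair.getValue());
    } else {
        // … unchanged: TSK_PHONE_NUMBER attribute …
    }
    break;
```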
@@ -256,6 +240,14 @@ final class XRYCallsFileParser extends AbstractSingleEntityParser {
 direction = CommunicationDirection.OUTGOING;
 }
 break;
+ case TYPE:
+ String typeString = pair.getValue();
+ if (typeString.equalsIgnoreCase("received")) {
+ direction = CommunicationDirection.INCOMING;
+ } else if (typeString.equalsIgnoreCase("dialed")) {
+ direction = CommunicationDirection.OUTGOING;
+ }
+ break;
 default:
 //Otherwise, the XryKey enum contains the correct BlackboardAttribute
 //type.
@@ -295,7 +287,7 @@ final class XRYCallsFileParser extends AbstractSingleEntityParser {
 // If the DIRECTION check failed, just manually create accounts
 // for these phones. Note, there is no need to create relationships.
 // If both callerId and calleeList were non-null/non-empty, then
- // the check above would have directed us to the else block.
+ // it would have been a valid combination.
 if (callerId != null) {
 currentCase.getCommunicationsManager().createAccountFileInstance(
 Account.Type.PHONE, callerId, PARSER_NAME, parent);
diff --git a/Core/src/org/sleuthkit/autopsy/datasourceprocessors/xry/XRYMessagesFileParser.java b/Core/src/org/sleuthkit/autopsy/datasourceprocessors/xry/XRYMessagesFileParser.java
index 568ba801a1..d29b5238b8 100755
--- a/Core/src/org/sleuthkit/autopsy/datasourceprocessors/xry/XRYMessagesFileParser.java
+++ b/Core/src/org/sleuthkit/autopsy/datasourceprocessors/xry/XRYMessagesFileParser.java
@@ -40,6 +40,7 @@ import java.util.logging.Level;
 import org.sleuthkit.autopsy.coreutils.Logger;
 import org.sleuthkit.datamodel.Account;
 import org.sleuthkit.datamodel.Blackboard.BlackboardException;
+import org.sleuthkit.datamodel.BlackboardArtifact;
 import org.sleuthkit.datamodel.BlackboardAttribute;
 import org.sleuthkit.datamodel.Content;
 import org.sleuthkit.datamodel.SleuthkitCase;
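Review bot: The new `case TYPE:` consumes the value without recording it, so any type string other than "received" or "dialed" is dropped from the output. Judging by the comment on `default:`, a `TYPE` line presumably reached the default branch before this change and was kept as an attribute; that mapping is outside the hunk, so confirm it. Consider keeping the raw value when it is not recognised, and document the intent with a comment such as `// TYPE only carries direction for "received"/"dialed"; any other value is kept as a plain attribute.` The comparison also runs on the untrimmed `pair.getValue()`, and whether the DIRECTION case above normalises its value is not visible here.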
@@ -313,37 +314,23 @@ final class XRYMessagesFileParser implements XRYFileParser {
 switch (key) {
 case TEL:
 case NUMBER:
- switch (namespace) {
- case FROM:
- if(senderId != null) {
- otherAttributes.add(new BlackboardAttribute(
- BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_FROM,
- PARSER_NAME, pair.getValue()));
- } else {
- senderId = pair.getValue();
- }
- break;
- case TO:
- case PARTICIPANT:
- recipientIdsList.add(pair.getValue());
- break;
- default:
- otherAttributes.add(new BlackboardAttribute(
+ // Apply namespace or direction
+ if(namespace == XryNamespace.FROM || direction == CommunicationDirection.INCOMING) {
+ senderId = pair.getValue();
+ } else if(namespace == XryNamespace.TO || direction == CommunicationDirection.OUTGOING) {
+ recipientIdsList.add(pair.getValue());
+ } else {
+ currentCase.getCommunicationsManager().createAccountFileInstance(
+ Account.Type.PHONE, pair.getValue(), PARSER_NAME, parent);
+ otherAttributes.add(new BlackboardAttribute(
 BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER,
 PARSER_NAME, pair.getValue()));
 }
 break;
- //Although confusing, as these are also 'name spaces', it appears
- //later versions of XRY realized having standardized lines was easier
- //to read.
+ // Although confusing, as these are also 'name spaces', it appears
+ // later versions of XRY just made these standardized lines.
 case FROM:
- if(senderId != null) {
- otherAttributes.add(new BlackboardAttribute(
- BlackboardAttribute.ATTRIBUTE_TYPE.TSK_PHONE_NUMBER_FROM,
- PARSER_NAME, pair.getValue()));
- } else {
- senderId = pair.getValue();
- }
+ senderId = pair.getValue();
 break;
 case TO:
 recipientIdsList.add(pair.getValue());
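Review bot: Numbers in the `PARTICIPANT` namespace are no longer added to `recipientIdsList`: the removed `switch` handled `case TO:` and `case PARTICIPANT:` together, while the new `else if` tests only `XryNamespace.TO`. A participant is now treated as sender or recipient purely according to `direction`, and when the direction is unknown it falls into the final `else` and is recorded only as a generic `TSK_PHONE_NUMBER`. If that is intended, a comment should say so; otherwise extend the test to `} else if(namespace == XryNamespace.TO || namespace == XryNamespace.PARTICIPANT || direction == CommunicationDirection.OUTGOING) {`. The enclosing `switch` continues outside the hunk.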
@@ -405,12 +392,16 @@ final class XRYMessagesFileParser implements XRYFileParser {
 text = pair.getValue();
 break;
 case DIRECTION:
- if (normalizedValue.equals("incoming")) {
- direction = CommunicationDirection.INCOMING;
- } else if (normalizedValue.equals("outgoing")) {
- direction = CommunicationDirection.OUTGOING;
- } else {
- direction = CommunicationDirection.UNKNOWN;
+ switch (normalizedValue) {
+ case "incoming":
+ direction = CommunicationDirection.INCOMING;
+ break;
+ case "outgoing":
+ direction = CommunicationDirection.OUTGOING;
+ break;
+ default:
+ direction = CommunicationDirection.UNKNOWN;
+ break;
 }
 break;
 default:
@@ -428,11 +419,47 @@ final class XRYMessagesFileParser implements XRYFileParser {
 }
 }
- CommunicationArtifactsHelper helper = new CommunicationArtifactsHelper(
+ // Make sure we have the required fields.
+ // This combination is invalid.
+ if(senderId == null && recipientIdsList.isEmpty()) {
+ // Create the artifact manually..
+ if (direction != CommunicationDirection.UNKNOWN) {
+ otherAttributes.add(new BlackboardAttribute(
+ BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DIRECTION,
+ PARSER_NAME, direction.getDisplayName()));
+ }
+
+ if (dateTime > 0L) {
+ otherAttributes.add(new BlackboardAttribute(
+ BlackboardAttribute.ATTRIBUTE_TYPE.TSK_DATETIME_START,
+ PARSER_NAME, dateTime));
+ }
+
+ if(readStatus != MessageReadStatus.UNKNOWN) {
+ otherAttributes.add(new BlackboardAttribute(
+ BlackboardAttribute.ATTRIBUTE_TYPE.TSK_READ_STATUS,
+ PARSER_NAME, (readStatus == MessageReadStatus.READ) ? 1 : 0));
+ }
+
+ if(text != null) {
+ otherAttributes.add(new BlackboardAttribute(
+ BlackboardAttribute.ATTRIBUTE_TYPE.TSK_TEXT,
+ PARSER_NAME, text));
+ }
+
+ if (!otherAttributes.isEmpty()) {
+ BlackboardArtifact artifact = parent.newArtifact(BlackboardArtifact.ARTIFACT_TYPE.TSK_MESSAGE);
+ artifact.addAttributes(otherAttributes);
+
+ currentCase.getBlackboard().postArtifact(artifact, PARSER_NAME);
+ }
+ } else {
+ CommunicationArtifactsHelper helper = new CommunicationArtifactsHelper(
 currentCase, PARSER_NAME, parent, Account.Type.PHONE);
- helper.addMessage(messageType, direction, senderId, recipientIdsList,
+ helper.addMessage(messageType, direction, senderId, recipientIdsList,
 dateTime, readStatus, subject, text, threadId, otherAttributes);
+ }
 }
 }
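Review bot: The manual branch for a message with no sender and no recipients builds the artifact from direction, time, read status and text only, so `messageType`, `subject` and `threadId` are left out of the `TSK_MESSAGE` artifact even though the `else` branch passes all three to `helper.addMessage`. Add them to `otherAttributes` before the artifact is created, as sketched below. The variables are declared outside the hunk, so their types and the null checks are assumptions to confirm. The time is also stored as `TSK_DATETIME_START`; check that this is the attribute the helper writes for messages, otherwise artifacts from the two paths will not line up when they are sorted or filtered by time.

```java
// … unchanged: direction, date/time, read status and text attributes …
if (messageType != null) {
    otherAttributes.add(new BlackboardAttribute(
            BlackboardAttribute.ATTRIBUTE_TYPE.TSK_MESSAGE_TYPE,
            PARSER_NAME, messageType));
}
if (subject != null) {
    otherAttributes.add(new BlackboardAttribute(
            BlackboardAttribute.ATTRIBUTE_TYPE.TSK_SUBJECT,
            PARSER_NAME, subject));
}
if (threadId != null) {
    otherAttributes.add(new BlackboardAttribute(
            BlackboardAttribute.ATTRIBUTE_TYPE.TSK_THREAD_ID,
            PARSER_NAME, threadId));
}
// … unchanged: create and post the TSK_MESSAGE artifact …
```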