5706: Message attachments.

Core/src/org/sleuthkit/autopsy/corecomponents/DataContentViewerArtifact.java

@@ -56,6 +56,10 @@ import org.sleuthkit.datamodel.Content;
 import org.sleuthkit.datamodel.TskCoreException;
 import org.sleuthkit.datamodel.TskException;
 import org.netbeans.swing.etable.ETable;
+import com.google.gson.Gson;
+import com.google.gson.GsonBuilder;
+import com.google.gson.JsonObject;
+import com.google.gson.JsonParser;
 
 /**
  * Instances of this class display the BlackboardArtifacts associated with the
@@ -552,6 +556,16 @@ public class DataContentViewerArtifact extends javax.swing.JPanel implements Dat
                                 value = dateFormatter.format(new java.util.Date(epoch * 1000));
                             }
                             break;
+                        case JSON: 
+                            // @TODO: 5726 - return a multilevel bulleted list instead of prettyprint JSON 
+                            String jsonVal = attr.getValueString();
+                            
+                            JsonParser parser = new JsonParser();
+                            JsonObject json = parser.parse(jsonVal).getAsJsonObject();
+                            Gson gson = new GsonBuilder().setPrettyPrinting().create();
+                            
+                            value = gson.toJson(json);
+                            break;
                     }
                     /*
                      * Attribute sources column.

Core/src/org/sleuthkit/autopsy/datamodel/ArtifactStringContent.java

@@ -122,6 +122,7 @@ public class ArtifactStringContent implements StringContent {
                         case LONG:
                         case DOUBLE:
                         case BYTE:
+                        case JSON:
                         default:
                             value = attr.getDisplayString();
                             break;

Core/src/org/sleuthkit/autopsy/report/modules/portablecase/PortableCaseReportModule.java

@@ -768,6 +768,7 @@ public class PortableCaseReportModule implements ReportModule {
                             oldAttr.getValueLong()));
                     break;
                 case STRING:
+                case JSON:
                     newAttrs.add(new BlackboardAttribute(newAttributeType, String.join(",", oldAttr.getSources()),
                             oldAttr.getValueString()));
                     break;

Core/src/org/sleuthkit/autopsy/test/CustomArtifactType.java

@@ -50,6 +50,8 @@ final class CustomArtifactType {
     private static final String BYTES_ATTR_DISPLAY_NAME = "Custom Bytes";
     private static final String STRING_ATTR_TYPE_NAME = "CUSTOM_STRING_ATTRIBUTE";
     private static final String STRING_ATTR_DISPLAY_NAME = "Custom String";
+    private static final String JSON_ATTR_TYPE_NAME = "CUSTOM_JSON_ATTRIBUTE";
+    private static final String JSON_ATTR_DISPLAY_NAME = "Custom Json";
     private static BlackboardArtifact.Type artifactType;
     private static BlackboardAttribute.Type intAttrType;
     private static BlackboardAttribute.Type doubleAttrType;
@@ -57,6 +59,7 @@ final class CustomArtifactType {
     private static BlackboardAttribute.Type dateTimeAttrType;
     private static BlackboardAttribute.Type bytesAttrType;
     private static BlackboardAttribute.Type stringAttrType;
+    private static BlackboardAttribute.Type jsonAttrType;
 
     /**
      * Adds the custom artifact type, with its associated custom attribute
@@ -73,6 +76,7 @@ final class CustomArtifactType {
         dateTimeAttrType = blackboard.getOrAddAttributeType(DATETIME_ATTR_TYPE_NAME, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME, DATETIME_ATTR_DISPLAY_NAME);
         bytesAttrType = blackboard.getOrAddAttributeType(BYTES_ATTR_TYPE_NAME, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.BYTE, BYTES_ATTR_DISPLAY_NAME);
         stringAttrType = blackboard.getOrAddAttributeType(STRING_ATTR_TYPE_NAME, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING, STRING_ATTR_DISPLAY_NAME);
+        jsonAttrType = blackboard.getOrAddAttributeType(JSON_ATTR_TYPE_NAME, BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.JSON, JSON_ATTR_DISPLAY_NAME);
     }
 
     /**

Experimental/src/org/sleuthkit/autopsy/experimental/autoingest/FileExporterSettingsPanel.java

@@ -244,6 +244,8 @@ public final class FileExporterSettingsPanel extends JPanel {
         comboBoxValueType.addItem(BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.STRING.getLabel());
         comboBoxValueType.addItem(BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.DATETIME.getLabel());
         comboBoxValueType.addItem(BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.BYTE.getLabel());
+        comboBoxValueType.addItem(BlackboardAttribute.TSK_BLACKBOARD_ATTRIBUTE_VALUE_TYPE.JSON.getLabel());
+        
         comboBoxValueType.addItem(UNSET);
 
         load();

InternalPythonModules/android/imo.py

@@ -43,10 +43,14 @@ from org.sleuthkit.datamodel import Content
 from org.sleuthkit.datamodel import TskCoreException
 from org.sleuthkit.datamodel.Blackboard import BlackboardException
 from org.sleuthkit.datamodel import Account
+from org.sleuthkit.datamodel.blackboardutils import FileAttachment
+from org.sleuthkit.datamodel.blackboardutils import URLAttachment
+from org.sleuthkit.datamodel.blackboardutils import MessageAttachments
 from org.sleuthkit.datamodel.blackboardutils import CommunicationArtifactsHelper
 from org.sleuthkit.datamodel.blackboardutils.CommunicationArtifactsHelper import MessageReadStatus
 from org.sleuthkit.datamodel.blackboardutils.CommunicationArtifactsHelper import CommunicationDirection
 
+import json
 import traceback
 import general
 
@@ -66,6 +70,8 @@ class IMOAnalyzer(general.AndroidComponentAnalyzer):
                 -- A messages table which stores the message details
                     --- sender/receiver buid, timestamp, message_type (1: incoming, 0: outgoing), message_read...
                     --- 'imdata' column stores a json structure with all the message details, including attachments
+                    ----  attachment file path may be specified in local_path or original_path.  Original path, if available is a better candidate.
+                    ----  For sent files, files seem to get uploaded to IMO Servers.  There is no URL available in the imdata though.
 
     """
     
@@ -156,7 +162,7 @@ class IMOAnalyzer(general.AndroidComponentAnalyzer):
                             msgReadStatus = MessageReadStatus.UNKNOWN
                                                 
                         timeStamp = messagesResultSet.getLong("timestamp") / 1000000000
-
+                        msgBody = messagesResultSet.getString("last_message")
 
                         messageArtifact = friendsDBHelper.addMessage( 
                                                             self._MESSAGE_TYPE,
@@ -166,12 +172,34 @@ class IMOAnalyzer(general.AndroidComponentAnalyzer):
                                                             timeStamp,
                                                             msgReadStatus,
                                                             "",     # subject
-                                                            messagesResultSet.getString("last_message"),
+                                                            msgBody,
                                                             "")   # thread id
-                                                                                                
-                        # TBD: parse the imdata JSON structure to figure out if there is an attachment.
-                        #      If one exists, add the attachment as a derived file and a child of the message artifact.
 
+                                                                           
+                        # Parse the imdata JSON structure to check if there is an attachment.
+                        # If one exists, create an attachment and add to the message.
+                        fileAttachments = ArrayList()
+                        urlAttachments = ArrayList()
+                          
+                        imdataJsonStr = messagesResultSet.getString("imdata")
+                        if imdataJsonStr is not None:
+                            imdata_dict = json.loads(imdataJsonStr)
+                            
+                            # set to none if the key doesn't exist in the dict
+                            attachmentOriginalPath = imdata_dict.get('original_path', None)
+                            attachmentLocalPath = imdata_dict.get('local_path', None)
+                            if attachmentOriginalPath:
+                                attachmentPath = attachmentOriginalPath
+                            else:
+                                attachmentPath = attachmentLocalPath
+                                
+                            if attachmentPath:
+                                # Create a file attachment with given path
+                                fileAttachment = FileAttachment(current_case.getSleuthkitCase(), friendsDb.getDBFile().getDataSource(), attachmentPath)
+                                fileAttachments.add(fileAttachment)
+                                
+                                msgAttachments = MessageAttachments(fileAttachments, [])
+                                attachmentArtifact = friendsDBHelper.addAttachments(messageArtifact, msgAttachments)
                     
             except SQLException as ex:
                 self._logger.log(Level.WARNING, "Error processing query result for IMO friends", ex)