

sepinf-inc#2286: better handling InstantMessages with 2 attachments
aberenguel committed Aug 17, 2024
1 parent c26e10e commit ce4898f
Showing 2 changed files with 37 additions and 29 deletions.
42 changes: 22 additions & 20 deletions iped-engine/src/main/java/iped/engine/datasource/UfedXmlReader.java
Expand Up @@ -1139,30 +1139,32 @@ else if ("Participants".equalsIgnoreCase(role)) {
processItem(item);
}
// If item is a MESSAGE with seen attachments, try to process them
List<Item> seenAttachs = seenAttachsPerId.get(item.getId());
if (seenAttachs != null && numInstantMsgAttachs > 1) {
// If msg has more than 1 (seen/added) attach, add all of them to the case again for now.
// This duplicates those attachs, but today we can't update indexed items properties.
itemSeq.add(item);
for (Item attach : seenAttachs) {
processItem(attach);
}
itemSeq.remove(itemSeq.size() - 1);
} else if (seenAttachs != null && seenAttachs.size() == 1) {
Item attach = seenAttachs.get(0);
item.getMetadata().add(ExtraProperties.LINKED_ITEMS, ESCAPED_UFED_ID + ":" + prevUfedId);
// Since this attach was already seen/added to case, skip it, but copy its props to parent message
for (String key : attach.getMetadata().names()) {
if (key.startsWith(ExtraProperties.UFED_META_PREFIX) && item.getMetadata().get(key) == null) {
for (String value : attach.getMetadata().getValues(key)) {
item.getMetadata().add(key, value);
List<Item> seenAttachs = seenAttachsPerId.remove(item.getId());
if (seenAttachs != null) {
if (numInstantMsgAttachs > 1) {
// If msg has more than 1 (seen/added) attach, add seen of them to the case
itemSeq.add(item);
for (Item attach : seenAttachs) {
processItem(attach);
}
itemSeq.remove(itemSeq.size() - 1);
} else if (seenAttachs.size() == 1) {
// Since this attach was already seen, skip it and copy its props to parent message
Item attach = seenAttachs.get(0);
for (String key : attach.getMetadata().names()) {
if (key.startsWith(ExtraProperties.UFED_META_PREFIX) && item.getMetadata().get(key) == null
|| ExtraProperties.LINKED_ITEMS.equals(ExtraProperties.LINKED_ITEMS)) {
for (String value : attach.getMetadata().getValues(key)) {
item.getMetadata().add(key, value);
}
}
}
item.setHasChildren(false);

// attach was skipped, decrement counter
caseData.incDiscoveredEvidences(-1);
}
// item skipped, decrement counter
caseData.incDiscoveredEvidences(-1);
}
seenAttachsPerId.remove(item.getId());
} else {
// item skipped, decrement counter
caseData.incDiscoveredEvidences(-1);
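Review bot: The added condition `|| ExtraProperties.LINKED_ITEMS.equals(ExtraProperties.LINKED_ITEMS)` compares the constant with itself, so it is always true and every metadata key of the seen attachment is copied onto the parent message, including keys the message already has. The intent appears to be copying UFED-prefixed keys that are absent plus the linked-items key, which would be `|| ExtraProperties.LINKED_ITEMS.equals(key)) {`, ideally with the `&&` clause parenthesised so the precedence is explicit. As written, attachment properties are merged into the message metadata unfiltered, which changes what the case records for that message. The enclosing method starts and ends outside this hunk.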
Expand Up @@ -10,7 +10,6 @@
import java.util.Date;
import java.util.HashMap;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
Expand Down Expand Up @@ -140,27 +139,34 @@ public void parse(InputStream inputStream, ContentHandler handler, Metadata meta

if (itemMgs != null) {
for (IItemReader msg : itemMgs) {
Iterator<IItemReader> subItems = null;
ArrayList<IItemReader> subitems = new ArrayList<IItemReader>();
String[] attachRefs = msg.getMetadata().getValues(ExtraProperties.LINKED_ITEMS);
if (attachRefs.length > 0) {
// look for attachments in linkedItems, excluding replied message reference
String attachQuery = Arrays.asList(attachRefs).stream().collect(Collectors.joining(" ")); //$NON-NLS-1$
String attachQuery = "(" + Arrays.asList(attachRefs).stream().collect(Collectors.joining(") (")) + ")";
attachQuery += " && -" + BasicProps.CONTENTTYPE + ":\"" + MediaTypes.UFED_MESSAGE_MIME.toString() + "\"";
subItems = searcher.searchIterable(attachQuery).iterator();
searcher.searchIterable(attachQuery).forEach(subitems::add);
}
if ((subItems == null || !subItems.hasNext()) && msg.hasChildren()) {
if (msg.hasChildren()) {
// look for attachments in children, considering contacts and attachment items
String contactQuery = BasicProps.PARENTID + ":" + msg.getId() + " && " + BasicProps.CONTENTTYPE + ":(\""
+ MediaTypes.UFED_CONTACT_MIME.toString() + "\" \"" + MediaTypes.UFED_MESSAGE_ATTACH_MIME.toString() + "\")";
subItems = searcher.searchIterable(contactQuery).iterator();
for (IItemReader attach : searcher.searchIterable(contactQuery)) {
String[] subitemRefs = attach.getMetadata().getValues(ExtraProperties.LINKED_ITEMS);
if (subitemRefs.length > 0) {
String subitemRefsQuery = "(" + Arrays.asList(subitemRefs).stream().collect(Collectors.joining(") (")) + ")";
searcher.searchIterable(subitemRefsQuery).forEach(subitems::add);
} else {
subitems.add(attach);
}
}
}
if (subItems == null || !subItems.hasNext()) {
if (subitems.isEmpty()) {
UfedMessage m = createMessage(msg);
messages.add(m);
} else {
HashSet<String> uuids = new HashSet<>();
while (subItems.hasNext()) {
IItemReader subitem = subItems.next();
for (IItemReader subitem : subitems) {
if (uuids.add(subitem.getMetadata().get(ExtraProperties.UFED_META_PREFIX + "id"))) {
UfedMessage m = createMessage(msg, subitem);
messages.add(m);
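Review bot: `subitemRefsQuery` is built by joining raw `LINKED_ITEMS` metadata values into query text, and unlike `attachQuery` a few lines above it carries no content-type restriction. Those values presumably derive from identifiers in the parsed extraction, so a value containing query syntax (an unbalanced parenthesis, an operator, another field name) would either make the search fail or match items unrelated to the message. Consider checking each reference against the expected `field:id` shape before joining, and appending the same exclusion used for `attachQuery`, e.g. `subitemRefsQuery += " && -" + BasicProps.CONTENTTYPE + ":\"" + MediaTypes.UFED_MESSAGE_MIME.toString() + "\"";`. The body of `parse` begins and ends outside the hunk.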