puffyCid / artemis

A cross platform forensic parser written in Rust!
MIT License

Initial implementation for Outlook parser #173

Closed puffyCid closed 1 month ago

puffyCid commented 1 month ago

This very large PR adds initial support for parsing Outlook OST files. The parser is implemented in pure Rust, does not use any Windows APIs, and runs on Linux, macOS, and Windows.

Currently this parser supports extracting the following:

Due to the complexity of the Outlook format, there are some limitations for this parser currently.

  1. Only OST is supported. PST files are not supported yet.
  2. No support for encrypted/password protected OST files. Decryption is not supported yet.
  3. No TypeScript API yet
  4. Only emails, attachments, and calendar meetings are exported right now. Exporting other data will be possible once the TypeScript API is created

In addition, some parts of the parser are incomplete and will be added in a future PR:

  1. Scanning messages and/or attachments using Yara-X
  2. Exporting messages before and/or after specific dates
  3. Exporting the message store
  4. Combine the Name to ID Map with properties
  5. Add properties to the output

codecov[bot] commented 1 month ago

Codecov Report

Attention: Patch coverage is 82.47387% with 1006 lines in your changes missing coverage. Please review.

Project coverage is 84.99%. Comparing base (3295711) to head (dc0b437). Report is 1 commits behind head on main.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| ...src/artifacts/os/windows/outlook/tables/context.rs | 62.19% | 313 Missing :warning: |
| ...rc/artifacts/os/windows/outlook/tables/property.rs | 79.40% | 139 Missing :warning: |
| core/src/artifacts/os/windows/outlook/parser.rs | 75.00% | 97 Missing :warning: |
| core/src/artifacts/os/windows/outlook/helper.rs | 90.55% | 66 Missing :warning: |
| ...re/src/artifacts/os/windows/outlook/pages/btree.rs | 88.57% | 45 Missing :warning: |
| .../src/artifacts/os/windows/outlook/items/message.rs | 86.68% | 39 Missing :warning: |
| core/src/artifacts/collection.rs | 33.92% | 37 Missing :warning: |
| ...e/src/artifacts/os/windows/outlook/blocks/block.rs | 77.01% | 37 Missing :warning: |
| ...artifacts/os/windows/outlook/blocks/descriptors.rs | 79.88% | 35 Missing :warning: |
| .../src/artifacts/os/windows/outlook/tables/header.rs | 83.62% | 28 Missing :warning: |

... and 19 more

Additional details and impacted files

```diff
@@            Coverage Diff             @@
##             main     #173      +/-   ##
==========================================
+ Coverage   84.70%   84.99%   +0.28%
==========================================
  Files         486      508      +22
  Lines       54943    62124    +7181
==========================================
+ Hits        46541    52801    +6260
- Misses       8402     9323     +921
```