Vinetto

Vinetto is a forensics tool to examine Thumbs.db files.
It is a command line python script that works on Linux, Mac OS X and Cygwin(win32).
 

Project overview
Known limitations / issues / bugs
Requirements
Usage
Examples
Thanks
License
Download
Documentation


Project overview

1 - Context : Windows systems (98, ME, 2000, XP and 2003 Server) can store thumbnails and metadata of the picture files contained in the directories of their FAT32 or NTFS filesystems.
The thumbnails and associated metadata are stored in Thumbs.db files.
The Thumbs.db files are undocumented OLE structured files.

Once a picture file has been deleted from the filesystem, the related thumbnail and associated metadata remain stored in the Thumbs.db file. So the data contained in those Thumbs.db files are a helpful source of information for the forensics investigator.

2 - What the software is intended to do : Vinetto extracts the thumbnails and associated metadata from the Thumbs.db files.

Moreover, once vinetto reaches 0.98 beta, it will run in three modes:
  -> elementary mode : in this mode vinetto extracts thumbnails and metadata from a chosen Thumbs.db file.
  -> directory mode : in this mode vinetto checks for consistency between the content of a directory and the related Thumbs.db file, i.e. it reports the thumbnails that are not associated with any file in the directory.
  -> filesystem mode : in this mode vinetto processes the whole FAT or NTFS partition.

3 - What purpose it will serve : Vinetto will help *nix-based forensics investigators to :
  -> easily preview thumbnails of pictures deleted from Windows systems,
  -> obtain information (dates, path, ...) about those deleted images.

4 - Misc. : Vinetto is intended to be integrated into forensics live CDs such as the FCCU GNU/Linux Forensic Boot CD.


Known limitations / issues / bugs

1 - Windows(R)(TM) stores thumbnails in its Thumbs.db files according to various formats (see docs page).
At present, vinetto does not produce an excellent reconstruction of Type 1a thumbnails.
-> If you have some hints or experience with proprietary JPEG-based formats and would like to help, please don't hesitate to mail rukin at users dot sourceforge dot net. Thanks a lot.

Please note : vinetto is currently distributed as an alpha version. That means it is mainly released for testing or experimentation purposes. It can be helpful during the computer investigation process, but its results must be confirmed with results from other tools/methods.

Please report bugs to rukin at users dot sourceforge dot net.


Requirements

-> Python-2.3 or later.
-> PIL (Python Imaging Library) 1.1.5 or later. PIL is used to attempt correct reconstitution of the Type 1 thumbnails.

Usage

Usage: vinetto [OPTIONS] [-s] [-U] [-o DIR] file
options:
  --version   show program's version number and exit
  -h, --help  show this help message and exit
  -o DIR      write thumbnails to DIR
  -H          write html report to DIR
  -U          use utf8 encodings
  -s          create symlink of the image realname to the numbered name in
              DIR/.thumbs

    Metadata list will be written on standard output.

Examples

Here are a few examples of how to use the vinetto command :

How to display metadata contained within a Thumbs.db file
    $ vinetto /path/to/Thumbs.db
How to extract the related thumbnails to a directory
    $ vinetto -o /tmp/vinetto_output /path/to/Thumbs.db
How to extract the related thumbnails to a directory and produce an HTML report for previewing these thumbnails in your favorite browser
    $ vinetto -Ho /tmp/vinetto_output /path/to/Thumbs.db
How to get a metadata report on all non-deleted Thumbs.db files contained within a partition
    $ find /mnt/hda2 -iname thumbs.db -printf "\n==\n %p \n\n" -exec vinetto {} \; 2>/tmp/vinetto_err.log >/tmp/vinetto_hda2.txt
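As an added example (not part of the vinetto project), a shell wrapper that extends the partition-wide report above: instead of one concatenated text file, it gives every Thumbs.db found under a mount point its own numbered output directory holding the source path, a SHA-256 of the source file, the thumbnails with HTML report, and the metadata listing, plus a single index of which files processed cleanly. It assumes the mount point is read-only evidence, that `vinetto` is on PATH, and that GNU `sha256sum` is available.

```shell
#!/bin/sh
# Hypothetical helper, not part of vinetto. Usage:
#   batch_vinetto /mnt/hda2 /tmp/vinetto_output
batch_vinetto() {
    root=$1   # mount point of the evidence partition (mounted read-only)
    out=$2    # output root; one numbered directory per Thumbs.db
    mkdir -p "$out" || return 1
    n=0
    # -iname matches Thumbs.db regardless of case; sort keeps numbering stable
    find "$root" -type f -iname thumbs.db -print | sort | while IFS= read -r f; do
        n=$((n + 1))
        d=$out/$(printf '%04d' "$n")
        mkdir -p "$d/thumbs"
        # record where the file came from and what it hashed to before any tool touches it
        printf '%s\n' "$f" > "$d/source_path.txt"
        sha256sum "$f" > "$d/source_sha256.txt"
        # same flags as the page's example: thumbnails + HTML report to DIR, metadata to stdout
        if vinetto -H -o "$d/thumbs" "$f" > "$d/metadata.txt" 2> "$d/vinetto_err.log"; then
            status=ok
        else
            status=fail   # keep going; a corrupt Thumbs.db must not stop the sweep
        fi
        printf '%s\t%s\t%s\n' "$status" "$f" "$d" >> "$out/index.tsv"
    done
    # succeed only if at least one Thumbs.db was found and indexed
    [ -f "$out/index.tsv" ]
}
```

Review `index.tsv` for `fail` rows first; their `vinetto_err.log` tells you which files need a second tool, as the alpha notice above recommends.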

Thanks

Many thanks to Christophe Monniez (d-fence.be) for the idea of this tool and for his encouragement.

The vinetto code was written with grateful thanks to Martin Schwartz, author of Laola and its Hacking guide to the binary structure of Ole / Compound Documents.


License

This program is distributed under the GNU General Public License - see the accompanying COPYING file for more details.

Download

http://sourceforge.net/projects/vinetto/
Author : Michel Roukine
e-mail: rukin at users dot sourceforge dot net