News

• Mark McKinnon posted a vinetto entry on his blog. In this post, Mark shows us how to have vinetto working under win32.

• Vinetto 0.07 beta released   Added utf8 support and symlinks from real filenames to numbered filenames. Thanks to Kfir Lavi for these patches.

• Test of Vinetto by Jean-François Beckers  This article describes a test in which a Thumbs.db file was created and examined by Vinetto. It comes with an example of output report.

• Vinetto 0.06 alpha released  Fixed issue related to missing entries in the Catalog : A thumbnail that have no corresponding entry in the Catalog didn't show in the html report.

• Vinetto 0.05 alpha released  Fixed bug in filename of extracted thumbnails.
  This bug occured when the order of extraction differs from ther order in the Catalog.
  This bug prevented correct mapping of filename to index number.
  This bug was discovered following a very relevant question of farmerdude. Thanks :)

• Starting a vinetto documentation page :  docs

• Vinetto 0.04 alpha released  New in this release are:
  • Optional HTML report generation for previewing extracted thumbnails [-H option].
  • Port to Mac OS X (PPC).
  • Slight optimizations.

Project overview

1 - Context : The Windows systems (98, ME, 2000, XP and 2003 Server) can store thumbnails and metadata of the picture files contained in the directories of its FAT32 or NTFS filesystems.
The thumbnails and associated metadata are stored in Thumbs.db files.
The Thumbs.db files are undocumented OLE structured files.

Once a picture file has been deleted from the filesystem, the related thumbnail and associated metada remain stored in the Thumbs.db file. So, the data contained in those thumbs.db files are an helpful source of information for the forensics investigator.

2 - What the software is intended to do : Vinetto extracts the thumbnails and associated metadata from the Thumbs.db files.

Moreover [when vinetto will be 0.98 beta] it runs according to three modes:
  -> elementary mode : in this mode vinetto extracts thumbnails and metadata from a chosen Thumbs.db file.
  -> directory mode : in this mode vinetto checks for consistency between the content of the directory and the related Thumbs.db file i.e. it will report the thumbnails that are not associated to a file into the directory.
  -> filesystem mode : in this mode vinetto will process the whole FAT or NTFS partition.

3 - What purpose it will serve : Vinetto will help *nix-based forensics investigators to :
  -> easily preview thumbnails of deleted pictures on Windows systems,
  -> obtain informations (dates, path, ...) about those deleted images.

4 - Misc. : Vinetto is intended to be integrated into forensics liveCD like FCCU GNU/Linux Forensic Boot CD.

Known limitations / issues / bugs

Please report bugs to rukin at users dot sourceforge dot net.

Requirements

Usage

options:
  --version   show program's version number and exit
  -h, --help  show this help message and exit
  -o DIR      write thumbnails to DIR
  -H          write html report to DIR
  -U          use utf8 encodings
  -s          create symlink of the image realname to the numbered name in
              DIR/.thumbs

Examples

    $ vinetto /path/to/Thumbs.db

    $ vinetto -o /tmp/vinetto_output /path/to/Thumbs.db

    $ vinetto -Ho /tmp/vinetto_output /path/to/Thumbs.db

    $ find /mnt/hda2 -iname thumbs.db -printf "\n==\n %p \n\n" -exec vinetto {} \; 2>/tmp/vinetto_err.log >/tmp/vinetto_hda2.txt

Thanks

Many thanks to Christophe Monniez (d-fence.be) for the idea of this tool and for his encouragements.

The vinetto code was written with grateful thanks to Martin Schwartz, author of Laola and its Hacking guide to the binary structure of Ole / Compound Documents.

License

Download

Author : Michel Roukine e-mail: rukin at users dot sourceforge dot net

This page was last updated on