Test of VINETTO
Introduction
Vinetto is a forensics tool, written by Michel ROUKINE, to examine Thumbs.db files.
The program is distributed under the GNU General Public License - see the
accompanying COPYING file for more details.
Windows systems (98, ME, 2000 and XP) can store thumbnails
and metadata of the picture files contained in the directories of their FAT32 or
NTFS filesystems.
Thumbnails and associated metadata are stored in Thumbs.db files.
Thumbs.db files are undocumented OLE structured files.
Once a picture file has been deleted from the filesystem, the related thumbnail
and associated metadata remain stored in the Thumbs.db file. So, the data
contained in those Thumbs.db files are a helpful source of information for the
forensics investigator.
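Added example (not part of the original article and not vinetto's code): since a Thumbs.db is an OLE structured file, its container layer can be inspected on its own, without interpreting the thumbnail streams. This Python 3 code lists the directory entries (names, types, sizes) of an OLE file using the header and directory offsets of Microsoft's published compound file layout. The stream names and sizes in build_sample() are constructed, and only FAT sectors referenced from the header are followed.

```python
import struct

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")        # compound-file signature
FREE, ENDOFCHAIN, FATSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD
TYPES = {1: "storage", 2: "stream", 5: "root"}

def list_ole_entries(data):
    """Return [(name, type, size)] for every directory entry in an OLE file."""
    if len(data) < 512 or data[:8] != OLE_MAGIC:
        raise ValueError("not an OLE compound file")
    size = 1 << struct.unpack_from("<H", data, 0x1E)[0]   # sector size (512 for v3)
    first_dir = struct.unpack_from("<I", data, 0x30)[0]
    def sector(n):                                   # sector 0 starts after the header
        return data[(n + 1) * size:(n + 2) * size]
    fat = []                                         # FAT built from the 109 header DIFAT slots
    for s in struct.unpack_from("<109I", data, 0x4C):
        if s <= 0xFFFFFFFA and len(sector(s)) == size:
            fat.extend(struct.unpack("<%dI" % (size // 4), sector(s)))
    entries, sid, seen = [], first_dir, set()
    while sid < len(fat) and sid not in seen:        # stops at ENDOFCHAIN or on a loop
        seen.add(sid)
        sec = sector(sid)
        for off in range(0, len(sec) - 127, 128):    # 128-byte directory entries
            name_len, etype = struct.unpack_from("<HB", sec, off + 0x40)
            if etype in TYPES:                       # skip unused slots
                end = off + max(min(name_len, 64) - 2, 0)
                name = sec[off:end].decode("utf-16-le", "replace")
                entries.append((name, TYPES[etype], struct.unpack_from("<I", sec, off + 0x78)[0]))
        sid = fat[sid]
    return entries

def _entry(name, etype, start, size):                # one 128-byte directory entry
    raw = (name + "\0").encode("utf-16-le") if name else b""
    return (raw.ljust(64, b"\0") + struct.pack("<HBB3I", len(raw), etype, 1, FREE, FREE, FREE)
            + bytes(36) + struct.pack("<IQ", start, size))

def build_sample():
    """Constructed container: header, one FAT sector, one directory sector (no stream data)."""
    header = (OLE_MAGIC + bytes(16) + struct.pack("<5H", 0x3E, 3, 0xFFFE, 9, 6) + bytes(6)
              + struct.pack("<9I", 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
              + struct.pack("<109I", 0, *[FREE] * 108))
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *[FREE] * 126)
    directory = (_entry("Root Entry", 5, ENDOFCHAIN, 0) + _entry("Catalog", 2, 0, 340)
                 + _entry("1", 2, 0, 3816) + _entry("", 0, 0, 0))
    return header + fat + directory

if __name__ == "__main__":
    for name, kind, size in list_ole_entries(build_sample()):
        print("%-12s %-8s %d bytes" % (name, kind, size))
```

On a real file, pass the bytes of the Thumbs.db (opened in binary mode); more stream entries than pictures currently present in the folder suggests that thumbnails of deleted files are still stored.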
Creation of thumbs.db
I created a folder on my Winbox and placed 24 pictures.
A Thumbs.db is created by the system, and now I will delete some of the files. Folder content: 15 pictures.
Test vinetto
After rebooting into Linux and mounting the Win partition, I can test vinetto.
First of all, get and install vinetto on the system!
Requirements :
- Python-2.3 or later.
- PIL (Python Imaging Library) 1.1.5 or later. PIL is used to attempt correct
reconstitution of the Type 1 thumbnails.
To install vinetto, run the following commands as a super user:
tar xvzf vinetto-XXX.tar.gz
cd vinetto-XXX
python setup.py install
This will install vinetto in the appropriate path and its resource files in /usr/share/vinetto.
Verify that it works:
lnx:/vinetto # vinetto -h
usage: vinetto [OPTIONS] [-o DIR] file
options:
  --version   show program's version number and exit
  -h, --help  show this help message and exit
  -o DIR      write thumbnails to DIR
  -H          write html report to DIR
I mount the Win partition and create a destination directory to save my thumbs : thumbs_my-shoot.
OK, now let vinetto extract the thumbs to "thumbs_my-shoot" and produce an HTML report of the file:
"/Documents and Settings/jfbeckers/Desktop/my_shoots/Thumbs.db".
vinetto -H -o thumbs_my-shoot "/Documents and Settings/jfbeckers/Desktop/my_shoots/Thumbs.db"
Take a look at the report! It's good, and it will also display information relative to the pictures:
Output report
Jean-Francois BECKERS : jf.beckers@fccu.be
12 May 2006