• Home
  • History
  • Annotate
Name Date Size #Lines LOC

..03-May-2022-

res/H03-May-2022-

CHANGELOGH A D03-Mar-20070

COPYINGH A D03-Mar-200714.8 KiB281237

INSTALLH A D03-Mar-2007648 3617

READMEH A D14-Jun-20073.4 KiB11377

TODOH A D03-Mar-20070

setup.pyH A D03-May-2022559 1615

vinettoH A D03-May-202215.3 KiB389289

vinreport.pyH A D03-May-20228.3 KiB228180

vinutils.pyH A D03-Mar-20074.3 KiB162123

README

1                                  Vinetto
2
3                       http://vinetto.sourceforge.net
4
5                     Michel Roukine <rukin@users.sf.net>
6
7
8
9Version beta 0.07 (June 14 2007)
10------------------
11
12Introduction
13------------
14
15Vinetto is a forensics tool to examine Thumbs.db files.
16It is a command line python script that works on Linux, Mac OS X and
17Cygwin(win32).
18
19
20License
21-------
22
23This program is distributed under the GNU General Public License - see the
24accompanying COPYING file for more details.
25
26
27Thanks
28------
29Many thanks to Christophe Monniez (d-fence.be) for the idea of this tool and
30for his encouragements.
31
32The vinetto code was written with grateful thanks to Martin Schwartz, author of
33Laola and its Hacking guide to the binary structure of Ole / Compound Documents.
34
35
36Project overview
37----------------
381 - Context : The Windows systems (98, ME, 2000 and XP) can store thumbnails
39and metadata of the picture files contained in the directories of its FAT32 or
40NTFS filesystems.
41Thumbnails and associated metadata are stored in Thumbs.db files.
42Thumbs.db files are undocumented OLE structured files.
43
44Once a picture file has been deleted from the filesystem, the related thumbnail
45and associated metada remain stored in the Thumbs.db file. So, the data
46contained in those thumbs.db files are an helpful source of information for the
47forensics investigator.
48
492 - What the software is intended to do : Vinetto extracts thumbnails and
50associated metadata from the Thumbs.db files.
51
52Moreover [when vinetto will be 0.98 beta] it will function according to three
53modes:
54  -> elementary mode : in this mode vinetto will only extract thumbnails and
55     metadata from chosen Thumbs.db file.
56  -> directory mode : in this mode vinetto will check for consistency between
57     directory content and related Thumbs.db file i.e. it will report
58     thumbnails that have a missing associated file into the directory.
59  -> filesystem mode : in this mode vinetto will process whole FAT or NTFS
60     partition.
61
623 - What purpose it will serve : Vinetto will help *nix-based forensics
63investigators to :
64  -> easily preview thumbnails of deleted pictures on Windows systems,
65  -> obtain informations (dates, path, ...) about those deleted images.
66
674 - Misc. : Vinetto is intended to be integrated into forensics liveCD like
68FCCU GNU/Linux Forensic Boot CD.
69
70
71Requirements
72------------
73
74Python-2.3 or later.
75
76PIL (Python Imaging Library) 1.1.5 or later. PIL is used to attempt correct
77reconstitution the Type 1 thumbnails.
78
79
80Current known limitations
81-------------------------
82
83AFAIK Windows(R)(TM) uses two format types to store thumbnails in its Thumbs.db
84files.
85I called these formats Type 1 and Type 2.
86Type 2 is compliant to jpeg format. But Type 1 seems to be a family of
87jpeg-alike formats with special headers, huffman and quantization tables.
88
89*** Currently, vinetto does not manage to reconstitute correctly some Type 1
90thumbnails. ***
91
92
93Usage
94-----
95
96usage: vinetto [OPTIONS] [-s] [-U] [-o DIR] file
97
98options:
99  --version   show program's version number and exit
100  -h, --help  show this help message and exit
101  -o DIR      write thumbnails to DIR
102  -H          write html report to DIR
103  -U          use utf8 encodings
104  -s          create symlink of the image realname to the numbered name in
105              DIR/.thumbs
106
107
108	Metadata list will be written on standard output.
109
110--------------
111June 14 2007
112Michel Roukine
113