Vinetto

http://vinetto.sourceforge.net

Michel Roukine <rukin@users.sf.net>



Version beta 0.07 (June 14 2007)
--------------------------------

Introduction
------------

Vinetto is a forensics tool to examine Thumbs.db files.
It is a command line python script that works on Linux, Mac OS X and
Cygwin (win32).


License
-------

This program is distributed under the GNU General Public License - see the
accompanying COPYING file for more details.


Thanks
------
Many thanks to Christophe Monniez (d-fence.be) for the idea of this tool and
for his encouragement.

The vinetto code was written with grateful thanks to Martin Schwartz, author of
Laola and its Hacking guide to the binary structure of Ole / Compound Documents.


Project overview
----------------
1 - Context : Windows systems (98, ME, 2000 and XP) can store thumbnails
and metadata of the picture files contained in the directories of their FAT32
or NTFS filesystems.
Thumbnails and associated metadata are stored in Thumbs.db files.
Thumbs.db files are undocumented OLE structured files.

Once a picture file has been deleted from the filesystem, the related thumbnail
and associated metadata remain stored in the Thumbs.db file. So, the data
contained in those Thumbs.db files are a helpful source of information for the
forensics investigator.

2 - What the software is intended to do : Vinetto extracts thumbnails and
associated metadata from the Thumbs.db files.

Moreover [once vinetto reaches 0.98 beta] it will function according to three
modes:
  -> elementary mode : in this mode vinetto will only extract thumbnails and
     metadata from the chosen Thumbs.db file.
  -> directory mode : in this mode vinetto will check for consistency between
     the directory content and the related Thumbs.db file, i.e. it will report
     thumbnails whose associated file is missing from the directory.
  -> filesystem mode : in this mode vinetto will process a whole FAT or NTFS
     partition.

3 - What purpose it will serve : Vinetto will help *nix-based forensics
investigators to :
  -> easily preview thumbnails of deleted pictures on Windows systems,
  -> obtain information (dates, path, ...) about those deleted images.

4 - Misc. : Vinetto is intended to be integrated into forensics liveCDs like
FCCU GNU/Linux Forensic Boot CD.


Requirements
------------

Python-2.3 or later.

PIL (Python Imaging Library) 1.1.5 or later. PIL is used to attempt correct
reconstitution of the Type 1 thumbnails.


Current known limitations
-------------------------

AFAIK Windows(R)(TM) uses two format types to store thumbnails in its Thumbs.db
files.
I called these formats Type 1 and Type 2.
Type 2 is compliant with the JPEG format. But Type 1 seems to be a family of
JPEG-like formats with special headers, Huffman and quantization tables.

*** Currently, vinetto does not manage to reconstitute some Type 1 thumbnails
correctly. ***


Usage
-----

usage: vinetto [OPTIONS] [-s] [-U] [-o DIR] file

options:
  --version   show program's version number and exit
  -h, --help  show this help message and exit
  -o DIR      write thumbnails to DIR
  -H          write html report to DIR
  -U          use utf8 encodings
  -s          create symlink of the image realname to the numbered name in
              DIR/.thumbs


  Metadata list will be written on standard output.

--------------
June 14 2007
Michel Roukine
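
The Project overview states that Thumbs.db files are OLE structured files. The sketch below is an added example, not vinetto's own code: it validates an OLE compound file header and lists the directory entries (streams) of the file, rejecting truncated or cyclic sector chains. The function names are hypothetical, the field offsets follow the published OLE compound file layout, and the sample file with its stream names "Catalog" and "1" is constructed for the demonstration.

```python
import struct

MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")    # OLE compound file signature
ENDOFCHAIN, FREESECT = 0xFFFFFFFE, 0xFFFFFFFF
KINDS = {1: "storage", 2: "stream", 5: "root"}

def list_ole_entries(data):
    """Added illustration (not vinetto code): return [(name, kind, size)]."""
    if len(data) < 512 or data[:8] != MAGIC:
        raise ValueError("not an OLE compound file")
    order, shift = struct.unpack_from("<HH", data, 28)
    if order != 0xFFFE or shift not in (9, 12):
        raise ValueError("unsupported OLE header")
    n_fat, dir_start = struct.unpack_from("<II", data, 44)
    size = 1 << shift
    def sector(n):                           # sector 0 follows the header sector
        if (n + 2) * size > len(data):
            raise ValueError("sector %#x lies beyond end of file" % n)
        return data[(n + 1) * size:(n + 2) * size]
    # FAT sector locations: only the 109 slots in the header (small files).
    fat = []
    for loc in struct.unpack_from("<109I", data, 76)[:min(n_fat, 109)]:
        fat.extend(struct.unpack("<%dI" % (size // 4), sector(loc)))
    entries, seen, sec = [], set(), dir_start
    while sec != ENDOFCHAIN:                 # follow the directory sector chain
        if sec in seen or sec >= len(fat):
            raise ValueError("corrupt directory chain")
        seen.add(sec)
        block = sector(sec)
        for i in range(0, size, 128):        # 128-byte directory entries
            name_len, kind = struct.unpack_from("<HB", block, i + 64)
            if kind in KINDS and 2 <= name_len <= 64:
                name = block[i:i + name_len - 2].decode("utf-16-le", "replace")
                size_lo = struct.unpack_from("<I", block, i + 120)[0]  # low 32 bits
                entries.append((name, KINDS[kind], size_lo))
        sec = fat[sec]
    return entries

def build_sample():
    """Constructed two-sector file: root entry plus 'Catalog' and '1' streams."""
    def entry(name, kind, size):
        raw = (name + "\0").encode("utf-16-le")
        return raw.ljust(64, b"\0") + struct.pack("<HB53xQ", len(raw), kind, size)
    head = bytearray(MAGIC + bytes(504))
    struct.pack_into("<5H6x3I", head, 24, 0x3E, 3, 0xFFFE, 9, 6, 0, 1, 1)
    struct.pack_into("<109I", head, 76, 0, *[FREESECT] * 108)
    fat = struct.pack("<128I", 0xFFFFFFFD, ENDOFCHAIN, *[FREESECT] * 126)
    names = [("Root Entry", 5, 0), ("Catalog", 2, 120), ("1", 2, 3000)]
    return bytes(head) + fat + b"".join(entry(*n) for n in names) + bytes(128)
```

Calling list_ole_entries(build_sample()) returns the three constructed entries; on evidence, pass the bytes of a working copy of the Thumbs.db file, never the original.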