/usr/share/doc/vinetto/README is in vinetto 1:0.07-7.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 | Vinetto
http://vinetto.sourceforge.net
Michel Roukine <rukin@users.sf.net>
Version beta 0.07 (June 14 2007)
------------------
Introduction
------------
Vinetto is a forensics tool to examine Thumbs.db files.
It is a command line python script that works on Linux, Mac OS X and
Cygwin(win32).
License
-------
This program is distributed under the GNU General Public License - see the
accompanying COPYING file for more details.
Thanks
------
Many thanks to Christophe Monniez (d-fence.be) for the idea of this tool and
for his encouragements.
The vinetto code was written with grateful thanks to Martin Schwartz, author of
Laola and its Hacking guide to the binary structure of Ole / Compound Documents.
Project overview
----------------
1 - Context : The Windows systems (98, ME, 2000 and XP) can store thumbnails
and metadata of the picture files contained in the directories of its FAT32 or
NTFS filesystems.
Thumbnails and associated metadata are stored in Thumbs.db files.
Thumbs.db files are undocumented OLE structured files.
Once a picture file has been deleted from the filesystem, the related thumbnail
and associated metada remain stored in the Thumbs.db file. So, the data
contained in those thumbs.db files are an helpful source of information for the
forensics investigator.
2 - What the software is intended to do : Vinetto extracts thumbnails and
associated metadata from the Thumbs.db files.
Moreover [when vinetto will be 0.98 beta] it will function according to three
modes:
-> elementary mode : in this mode vinetto will only extract thumbnails and
metadata from chosen Thumbs.db file.
-> directory mode : in this mode vinetto will check for consistency between
directory content and related Thumbs.db file i.e. it will report
thumbnails that have a missing associated file into the directory.
-> filesystem mode : in this mode vinetto will process whole FAT or NTFS
partition.
3 - What purpose it will serve : Vinetto will help *nix-based forensics
investigators to :
-> easily preview thumbnails of deleted pictures on Windows systems,
-> obtain informations (dates, path, ...) about those deleted images.
4 - Misc. : Vinetto is intended to be integrated into forensics liveCD like
FCCU GNU/Linux Forensic Boot CD.
Requirements
------------
Python-2.3 or later.
PIL (Python Imaging Library) 1.1.5 or later. PIL is used to attempt correct
reconstitution the Type 1 thumbnails.
Current known limitations
-------------------------
AFAIK Windows(R)(TM) uses two format types to store thumbnails in its Thumbs.db
files.
I called these formats Type 1 and Type 2.
Type 2 is compliant to jpeg format. But Type 1 seems to be a family of
jpeg-alike formats with special headers, huffman and quantization tables.
*** Currently, vinetto does not manage to reconstitute correctly some Type 1
thumbnails. ***
Usage
-----
usage: vinetto [OPTIONS] [-s] [-U] [-o DIR] file
options:
--version show program's version number and exit
-h, --help show this help message and exit
-o DIR write thumbnails to DIR
-H write html report to DIR
-U use utf8 encodings
-s create symlink of the image realname to the numbered name in
DIR/.thumbs
Metadata list will be written on standard output.
--------------
June 14 2007
Michel Roukine
|