1 VINETTO
Vinetto is a forensics tool to examine Thumbs.db files. It is a command line Python script that works on Linux, Mac OS X and Cygwin (win32).
Vinetto reads the Thumbs.db database file. When a Windows user selects the thumbnail view, a small database file called Thumbs.db caches picture information to speed up the display of the picture files within a folder. In Windows Vista this changes: the cache file is called thumbcache.db instead of Thumbs.db.
Windows systems (98, ME, 2000, XP and 2003 Server) can store thumbnails and metadata of the picture files contained in the directories of their FAT32 or NTFS filesystems. The thumbnails and associated metadata are stored in Thumbs.db files.
Once a picture file has been deleted from the filesystem, the related thumbnail and associated metadata remain stored in the Thumbs.db file. So the data contained in those Thumbs.db files is a helpful source of information for the forensics investigator.
Vinetto helps *nix-based forensics investigators to:
-> easily preview thumbnails of deleted pictures on Windows systems,
-> obtain information (dates, path, ...) about those deleted images.
Usage:
vinetto [OPTIONS] [-s] [-U] [-o DIR] file
options:
--version    show program's version number and exit
-h, --help   show this help message and exit
-o DIR       write thumbnails to DIR
-H           write html report to DIR
-U           use utf8 encodings
-s           create symlink of the image realname to the numbered name in DIR/.thumbs
Examples
Here are a few examples of how to use the vinetto command:
How to display metadata contained within a Thumbs.db file:
$ vinetto /path/to/Thumbs.db
How to extract the related thumbnails to a directory:
$ vinetto -o /tmp/vinetto_output /path/to/Thumbs.db
How to extract the related thumbnails to a directory and produce an html report to preview these thumbnails through your favorite browser:
$ vinetto -Ho /tmp/vinetto_output /path/to/Thumbs.db
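The metadata vinetto prints comes from the "Catalog" stream inside the Thumbs.db OLE2 container: one entry per thumbnailed picture, with a numeric id, a FILETIME and the original file name. The following is an added example, not vinetto's own code. It parses a Catalog stream that is constructed inline (a real one would first be pulled out of Thumbs.db with olefile or vinetto itself) and lists the entries whose pictures no longer exist in the folder, which is exactly why the file matters to an investigator. The layout used here (16-byte header of size/version/count/width/height, then per entry: size, id, FILETIME, UTF-16LE name) and the rule that thumbnail streams are named with the entry id written backwards are assumptions taken from how Thumbs.db parsers commonly document the format.

```python
"""Parse a Thumbs.db Catalog stream and spot entries for deleted pictures.

Added example, not vinetto's code. Assumed Catalog layout (little endian):
  header : uint16 header size (16), uint16 version, uint32 entry count,
           uint32 thumbnail width, uint32 thumbnail height
  entry  : uint32 entry size, uint32 entry id, uint64 FILETIME,
           UTF-16LE file name terminated by a null character
Extracting the stream from the OLE2 container is left to olefile / vinetto.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
CATALOG_HEADER = "<HHIII"   # header size, version, entry count, width, height
ENTRY_HEADER = "<IIQ"       # entry size, entry id, FILETIME


def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def thumbnail_stream_name(entry_id):
    """Assumed convention: the thumbnail stream is the decimal id reversed (12 -> "21")."""
    return str(entry_id)[::-1]


def build_catalog(entries, width=96, height=96, version=5):
    """Construct a Catalog stream from (id, datetime, name) tuples (sample input only)."""
    body = bytearray()
    for entry_id, dt, name in entries:
        name_bytes = name.encode("utf-16-le") + b"\x00\x00"
        body += struct.pack(ENTRY_HEADER, 16 + len(name_bytes), entry_id, datetime_to_filetime(dt))
        body += name_bytes
    return struct.pack(CATALOG_HEADER, 16, version, len(entries), width, height) + bytes(body)


def parse_catalog(data):
    """Decode the header and every entry; refuse truncated or inconsistent input."""
    header_size, version, count, width, height = struct.unpack_from(CATALOG_HEADER, data, 0)
    if header_size != struct.calcsize(CATALOG_HEADER):
        raise ValueError("unexpected Catalog header size: %d" % header_size)
    entries = []
    offset = header_size
    for _ in range(count):
        entry_size, entry_id, ft = struct.unpack_from(ENTRY_HEADER, data, offset)
        if entry_size < 16 or offset + entry_size > len(data):
            raise ValueError("truncated or corrupt Catalog entry at offset %d" % offset)
        name_start = offset + 16
        name_end = name_start
        # UTF-16LE: scan two bytes at a time for the terminating null character
        while name_end + 1 < offset + entry_size and data[name_end:name_end + 2] != b"\x00\x00":
            name_end += 2
        entries.append({
            "id": entry_id,
            "stream": thumbnail_stream_name(entry_id),
            "modified": filetime_to_datetime(ft),
            "name": data[name_start:name_end].decode("utf-16-le"),
        })
        offset += entry_size
    return {"version": version, "width": width, "height": height, "entries": entries}


def deleted_entries(catalog, present_names):
    """Entries whose picture is no longer in the folder listing: the investigator's leads."""
    return [e for e in catalog["entries"] if e["name"] not in present_names]


# Constructed sample: three pictures were thumbnailed, one has since been deleted.
SAMPLE_CATALOG = build_catalog([
    (1, datetime(2008, 3, 14, 9, 26, 53, tzinfo=timezone.utc), "holiday.jpg"),
    (2, datetime(2008, 3, 15, 11, 0, 0, tzinfo=timezone.utc), "receipt.png"),
    (12, datetime(2008, 4, 1, 18, 45, 2, tzinfo=timezone.utc), "evidence.jpg"),
])
PRESENT_ON_DISK = {"holiday.jpg", "receipt.png"}   # constructed folder listing

if __name__ == "__main__":
    cat = parse_catalog(SAMPLE_CATALOG)
    print("Catalog v%d, %dx%d thumbnails" % (cat["version"], cat["width"], cat["height"]))
    for e in deleted_entries(cat, PRESENT_ON_DISK):
        print("deleted picture %s: stream %s, modified %s"
              % (e["name"], e["stream"], e["modified"].isoformat()))
```

The parser checks every entry size against the stream length before reading it, so a damaged Thumbs.db produces a clear error rather than a silent wrong name; the stream name returned for an entry is what you would look up in the container to recover the actual thumbnail image.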
2 PASCO
Many computer crime investigations require the reconstruction of a subject's Internet activity. Since this analysis technique is executed regularly, we researched the structure of the data found in Internet Explorer activity files (index.dat files). Pasco, the Latin word meaning "browse", was developed to examine the contents of Internet Explorer's cache files.
Pasco is a forensic tool for reading the index.dat files that are created by Internet Explorer. Other browsers like Firefox and Safari don't use the index.dat file. The index.dat file leaves traces of a user's browsing history.
Command:
find /mnt/hda -name index.dat    # locate the index.dat files on the mounted disk
pasco "/mnt/hda/Documents and Settings/baduser/Local Settings/History/History.IE5/index.dat" > /mnt/win/share/forensic/browserhistory.txt    # redirect pasco's output to a text file
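Pasco's text report is built from the fixed-size records inside index.dat. The following is an added example, not pasco's code, showing how such records are walked and decoded; it runs on an index.dat constructed inline rather than on a real profile. The record layout is an assumption taken from how pasco and libmsiecf document the MSIE 5.x "Client UrlCache MMF" format (128-byte blocks; "URL " for live entries and "LEAK" for orphaned ones, with block count at +0x04, last-modified and last-accessed FILETIMEs at +0x08 and +0x10, URL offset at +0x34, cache directory index at +0x38, cached file name offset at +0x3C and hit count at +0x54). REDR and HASH records are skipped.

```python
"""Walk an Internet Explorer index.dat and decode URL / LEAK records.

Added example, not pasco's code. Assumed MSIE 5.x record layout (see lead-in);
string fields are null-terminated ASCII at offsets relative to the record start.
"""
import struct
from datetime import datetime, timedelta, timezone

BLOCK = 128
FILE_SIGNATURE = b"Client UrlCache MMF Ver 5.2\x00"
KNOWN_KINDS = (b"URL ", b"LEAK", b"REDR", b"HASH")
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def cstring(rec, start):
    """Null-terminated ASCII string inside the record; offsets outside it are rejected."""
    if start < 0 or start >= len(rec):
        raise ValueError("string offset %d outside record" % start)
    end = rec.index(b"\x00", start)        # ValueError if no terminator: corrupt record
    return rec[start:end].decode("ascii", "replace")


def build_record(kind, url, modified, accessed, filename, dir_index, hits):
    """Construct one sample record (only used to build the inline test file)."""
    url_bytes = url.encode() + b"\x00"
    fn_bytes = filename.encode() + b"\x00"
    url_off = 0x60                          # strings placed after the fixed fields
    fn_off = url_off + len(url_bytes)
    blocks = -(-(fn_off + len(fn_bytes)) // BLOCK)   # round up to whole blocks
    rec = bytearray(blocks * BLOCK)
    rec[0:4] = kind
    struct.pack_into("<I", rec, 0x04, blocks)
    struct.pack_into("<QQ", rec, 0x08, datetime_to_filetime(modified), datetime_to_filetime(accessed))
    struct.pack_into("<I", rec, 0x34, url_off)
    rec[0x38] = dir_index
    struct.pack_into("<I", rec, 0x3C, fn_off)
    struct.pack_into("<I", rec, 0x54, hits)
    rec[url_off:url_off + len(url_bytes)] = url_bytes
    rec[fn_off:fn_off + len(fn_bytes)] = fn_bytes
    return bytes(rec)


def parse_records(data):
    """Step through the file block by block and decode every URL/LEAK record."""
    if not data.startswith(FILE_SIGNATURE):
        raise ValueError("not a Client UrlCache MMF Ver 5.2 file")
    records = []
    off = BLOCK                              # skip the header block
    while off + BLOCK <= len(data):
        kind = data[off:off + 4]
        if kind not in KNOWN_KINDS:
            off += BLOCK                     # free or unknown block
            continue
        blocks = struct.unpack_from("<I", data, off + 4)[0]
        if blocks == 0 or off + blocks * BLOCK > len(data):
            raise ValueError("record at 0x%x claims %d blocks, beyond end of file" % (off, blocks))
        rec = data[off:off + blocks * BLOCK]
        if kind in (b"URL ", b"LEAK"):
            modified, accessed = struct.unpack_from("<QQ", rec, 0x08)
            url_off, = struct.unpack_from("<I", rec, 0x34)
            fn_off, = struct.unpack_from("<I", rec, 0x3C)
            hits, = struct.unpack_from("<I", rec, 0x54)
            records.append({
                "offset": off,
                "type": kind.decode().strip(),    # LEAK = cache entry whose file was removed
                "url": cstring(rec, url_off),
                "modified": filetime_to_datetime(modified),
                "accessed": filetime_to_datetime(accessed),
                "filename": cstring(rec, fn_off) if fn_off else "",
                "dir_index": rec[0x38],
                "hits": hits,
            })
        off += blocks * BLOCK
    return records


def build_sample_index():
    """Constructed index.dat: header block, one live record, a free block, one LEAK record."""
    t = lambda *a: datetime(*a, tzinfo=timezone.utc)
    return (FILE_SIGNATURE.ljust(BLOCK, b"\x00")
            + build_record(b"URL ", "http://www.example.com/login", t(2009, 5, 2, 14, 3, 7),
                           t(2009, 5, 2, 14, 3, 9), "login[1].htm", 1, 3)
            + b"\x00" * BLOCK
            + build_record(b"LEAK", "http://www.example.com/secret/report.pdf", t(2009, 5, 3, 8, 0, 0),
                           t(2009, 5, 3, 8, 0, 0), "report[1].pdf", 0, 1))


if __name__ == "__main__":
    for r in parse_records(build_sample_index()):
        print("%-4s %s  accessed %s  hits=%d  file=%s" % (r["type"], r["url"],
              r["accessed"].isoformat(), r["hits"], r["filename"]))
```

The walk advances by each record's own block count and validates string offsets against the record boundary, so a truncated or tampered index.dat stops with an error instead of reading memory past the record; the LEAK entry in the sample illustrates the point made above, that a visit can still be reconstructed after its cached file is gone.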