Author Topic: Installation and usage of Vinetto a quick view  (Read 4724 times)

« on: June 18, 2011, 06:00:54 PM »

   This is a basic introduction more advanced details can be found in official vinetto documentation.

Vinetto can be seen in Arsenal > Digital Forensics >Analysis> vinetto

Windows Systems stores images as Jpeg, Jpg, png , Gif etc image file format and html as thumb nails and creates thumbs.db files to store these entries. to minimise the CPU usage to process the images . Thumbs.db file stores images previews as a Alternate Data stream in the file system, File size absolutely depends on the images stored in the folder. We can enable / disable the feature of thumbnail caching from folder options in windows.Thumbs.db files are created every time when a file added to the folder.
Even if folder / files is encrypted by Microsoft EFS  image preview will be available in thumbs.db ,they can be analysed .

Vinetto works in three modes as :
Elementary mode
      It extracts thumbnails information  from a thumbs.db file
Directory mode
      It will report the thumbnails that are not associated to a file into the directory.
File System mode
      It will check for the data in whole File system (FAT/NTFS)

How vinetto can be useful for a forensics expert :
While investigation expert can have a quick review of all the images in a browser and can proceed further easily.Mostly  Thumbs.db files are used in Child pornography cases, To check Timestamps  

vinetto /home/matriux/Desktop/Thumbs.db    
vinetto -o /home/matriux/Desktop/vinetto_output  /home/matriux/thumbs.db
vinetto -H -o /home/matriux/html  /home/matriux/thumbs.db

The Report generated , it consists of  
Report date the report generated date
File Metadata information of the thumbs.db file as directory and modification ,Filesize
Root Entry modified timestamp  - this is the time stamp of the thumbs.db file modified
And thumbnail previews with time stamps.
« Last Edit: July 13, 2011, 02:05:08 AM by L30 »


Installation and usage of Vinetto a quick view
« Reply #1 on: July 13, 2011, 02:05:58 AM »

