.TH vinetto "1" "Dec 2014" "VINETTO 0.07" "extract thumbnails and associated metadata from Thumbs.db files" .\"Text automatically generated by txt2man .SH NAME \fBvinetto \fP- extract thumbnails and associated metadata from Thumbs.db files \fB .SH SYNOPSIS .nf .fam C \fBvinetto\fP [\fIOPTION\fP] [\fB-o\fP \fIDIR\fP] \fIfile\fP .fam T .fi .fam T .fi .SH DESCRIPTION \fBvinetto\fP extracts the thumbnails and associated metadata from the Thumbs.db files. .PP The MS Windows systems (98, ME, 2000, XP and 2003 Server) can store thumbnails and metadata of the picture files contained in directories. The thumbnails and associated metadata are stored in Thumbs.db files (that are undocumented OLE structured files). Once a picture \fIfile\fP has been deleted from the filesystem, the related thumbnail and associated metadata remain stored in the Thumbs.db file. So, the data contained in Thumbs.db files are a helpful source of information for the forensics investigators. .PP \fBvinetto\fP will help *nix-based forensics investigators to: .RS .IP \(bu 3 easily preview thumbnails of deleted pictures on Windows systems; .IP \(bu 3 obtain information (dates, path, \.\.\.) about these deleted pictures. .SH OPTIONS .TP .B \fB--version\fP Show program's version number and exit. .TP .B \fB-h\fP, \fB--help\fP Show help message and exit. .TP .B \fB-o\fP \fIDIR\fP Write thumbnails to \fIDIR\fP .TP .B \fB-H\fP Write html report to \fIDIR\fP .TP .B \fB-U\fP Use utf8 encodings. .TP .B \fB-s\fP Create symlink of the picture realname to the numbered name in \fIDIR\fP/.thumbs. .SH EXAMPLES Display metadata contained within a Thumbs.db \fIfile\fP: .PP .nf .fam C $ vinetto /path/to/Thumbs.db .fam T .fi Extract the related thumbnails to a directory: .PP .nf .fam C $ vinetto \-o /tmp/vinetto_output /path/to/Thumbs.db .fam T .fi Extract the related thumbnails to a directory and produce a HTML report to preview these thumbnails through your favorite browser: .PP .nf .fam C $ vinetto \-Ho /tmp/vinetto_output /path/to/Thumbs.db .fam T .fi Get a metadata report on all non deleted Thumbs.db files contained within a partition: .PP .nf .fam C $ find /mnt/sda2 \-iname thumbs.db \-printf "\\n==\\n %p \\n\\n" \-exec vinetto {} \\; 2>/tmp/vinetto_err.log >/tmp/vinetto_sda2.txt .fam T .fi .SH TIP \fBvinetto\fP can generate its results in hidden directories, as .thumbs. .SH BUGS MS Windows stores thumbnails in its Thumbs.db files, according to various formats. At present, \fBvinetto\fP does not produce an excellent reconstruction of Type 1a thumbnails. See more details and examples here[1]. .PP [1] http://vinetto.sf.net/docs.html .PP In 0.07 version, \fBvinetto\fP can crash when used without '\fB-o\fP' option. If this command crashes: .PP .nf .fam C $ vinetto /path/to/Thumbs.db .fam T .fi Please, try this: .PP .nf .fam C $ vinetto \-o . /path/to/Thumbs.db .fam T .fi It will show metadata and extract the thumbs (maybe an undesirable result). But it won't crash. .SH AUTHOR \fBvinetto\fP was written by Michel Roukine . .PP This manual page was written by Danny van der Meeren and updated by Joao Eriberto Mota Filho for Debian project (but may be used by others).