Saturday, 7 July 2012

vinetto and ubuntu

Vinetto is an open source tool for viewing/extracting thumbnail information from Thumbs.db files. It is listed in the Ubuntu repository, and installing it from the Ubuntu Software Centre is as easy as installing an application from the Apple App Store (or Google Play Store), meaning it requires no knowledge of Linux! So far so good!

However, out of the box, vinetto seems to have an issue running on certain types of Thumbs.db files (which it calls Type 1a files). For certain Thumbs.db files, you may encounter an error that halts on line 338 of vinetto at im.split(). It seems to originate from the Python Imaging Library (PIL) complaining about a null image object. This is using vinetto 0.07 and all the latest libraries, PIL 1.1.7 and Python 2.7 with Ubuntu 11.04. The problem stems from a bug in PIL, which does not load the image file on demand (as it should) when operations are performed on the image. The fix involves explicitly calling the load() function. We will need to edit vinetto's source and compile/install it. Since it's a small Python script, there isn't much of a compilation process (phew!). Download the vinetto source from here.

On line 338 (of the file vinetto), you should see the im.split() function being called. You will need to insert an additional line here, im.load(), so it looks like this:

This should fix the PIL error. Now re-install using the procedure mentioned in the vinetto INSTALL file.

This did solve the crash issue for the problematic Thumbs.db files, but for those files vinetto's extracted thumbnails were in the negative (inverted). Another few lines of code had to be added to fix this and the final edited file can be downloaded here.

I would be interested to know if anyone else has encountered similar issues. There is another unrelated issue, which has to do with Windows 7 generated Thumbs.db files. This I have documented in another post here.

Windows 7 generated Thumbs.db

Windows 7 does not use the Thumbs.db file for folder thumbnail caching. However, when accessing remote or mapped drives, it does create a Thumbs.db file in the remote folder when it is viewed in Explorer.

A quick way to create this file would be to browse your own C drive using the path '\\localhost\c$' and watch Explorer drop Thumbs.db everywhere as you click around into folders. You may have to change the folder view to Icons or Large Icons for it to trigger.

The format is slightly different and no tool seems to handle it correctly as of now. The new format is still an OLE document; however, Microsoft have gotten rid of the 'Catalog' stream, and the names of the other streams are strings which include the resolution (96, 256, ..) and a 64-bit hex number. The stream contains a regular JPEG file, which usually begins at 0x18 (on XP this was 0x0c). The stream header also begins with 0x18, a likely indication of the beginning of data.

Regular carving for JPG files will work against it. The good news for investigators is that the behavior of this file is similar to the XP Thumbs.db, i.e., the thumbnails do not get deleted once the file (image) is moved/deleted from that folder. This is different from the usual Windows 7 behavior, where deleted files are quickly removed from the Thumbcaches.
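The offsets described above can be checked per stream before falling back to signature carving. This is an added example, not code from the original post or from vinetto; it assumes the leading header field is a 32-bit little-endian length, and the sample streams are constructed rather than taken from a real Thumbs.db.

```python
import struct

SOI = b"\xff\xd8\xff"   # JPEG start-of-image marker plus first byte of next marker
EOI = b"\xff\xd9"       # JPEG end-of-image marker
KNOWN_OFFSETS = {0x18: "Windows 7", 0x0C: "XP"}  # data offsets reported in the post


def locate_jpeg(stream):
    """Return (offset, layout, jpeg_bytes) for one thumbnail stream, or None."""
    offset, layout = -1, "carved"
    if len(stream) >= 4:
        # Assumption: the header starts with a 32-bit little-endian length.
        (declared,) = struct.unpack_from("<I", stream, 0)
        if declared in KNOWN_OFFSETS and stream.startswith(SOI, declared):
            offset, layout = declared, KNOWN_OFFSETS[declared]
    if offset < 0:
        # Header did not lead to a JPEG: fall back to signature carving.
        offset = stream.find(SOI)
        if offset < 0:
            return None
    # Use the last EOI so an embedded preview's EOI does not cut the image short.
    end = stream.rfind(EOI)
    if end < offset:
        return None  # truncated stream, no end-of-image marker
    return offset, layout, stream[offset:end + len(EOI)]


def fake_jpeg(body):
    # Constructed stand-in for image data; not a decodable picture.
    return SOI + b"\xe0" + body + EOI


# Constructed sample streams (not taken from a real Thumbs.db).
WIN7_STREAM = struct.pack("<I", 0x18) + b"\x00" * 20 + fake_jpeg(b"win7") + b"\x00\x00"
XP_STREAM = struct.pack("<I", 0x0C) + b"\x00" * 8 + fake_jpeg(b"xp")
ODD_STREAM = struct.pack("<I", 0x18) + b"\x00" * 30 + fake_jpeg(b"odd")
TRUNCATED = struct.pack("<I", 0x18) + b"\x00" * 20 + SOI + b"\xe0cut"

if __name__ == "__main__":
    for name, data in [("win7", WIN7_STREAM), ("xp", XP_STREAM),
                       ("odd", ODD_STREAM), ("truncated", TRUNCATED)]:
        print(name, locate_jpeg(data))
```

A result tagged "carved" means the header did not match either offset from the post, which is worth recording in examination notes alongside the extracted image.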