Forensics with Matriux – Part 2

June 8, 2011

In Part I of the article on Forensics with Matriux, we highlighted the forensic acquisition techniques using the Matriux distribution. In this second part, we will cover the tools that focus on analysis techniques.
Forensic analysis techniques can be used to discover deleted files, cloaked files, encrypted files and fragmented files, and to examine PDF, browser, virtualisation and memory artefacts, etc.


This is a basic introduction; more advanced details can be found in the official vinetto documentation.
Vinetto can be found under Arsenal > Digital Forensics > Analysis > vinetto.
Windows systems store thumbnails of image files (JPEG, JPG, PNG, GIF, etc.) and of HTML files. Windows creates Thumbs.db files to store these entries, to minimize the CPU usage needed to process the images. The Thumbs.db file stores image previews as an Alternate Data Stream in the file system; the file size depends on the number of images stored in the folder. We can enable or disable the thumbnail caching feature from Folder Options in Windows Explorer. Thumbs.db files are created every time a file is added to the folder.
Even if folders or files are encrypted with Microsoft EFS, an image preview will be available in Thumbs.db, and hence these can be analysed.
Figure 1

Vinetto works in three modes:

Elementary mode
It extracts thumbnail information from a Thumbs.db file.
Directory mode
It reports the thumbnails that are not associated with a file in the directory.
File System mode
It checks for the data in the whole file system (FAT/NTFS).

How vinetto can be useful for a forensics expert:
While carrying out an investigation, the forensics expert can quickly review all the images in a browser and can proceed further easily. Investigations into Thumbs.db files are mostly used in child pornography cases.

Installation in Ubuntu:

Through Synaptic
sudo apt-get install vinetto
Prerequisites: Python, Python Imaging Library

Usage:
vinetto <path to Thumbs.db>
vinetto --version                     shows the version number of vinetto
vinetto -h, --help                    show this help message and exit
vinetto -o DIR <path to Thumbs.db>    write thumbnails to DIR
vinetto -H                            write html report to DIR
Figure 2

vinetto /home/matriux/Desktop/Thumbs.db

vinetto -o /home/matriux/Desktop/vinetto_output /home/matriux/thumbs.db

vinetto -H -o /home/matriux/html /home/matriux/Thumbs.db


Figure 3
Fig. 3 shows the generated report. It consists of:
Report date – the date the report was generated
File metadata – information about the Thumbs.db file, such as directory, modification time and file size
Root Entry modified timestamp – the time stamp at which the Thumbs.db file was modified
Thumbnail previews with time stamps
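
The vinetto -H -o invocation shown earlier handles one Thumbs.db at a time. The script below is an added example, not part of the original article or of vinetto: it applies the same invocation to every Thumbs.db under an evidence tree, gives each file its own report directory, and records a SHA-256 hash before and after processing so the examiner can show the evidence was not altered. The function names, hashes.txt and the paths in the usage comment are assumptions.

```sh
#!/bin/sh
# Added example (not from the article). Function and file names are hypothetical.
# Run against a read-only mount or a working copy of the evidence, never the original.

# List every Thumbs.db below $1, case-insensitively (Thumbs.db, thumbs.db, THUMBS.DB).
find_thumbs_db() {
    find "$1" -type f -iname 'thumbs.db' | sort
}

# Map a Thumbs.db path to its own report directory so reports never overwrite each other.
# $1 = evidence root, $2 = path to Thumbs.db, $3 = output root
report_dir_for() {
    rd_rel=$(dirname "${2#"$1"/}")
    if [ "$rd_rel" = "." ]; then rd_rel="root"; fi
    printf '%s/%s\n' "$3" "$(printf '%s\n' "$rd_rel" | sed 's|/|__|g')"
}

# $1 = evidence root, $2 = output root
process_evidence() {
    pe_root=${1%/}; pe_out=${2%/}
    mkdir -p "$pe_out"
    find_thumbs_db "$pe_root" | while IFS= read -r pe_db; do
        pe_dir=$(report_dir_for "$pe_root" "$pe_db" "$pe_out")
        mkdir -p "$pe_dir"
        pe_before=$(sha256sum "$pe_db" | cut -d' ' -f1)
        if command -v vinetto >/dev/null 2>&1; then
            # Same options as in the article: -H html report, -o output directory.
            vinetto -H -o "$pe_dir" "$pe_db" >"$pe_dir/vinetto.log" 2>&1 </dev/null ||
                echo "vinetto failed on: $pe_db" >&2
        else
            echo "vinetto not installed, hashing only: $pe_db" >&2
        fi
        pe_after=$(sha256sum "$pe_db" | cut -d' ' -f1)
        if [ "$pe_before" != "$pe_after" ]; then
            echo "WARNING: evidence hash changed: $pe_db" >&2
        fi
        printf '%s  %s\n' "$pe_before" "$pe_db" >>"$pe_out/hashes.txt"
    done
}

# Usage: sh batch_vinetto.sh /mnt/evidence /cases/0001/thumbs
if [ "$#" -eq 2 ]; then process_evidence "$1" "$2"; fi
```

Each report directory is named after the folder the Thumbs.db came from, which keeps the link between a thumbnail and its original location visible in the case notes.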
Other Analysis tools will be covered in next issue.


