Difference between pages "ThumbnailExpert" and "SANS Investigative Forensic Toolkit Workstation"

From ForensicsWiki
(Created page with '{{Infobox_Software | name = ThumbnailExpert | maintainer = Anisimov Dec | os = {{Windows}} | genre = {{Metadata}} | license = {{Commercial}} | website = http://ww…')
 
 
Line 1: Line 1:
{{Infobox_Software |
+
'''The SANS SIFT Workstation''' is a [[VMware]] Appliance that is preconfigured with all the necessary tools to perform a forensic examination. It is compatible with [[Encase | Expert Witness Format]] (E01), Advanced Forensic Format ([[AFF]]), and raw (dd) evidence formats.
  name = ThumbnailExpert |
+
  maintainer = [[Anisimov Dec]] |
+
  os = {{Windows}} |
+
  genre = {{Metadata}} |
+
  license = {{Commercial}} |
+
  website = http://www.thumbnailexpert.com/ |
+
}}
+
  
The program helps to find and analyze information in the thumbnail caches of many programs.
+
== Overview ==
  
== List of supported formats ==
+
SIFT Workstation is based on Ubuntu.
  
* 3D Photo Browser (c) Mootools software - contents.obv
+
Software Includes:
* ABC-View Manager (c) ABC-View - *.abt, *.abc
+
* ACDSee (c) ACD Systems, Ltd. - ImageDB.ddf, ImageDB.dtf, ImageDB.aid
+
* Adobe Photoshop Lightroom (c) Adobe Systems Incorporated - *.lrcat, *.noindex
+
* AhaView (c) Aha-soft - thumb.dat
+
* Alteros 3D (Alteros Viewer) (c) Lighttek Software - thumbs.idx, thumb.dbx
+
* Axialis CursorWorkshop (c) Axialis Software - *.*
+
* Axialis IconWorkshop (c) Axialis Software - *.*
+
* Axialis MediaBrowser (c) Axialis Software - *.*
+
* BraveViewer (c) BraveTech Inc. - brwseimg.brv
+
* CodedColor PhotoStudio(c) 1STEIN GmbH - files.bin, *.dat
+
* Directory Opus (c) GPSoftware - *.db
+
* EF Commander (c) Emil Fickel - ThumbsDB
+
* ExifPro (c) Magda & Michal Kowalski - CacheDb.bin
+
* FastStone Image Viewer (c) FastStone Soft - FSViewer.db
+
* FreshView (c) FreshDevices - FViewer.dat, *.fv
+
* Graphic Workshop Professional (c) Alchemy Mindworks - GWSPRO.TDB, *.THN
+
* HP Photosmart Essential (c) Hewlett-Packard Co. - asset.yos, thumbnail.db, thumbnailSel.db
+
* Image Data Converter SR (c) Sony Corporation - .Sony_ImageDataConverterSR_BrowserDiskCache
+
* Image Eye (c) FMJ-Software - ImageEye.iei
+
* Imagic (c) STOIK Imaging, LTD - FLD*.tmp
+
* OLYMPUS Studio (c) OLYMPUS IMAGING CORP - File.xml, *.dat
+
* One Cat File Manager (c) Keith Leinenbach - cachedirs.txt
+
* One Cat Viewer (c) Keith Leinenbach - cachedirs.txt
+
* Paint Shop Pro (c) Jasc Software, Inc. - pspbrwse.jbf
+
* PaperPort (c) Nuance Communications, Inc. - PP11Thumbs.ptn2, PPThumbs.ptn2, PP11Thumbs.ptn, PPThumbs.ptn
+
* Photo Commander (c) Ashampoo - ash.db, bgs.db, *.dbc, *.dbt
+
* Photo Go (c) Sony Creative Software Inc. - PhotoGo.db
+
* Photo Manager 2008 (c) Proxima Software - PhotoManager.db
+
* PhotoCool (c) Sunwise - photocool.brw
+
* PhotoLine (c) Computerinsel GmbH - Browse.plb
+
* PhotoPhilia (c) Pholix Software - $MOSAICS.MAP, *.phm
+
* PhotoScape (c) MOOII TECH - photothumb.db
+
* Picasa (c) Google, Inc. - thumbindex.db, thumbindex.tid, previews_index.db, bigthumbs_index.db, thumbs_index.db, thumbs2_index.db, index-previews.db, index-bigthumbs.db, index-thumbs2.db, index-thumbs.db, previews_0.db, bigthumbs_0.db, thumbs_0.db, thumbs2_0.db, previews.db, bigthumbs.db, thumbs.db, thumbs2.db
+
* Picture Information Extractor (c) Picmeta Systems - *.album
+
* Picture Motion Browser (c) Sony Corporation - .Sony_PMBrowser1000_BrowserDiskCache, .Sony_PMBrowser1000_BrowserDiskCache.idx
+
* PicViewer 2 (c) Anix Software - PicView.cch
+
* Regards (c) Figuinha Jacques - *.db
+
* Snapact Photo Manager (c) Tecagora Solutions Inc - db.db3
+
* ST Thumbnails Explorer (c) Softfields Technologies - STE.dbs
+
* Turbo Photo Album (c) Stepok Image Lab - TPhoto.prp
+
* Ulead Photo Explorer (c) Ulead Systems, Inc - pecache.idx, pe*.inf, pe*.cah
+
* UltraExplorer (c) Mustangpeak Software - *.album
+
* Vallen JPegger (c) Vallen-Systeme - jpeggeri.dat
+
* ViewNX (c) Nicon Corporation - NkCacheFolder.nki, NkCacheLarge.nki, NkCacheNormal.nki, NkCacheSmall.nki, NkCacheLarge.nkd, NkCacheNormal.nkd, NkCacheSmall.nkd
+
* WildBit Viewer (c) WildBit Software - *.album
+
* Windows (c) Microsoft - IconCache.db, ShellIconCache
+
* Windows Explorer (c) Microsoft - thumbs.db, ehthumbs.db, ehthumbs_vista.db
+
* Windows Seven Explorer (c) Microsoft - thumbcache_idx.db, thumbcache_1024.db, thumbcache_256.db, thumbcache_96.db, thumbcache_32.db
+
* [[Vista thumbcache | Windows Vista Explorer]] (c) Microsoft - thumbcache_idx.db, thumbcache_1024.db, thumbcache_256.db, thumbcache_96.db, thumbcache_32.db
+
* WinNc (c) Dunes MulitMedia, Inc. - WinNcThumbs.db
+
* WS_FTP (c) Ipswitch, Inc - IpsThumb.db
+
* Xentient Thumbnails (c) Ignacio Alvarez Morales - data
+
* XnView (c) Pierre-e Gougelet - XnView.db
+
* XYplorer (c) Donald Lessau - *.dat2
+
* Zoner Photo Studio (c) Zoner Sofware - ZPSCache.dat
+
  
== Links ==
+
# [[The Sleuth Kit]]
 +
# [[ssdeep]] & [[md5deep]]
 +
# [[Foremost]]/[[Scalpel]]
 +
# [[Wireshark]]
 +
# HexEditor
 +
# [[Vinetto]] ([[thumbs.db]] examination)
 +
# Pasco
 +
# Rifiuti
 +
# [[Volatility Framework]]
 +
# DFLabs PTK (GUI Front-End for [[Sleuthkit]])
 +
# [[Autopsy]] (GUI Front-End for [[Sleuthkit]])
  
* [http://www.thumbnailexpert.com/ThumbnailExpertEn.zip Demo Version]
+
The SIFT Workstation will allow evidence to be viewed from a Windows workstation. The /images directory and the evidence mount point, the /mnt/hack directory, can be viewed from the local Windows operating system.
 +
 
 +
== Links ==
  
[[Category:Analysis]]
+
* [http://forensics.sans.org/community/downloads/ Computer Forensics and e-Discovery downloads]
 +
[[Category:VMWare Appliances]]

Latest revision as of 16:55, 15 June 2014

The SANS SIFT Workstation is a VMware Appliance that is preconfigured with all the necessary tools to perform a forensic examination. It is compatible with Expert Witness Format (E01), Advanced Forensic Format (AFF), and raw (dd) evidence formats.

Overview

SIFT Workstation is based on Ubuntu.

Software Includes:

  1. The Sleuth Kit
  2. ssdeep & md5deep
  3. Foremost/Scalpel
  4. Wireshark
  5. HexEditor
  6. Vinetto (thumbs.db examination)
  7. Pasco
  8. Rifiuti
  9. Volatility Framework
  10. DFLabs PTK (GUI Front-End for Sleuthkit)
  11. Autopsy (GUI Front-End for Sleuthkit)

The SIFT Workstation will allow evidence to be viewed from a Windows workstation. The /images directory and the evidence mount point, the /mnt/hack directory, can be viewed from the local Windows operating system.

Links