Difference between pages "Document Metadata Extraction" and "Shell Item"

From ForensicsWiki
(Difference between pages)
m (PDF Files)
 
(Created page with "The Windows Shell uses Shell Items (or Shell Item list) to identify items within the Windows Folder Hierarchy. A Shell Item is much like a "path", and is unique to its parent fol...")
 
Line 1: Line 1:
Here are tools that will extract metadata from document files.
+
The Windows Shell uses Shell Items (or Shell Item list) to identify items within the Windows Folder Hierarchy. A
 +
Shell Item is much like a "path", and is unique to its parent folder. The format of the Shell Item
 +
is undocumented and varies between Windows versions.
  
=Office Files=
+
The Shell Item is used in [[LNK | Windows Shortcut (LNK)]] file and the ShellBags key in the [[Windows Registry]].
  
; [[antiword]]
+
== Format ==
: http://www.winfield.demon.nl/
+
  
; [[catdoc]]
+
The basic format is a list, consisting of a (shell item) entry size value (field) and entry data.
: http://www.45.free.net/~vitus/software/catdoc/
+
  
; [[laola]]
+
There are multiple types of entries to specify different parts of the "path":
: http://user.cs.tu-berlin.de/~schwartz/pmh/index.html
+
* volume
 +
* network share
 +
* file and directory
 +
* URI
  
; [[word2x]]
+
Some shell item entries contain date and time values which can be used in [[Timeline Analysis]].
: http://word2x.sourceforge.net/
+
  
; [[wvWare]]
+
== External Links ==
: http://wvware.sourceforge.net/
+
: Extracts metadata from various [[Microsoft]] Word files ([[doc]]). Can also convert doc files to other formats such as HTML or plain text.
+
  
=PDF Files=
+
* [http://downloads.sourceforge.net/project/liblnk/Documentation/Windows%20Shell%20Item%20format/Windows%20Shell%20Item%20format.pdf Windows Shell Item format (work in progress)]
  
; [[xpdf]]
+
[[Category:Data Formats]]
: http://www.foolabs.com/xpdf/
+
: [[pdfinfo]] (part of the [[xpdf]] package) displays some metadata of [[PDF]] files.
+
 
+
 
+
; [[pdfimages]]
+
: Part of [http://www.foolabs.com/xpdf xpdf], this program will strip all of the images out of a PDF file and put each in its own file.
+
 
+
=Images=
+
 
+
; [[jhead]]
+
: http://www.sentex.net/~mwandel/jhead/
+
: Displays or modifies [[Exif]] data in [[JPEG]] files.
+
 
+
; [[vinetto]]
+
: http://vinetto.sourceforge.net/
+
: Examines [[Thumbs.db]] files.
+
 
+
;[[libexif]]
+
: http://sourceforge.net/projects/libexif EXIF tag Parsing Library
+
 
+
=General=
+
These general-purpose programs frequently work when the special-purpose programs fail, but they generally provide less detailed information.
+
 
+
; [[Metadata Assistant]]
+
: http://www.payneconsulting.com/products/metadataent/
+
 
+
; [[hachoir|hachoir-metadata]]
+
: Extraction tool, part of '''[[Hachoir]]''' project
+
 
+
; [[file]]
+
: The UNIX '''file''' program can extract some metadata
+
 
+
; [[GNU libextractor]]
+
: http://gnunet.org/libextractor/ The libextractor library is a plugable system for extracting metadata
+
 
+
[[Category:Tools]]
+
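Review bot: in the added Format section, the line "The basic format is a list, consisting of a (shell item) entry size value (field) and entry data" does not say how wide the size field is, whether it counts itself, or how the list ends, so the description cannot be used to walk a list; please state those details or point at the relevant section of the linked "Windows Shell Item format" document. In the added line before the Format heading, "[[LNK | Windows Shortcut (LNK)]] file" should read "files".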

Revision as of 03:09, 12 January 2011

The Windows Shell uses Shell Items (or Shell Item list) to identify items within the Windows Folder Hierarchy. A Shell Item is much like a "path", and is unique to its parent folder. The format of the Shell Item is undocumented and varies between Windows versions.

Shell Items are used in Windows Shortcut (LNK) files and in the ShellBags key in the Windows Registry.

Format

The basic format is a list of entries, each consisting of a (shell item) entry size field and the entry data.

There are multiple types of entries to specify different parts of the "path":

  • volume
  • network share
  • file and directory
  • URI

Some shell item entries contain date and time values which can be used in Timeline Analysis.
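The following is an added example, not part of the original wiki page: a bounds-checked walker for a shell item list that classifies each entry and decodes the modification time of file entries for timeline use. It assumes details this page does not state: a 2-byte little-endian size that counts itself, a zero-size terminator, a class-type byte at offset 2, and a FAT date/time at offset 8 of file entries; the function names and the sample bytes are constructed.

```python
import struct
from datetime import datetime

def classify(class_type):
    # Class-type values are an assumption taken from public format notes.
    if class_type == 0x1F:
        return "root folder"
    if class_type == 0x61:
        return "URI"
    return {0x20: "volume", 0x30: "file and directory",
            0x40: "network share"}.get(class_type & 0x70, "unknown")

def fat_datetime(date, time):
    """Decode a 16-bit FAT date and 16-bit FAT time; None if unset or invalid."""
    try:
        return datetime(1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
                        time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)
    except ValueError:
        return None

def parse_shell_item_list(buf):
    """Return [(kind, modified, raw)]; raise ValueError on a malformed list."""
    items, off = [], 0
    while True:
        if off + 2 > len(buf):
            raise ValueError("missing terminator at offset %d" % off)
        (size,) = struct.unpack_from("<H", buf, off)
        if size == 0:  # zero-size entry ends the list
            return items
        if size < 3 or off + size > len(buf):
            raise ValueError("bad entry size %d at offset %d" % (size, off))
        raw = buf[off:off + size]
        kind, modified = classify(raw[2]), None
        if kind == "file and directory" and size >= 12:
            modified = fat_datetime(*struct.unpack_from("<HH", raw, 8))
        items.append((kind, modified, raw))
        off += size

def _item(body):
    return struct.pack("<H", len(body) + 2) + body  # size counts its own 2 bytes

# Constructed sample: a volume entry, then directory "Temp" dated 2011-01-12 03:09:00.
SAMPLE = (_item(b"\x2fC:\\" + b"\x00" * 20)
          + _item(b"\x31\x00" + struct.pack("<IHHH", 0, 0x3E2C, 0x1920, 0x10)
                  + b"Temp\x00")
          + b"\x00\x00")

if __name__ == "__main__":
    for kind, modified, raw in parse_shell_item_list(SAMPLE):
        print(kind, modified, len(raw))
```

Because the layout varies between Windows versions, treat a decoded timestamp as a lead to corroborate against other artifacts rather than as a confirmed value.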

External Links