Tuesday, October 30, 2007

Calling Thumbcache Parser from X-Ways Forensics...

I saw a post on the X-Ways forums about carving out data from the thumbcache and thought to myself, why did I not think of making my thumbcache parser callable from X-Ways? Well, now you can. I made a few small modifications to the program, and you can now call it from X-Ways Forensics by right-clicking on one of the thumbcache files and picking an external program.

To install it, download the zip file from here. Unzip it into the directory of your choice. Take headersig.txt and put it in the temp folder you have defined in X-Ways Forensics (this is under options=>general; if you do not do this, the program will not work and will just hang). Now define the EXE or Perl script (your choice) in the external programs definition section (options=>external programs). That is all that is needed to set it up. To run it, right-click on one of the thumbcache_??.db files and pick the external program to run. The program will then ask you where you want to put the jpg/bmp/png files that will be exported from the thumbcache file. Once the program has finished, you can import the files into your case.

As always I hope you find this useful. Questions/Comments/Suggestions?


