SOPIA Suite Help Files
SIPHON.py
Description
SIPHON uses the libesedb library to read in a Windows.edb file. SIPHON reads the 'SystemIndex_0A.2' structure that Joachims libesedb library rips out of the Windows.edb file. SIPHON then looks for a user-specified thumbcache and then creates a csv file containing all the headers and all of the rows of information for a unique thumbcacheID.
Dependancies
- python-tk (Install: sudo apt-get install python-tk)
- Working installation of Joachim Metz's libesedb library
- Windows.edb file
- Linux Machine (Only tested on Ubuntu)*
*Due to the way some distros of Linux work with executable files, SIPHON may or may not work with them.
SIPHON has been built and tested extensively on Ubuntu 13.10.
How To Use
Once python-tk is installed and libesedb has been built and installed, open up a terminal and browse to the SIPHON folder within SopiaSuite and from the terminal, type: python SIPHON.py You should see the following screens:
CD to where siphon.py is located and ensure that the Windows.edb file you wish to examiner resides in the 'evidence' folder.
Step 2:
Run the script using python siphon.py. You will be asked to provide the thumbcache ID of the file in question.
Step 3:
SIPHON will now list all the files in the libesedb folder (to confirm that it is in the correct folder). You may be required to enter the root password to continue running the script.
Step 4:
Joachim Metz's Libesedb script will read in the database. You should now navigate to the Windows.edb.export folder: /home/si/Desktop/siphonDir/libesedb-20120102/esedbtools/Windows.edb.export (make sure you're inside the folder) then click OK.
Step 5:
SIPHON will look for the thumbcache within the SystemIndex_0A.? file and then ask you to save the file. You should type in something like: /home/si/Desktop/evidence.csv (you should manually type in where you wish to save the results and end with the csv ext).
Step 6:
Open the CSV file in LibreOffice or preferably Microsoft Excel to see results.
Thank you for using SIPHON.py!
About
When analyzed, Thumbcache files in Windows Vista and newer operating systems store
a list of photographs that were viewed in thumbnail view. Some of these photographs may
be deleted and as a result, all that is left is the thumbcache file. Finding out where the original photograph was located, along with the dimensions and other metadata gives strength to the evidence.
Prior to SIPHON being created, the process of finding a thumbcache was fairly time consuming
and once the relevant info was found, it was very difficult to interpret. SIPHON fixes this
issue by creating a csv file in a format which makes for easy analysis.