Monday, June 13, 2011

Extending gThumb for forensics

I've searched high and low, and many times, for a good image viewer to be used in Linux-based forensics.  In the end, and despite some shortcomings, I always end up using gThumb, a GUI image viewer and browser.  The advantages of gThumb are that it integrates well with the Gnome desktop environment, has a robust search facility, finds files recursively, and can be extended by the user.

The focus of this post is extending gThumb.  Today, many images are rich in EXIF data, much of which gThumb displays in a property window.  However, it misses data like GPS coordinates that can be found in some images like those taken by the iPhone.  My favorite tool for reading EXIF data is exiftool by Phil Harvey, but it's a command line tool.  So, how does one integrate command line data with a GUI tool like gThumb?  Yad!

No, I didn't just utter an explicative.  Yad stands for "yet another dialog" and is a fork of the zenity project.  Zenity is a simple to use GUI front end for command line scripts.  However, yad has many more features and is under active development.  Yad had many stock dialog boxes, and I will illustrate its use here as I extend gThumb with exiftool by displaying the exiftool output in a yad dialog box.

gThumb has the option to run user scripts, accessed through the toolbar: Tools | Personalize.

This opens the "Command" dialog box.  Clicking the "New" button opens the "New Command" dialog where the user command is inputted.

Assuming both yad and exiftool are installed in you operating system, you can create an exiftool extention as follows:

Name: exiftool
Command: exiftool %F | yad --text-info --title="exiftool: %B" --fontname="Monospace 10" --width=600 --height=800
Shortcut: <select from drop down if a shortcut key is desired>
Terminal command (shell script): leave checked
Save the command and close the main Command box.  You can select your new command from the tools menu or by the number pad shortcut you created.

The results appear in a yad "text-info" dialog box:

If you made a mistake, or need to edit your command use the Command window through "Tool | Personalize."

With this basic format, gThumb extensions are only limited by your creativity!