Monday, June 13, 2011

Extending gThumb for forensics

I've searched high and low, and many times, for a good image viewer to be used in Linux-based forensics.  In the end, and despite some shortcomings, I always end up using gThumb, a GUI image viewer and browser.  The advantages of gThumb are that it integrates well with the Gnome desktop environment, has a robust search facility, finds files recursively, and can be extended by the user.

The focus of this post is extending gThumb.  Today, many images are rich in EXIF data, much of which gThumb displays in a property window.  However, it misses data like GPS coordinates that can be found in some images like those taken by the iPhone.  My favorite tool for reading EXIF data is exiftool by Phil Harvey, but it's a command line tool.  So, how does one integrate command line data with a GUI tool like gThumb?  Yad!

No, I didn't just utter an explicative.  Yad stands for "yet another dialog" and is a fork of the zenity project.  Zenity is a simple to use GUI front end for command line scripts.  However, yad has many more features and is under active development.  Yad had many stock dialog boxes, and I will illustrate its use here as I extend gThumb with exiftool by displaying the exiftool output in a yad dialog box.

gThumb has the option to run user scripts, accessed through the toolbar: Tools | Personalize.


This opens the "Command" dialog box.  Clicking the "New" button opens the "New Command" dialog where the user command is inputted.


Assuming both yad and exiftool are installed in you operating system, you can create an exiftool extention as follows:

Name: exiftool
Command: exiftool %F | yad --text-info --title="exiftool: %B" --fontname="Monospace 10" --width=600 --height=800
Shortcut: <select from drop down if a shortcut key is desired>
Terminal command (shell script): leave checked
Save the command and close the main Command box.  You can select your new command from the tools menu or by the number pad shortcut you created.


The results appear in a yad "text-info" dialog box:



If you made a mistake, or need to edit your command use the Command window through "Tool | Personalize."


With this basic format, gThumb extensions are only limited by your creativity!

5 comments:

  1. try this

    exiftool %F | sed -r "s/:/\n/" | yad --list --column tag --column data --title="exiftool: %B" --width=600 --height=800

    ReplyDelete
  2. Hi Ananas, I agree that a yad list is a much prettier window, but I chose the text box so the content could be easily copied and pasted into a report. But I thank you for pointing out that there is more than one way to produce the results, and some users might prefer your setup to mine!

    ReplyDelete
  3. How can I select just the data I want and not show the rest?

    ReplyDelete
  4. The command is calling exiftool. You can change the command to call just the EXIF fields you desire. You'll find all you need to know here: https://exiftool.org/.

    ReplyDelete
  5. Super helpful, thanks. Didn't expect this obscure bit of knowledge to be available online with gthumb's scarce documentation. 10 years later gthumb is still not perfect, and some parts look identical as they did 10 years ago, but the functionality still makes it a great photo viewer. Gthumb does show exif data now; however, it doesn't like some exif formats, I've found exiftool to be a robust way to get exif data.

    ReplyDelete

Time Perspective

Telling time in forensic computing can be complicated. User interfaces hide the complexity, usually displaying time stamps in a human reada...