Monday, November 21, 2011

LibreOffice: An Unlikely Image Viewer

I encountered a series of deleted Enhanced Metafiles (EMF) files during the examination of a Window's-based system the other day.  EMF files are second generation Windows Metafiles (WMF), and early on in in most forensics careers, forensics examiners are taught to seek out those files as printer artifacts.  And, it just so happens, the path of these deleted files and a time stamp analysis suggested these files were in fact printer artifacts.

Sidebar: EMF is not only a printer artifact.  In fact, its not really accurate to call it a printer artifact.  Windows applications, like Microsoft Office, use the EMF format to make images portable between applications.  In printing from these applications, the document (even text documents) is converted to an EMF image and sent to the printer.
None of my native Linux image viewers was capable of displaying the EMF files.  I was considering downloading and running XnView, and excellent image viewer with over 400 supported image formats.  The new version being developed, XnViewMP (Multiplatform), is capable but unstable, so I didn't relish using it other than as a last resort. (And, as it turns out, EMF is not on the list of supported formats.)

A little poking around the Internet, and I discovered that OpenOffice supports EMF files.  Open Office, for the uninitiated, is and open office sweet with Microsoft Office document compatibility.  I have a fork of OpenOffice installed, called LibreOffice.  I opened the Draw program (though Writer would have worked as well), and I dragged the EMF into the document window.  Voila!  I had a perfect representation of the document sent to the printer.

LibreOffice can save the image as a PDF for distribution, if required.  While it might seem untenable to process numerous images in this manner (opening one at a time in LibreOffice to covert to another format), you may not be limited to this approach.  The unoconv program can be used to convert any document that can be opened by LibreOffice into any format that can be written by LibreOffice.  Automation, anyone?

No comments:

Post a Comment

Time Perspective

Telling time in forensic computing can be complicated. User interfaces hide the complexity, usually displaying time stamps in a human reada...