Difference between revisions of "Retain BLOB Extraction Tool"
From GWAVA Technologies Training
| Line 1: | Line 1: | ||
==Retain Blob Extraction Tool v1.0.1.51== | ==Retain Blob Extraction Tool v1.0.1.51== | ||
| + | Sometimes you need to find a file on disk and extract it when you cannot do that in the search message interface. You can run this on a Windows Server or Windows workstation. | ||
| + | |||
The BLOB extraction tool allows you to convert the BLOBs on disk into a human readable form. | The BLOB extraction tool allows you to convert the BLOBs on disk into a human readable form. | ||
| Line 13: | Line 15: | ||
BlobExtractionTool.exe options /output dirspec /input dirspec | BlobExtractionTool.exe options /output dirspec /input dirspec | ||
Options | Options | ||
| − | /input = Required. A directory to start looking at for content file. If recurse mode not activated and the directory contains no content file, exit with error. Otherwise recurse down any subdirectories, looking for blobs to extract. | + | /input = Required. A directory to start looking at for content file. |
| − | /output = Required. Create the output under this directory. If recurse mode is activate, a directory tree is created under this directory. | + | If recurse mode not activated and the directory contains no content file, exit with error. |
| + | Otherwise recurse down any subdirectories, looking for blobs to extract. | ||
| + | /output = Required. Create the output under this directory. | ||
| + | If recurse mode is activate, a directory tree is created under this directory. | ||
/version = Optional. Program version is printed to output and program exits. | /version = Optional. Program version is printed to output and program exits. | ||
| − | /recurse = Optional. Enable recursive extraction. If this switch exists, continue going down through all child directories of the input directory, decrypting each item. | + | /recurse = Optional. Enable recursive extraction. |
| + | If this switch exists, continue going down through all child directories of the input directory, decrypting each item. | ||
/xml = Optional. Export the XML header to same location of final file. File will have .xml extension added to filename. | /xml = Optional. Export the XML header to same location of final file. File will have .xml extension added to filename. | ||
/help = Optional. Print this info screen and exit. | /help = Optional. Print this info screen and exit. | ||
Example: | Example: | ||
BlobExtractionTool.exe /input C:\Retain\archive\ /output c:\extract /recurse /xml | BlobExtractionTool.exe /input C:\Retain\archive\ /output c:\extract /recurse /xml | ||
| + | |||
| + | ===Single Item Usage=== | ||
| + | After finding the location of an item on disk from the hash. For example, | ||
| + | 000008FABCF0B5AC1A5C1E910072C28925A06AC9266404E9CB5366D8B165B4FF | ||
| + | |||
| + | You can use the extractor to make it readable. This command will extract all items in the C:\Retain\archive\00\00\08 folder, save them to the C:\Users\Administrator\Desktop\blob extractor\output folder, and download the item header data for those files into XML files | ||
| + | BlobExtractionTool.exe /input "C:\Retain\archive\00\00\08" /output "C:\Users\Administrator\Desktop\blob extractor\output" /xml | ||
| + | |||
| + | The files will be named after what it is, it might be a Mime.822, email or attachment. The XML file will have the same name as the corresponding item name. | ||
| + | |||
| + | ===Multi-itme Usage=== | ||
| + | If you have copied multiple items to a workstation and wish to extract all of them at once you can use the /recurse option to have the tool extract all items. | ||
| + | |||
| + | BlobExtractionTool.exe /input "C:\Users\Administrator\Desktop\Retain\archive" /output "C:\Users\Administrator\Desktop\blob extractor\output" /recurse | ||
| + | |||
| + | This will extract all files into a directory or in matching directories if there are more than one directories with items. | ||
Revision as of 17:49, 20 March 2017
Contents |
Retain Blob Extraction Tool v1.0.1.51
Sometimes you need to find a file on disk and extract it when you cannot do that in the search message interface. You can run this on a Windows Server or Windows workstation.
The BLOB extraction tool allows you to convert the BLOBs on disk into a human readable form.
This is used in conjunction with the kb How to Find An Archived Message's Corresponding File on Disk
Help Screen
Typing either of the following commands into the command line will return the help screen.
BlobExtractionTool.exe BlobExtractionTool.exe /help
Retain Blob Extraction Tool v1.0.1.51 Usage: BlobExtractionTool.exe options /output dirspec /input dirspec Options /input = Required. A directory to start looking at for content file. If recurse mode not activated and the directory contains no content file, exit with error. Otherwise recurse down any subdirectories, looking for blobs to extract. /output = Required. Create the output under this directory. If recurse mode is activate, a directory tree is created under this directory. /version = Optional. Program version is printed to output and program exits. /recurse = Optional. Enable recursive extraction. If this switch exists, continue going down through all child directories of the input directory, decrypting each item. /xml = Optional. Export the XML header to same location of final file. File will have .xml extension added to filename. /help = Optional. Print this info screen and exit. Example: BlobExtractionTool.exe /input C:\Retain\archive\ /output c:\extract /recurse /xml
Single Item Usage
After finding the location of an item on disk from the hash. For example,
000008FABCF0B5AC1A5C1E910072C28925A06AC9266404E9CB5366D8B165B4FF
You can use the extractor to make it readable. This command will extract all items in the C:\Retain\archive\00\00\08 folder, save them to the C:\Users\Administrator\Desktop\blob extractor\output folder, and download the item header data for those files into XML files
BlobExtractionTool.exe /input "C:\Retain\archive\00\00\08" /output "C:\Users\Administrator\Desktop\blob extractor\output" /xml
The files will be named after what it is, it might be a Mime.822, email or attachment. The XML file will have the same name as the corresponding item name.
Multi-itme Usage
If you have copied multiple items to a workstation and wish to extract all of them at once you can use the /recurse option to have the tool extract all items.
BlobExtractionTool.exe /input "C:\Users\Administrator\Desktop\Retain\archive" /output "C:\Users\Administrator\Desktop\blob extractor\output" /recurse
This will extract all files into a directory or in matching directories if there are more than one directories with items.
