Difference between revisions of "Retain BLOB Extraction Tool"
From GWAVA Technologies Training
(→Retain Blob Extraction Tool v1.0.1.51) |
|||
| (3 intermediate revisions by one user not shown) | |||
| Line 1: | Line 1: | ||
==Retain Blob Extraction Tool v1.0.1.51== | ==Retain Blob Extraction Tool v1.0.1.51== | ||
| − | + | Sometimes you need to find a file on disk and extract it when you cannot do that in the search message interface. You can run this on a Windows Server or Windows workstation. | |
| − | This is used in conjunction with the kb | + | The [ftp://download.gwava.com/outgoing/BlobExtractionTool/BlobExtractionTool.zip BLOB Extraction Tool] allows you to convert the BLOBs on disk into a human readable form. |
| + | |||
| + | This is used in conjunction with the kb [http://support.gwava.com/kb/?View=entry&EntryID=2420 How to Find An Archived Message's Corresponding File on Disk] | ||
===Help Screen=== | ===Help Screen=== | ||
| Line 13: | Line 15: | ||
BlobExtractionTool.exe options /output dirspec /input dirspec | BlobExtractionTool.exe options /output dirspec /input dirspec | ||
Options | Options | ||
| − | /input = Required. A directory to start looking at for content file. If recurse mode not activated and the directory contains no content file, exit with error. Otherwise recurse down any subdirectories, looking for blobs to extract. | + | /input = Required. A directory to start looking at for content file. |
| − | /output = Required. Create the output under this directory. If recurse mode is activate, a directory tree is created under this directory. | + | If recurse mode not activated and the directory contains no content file, exit with error. |
| + | Otherwise recurse down any subdirectories, looking for blobs to extract. | ||
| + | /output = Required. Create the output under this directory. | ||
| + | If recurse mode is activate, a directory tree is created under this directory. | ||
/version = Optional. Program version is printed to output and program exits. | /version = Optional. Program version is printed to output and program exits. | ||
| − | /recurse = Optional. Enable recursive extraction. If this switch exists, continue going down through all child directories of the input directory, decrypting each item. | + | /recurse = Optional. Enable recursive extraction. |
| + | If this switch exists, continue going down through all child directories of the input directory, decrypting each item. | ||
/xml = Optional. Export the XML header to same location of final file. File will have .xml extension added to filename. | /xml = Optional. Export the XML header to same location of final file. File will have .xml extension added to filename. | ||
/help = Optional. Print this info screen and exit. | /help = Optional. Print this info screen and exit. | ||
Example: | Example: | ||
BlobExtractionTool.exe /input C:\Retain\archive\ /output c:\extract /recurse /xml | BlobExtractionTool.exe /input C:\Retain\archive\ /output c:\extract /recurse /xml | ||
| + | |||
| + | ===Single Item Usage=== | ||
| + | After finding the location of an item on disk from the hash. For example, | ||
| + | 000008FABCF0B5AC1A5C1E910072C28925A06AC9266404E9CB5366D8B165B4FF | ||
| + | |||
| + | You can use the extractor to make it readable. This command will extract all items in the C:\Retain\archive\00\00\08 folder, save them to the C:\Users\Administrator\Desktop\blob extractor\output folder, and download the item header data for those files into XML files | ||
| + | BlobExtractionTool.exe /input "C:\Retain\archive\00\00\08" /output "C:\Users\Administrator\Desktop\blob extractor\output" /xml | ||
| + | |||
| + | The files will be named after what it is, it might be a Mime.822, email or attachment. The XML file will have the same name as the corresponding item name. | ||
| + | |||
| + | ===Multi-item Usage=== | ||
| + | If you have copied multiple items to a workstation and wish to extract all of them at once you can use the /recurse option to have the tool extract all items. | ||
| + | |||
| + | BlobExtractionTool.exe /input "C:\Users\Administrator\Desktop\Retain\archive" /output "C:\Users\Administrator\Desktop\blob extractor\output" /recurse | ||
| + | |||
| + | This will extract all files into a directory or in matching directories if there are more than one directories with items. | ||
| + | |||
| + | ===Output=== | ||
| + | The extraction tool will show which items are being extracted. | ||
| + | For example, | ||
| + | BlobExtractionTool.exe /input "C:\Retain\archive\00\00" /output "C:\Users\Administrator\Desktop\blob extractor\output" /xml /recurse | ||
| + | Retain Blob Extraction Tool v1.0.1.51 | ||
| + | |||
| + | 0000000781BC40B9702A65CB527425474AF733B0616B80CCECCE49099636ECE9 | ||
| + | File extracted | ||
| + | 000008FABCF0B5AC1A5C1E910072C28925A06AC9266404E9CB5366D8B165B4FF | ||
| + | File extracted | ||
| + | 00001A58F0D46AB536C2ECB725497F969F381CE29C15664920C40FF81D1CA470 | ||
| + | File extracted | ||
| + | 00001DE51564FF7B2753B44E0850D43ADC6FBA24C66898E78807020D3520462C | ||
| + | File extracted | ||
| + | 0000201C908183CED3642C095143546531218DD57C5F60C7B3E67B9F6E5C0D89 | ||
| + | File extracted | ||
| + | 000020785C84165C0C8CD3DA6400FAB562CBE31047127B4F5E27D6086327D550 | ||
| + | File extracted | ||
Latest revision as of 17:58, 20 March 2017
Contents |
[edit] Retain Blob Extraction Tool v1.0.1.51
Sometimes you need to find a file on disk and extract it when you cannot do that in the search message interface. You can run this on a Windows Server or Windows workstation.
The BLOB Extraction Tool allows you to convert the BLOBs on disk into a human readable form.
This is used in conjunction with the kb How to Find An Archived Message's Corresponding File on Disk
[edit] Help Screen
Typing either of the following commands into the command line will return the help screen.
BlobExtractionTool.exe BlobExtractionTool.exe /help
Retain Blob Extraction Tool v1.0.1.51 Usage: BlobExtractionTool.exe options /output dirspec /input dirspec Options /input = Required. A directory to start looking at for content file. If recurse mode not activated and the directory contains no content file, exit with error. Otherwise recurse down any subdirectories, looking for blobs to extract. /output = Required. Create the output under this directory. If recurse mode is activate, a directory tree is created under this directory. /version = Optional. Program version is printed to output and program exits. /recurse = Optional. Enable recursive extraction. If this switch exists, continue going down through all child directories of the input directory, decrypting each item. /xml = Optional. Export the XML header to same location of final file. File will have .xml extension added to filename. /help = Optional. Print this info screen and exit. Example: BlobExtractionTool.exe /input C:\Retain\archive\ /output c:\extract /recurse /xml
[edit] Single Item Usage
After finding the location of an item on disk from the hash. For example,
000008FABCF0B5AC1A5C1E910072C28925A06AC9266404E9CB5366D8B165B4FF
You can use the extractor to make it readable. This command will extract all items in the C:\Retain\archive\00\00\08 folder, save them to the C:\Users\Administrator\Desktop\blob extractor\output folder, and download the item header data for those files into XML files
BlobExtractionTool.exe /input "C:\Retain\archive\00\00\08" /output "C:\Users\Administrator\Desktop\blob extractor\output" /xml
The files will be named after what it is, it might be a Mime.822, email or attachment. The XML file will have the same name as the corresponding item name.
[edit] Multi-item Usage
If you have copied multiple items to a workstation and wish to extract all of them at once you can use the /recurse option to have the tool extract all items.
BlobExtractionTool.exe /input "C:\Users\Administrator\Desktop\Retain\archive" /output "C:\Users\Administrator\Desktop\blob extractor\output" /recurse
This will extract all files into a directory or in matching directories if there are more than one directories with items.
[edit] Output
The extraction tool will show which items are being extracted. For example,
BlobExtractionTool.exe /input "C:\Retain\archive\00\00" /output "C:\Users\Administrator\Desktop\blob extractor\output" /xml /recurse Retain Blob Extraction Tool v1.0.1.51 0000000781BC40B9702A65CB527425474AF733B0616B80CCECCE49099636ECE9 File extracted 000008FABCF0B5AC1A5C1E910072C28925A06AC9266404E9CB5366D8B165B4FF File extracted 00001A58F0D46AB536C2ECB725497F969F381CE29C15664920C40FF81D1CA470 File extracted 00001DE51564FF7B2753B44E0850D43ADC6FBA24C66898E78807020D3520462C File extracted 0000201C908183CED3642C095143546531218DD57C5F60C7B3E67B9F6E5C0D89 File extracted 000020785C84165C0C8CD3DA6400FAB562CBE31047127B4F5E27D6086327D550 File extracted
