Retain BLOB Extraction Tool

From GWAVA Technologies Training
Revision as of 17:57, 20 March 2017 by Stephanf (Talk | contribs)


Retain Blob Extraction Tool v1.0.1.51

Sometimes you need to find a file on disk and extract it because you cannot do that in the search message interface. You can run the tool on a Windows Server or a Windows workstation.

The BLOB Extraction Tool converts the BLOBs on disk into a human-readable form.

It is used in conjunction with the KB article How to Find An Archived Message's Corresponding File on Disk

Help Screen

Typing either of the following commands into the command line will return the help screen.

BlobExtractionTool.exe 
BlobExtractionTool.exe /help
Retain Blob Extraction Tool v1.0.1.51
Usage:
  BlobExtractionTool.exe options /output dirspec /input dirspec
Options
/input = Required. A directory to start looking at for content file. 
  If recurse mode not activated and the directory contains no content file, exit with error. 
  Otherwise recurse down any subdirectories, looking for blobs to extract.
/output = Required. Create the output under this directory. 
  If recurse mode is activate, a directory tree is created under this directory.
/version = Optional. Program version is printed to output and program exits.
/recurse = Optional. Enable recursive extraction. 
  If this switch exists, continue going down through all child directories of the input directory, decrypting each item.
/xml = Optional. Export the XML header to same location of final file. File will have .xml extension added to filename.
/help = Optional. Print this info screen and exit.
Example: 
  BlobExtractionTool.exe /input C:\Retain\archive\ /output c:\extract /recurse /xml

Single Item Usage

Start by finding the location of the item on disk from its hash. For example,

000008FABCF0B5AC1A5C1E910072C28925A06AC9266404E9CB5366D8B165B4FF

You can use the extractor to make it readable. This command will extract all items in the C:\Retain\archive\00\00\08 folder, save them to the C:\Users\Administrator\Desktop\blob extractor\output folder, and export the item header data for those files into XML files:

BlobExtractionTool.exe /input "C:\Retain\archive\00\00\08" /output "C:\Users\Administrator\Desktop\blob extractor\output" /xml 

Each extracted file is named after what it is: it might be a Mime.822, an email or an attachment. Each XML file has the same name as its corresponding item.
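
The single-item procedure above as a PowerShell script, added here as an example and not part of the GWAVA tool or of this page: it stages a copy of one blob so that only that item is extracted instead of the whole folder. The parameter names, the default paths, the rule that the first three byte pairs of the hash name the folders (inferred from the 000008FA... example), the blob file being named after its hash, and a non-zero exit code on failure are all assumptions.

```powershell
# Added example. Parameter names, default paths and the archive layout are assumptions.
param(
    [Parameter(Mandatory)] [string] $Hash,
    [string] $ArchiveRoot = 'C:\Retain\archive',
    [string] $WorkRoot    = 'C:\extract',
    [string] $Tool        = '.\BlobExtractionTool.exe'
)

# Accept only a 64-character hex string so the value cannot carry path separators.
if ($Hash -notmatch '^[0-9A-Fa-f]{64}$') {
    throw "Not a 64-character hex hash: $Hash"
}
$Hash = $Hash.ToUpperInvariant()

# Assumed layout, inferred from the page's example:
# hash 000008FA... is stored under <archive>\00\00\08
$subDir   = '{0}\{1}\{2}' -f $Hash.Substring(0, 2), $Hash.Substring(2, 2), $Hash.Substring(4, 2)
$blobPath = Join-Path (Join-Path $ArchiveRoot $subDir) $Hash   # assumes file name = hash
if (-not (Test-Path -LiteralPath $blobPath -PathType Leaf)) {
    throw "Blob not found at $blobPath"
}

# Stage a copy of this one blob so the tool does not extract its neighbours.
$stage  = Join-Path $WorkRoot "stage\$Hash"
$output = Join-Path $WorkRoot "output\$Hash"
New-Item -ItemType Directory -Path $stage, $output -Force | Out-Null
Copy-Item -LiteralPath $blobPath -Destination $stage

# Same switches as the single-item command on this page.
& $Tool /input $stage /output $output /xml
if ($LASTEXITCODE -ne 0) {
    throw "BlobExtractionTool exited with code $LASTEXITCODE"   # assumed failure signal
}

# Remove the staged copy, then list what was produced with a digest for each file.
Remove-Item -LiteralPath $stage -Recurse -Force
Get-ChildItem -LiteralPath $output -Recurse -File |
    Get-FileHash -Algorithm SHA256 |
    Select-Object Hash, Path
```

The output folder holds extracted message content in readable form, so keep it on a location with restricted access and delete it when you are finished.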

Multi-item Usage

If you have copied multiple items to a workstation and wish to extract all of them at once, you can use the /recurse option to have the tool extract all items.

BlobExtractionTool.exe /input "C:\Users\Administrator\Desktop\Retain\archive" /output "C:\Users\Administrator\Desktop\blob extractor\output" /recurse

This will extract all files into a single directory, or into matching directories if more than one directory contains items.

Output

The extraction tool will show which items are being extracted. For example,

BlobExtractionTool.exe /input "C:\Retain\archive\00\00" /output "C:\Users\Administrator\Desktop\blob extractor\output" /xml /recurse
Retain Blob Extraction Tool v1.0.1.51

0000000781BC40B9702A65CB527425474AF733B0616B80CCECCE49099636ECE9
File extracted
000008FABCF0B5AC1A5C1E910072C28925A06AC9266404E9CB5366D8B165B4FF
File extracted
00001A58F0D46AB536C2ECB725497F969F381CE29C15664920C40FF81D1CA470
File extracted
00001DE51564FF7B2753B44E0850D43ADC6FBA24C66898E78807020D3520462C
File extracted
0000201C908183CED3642C095143546531218DD57C5F60C7B3E67B9F6E5C0D89
File extracted
000020785C84165C0C8CD3DA6400FAB562CBE31047127B4F5E27D6086327D550
File extracted