Difference between pages "Plaso" and "Vista thumbcache"

From ForensicsWiki
= Plaso =

{{Infobox_Software |
  name = plaso |
  maintainer = [[Kristinn Gudjonsson]], [[Joachim Metz]] |
  os = [[Linux]], [[Mac OS X]], [[Windows]] |
  genre = {{Analysis}} |
  license = {{APL}} |
  website = [https://code.google.com/p/plaso/ code.google.com/p/plaso/] |
}}

Plaso (plaso langar að safna öllu) is the Python-based back-end engine used by tools such as log2timeline for the automatic creation of super timelines. The goal of log2timeline (and thus plaso) is to provide a single tool that can parse various log files and forensic artifacts from computers and related systems, such as network equipment, to produce a single correlated timeline. This timeline can then be easily analysed by forensic investigators/analysts, speeding up investigations by correlating the vast amount of information found on an average computer system. Plaso is intended to be applied for creating super timelines but also supports creating [http://blog.kiddaland.net/2013/02/targeted-timelines-part-i.html targeted timelines].

The Plaso project site also provides [[4n6time]], formerly "l2t_Review", which is a cross-platform forensic tool for timeline creation and review by [[David Nides]].

== Supported Formats ==

=== Storage Media Image File Formats ===
Storage Media Image File Format support is provided by [[dfvfs]].

=== Volume System Formats ===
Volume System Format support is provided by [[dfvfs]].

=== File System Formats ===
File System Format support is provided by [[dfvfs]].

=== File formats ===
<b>TODO expand this list</b>

* Apple System Log (ASL)
* Basic Security Module (BSM)
* Bencode files
* [[Google Chrome|Chrome cache files]]
* [[Extensible Storage Engine (ESE) Database File (EDB) format]] using [[libesedb]]
* [[Internet Explorer History File Format]] (also known as MSIE 4 - 9 Cache Files or index.dat) using [[libmsiecf]]
* Java IDX
* [[OLE Compound File]] using [[libolecf]]
* OpenXML
* Pcap files
* [[Property list (plist)|Property list (plist) format]] using [[binplist]]
* SELinux audit logs
* SkyDrive log and error log files
* SQLite databases
* Symantec AV logs
* Syslog
* [[Windows Event Log (EVT)]] using [[libevt]]
* Windows Firewall
* Windows Job files (also known as "at jobs")
* Windows Prefetch files
* Windows Recycle bin (INFO2 and $I/$R)
* [[Windows NT Registry File (REGF)]] using [[libregf]]
* [[LNK|Windows Shortcut File (LNK) format]] using [[liblnk]]
* [[Windows XML Event Log (EVTX)]] using [[libevtx]]
* Xchat and Xchat scrollback files

=== Bencode file formats ===
* Transmission
* uTorrent

=== ESE database file formats ===
* Internet Explorer WebCache format

=== OLE Compound File formats ===
* Document summary information
* Summary information (top-level only)

=== Property list (plist) formats ===
* Airport
* Apple Account
* Bluetooth
* Install History
* iPod/iPhone
* Mac User
* Safari history
* Software Update
* Spotlight
* Spotlight Volume Information
* Timemachine

=== SQLite database file formats ===
* Android call logs
* Android SMS
* Chrome cookies
* [[Google Chrome|Chrome browsing and downloads history]]
* [[Mozilla Firefox|Firefox browsing and downloads history]]
* Google Drive
* Launch services quarantine events
* MacKeeper cache
* Mac OS X document versions
* Skype text conversations
* [[Zeitgeist|Zeitgeist activity database]]

=== Windows Registry formats ===
<b>TODO expand this list</b>

* [[Windows Application Compatibility|AppCompatCache]]
* CCleaner
* MountPoints2
* MSIE Zone
* MSIE Zone Software

== History ==
Plaso is a Python-based rewrite of the Perl-based [[log2timeline]] initially created by [[Kristinn Gudjonsson]]. Plaso builds upon the [[SleuthKit]], [[libyal]], [[dfvfs]] and various other projects.

== See Also ==
* [[dfvfs]]
* [[log2timeline]]

== External Links ==
* [https://code.google.com/p/plaso/ Project site]
* [https://sites.google.com/a/kiddaland.net/plaso/home Project documentation]
* [http://blog.kiddaland.net/ Project blog]
* [https://sites.google.com/a/kiddaland.net/plaso/usage/4n6time 4n6time]

= Vista thumbcache =

== Overview ==

[[Windows]] Vista stores [[Thumbnails | thumbnails]] in the following directory:
<pre>
\Users\%username%\AppData\Local\Microsoft\Windows\Explorer
</pre>

This directory contains the following files:

* thumbcache_idx.db
* thumbcache_32.db, thumbcache_96.db, thumbcache_256.db, and thumbcache_1024.db
* thumbcache_sr.db

Thumbnails are stored in ''thumbcache_NN.db'' files in different formats (e.g. [[BMP]]) and can be extracted using [[File Carving | file carving]]. There are several tools that can work with Vista Thumbcache: [http://www.dmthumbs.com/ dmThumbs], [http://www.janusware.com/fetch.php?page=412,2 Thumbs.db Viewer], [http://www.simplecarver.com/tool.php?toolname=WinThumbs%20Extractor WinThumbs], [http://code.google.com/p/thumbcache-viewer thumbcache-viewer], and [[FTK]]. Unfortunately, there is no information in the thumbcache that can easily link thumbnails with original files in all cases. One of the ways to link thumbnails with original files is to use the Windows Indexer (Windows.edb) database.

== Thumbcache Format ==

''The Thumbcache format is described [http://www.noxa.org/blog/?p=5 here].''

In general, every thumbnail in the cache is associated with two 64-bit variables. The first variable (sometimes called ''Unique ID'', ''Secret'' or ''File ID'') associates data in the file ''thumbcache_idx.db'' with thumbnail data in the ''thumbcache_NN.db'' files; the purpose of this variable is unclear. The other variable, the ''Thumbnail Cache ID'' (sometimes called ''Thumbnail filename'' (in [[FTK]]) or ''File Ref''), is used to link thumbnails with original files. In the cache, the ''Thumbnail Cache ID'' is stored as a Unicode string of its hexadecimal encoding.

== Thumbnail Creation Process ==

[[Windows]] Vista creates thumbnails for files on different media types, including:

* Removable devices
* Network drives
* Encrypted containers (e.g. [[PGP]] Desktop, [[TrueCrypt]], [[BestCrypt]])

[[Windows]] Vista doesn't create thumbnails for files encrypted using [[EFS]] unless the thumbcache directory is encrypted too; [[Windows]] Vista doesn't delete thumbnails for files after they were encrypted using [[EFS]].

Some programs may generate thumbnails for some file types which are displayed in Windows Explorer but not stored in the thumbcache (e.g. Ascon Kompas).

== Linking thumbnails with original files ==

=== Using Windows Indexer ===

[[Image:WindowsPowerShellThumbnails.jpg|thumb|right|Windows PowerShell displays association between files and ThumbnailCacheIDs]]

One way to link thumbnails with original files is to use the Windows Indexer database, which stores the association between '''indexed''' files and ''ThumbnailCacheIDs'' together with some metadata. The Windows.edb database file contents can be extracted using [http://www.simplecarver.com/tool.php?toolname=Windows%20Search%20Index%20Extractor Windows Search Index Extractor].

==== Using Windows PowerShell ====

Windows PowerShell provides an easy way to access this database using SQL queries. Note that most forensic tools (like [[FTK]]) display the ''ThumbnailCacheID'' ([[FTK]] calls it ''Thumbnail filename'') in hexadecimal, but Windows PowerShell returns the result in decimal.

==== Using HEX editor ====

You can also search for the ''ThumbnailCacheID'' value in the ''Windows.edb'' file using your favorite hex editor.

=== Vista Windows Photo Gallery ===

Windows Vista includes a built-in picture previewing tool called Windows Photo Gallery (the LIVE edition may also be installed by the user). Both of these programs create the files ''pictures.pd4'' and ''pictures.pd5'' respectively, containing the ''ThumbnailCacheID'' and file path information of previewed pictures and videos. The contents of pictures.pd4 and pictures.pd5 can be extracted using [http://www.simplecarver.com/tool.php?toolname=WPG%20Viewer WPG Viewer].

== External Links ==
* [http://www.whereisyourdata.co.uk/data/modules/wfdownloads/visit.php?cid=4&lid=9 Forensic Implications of Windows Vista, Barrie Stewart, 2007]
* [http://code.google.com/p/libwtcdb/downloads/detail?name=Windows%20Explorer%20Thumbnail%20Cache%20database%20format.pdf Windows Explorer Thumbnail Cache database (thumbcache.db) format], by the [[libwtcdb|libwtcdb project]]

=== ThumbnailCacheId ===
* [http://msdn.microsoft.com/en-us/library/windows/desktop/bb787580(v=vs.85).aspx System.ThumbnailCacheId]
* [http://msdn.microsoft.com/en-us/library/bb774628(VS.85).aspx IThumbnailCache interface]

=== Non-English ===
* [http://itdefence.ru/content/articles/Thumbnails.Suhanov/ Using centralized thumbnail databases to examine graphic files on encrypted partitions] (in Russian), ITDefence, 2009 ([http://www.securitylab.ru/analytics/370474.php extended version])

== Tools ==
* [http://code.google.com/p/thumbcache-viewer/ Thumbcache-viewer]
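The Overview section above notes that thumbnails sit inside the ''thumbcache_NN.db'' files as ordinary image files (e.g. BMP) and can be recovered by file carving. The following is an added example of such a signature-based carver; it is not code from ForensicsWiki or from any of the tools listed on this page. It goes slightly beyond the page's BMP example by also recognising PNG, which later Windows versions use for cache entries. Assumptions: a BMP is located by its <code>BM</code> magic and bounded by the file-size field at offset 2 of its header; a PNG is located by its 8-byte signature and ends after the <code>IEND</code> chunk. The sample buffer at the bottom is constructed for the demonstration and is not a real cache file.

```python
"""Signature-based carving of BMP and PNG thumbnails from a thumbcache-style buffer.

Added example, not from ForensicsWiki or any tool named on the page.
Assumptions: BMP length comes from the header's file-size field; PNG length
from walking chunks to IEND.  SAMPLE_CACHE is constructed, not a real cache.
"""
import struct
import zlib

BMP_MAGIC = b"BM"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"


def _bmp_length(buf, off):
    """Declared BMP length at off, or None when the header is not plausible."""
    if off + 14 > len(buf):
        return None
    size, _res1, _res2, pixel_off = struct.unpack_from("<IHHI", buf, off + 2)
    # Smallest legal BMP is a 14-byte file header plus a 12-byte core header.
    if size < 26 or pixel_off < 26 or pixel_off >= size or off + size > len(buf):
        return None
    return size


def _png_length(buf, off):
    """Length of the PNG at off by walking chunks until IEND, or None if truncated."""
    pos = off + len(PNG_MAGIC)
    while pos + 8 <= len(buf):
        length, ctype = struct.unpack_from(">I4s", buf, pos)
        pos += 8 + length + 4  # length, type, data, CRC
        if pos > len(buf):
            return None
        if ctype == b"IEND":
            return pos - off
    return None


def carve_thumbnails(buf):
    """Return a list of (offset, kind, image_bytes) for every BMP/PNG found in buf."""
    found = []
    pos = 0
    while pos < len(buf):
        cands = [(o, k) for o, k in ((buf.find(BMP_MAGIC, pos), "bmp"),
                                     (buf.find(PNG_MAGIC, pos), "png")) if o != -1]
        if not cands:
            break
        off, kind = min(cands)  # earliest candidate signature
        length = _bmp_length(buf, off) if kind == "bmp" else _png_length(buf, off)
        if length is None:
            pos = off + 1  # false positive (e.g. a stray 'BM' inside other data)
            continue
        found.append((off, kind, buf[off:off + length]))
        pos = off + length  # never re-scan inside an image we already carved
    return found


def make_bmp_1x1(r, g, b):
    """Construct a minimal 1x1 24-bit BMP (sample data for the demo)."""
    pixels = bytes([b, g, r]) + b"\x00"  # one BGR pixel, row padded to 4 bytes
    info = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, len(pixels), 0, 0, 0, 0)
    size = 14 + len(info) + len(pixels)
    return BMP_MAGIC + struct.pack("<IHHI", size, 0, 0, 14 + len(info)) + info + pixels


def _png_chunk(ctype, data):
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def make_png_1x1(r, g, b):
    """Construct a minimal 1x1 RGB PNG (sample data for the demo)."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)
    idat = zlib.compress(b"\x00" + bytes([r, g, b]))  # filter byte + one pixel
    return PNG_MAGIC + _png_chunk(b"IHDR", ihdr) + _png_chunk(b"IDAT", idat) + _png_chunk(b"IEND", b"")


# Constructed stand-in for a cache file: filler, a misleading 'BM', a BMP, a PNG.
SAMPLE_CACHE = (
    b"CMMM" + b"\x00" * 20                      # filler (not a real entry header)
    + b"BM\xff\xff\xff\xff" + b"\x00" * 8       # stray 'BM' with an impossible size
    + make_bmp_1x1(255, 0, 0)                   # red 1x1 BMP at offset 38
    + b"\x00" * 16
    + make_png_1x1(0, 0, 255)                   # blue 1x1 PNG at offset 112
    + b"\x00" * 16
)

if __name__ == "__main__":
    for off, kind, data in carve_thumbnails(SAMPLE_CACHE):
        print(f"offset {off}: {kind}, {len(data)} bytes")
```

The carver advances past each image it accepts rather than byte by byte, so a <code>BM</code> or PNG signature that happens to occur inside a carved image is not reported a second time; a <code>BM</code> whose size field does not fit inside the buffer is skipped as a false positive, which is the usual noise when carving binary containers.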
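The Thumbcache Format and Linking sections above describe the same ''ThumbnailCacheID'' in three guises: PowerShell reports it in decimal, FTK shows it in hexadecimal, and the cache itself holds it as a Unicode (UTF-16) string of its hex encoding. The following is an added example, not code from the page or from FTK, PowerShell or plaso, that converts between those forms and searches a byte buffer for the in-cache string form. Assumptions: the hex form is 16 zero-padded digits, the in-cache string is that text in UTF-16LE, and its letter case is not guaranteed, so both cases are searched; <code>cache_id_le_bytes</code> additionally gives the raw little-endian 64-bit form, which is an assumed third representation worth having when searching other binary files. The sample buffer is constructed.

```python
"""ThumbnailCacheID representations: decimal (PowerShell), hex (FTK), UTF-16 hex string (cache).

Added example, not from ForensicsWiki, FTK, PowerShell or plaso.
Assumptions: 16-digit zero-padded hex; in-cache form is UTF-16LE of that text,
case unknown; the raw little-endian form is an assumed extra representation.
"""
import struct

HEX_DIGITS = set("0123456789abcdef")


def cache_id_from_decimal(text):
    """Parse the decimal form PowerShell returns; must fit in 64 bits."""
    value = int(text.strip(), 10)
    if not 0 <= value < 2 ** 64:
        raise ValueError("ThumbnailCacheID must be an unsigned 64-bit value")
    return value


def cache_id_from_hex(text):
    """Parse the hexadecimal form shown by tools such as FTK (optional 0x prefix)."""
    text = text.strip().lower()
    if text.startswith("0x"):
        text = text[2:]
    if len(text) != 16 or not set(text) <= HEX_DIGITS:
        raise ValueError("expected 16 hexadecimal digits")
    return int(text, 16)


def cache_id_hex(value):
    """Zero-padded 16-digit lowercase hex, the form to compare against FTK's display."""
    return f"{value:016x}"


def cache_id_utf16_patterns(value):
    """UTF-16LE encodings of the hex string in both letter cases (the in-cache form)."""
    text = cache_id_hex(value)
    return [text.encode("utf-16-le"), text.upper().encode("utf-16-le")]


def cache_id_le_bytes(value):
    """Raw little-endian 64-bit form (assumed representation for binary searching)."""
    return struct.pack("<Q", value)


def find_cache_id(buf, value):
    """Offsets in buf where the UTF-16LE hex string of value occurs, either case."""
    hits = []
    for pattern in cache_id_utf16_patterns(value):
        start = 0
        while True:
            i = buf.find(pattern, start)
            if i == -1:
                break
            hits.append(i)
            start = i + 1
    return sorted(hits)


# Constructed sample: two occurrences of one ID, one lowercase and one uppercase,
# separated by filler.  The ID value itself is made up for the demonstration.
SAMPLE_ID = 0x1A2B3C4D5E6F7081
SAMPLE_BUFFER = (
    b"\x00" * 8
    + "1a2b3c4d5e6f7081".encode("utf-16-le")   # offset 8
    + b"\x00" * 4
    + "1A2B3C4D5E6F7081".encode("utf-16-le")   # offset 44
    + b"\x00" * 4
)

if __name__ == "__main__":
    as_decimal = str(SAMPLE_ID)                 # what PowerShell would show
    value = cache_id_from_decimal(as_decimal)
    print("hex (FTK style):", cache_id_hex(value))
    print("found at offsets:", find_cache_id(SAMPLE_BUFFER, value))
```

Feeding the decimal from PowerShell through <code>cache_id_from_decimal</code> and then <code>cache_id_hex</code> gives the string to look for in FTK's ''Thumbnail filename'' column, and <code>find_cache_id</code> automates the hex-editor search on an extracted file.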

Latest revision as of 06:31, 3 June 2014
