Difference between pages "Cellebrite" and "Vista thumbcache"

From Forensics Wiki

Cellebrite
(Edit summary: Added info from Cellebrite website as well as link to vendor.)

{{expand}}

[[Category:Vendors]]

Founded in 1999 by a team of highly experienced telecom and mobile telephony professionals, Cellebrite is a global company known for its technological breakthroughs in the cellular industry.

Wireless Retailers

A pioneer in phone-to-phone content transfer, Cellebrite today provides a complete range of solutions for the mobile retail industry, from stand-alone content transfer at the point of sale to over-the-air (OTA) applications for subscriber content management.

With a proven ability to impact sales of phones, upgrades, and services, Cellebrite counts the world's largest mobile operators among its customers, with deployments by more than 140 major carriers.

Mobile Forensics

Building on its expertise in mobile data technology, Cellebrite introduced a new line of products targeted at the mobile forensics industry in 2007.

Cellebrite's solution enables extraction and analysis of evidentiary data from more than 3,000 mobile phones and GPS devices.

Described by the vendor as the most complete mobile forensics experience available on the market today, Cellebrite technology is in use by military, law enforcement, and government agencies across the world.

Cellebrite is a fully-owned subsidiary of the Sun Corporation, a listed Japanese company (6736/JQ).

--

Universal Forensic Extraction Device

* Logical and physical data extraction
* Supports more than 3000 handset models
* Standalone kit - portable and easy to use

[http://www.cellebrite.com/]

Vista thumbcache
(Edit summary: Overview)
Revision as of 03:15, 3 August 2009

Overview

Windows Vista stores thumbnails in the following directory: \Users\\AppData\Local\Microsoft\Windows\Explorer

This directory contains the following files:

  • thumbcache_idx.db
  • thumbcache_32.db, thumbcache_96.db, thumbcache_256.db, and thumbcache_1024.db
  • thumbcache_sr.db

Thumbnails are stored in the thumbcache_NN.db files in several image formats (e.g. BMP) and can be extracted using file carving. Several tools can work with the Vista Thumbcache: dmThumbs (http://www.dmthumbs.com/), Thumbs.db Viewer (http://www.janusware.com/fetch.php?page=412,2), WinThumbs (http://www.simplecarver.com/tool.php?toolname=WinThumbs%20Extractor) and FTK. Unfortunately, the thumbcache itself contains no information that reliably links a thumbnail back to its original file in all cases. One way to make that link is to use the Windows Indexer (Windows.edb) database.

Thumbcache Format

The thumbcache format is described at http://www.noxa.org/blog/?p=5.

In general, every thumbnail in the cache is associated with two 64-bit values. The first (sometimes called Unique ID, Secret or File ID) associates an entry in thumbcache_idx.db with the thumbnail data in the thumbcache_NN.db files; the purpose of this value is unclear. The second is the Thumbnail Cache ID (called Thumbnail filename in FTK, or File Ref elsewhere), which is used to link thumbnails with their original files. The Thumbnail Cache ID itself is represented as a Unicode string of its hexadecimal encoding.

Thumbnail Creation Process

Windows Vista creates thumbnails for files on different media types, including:

  • Removable devices
  • Network drives
  • Encrypted containers (e.g. PGP Desktop, TrueCrypt, BestCrypt)

Windows Vista doesn't create thumbnails for files encrypted using EFS unless the thumbcache directory is encrypted too; Windows Vista doesn't delete thumbnails for files after they were encrypted using EFS.

Some programs generate thumbnails for certain file types; these thumbnails are displayed in Windows Explorer but are not stored in the thumbcache (e.g. Ascon Kompas).

Linking thumbnails with original files

Using Windows Indexer

(Figure: WindowsPowerShellThumbnails.jpg, "Windows PowerShell displays association between files and ThumbnailCacheIDs")

One way to link thumbnails with original files is the Windows Indexer database, which stores the association between indexed files and their ThumbnailCacheIDs, along with some metadata.

Using Windows PowerShell

Windows PowerShell provides an easy way to access this database using SQL queries. Note that most forensic tools (such as FTK) display the ThumbnailCacheID (FTK calls it Thumbnail filename) in hexadecimal, whereas Windows PowerShell returns the value in decimal.

Using HEX editor

You can also search for the ThumbnailCacheID value in the Windows.edb file using your favorite HEX editor.
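As an added example (not code from the Forensics Wiki page or from any tool it names), the conversion between the decimal ThumbnailCacheID that PowerShell returns and the hexadecimal form FTK displays, together with the byte pattern to search for in Windows.edb with a hex editor, which must be the UTF-16LE text of the hex string rather than an ASCII search. The 16-digit zero padding and the letter case of the hex string are assumptions, and the sample buffer is constructed.

```python
import re

HEX_WIDTH = 16  # 64-bit ThumbnailCacheID as 16 hex digits (zero padding is assumed)

def cache_id_to_hex(decimal_id: int) -> str:
    """PowerShell returns the ID in decimal; FTK shows it in hex like this."""
    if not 0 <= decimal_id < 2 ** 64:
        raise ValueError("ThumbnailCacheID must be an unsigned 64-bit value")
    return f"{decimal_id:0{HEX_WIDTH}x}"

def hex_to_cache_id(hex_id: str) -> int:
    """Inverse conversion: FTK/hex form back to the decimal PowerShell value."""
    if not re.fullmatch(r"[0-9a-fA-F]{1,16}", hex_id):
        raise ValueError("not a 64-bit hexadecimal ThumbnailCacheID")
    return int(hex_id, 16)

def search_patterns(decimal_id: int) -> dict:
    """Byte patterns to paste into a hex editor.  The ID is stored in Windows.edb
    as a Unicode string of its hex encoding, so the UTF-16LE text is the pattern
    that matches; letter case is an assumption, so both variants are built.  The
    ASCII form is included only to show that a plain text search misses UTF-16."""
    h = cache_id_to_hex(decimal_id)
    return {
        "utf16le_lower": h.encode("utf-16-le"),
        "utf16le_upper": h.upper().encode("utf-16-le"),
        "ascii_lower": h.encode("ascii"),
    }

def find_cache_id(buf: bytes, decimal_id: int) -> list:
    """Return sorted (offset, pattern_name) hits for the ID inside a raw buffer."""
    hits = []
    for name, pat in search_patterns(decimal_id).items():
        start = 0
        while (i := buf.find(pat, start)) != -1:
            hits.append((i, name))
            start = i + 1
    return sorted(hits)

# Constructed sample (not real Windows.edb data): a path and its ThumbnailCacheID,
# both as UTF-16LE text, surrounded by filler bytes.  The ID starts at offset 70.
SAMPLE_ID = 0x1A2B3C4D5E6F7081
SAMPLE_BUF = (b"\x00" * 8
              + "C:\\Users\\demo\\Pictures\\cat.jpg".encode("utf-16-le")
              + b"\x00\x00"
              + cache_id_to_hex(SAMPLE_ID).encode("utf-16-le")
              + b"\x00" * 8)

if __name__ == "__main__":
    print(cache_id_to_hex(SAMPLE_ID), find_cache_id(SAMPLE_BUF, SAMPLE_ID))
```

Only the UTF-16LE pattern hits the sample; the ASCII string of the same hex digits does not, which is why an ASCII text search in a hex editor finds nothing.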

External Links

  • Forensic Implications of Windows Vista, Barrie Stewart, 2007: http://www.whereisyourdata.co.uk/data/modules/wfdownloads/visit.php?cid=4&lid=9

Non-English

  • Using centralized thumbnail databases for the examination of graphic files on encrypted partitions (in Russian), ITDefence, 2009: http://itdefence.ru/content/articles/Thumbnails.Suhanov/ (extended version: http://www.securitylab.ru/analytics/370474.php)