Difference between pages "Thumbnails" and "File:13-4-EpoxyCleanup.jpg"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
Line 1: Line 1:
'''Thumbnails''' are reduced-size versions of pictures, serving the same role for images as a normal text index does for words.
== [[Windows]] ==
See [[Thumbs.db]].
== [[Windows]] Vista ==
[[Thumbs.db]] no longer exists in Vista. This data has been moved to ''\Users\\AppData\Local\Microsoft\Windows\Explorer''. This directory contains following files:
* thumbcache_idx.db
* thumbcache_32.db, thumbcache_96.db, thumbcache_256.db, and thumbcache_1024.db
* thumbcache_sr.db
Thumbnails are stored in ''thumbcache_NN.db'' files in different formats (e.g. [[BMP]]) and can be extracted using [[File Carving | file carving]]. There are several tools that can work with Vista Thumbcache: [http://www.dmthumbs.com/ dmThumbs], [http://www.janusware.com/fetch.php?page=412,2 Thumbs.db Viewer]. Unfortunately, there is no information in the thumbcache that can easily link thumbnails with original files in all cases. One of the ways to link thumbnails with original files is to use Windows Indexer (Windows.edb) database.
Thumbcache format is described [http://www.noxa.org/blog/?p=5 here].
[[Windows]] Vista will save thumbnails for files on a mounted encrypted filesystems (except [[Windows Encrypted File System | EFS]]).
== KDE & GNOME ==
KDE and GNOME are popular desktop environments for [[Linux]] and [[UNIX]] platforms. They are storing thumbnails in ''~/.thumbnails''.
Example thumbnail in GNOME:
$ hachoir-metadata .thumbnails/normal/0d97afdc637ac86d75d13e72172dc77c.png
- Image width: 128 pixels
- Image height: 122 pixels
- Bits/pixel: 24
- Pixel format: RGB
- Compression rate: 1.6x
- Compression: deflate
- Producer: GNOME::ThumbnailFactory
- Comment: Thumb::Image::Width=779
- Comment: Thumb::Image::Height=744
- Comment: Thumb::URI=file:///media/truecrypt1/123.jpg
- Comment: Thumb::MTime=1216153400
- MIME type: image/png
- Endian: Big endian
GNOME will save thumbnails for files on mounted encrypted filesystems.
== External Links ==
=== Non-English ===
* [http://itdefence.ru/content/articles/Thumbnails.Suhanov/ Использование централизованных баз данных экскизов для исследования графических файлов на зашифрованных разделах], ITDefence, 2009

Latest revision as of 23:13, 7 August 2013