Difference between pages "Vista thumbcache" and "GRR"

From Forensics Wiki

Edit summary of the compared "Vista thumbcache" revision: Linking thumbnails with original files

= GRR =

{{Infobox_Software |
  name = GRR |
  maintainer = [[Darren Bilby]] and others |
  os = {{Cross-platform}} |
  genre = {{Incident response}} |
  license = {{APL}} |
  website = [https://code.google.com/p/grr/ code.google.com/p/grr/] |
}}

GRR (GRR Rapid Response) is an Incident Response Framework focused on Remote Live Forensics.

The disk and file system analysis capabilities of GRR are provided by the [[sleuthkit]] and [[pytsk]] projects.

The memory analysis and acquisition capabilities of GRR are provided by the [[rekall]] project.

== See also ==

* [[rekall]]

== External Links ==

* [https://code.google.com/p/grr/ Project site]
* [https://code.google.com/p/grr/wiki/ProjectFAQ Project FAQ]
* [http://grr.googlecode.com/git/docs/index.html Documentation]

== Publications ==

* [http://static.googleusercontent.com/media/research.google.com/en/us/pubs/archive/37237.pdf Distributed forensics and incident response in the enterprise], by [[Michael Cohen]], [[Darren Bilby]], G. Caronni. Digital Investigation, 2011.
* [https://googledrive.com/host/0B9hc84IflFGbN2IwMTUyYTUtMTU0Mi00ZWQ3LWFhNDktM2IyMTg5MmY3OWI0/Hunting%20in%20the%20Enterprise:%20Forensic%20Triage%20and%20Incident%20Response Hunting in the enterprise: Forensic triage and incident response], by [[Andreas Moser]], [[Michael Cohen]]. Digital Investigation, 2013.

== Presentations ==

* [https://googledrive.com/host/0B1wsLqFoT7i2N3hveC1lSEpHUnM/Docs/GRR%20Rapid%20Response%20-%20OSFC%202012.pdf OSDFC 2012 GRR Overview], by [[Darren Bilby]]

== Workshops ==

* [https://drive.google.com/?usp=chrome_app#folders/0B1wsLqFoT7i2eU1jU0JldW9JUU0 OSDFC workshop 2013], by [[Darren Bilby]]

= Vista thumbcache =

== Overview ==

[[Windows]] Vista keeps a per-user cache of [[Thumbnails | thumbnails]] in the following directory: ''\Users\%USERNAME%\AppData\Local\Microsoft\Windows\Explorer''

This directory contains the following files:

* thumbcache_idx.db
* thumbcache_32.db, thumbcache_96.db, thumbcache_256.db, and thumbcache_1024.db
* thumbcache_sr.db

Thumbnails are stored in the ''thumbcache_NN.db'' files (''NN'' is the thumbnail size in pixels) in different image formats (e.g. [[BMP]]) and can be extracted using [[File Carving | file carving]]. There are several tools that can work with the Vista thumbcache: [http://www.dmthumbs.com/ dmThumbs], [http://www.janusware.com/fetch.php?page=412,2 Thumbs.db Viewer], [http://www.simplecarver.com/tool.php?toolname=WinThumbs%20Extractor WinThumbs] and [[FTK]]. Unfortunately, the thumbcache itself contains no information that reliably links a thumbnail back to its original file in all cases. One way to make that link is through the Windows Indexer (Windows.edb) database.

== Thumbcache Format ==

''The thumbcache format is described [http://www.noxa.org/blog/?p=5 here].''

In general, every thumbnail in the cache is associated with two 64-bit values. The first (sometimes called ''Unique ID'', ''Secret'' or ''File ID'') ties an entry in ''thumbcache_idx.db'' to the thumbnail data in the ''thumbcache_NN.db'' files; its exact purpose is unclear. The second is the ''Thumbnail Cache ID'' (called ''Thumbnail filename'' by [[FTK]], or ''File Ref'' elsewhere), and it is the value used to link thumbnails with their original files. Note that the ''Thumbnail Cache ID'' is represented as a Unicode string of its hexadecimal encoding, which matters when searching for it in raw data.
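As an added example of the carving approach described above (this is not code from the Forensics Wiki page or from any of the tools it lists), the following Python script pulls BMP, JPEG and PNG images out of a ''thumbcache_NN.db'' by their magic bytes. It validates each candidate against the image format's own header rather than relying on the thumbcache entry layout, so it also works on any other blob that embeds images. The sample buffer is constructed inside the block; pass a real thumbcache file as the first argument to run it on real data.

```python
"""Carve BMP, JPEG and PNG thumbnails out of a Vista thumbcache_NN.db.

Added example; not from the Forensics Wiki page or any listed tool. It uses
only the image formats' own headers (BMP BITMAPFILEHEADER + DIB size, a PNG
chunk walk, JPEG SOI..EOI), never the thumbcache entry structure.
"""
import struct
import sys
import zlib
from typing import List, Optional, Tuple

BMP_MAGIC = b"BM"
JPEG_MAGIC = b"\xff\xd8\xff"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
DIB_HEADER_SIZES = {12, 40, 52, 56, 108, 124}  # BITMAPCOREHEADER .. BITMAPV5HEADER


def _bmp_length(buf: bytes, off: int) -> Optional[int]:
    """Length of a BMP starting at off, or None if the header does not check out."""
    if off + 18 > len(buf):
        return None
    size, _r1, _r2, off_bits = struct.unpack_from("<IHHI", buf, off + 2)
    dib_size = struct.unpack_from("<I", buf, off + 14)[0]
    if dib_size not in DIB_HEADER_SIZES or off_bits < 14 + dib_size:
        return None                      # "BM" in random data, not a bitmap
    if size < off_bits or size > len(buf) - off:
        return None                      # bfSize must cover the pixel data
    return size


def _jpeg_length(buf: bytes, off: int) -> Optional[int]:
    """SOI to the first EOI marker; fine for cache entries, which carry no EXIF thumbnail."""
    end = buf.find(b"\xff\xd9", off + 2)
    return None if end == -1 else end + 2 - off


def _png_length(buf: bytes, off: int) -> Optional[int]:
    """Walk PNG chunks (length, type, data, crc) until IEND and return the total length."""
    pos = off + len(PNG_MAGIC)
    while pos + 8 <= len(buf):
        length, ctype = struct.unpack_from(">I4s", buf, pos)
        pos += 8 + length + 4
        if pos > len(buf):
            return None
        if ctype == b"IEND":
            return pos - off
    return None


def carve_thumbnails(buf: bytes) -> List[Tuple[int, str, bytes]]:
    """Return (offset, kind, image_bytes) for every validated image found in buf."""
    finders = (("bmp", BMP_MAGIC, _bmp_length),
               ("jpg", JPEG_MAGIC, _jpeg_length),
               ("png", PNG_MAGIC, _png_length))
    found, pos = [], 0
    while True:
        hits = [(buf.find(magic, pos), kind, fn) for kind, magic, fn in finders]
        hits = [h for h in hits if h[0] != -1]
        if not hits:
            return found
        off, kind, fn = min(hits, key=lambda h: h[0])   # earliest candidate first
        length = fn(buf, off)
        if length is None:                               # false positive, step past it
            pos = off + 1
            continue
        found.append((off, kind, buf[off:off + length]))
        pos = off + length                               # do not re-scan inside the image


def _png_chunk(ctype: bytes, data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", zlib.crc32(ctype + data))


def build_sample_db() -> Tuple[bytes, List[Tuple[int, str, bytes]]]:
    """Constructed stand-in for a thumbcache_NN.db: three tiny images plus filler and a decoy."""
    pixels = b"\x00\x00\xff\xff\xff\xff\x00\x00" * 2        # 2x2, 24-bit, rows padded to 8 bytes
    dib = struct.pack("<IiiHHIIiiII", 40, 2, 2, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    bmp = struct.pack("<2sIHHI", b"BM", 14 + 40 + len(pixels), 0, 0, 54) + dib + pixels
    png = (PNG_MAGIC + _png_chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
           + _png_chunk(b"IDAT", zlib.compress(b"\x00\xff\x00\x00")) + _png_chunk(b"IEND", b""))
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xff\xd9"
    filler = b"\x00" * 32
    decoy = b"BMxx" * 3                                      # "BM" bytes that are not a bitmap
    blob = filler + bmp + decoy + png + b"\xff" * 5 + jpg + b"\x00" * 8
    expected = [(len(filler), "bmp", bmp),
                (len(filler) + len(bmp) + len(decoy), "png", png),
                (len(filler) + len(bmp) + len(decoy) + len(png) + 5, "jpg", jpg)]
    return blob, expected


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_db()[0]
    for off, kind, img in carve_thumbnails(data):
        name = f"thumb_{off:08x}.{kind}"
        with open(name, "wb") as fh:
            fh.write(img)
        print(f"{off:#010x} {kind} {len(img)} bytes -> {name}")
```

Carved images come out named by their offset in the cache file; the offset, not the image, is what you later correlate with a ''Thumbnail Cache ID'', since the pixel data alone says nothing about the source file.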
  
== Thumbnail Creation Process ==

[[Windows]] Vista creates thumbnails for files on different media types, including:

* Removable devices
* Network drives
* Encrypted containers (e.g. [[PGP]] Desktop, [[TrueCrypt]], [[BestCrypt]])

The cache therefore may still hold thumbnails of files on media that are no longer attached, or of files inside containers that are now locked.

[[Windows]] Vista doesn't create thumbnails for files encrypted using [[EFS]] unless the thumbcache directory is encrypted too; it also doesn't delete existing thumbnails of files after they have been encrypted using [[EFS]].

Some programs generate thumbnails for certain file types that are displayed in Windows Explorer but are not stored in the thumbcache (e.g. Ascon Kompas).

== Linking thumbnails with original files ==

=== Using Windows Indexer ===

[[Image:WindowsPowerShellThumbnails.jpg|thumb|right|Windows PowerShell displays association between files and ThumbnailCacheIDs]]

One way to link thumbnails with original files is to use the Windows Indexer database, which stores the association between '''indexed''' files and their ''ThumbnailCacheIDs'' together with some metadata (files that were never indexed will not appear there). The contents of the ''Windows.edb'' database file can be extracted using [http://www.simplecarver.com/tool.php?toolname=Windows%20Search%20Index%20Extractor Windows Search Index Extractor].

==== Using Windows PowerShell ====

Windows PowerShell provides an easy way to access this database using SQL queries. Note that most forensic tools (like [[FTK]]) display the ''ThumbnailCacheID'' ([[FTK]] calls it ''Thumbnail filename'') in hexadecimal, whereas Windows PowerShell returns the result in decimal, so convert one side before comparing.

==== Vista Photo Gallery ====

Windows Vista includes a built-in picture previewing tool called Windows Photo Gallery (the Live edition may also be installed by the user). These two programs create the files ''pictures.pd4'' and ''pictures.pd5'' respectively, which contain the ''ThumbnailCacheID'' and file path of previewed pictures and videos. The contents of pictures.pd4 and pictures.pd5 can be extracted using [http://www.simplecarver.com/tool.php?toolname=WPG%20Viewer WPG Viewer].

==== Using HEX editor ====

You can also search for the ''ThumbnailCacheID'' value in the ''Windows.edb'' file using your favourite HEX editor; the value is stored as a Unicode string of its hexadecimal encoding, so that is the pattern to search for.
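The decimal-versus-hexadecimal mismatch and the raw search just described, as an added Python example (not code from the Forensics Wiki page or from any tool it names). It normalises a ''ThumbnailCacheID'' given in either form, searches a ''Windows.edb'' image for the ID as a UTF-16LE hex string, and pulls the printable Unicode strings around each hit, where the file path usually sits. The ''Windows.edb'' fragment, the ID and the path are all constructed inside the block.

```python
"""Find ThumbnailCacheID references inside a Windows Search index (Windows.edb).

Added example; not from the Forensics Wiki page. Per the page, the index
stores the ThumbnailCacheID as a Unicode string of the 64-bit value in hex,
FTK shows the ID in hex and PowerShell returns it in decimal, so the value is
normalised to one form before it is searched as UTF-16LE text.
"""
import re
import sys
from typing import List, Tuple

HEX_ID = re.compile(r"^(?:0x)?([0-9a-fA-F]{1,16})$")


def parse_cache_id(text: str, base: int = 16) -> int:
    """Parse a ThumbnailCacheID given in hex (FTK, file names) or decimal (PowerShell)."""
    text = text.strip()
    if base == 10:
        value = int(text, 10)
    else:
        m = HEX_ID.match(text)
        if not m:
            raise ValueError(f"not a hex ThumbnailCacheID: {text!r}")
        value = int(m.group(1), 16)
    if not 0 <= value < 1 << 64:
        raise ValueError(f"ThumbnailCacheID out of 64-bit range: {text!r}")
    return value


def cache_id_hex(value: int) -> str:
    """16-digit zero-padded lowercase hex, the form tools such as FTK display."""
    return f"{value:016x}"


def find_cache_id(edb: bytes, value: int) -> List[int]:
    """Offsets in edb where the ID occurs as a UTF-16LE hex string, in either case."""
    hits = set()
    for text in (cache_id_hex(value), cache_id_hex(value).upper()):
        needle = text.encode("utf-16-le")
        pos = edb.find(needle)
        while pos != -1:
            hits.add(pos)
            pos = edb.find(needle, pos + 1)
    return sorted(hits)


def nearby_strings(edb: bytes, offset: int, window: int = 512, min_len: int = 4) -> List[str]:
    """Printable UTF-16LE runs around offset; the indexed file path is usually among them."""
    start = max(offset % 2, offset - window)          # keep 2-byte alignment with the hit
    chunk = edb[start:offset + window].decode("utf-16-le", errors="ignore")
    return re.findall(r"[\x20-\x7e]{%d,}" % min_len, chunk)


def build_sample_edb() -> Tuple[bytes, int, str, int]:
    """Constructed stand-in for a Windows.edb fragment: a path followed by its ThumbnailCacheID."""
    cache_id = 0x1F2E3D4C5B6A7988                         # made-up ID
    path = r"C:\Users\alice\Pictures\cat.jpg"             # made-up indexed file
    prefix = b"\x00" * 16 + path.encode("utf-16-le") + b"\x00\x00"
    edb = prefix + cache_id_hex(cache_id).upper().encode("utf-16-le") + b"\x00" * 8
    return edb, cache_id, path, len(prefix)


if __name__ == "__main__":
    if len(sys.argv) < 3:                                 # no arguments: run on the sample
        edb, cid, _path, _off = build_sample_edb()
    else:                                                 # usage: script Windows.edb ID [--decimal]
        with open(sys.argv[1], "rb") as fh:
            edb = fh.read()
        cid = parse_cache_id(sys.argv[2], base=10 if "--decimal" in sys.argv else 16)
    for off in find_cache_id(edb, cid):
        print(f"{cache_id_hex(cid)} at {off:#x}: {nearby_strings(edb, off)}")
```

A raw byte search is a quick check, not a complete enumeration: ESE keeps column values inside database pages and long-value trees, so a value split across a page boundary, or stored in a compressed column, will not match. For a full listing parse the database with an ESE-aware tool such as the Windows Search Index Extractor mentioned above.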

== External Links ==

* [http://www.whereisyourdata.co.uk/data/modules/wfdownloads/visit.php?cid=4&lid=9 Forensic Implications of Windows Vista, Barrie Stewart, 2007]

=== Non-English ===

* [http://itdefence.ru/content/articles/Thumbnails.Suhanov/ Using centralized thumbnail databases to investigate graphic files on encrypted partitions] (in Russian), ITDefence, 2009 ([http://www.securitylab.ru/analytics/370474.php extended version])

Revision as of 14:36, 12 January 2014
