Difference between pages "Libewf" and "Vista thumbcache"

From ForensicsWiki
The two pages compared below are unrelated; their wiki source is given one after the other rather than interleaved.

= Libewf =

{{Infobox_Software |
  name = libewf |
  maintainer = [[Joachim Metz]], [[David Loveall]] |
  os = [[Linux]], [[FreeBSD]], [[NetBSD]], [[OpenBSD]], [[Mac OS X]], [[Windows]] |
  genre = {{Disk imaging}} |
  license = {{LGPL}} |
  website = [http://libewf.sourceforge.net libewf.sourceforge.net] |
}}

The '''libewf''' package contains a [[Linux]] based library and applications to read and write EnCase E0* and SMART s0* storage media bitstream copies.

It has been ported to other platforms like [[FreeBSD]], [[NetBSD]], [[OpenBSD]], [[Mac OS X]], and [[Windows]] as well.

== History ==

Libewf was created by [[Joachim Metz]] in 2006, while working for [http://en.hoffmannbv.nl/ Hoffmann Investigations].

Libewf is a rewrite of earlier work on the EnCase 4 file format by [[Michael Cohen]] as part of [[PyFlag]] and of the [http://www.asrdata.com/SMART/whitepaper.html Expert Witness Compression Format Specification] by [[Andrew Rosen]]. It has been updated to read and write EnCase version 1 to 6 E01 files and SMART s01 files (EWF files). Libewf has initiated an Extended EWF (EWF-X) specification to bypass limitations on the format imposed by EnCase.

libewf also has read support for the EnCase L01 format.

In 2007 [[David Loveall]] contributed mount_ewf.py to the libewf project. This application allows the storage media data in EWF files to be mounted through [[fuse]].

== Tools ==

The '''libewf''' package contains the following tools:

* '''ewfacquire''', which writes storage media data from devices and files to EWF files.
* '''ewfacquirestream''', which writes data from stdin to EWF files.
* '''ewfexport''', which exports storage media data in EWF files to (split) RAW format or a specific version of EWF files.
* '''ewfinfo''', which shows the metadata in EWF files.
* '''ewfverify''', which verifies the storage media data in EWF files against the hashes stored in them.

Provided as separate tools on the libewf project site:

* '''mount_ewf.py''', which allows the storage media data in EWF files to be mounted, contributed by [[David Loveall]] in 2007.
* '''libewf-java''', Java (JNA) bindings, contributed by [[Bradley Schatz]] in 2009.
* '''delphi imdisk proxy''', a Borland Delphi imdisk proxy, as an alternative to mount_ewf.py for Windows, contributed by [[Brendan Berney]] in 2010.
* '''jlibewf''', a native Java EWF reader, contributed by [[Bruce Allen]] in 2010.

A menu based interface for ewfacquirestream called pyEWF, contributed by [[Dennis Schreiber]], was originally also available on the project site. It is no longer maintained. The name pyewf has since been reused for the libewf Python bindings created by [[David Collett]], which are now included in the libewf package.

== Examples ==

Imaging a device on a Unix-based system (ewfacquire prompts for the case metadata and image options, and ewfverify can afterwards be run on the result to check the stored hashes):

<pre>
ewfacquire /dev/sda
</pre>

Imaging a device on a Windows system:

<pre>
ewfacquire \\.\PhysicalDrive0
</pre>

Converting a split RAW image into an EWF image:

<pre>
ewfacquire split.raw.???
</pre>

or

<pre>
cat split.raw.??? | ewfacquirestream
</pre>

Converting an EWF image into another EWF format or into a (split) RAW image:

<pre>
ewfexport image.E01
</pre>

Exporting files from a logical image (L01):

<pre>
ewfexport image.L01
</pre>

== External Links ==

* [http://libewf.sourceforge.net libewf project site]

= Vista thumbcache =

== Overview ==

[[Windows]] Vista stores [[Thumbnails | thumbnails]] in the following directory: ''\Users\\AppData\Local\Microsoft\Windows\Explorer''

This directory contains the following files:

* thumbcache_idx.db
* thumbcache_32.db, thumbcache_96.db, thumbcache_256.db, and thumbcache_1024.db
* thumbcache_sr.db

Thumbnails are stored in the ''thumbcache_NN.db'' files in different formats (e.g. [[BMP]]) and can be extracted using [[File Carving | file carving]]. There are several tools that can work with the Vista thumbcache: [http://www.dmthumbs.com/ dmThumbs], [http://www.janusware.com/fetch.php?page=412,2 Thumbs.db Viewer], [http://www.simplecarver.com/tool.php?toolname=WinThumbs%20Extractor WinThumbs] and [[FTK]]. Unfortunately, the thumbcache itself holds no information that links every thumbnail back to its original file. One way to make that link is the Windows Indexer (Windows.edb) database.

== Thumbcache Format ==

''The thumbcache format is described [http://www.noxa.org/blog/?p=5 here].''

In general, every thumbnail in the cache is associated with two 64-bit values. The first (sometimes called ''Unique ID'', ''Secret'' or ''File ID'') associates data in ''thumbcache_idx.db'' with thumbnail data in the ''thumbcache_NN.db'' files; the purpose of this value is unclear. The second, the ''Thumbnail Cache ID'' (called ''Thumbnail filename'' in [[FTK]], also ''File Ref''), is used to link thumbnails with their original files. Inside the cache the ''Thumbnail Cache ID'' is stored as a Unicode string of its hexadecimal value.

== Thumbnail Creation Process ==

[[Windows]] Vista creates thumbnails for files on different media types, including:

* Removable devices
* Network drives
* Encrypted containers (e.g. [[PGP]] Desktop, [[TrueCrypt]], [[BestCrypt]])

Because the cache lives on the system volume, thumbnails of files viewed from such media remain on the host after the device is removed or the container is dismounted.

[[Windows]] Vista doesn't create thumbnails for files encrypted using [[EFS]] unless the thumbcache directory is encrypted too. It also doesn't delete thumbnails of files after they are encrypted using [[EFS]], so a preview made before encryption stays in the cache in the clear.

Some programs generate thumbnails for some file types which are displayed in Windows Explorer but not stored in the thumbcache (e.g. Ascon Kompas).

== Linking thumbnails with original files ==

=== Using Windows Indexer ===

[[Image:WindowsPowerShellThumbnails.jpg|thumb|right|Windows PowerShell displays association between files and ThumbnailCacheIDs]]

One way to link thumbnails with original files is to use the Windows Indexer database, which stores the association between '''indexed''' files and their ''ThumbnailCacheIDs'' together with some metadata. The contents of the windows.edb database file can be extracted using [http://www.simplecarver.com/tool.php?toolname=Windows%20Search%20Index%20Extractor Windows Search Index Extractor]. Only files the indexer has seen are covered, so a thumbnail without a matching index record may simply come from an unindexed location.

==== Using Windows PowerShell ====

Windows PowerShell provides an easy way to access this database using SQL queries. Note that most forensic tools (like [[FTK]]) display the ''ThumbnailCacheID'' ([[FTK]] calls it ''Thumbnail filename'') in hexadecimal, whereas Windows PowerShell returns the value in decimal, so convert one representation before comparing.

==== Vista Photo Gallery ====

Windows Vista includes a built-in picture previewing tool called Windows Photo Gallery (the Live edition may also be installed by the user). These two programs create the files ''pictures.pd4'' and ''pictures.pd5'' respectively, containing the ''ThumbnailCacheID'' and file path of previewed pictures and videos. The contents of pictures.pd4 and pictures.pd5 can be extracted using [http://www.simplecarver.com/tool.php?toolname=WPG%20Viewer WPG Viewer].

==== Using HEX editor ====

You can also search for the ''ThumbnailCacheID'' value in the ''Windows.edb'' file using your favorite HEX editor.

== External Links ==

* [http://www.whereisyourdata.co.uk/data/modules/wfdownloads/visit.php?cid=4&lid=9 Forensic Implications of Windows Vista, Barrie Stewart, 2007]

=== Non-English ===

* [http://itdefence.ru/content/articles/Thumbnails.Suhanov/ Using centralized thumbnail databases to investigate graphic files on encrypted partitions] (in Russian), ITDefence, 2009 ([http://www.securitylab.ru/analytics/370474.php extended version])
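The following is an added example, not code from this wiki page or from any of the tools it names. It walks the entries of a Vista ''thumbcache_NN.db'' (the "CMMM" file header, then per-entry headers carrying the 64-bit hash, the UTF-16 hex identifier string described under Thumbcache Format, and the thumbnail bytes), recovers the image format from the payload's magic bytes, contrasts that with plain signature carving, and converts between the decimal ''ThumbnailCacheID'' PowerShell prints and the hexadecimal form FTK shows so the two can be matched. The entry layout used is the publicly documented Vista (version 20) one; the Windows 7 layout differs and is rejected. The database parsed is constructed in memory with checksums left at zero (real files carry CRC-64 values this parser does not verify), the cache-type-to-suffix mapping and the handling of ids rendered as signed numbers are assumptions, and the index rows given to link_to_index() are made-up stand-ins for the output of a Windows Search query.

```python
"""Parse a Windows Vista thumbcache_NN.db ("CMMM", format version 20) and link its
entries to the ThumbnailCacheId values Windows Search reports for indexed files.
The database parsed below is constructed in memory; it is not a real artefact."""
import struct

MASK64 = (1 << 64) - 1
CACHE_TYPES = {0: "32", 1: "96", 2: "256", 3: "1024", 4: "sr"}   # type -> file suffix (assumed)
# File header: signature, version, cache type, first entry offset, first free offset, entry count.
HEADER_FMT = "<4sIIIII"
HEADER_SIZE = struct.calcsize(HEADER_FMT)            # 24
# Vista entry header: signature, entry size, 64-bit hash (the ThumbnailCacheId), extension
# (UTF-16LE, 8 bytes), identifier size, padding size, data size, unknown, data CRC, header CRC.
# Windows 7 (version 21) drops the extension field, so that version is rejected below.
ENTRY_FMT = "<4sIQ8sIIIIQQ"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)              # 56
MAGIC = ((b"BM", "bmp"), (b"\xff\xd8\xff", "jpeg"), (b"\x89PNG", "png"))

def sniff_format(data):
    """The cache does not record the image format; identify it from the payload's magic."""
    return next((name for magic, name in MAGIC if data.startswith(magic)), "unknown")

def cache_id_to_hex(cache_id):
    """Decimal ThumbnailCacheId (as PowerShell prints it) -> 16 hex digits (as FTK shows it).
    A negative value means the tool rendered the 64-bit hash as signed; masking undoes that."""
    return "%016x" % (int(cache_id) & MASK64)

def parse_thumbcache(blob):
    """Walk every entry of a version-20 thumbcache file, skipping unused (all-zero) slots."""
    if len(blob) < HEADER_SIZE:
        raise ValueError("file shorter than the thumbcache header")
    sig, version, cache_type, first_off, _free, _count = struct.unpack_from(HEADER_FMT, blob, 0)
    if sig != b"CMMM":
        raise ValueError("missing CMMM signature: not a thumbcache_NN.db file")
    if version != 20:
        raise ValueError("only the Vista (version 20) entry layout is implemented")
    entries, off = [], first_off
    while off + ENTRY_SIZE <= len(blob):
        esig, esize, ehash, ext_raw, id_size, pad_size, data_size = struct.unpack_from(ENTRY_FMT, blob, off)[:7]
        if esig != b"CMMM" or esize < ENTRY_SIZE or off + esize > len(blob):
            break                                    # corrupt or truncated entry: stop walking
        if ehash or data_size:                       # unused slots have a zero hash and no data
            ident_off = off + ENTRY_SIZE
            data_off = ident_off + id_size + pad_size
            data = blob[data_off:data_off + data_size]
            entries.append({"offset": off, "hash": ehash, "format": sniff_format(data), "data": data,
                            "identifier": blob[ident_off:ident_off + id_size].decode("utf-16-le"),
                            "extension": ext_raw.decode("utf-16-le").rstrip("\0")})
        off += esize
    return {"cache_type": CACHE_TYPES.get(cache_type, str(cache_type)), "entries": entries}

def carve_thumbnails(blob):
    """Plain signature carving over the raw file, as a carver does it: finds image payloads
    without the entry headers (works when they are damaged, but yields no hash to link on)."""
    hits = []
    for magic, name in MAGIC:
        pos = blob.find(magic)
        while pos != -1:
            hits.append((pos, name))
            pos = blob.find(magic, pos + 1)
    return sorted(hits)

def link_to_index(entries, index_rows):
    """index_rows: (path, ThumbnailCacheId) pairs as a Windows Search query would return them.
    Returns path -> cache entry for each row whose id matches an entry hash."""
    by_hash = {e["hash"]: e for e in entries}
    return {path: by_hash[int(cid) & MASK64] for path, cid in index_rows if (int(cid) & MASK64) in by_hash}

# --- constructed sample data, checksums left at 0 (real files carry CRC-64 values) ------------
TINY_BMP = (b"BM" + struct.pack("<IHHI", 58, 0, 0, 54)                          # valid 1x1 24-bit BMP
            + struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, 4, 2835, 2835, 0, 0) + b"\x00\x00\xff\x00")
TINY_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\xff\xd9"                           # JPEG stub, sniffable
SAMPLE_HASHES = (0x9F2E3D4C5B6A7988, 0x00000000DEADBEEF)                          # made-up ids

def build_entry(ehash, ext, data):
    ident = cache_id_to_hex(ehash).encode("utf-16-le")   # the hex id string stored in the entry
    ext_raw = (ext + "\0").encode("utf-16-le")[:8].ljust(8, b"\0")
    pad = -(ENTRY_SIZE + len(ident)) % 8                  # align the payload to 8 bytes
    header = struct.pack(ENTRY_FMT, b"CMMM", ENTRY_SIZE + len(ident) + pad + len(data),
                         ehash, ext_raw, len(ident), pad, len(data), 0, 0, 0)
    return header + ident + b"\0" * pad + data

def build_sample_cache():
    """A thumbcache_32.db holding a BMP entry, a JPEG entry and one unused slot."""
    body = (build_entry(SAMPLE_HASHES[0], "bmp", TINY_BMP) + build_entry(SAMPLE_HASHES[1], "jpg", TINY_JPEG)
            + struct.pack(ENTRY_FMT, b"CMMM", ENTRY_SIZE, 0, b"\0" * 8, 0, 0, 0, 0, 0, 0))
    return struct.pack(HEADER_FMT, b"CMMM", 20, 0, HEADER_SIZE, HEADER_SIZE + len(body), 3) + body

if __name__ == "__main__":
    cache = parse_thumbcache(build_sample_cache())
    rows = [(r"C:\Users\alice\Pictures\cat.jpg", str(SAMPLE_HASHES[1])),              # decimal, as PowerShell prints it
            (r"C:\Users\alice\Pictures\logo.bmp", str(SAMPLE_HASHES[0] - (1 << 64)))]  # same id rendered as signed
    for path, entry in link_to_index(cache["entries"], rows).items():
        print(path, "->", entry["identifier"], entry["format"], len(entry["data"]), "bytes")
```

Run it directly to see both constructed index rows resolve to their cache entries; on a real system replace build_sample_cache() with the bytes of a copied thumbcache_NN.db and the rows with the path and System.ThumbnailCacheId columns of a Windows Search query. The structured walk gives the hash needed for linking, while carve_thumbnails() only gives offsets, which is why carving alone cannot tie a thumbnail to a file name.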

Revision as of 04:26, 3 August 2009
