From ForensicsWiki
Revision as of 05:00, 15 October 2007 by Simsong (Talk | contribs)

Jump to: navigation, search

Thumbs.db is a file created by windows when thumbnail view is used. It is a hidden file not viewed by most users and not updated when files are moved from a folder which images have passed through or deleted. This gives a secondary chance that someone will leave behind at least partial evidence of an image in their windows folders.

The thumbnails in Thumbs.db are stored in a OLE 2 Compound Document format. It's the same format that MS Office uses.

There is a forensic application developed under the open source project over at sourceforge called vinetto at that can extract them. It does require a python enviornment. Additionally there are several other java solutions based around the Jakarta project that is apart of Apache. Additional resources about thumbs.db can be found in a white paper at

Windows Vista

Thumbs.db no longer exists in Vista. This data has been moved to User Profile/Application Data/Microsoft Internet Explorer/Thumbscache32, 96 and 128'