Difference between revisions of "Thumbnails"

From ForensicsWiki
Jump to: navigation, search
m
 
(2 intermediate revisions by the same user not shown)
Line 9: Line 9:
 
== [[Windows]] Vista ==
 
== [[Windows]] Vista ==
  
[[Thumbs.db]] no longer exists in Vista. This data has been moved to ''\Users\\AppData\Local\Microsoft\Windows\Explorer''. This directory contains following files:
+
''See [[Vista thumbcache]]''
  
* thumbcache_idx.db
+
Thumbs.db no longer exists in Vista. This data has been moved to ''\Users\\AppData\Local\Microsoft\Windows\Explorer''
* thumbcache_32.db, thumbcache_96.db, thumbcache_256.db, and thumbcache_1024.db
+
* thumbcache_sr.db
+
  
Thumbnails are stored in ''thumbcache_NN.db'' files in different formats (e.g. [[BMP]]) and can be extracted using [[File Carving | file carving]]. There are several tools that can work with Vista Thumbcache: [http://www.dmthumbs.com/ dmThumbs], [http://www.janusware.com/fetch.php?page=412,2 Thumbs.db Viewer]. Unfortunately, there is no information in the thumbcache that can easily link thumbnails with original files in all cases. One of the ways to link thumbnails with original files is to use Windows Indexer (Windows.edb) database.
+
[[Windows]] Vista will save thumbnails for files on mounted encrypted file systems (except [[Windows Encrypted File System | EFS]]).
 
+
Thumbcache format is described [http://www.noxa.org/blog/?p=5 here].
+
 
+
[[Windows]] Vista will save thumbnails for files on a mounted encrypted filesystems (except [[Windows Encrypted File System | EFS]]).
+
  
 
== KDE & GNOME ==
 
== KDE & GNOME ==
Line 46: Line 40:
  
 
GNOME will save thumbnails for files on mounted encrypted filesystems.
 
GNOME will save thumbnails for files on mounted encrypted filesystems.
 +
 +
Example thumbnail in KDE:
 +
 +
<pre>
 +
$ hachoir-metadata .thumbnails/normal/2e4bc7bf05bd57e19c6f2a01cf4a8f71.png
 +
Metadata:
 +
- Image width: 96 pixels
 +
- Image height: 128 pixels
 +
- Bits/pixel: 24
 +
- Pixel format: RGB
 +
- Compression rate: 1.6x
 +
- Compression: deflate
 +
- Producer: KDE Thumbnail Generator
 +
- Comment: Thumb::MTime=1236952299
 +
- Comment: Thumb::Mimetype=image/jpeg
 +
- Comment: Thumb::Size=827837
 +
- Comment: Thumb::URI=file:///home/fuf/10032009(002).jpg
 +
- MIME type: image/png
 +
- Endian: Big endian
 +
</pre>
  
 
== External Links ==
 
== External Links ==
Line 51: Line 65:
 
=== Non-English ===
 
=== Non-English ===
  
* [http://itdefence.ru/content/articles/Thumbnails.Suhanov/ Использование централизованных баз данных экскизов для исследования графических файлов на зашифрованных разделах], ITDefence, 2009
+
* [http://itdefence.ru/content/articles/Thumbnails.Suhanov/ Использование централизованных баз данных эскизов для исследования графических файлов на зашифрованных разделах], ITDefence, 2009

Latest revision as of 16:39, 24 March 2009

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Thumbnails are reduced-size versions of pictures, serving the same role for images as a normal text index does for words.

Windows

See Thumbs.db.

Windows Vista

See Vista thumbcache

Thumbs.db no longer exists in Vista. This data has been moved to \Users\\AppData\Local\Microsoft\Windows\Explorer

Windows Vista will save thumbnails for files on mounted encrypted file systems (except EFS).

KDE & GNOME

KDE and GNOME are popular desktop environments for Linux and UNIX platforms. They are storing thumbnails in ~/.thumbnails.

Example thumbnail in GNOME:

$ hachoir-metadata .thumbnails/normal/0d97afdc637ac86d75d13e72172dc77c.png
Metadata:
- Image width: 128 pixels
- Image height: 122 pixels
- Bits/pixel: 24
- Pixel format: RGB
- Compression rate: 1.6x
- Compression: deflate
- Producer: GNOME::ThumbnailFactory
- Comment: Thumb::Image::Width=779
- Comment: Thumb::Image::Height=744
- Comment: Thumb::URI=file:///media/truecrypt1/123.jpg
- Comment: Thumb::MTime=1216153400
- MIME type: image/png
- Endian: Big endian

GNOME will save thumbnails for files on mounted encrypted filesystems.

Example thumbnail in KDE:

$ hachoir-metadata .thumbnails/normal/2e4bc7bf05bd57e19c6f2a01cf4a8f71.png
Metadata:
- Image width: 96 pixels
- Image height: 128 pixels
- Bits/pixel: 24
- Pixel format: RGB
- Compression rate: 1.6x
- Compression: deflate
- Producer: KDE Thumbnail Generator
- Comment: Thumb::MTime=1236952299
- Comment: Thumb::Mimetype=image/jpeg
- Comment: Thumb::Size=827837
- Comment: Thumb::URI=file:///home/fuf/10032009(002).jpg
- MIME type: image/png
- Endian: Big endian

External Links

Non-English