ForensicsWiki will continue to operate as it has before and will not be shutting down. Thank you for your continued support of ForensicsWiki.

Difference between revisions of "Thumbs.db"

From ForensicsWiki
Jump to: navigation, search
Line 8: Line 8:
=Windows Vista=
=Windows Vista=
Thumbs.db no longer exists in Vista.  This data has been moved to ''User Profile/Application Data/Microsoft Internet Explorer/Thumbscache32, 96 and 128'''
Thumbs.db no longer exists in Vista.  This data has been moved to ''\Users\AppData\Local\Microsoft\Windows\Explorer''

Revision as of 20:34, 25 November 2008

Thumbs.db is a file created by windows when thumbnail view is used. It is a hidden file not viewed by most users and not updated when files are moved from a folder which images have passed through or deleted. This gives a secondary chance that someone will leave behind at least partial evidence of an image in their windows folders.

The thumbnails in Thumbs.db are stored in a OLE 2 Compound Document format. It's the same format that MS Office uses.

There is a forensic application developed under the open source project over at sourceforge called vinetto at that can extract them. It does require a python enviornment. Additionally there are several other java solutions based around the Jakarta project that is apart of Apache. Additional resources about thumbs.db can be found in a white paper at

MiTeC Windows File Analyzer [1] is a tool for forensic analysis of Thumbnail Databases, Prefetch files, shortcuts, IExplore Index.DAT files and Recycle Bin contents on a Windows system. It will print a report of analyzed files.

Windows Vista

Thumbs.db no longer exists in Vista. This data has been moved to \Users\AppData\Local\Microsoft\Windows\Explorer