Difference between revisions of "Thumbs.db"

From Forensics Wiki
Line 1: Line 1:
Thumbs.db is a file created by windows when [[Thumbnails|thumbnail]] view is used.  It is a hidden file not viewed by most users and not updated when files are moved from a folder which images have passed through or deleted. This gives a secondary chance that someone will leave behind at least partial evidence of an image in their windows folders.
+
Thumbs.db is a file created by [[Windows]] when [[Thumbnails|thumbnail]] view is used.  It is a hidden file not viewed by most users and not updated when files are moved from a folder which images have passed through or deleted. This gives a secondary chance that someone will leave behind at least partial evidence of an image in their [[Windows]] folders.
  
 
The [[thumbnails]] in Thumbs.db are stored in a OLE 2 Compound Document format. It's the same format that MS Office uses.  
 
The [[thumbnails]] in Thumbs.db are stored in a OLE 2 Compound Document format. It's the same format that MS Office uses.  
  
There is a forensic application developed under the open source project over at sourceforge called vinetto at http://sourceforge.net/projects/vinetto that can extract them.  It does require a python enviornment.  Additionally there are several other java solutions based around the Jakarta project that is apart of Apache.  Additional resources about thumbs.db can be found in a white paper at http://www.accessdata.com/media/en_US/print/papers/wp.Thumbs_DB_Files.en_us.pdf.
+
There is a forensic open source application developed at sourceforge called [[vinetto]] at http://sourceforge.net/projects/vinetto that can extract them.  It does require a python enviornment.  Additionally, there are several other Java solutions based around the Jakarta project that is apart of Apache.  Additional resources about thumbs.db can be found in a white paper at http://www.accessdata.com/media/en_US/print/papers/wp.Thumbs_DB_Files.en_us.pdf.
  
MiTeC Windows File Analyzer [http://www.mitec.cz/wfa.html] is a tool for forensic analysis of Thumbnail Databases, Prefetch files, shortcuts, IExplore Index.DAT files and Recycle Bin contents on a Windows system. It will print a report of analyzed files.
+
MiTeC Windows File Analyzer [http://www.mitec.cz/wfa.html] is a tool for forensic analysis of Thumbnail Databases, [[Prefetch]] files, [[LNK | shortcuts]], IExplore Index.DAT files and Recycle Bin contents on a [[Windows]] system. It will print a report of analyzed files.
  
=Windows Vista=
+
= Windows Vista =
Thumbs.db no longer exists in Vista. This data has been moved to ''\Users\\AppData\Local\Microsoft\Windows\Explorer''
+
Thumbs.db no longer exists in Vista. This data has been moved to ''\Users\\AppData\Local\Microsoft\Windows\Explorer''
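Review bot: The revised vinetto paragraph still carries two typos that should be fixed in the same edit: "enviornment" should read "environment" and "apart of Apache" should read "a part of Apache"; "python" should also be capitalised, matching the "Java" fix made on that line. The OLE 2 paragraph is unchanged and still reads "a OLE 2" (should be "an OLE 2"). In the Vista paragraph the path ''\Users\\AppData\Local\Microsoft\Windows\Explorer'' has an empty component between \Users\ and AppData on both sides of the diff, so the per-user directory placeholder appears to have been lost from the markup and should be restored.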

Revision as of 14:37, 29 November 2008

Thumbs.db is a file created by Windows when thumbnail view is used. It is a hidden file that most users never see, and it is not updated when images are moved out of, or deleted from, a folder they have passed through. This gives a second chance that someone will leave behind at least partial evidence of an image in their Windows folders.

The thumbnails in Thumbs.db are stored in an OLE 2 Compound Document format. It's the same format that MS Office uses.

vinetto, an open source forensic application hosted on SourceForge at http://sourceforge.net/projects/vinetto, can extract the thumbnails. It requires a Python environment. Additionally, there are several other Java solutions based around the Jakarta project, which is a part of Apache. Additional resources about Thumbs.db can be found in a white paper at http://www.accessdata.com/media/en_US/print/papers/wp.Thumbs_DB_Files.en_us.pdf.
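The OLE 2 container described above can be confirmed by hand, and its streams listed, before a file is handed to an extraction tool. The following is an added example, not code from vinetto or from this wiki; it reads only the FAT sectors listed in the file header, and the sample file, its stream names and its sizes are constructed.

```python
import struct

OLE2_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
FATSECT, ENDOFCHAIN, FREESECT = 0xFFFFFFFD, 0xFFFFFFFE, 0xFFFFFFFF
TYPES = {1: "storage", 2: "stream", 5: "root"}

def list_ole2_entries(data):
    """Return (name, type, size) for each directory entry in an OLE 2 file."""
    if len(data) < 512 or data[:8] != OLE2_MAGIC:
        raise ValueError("not an OLE 2 compound document")
    size = 1 << struct.unpack_from("<H", data, 30)[0]   # sector size
    first_dir, = struct.unpack_from("<I", data, 48)     # first directory sector
    def sector(n):  # sector 0 starts right after the header
        return data[(n + 1) * size:(n + 2) * size]
    fat = []  # built from the 109 FAT sector numbers held in the header only
    for n in struct.unpack_from("<109I", data, 76):
        if n < FATSECT and len(sector(n)) == size:
            fat.extend(struct.unpack("<%dI" % (size // 4), sector(n)))
    entries, sec, seen = [], first_dir, set()
    while sec < len(fat) and sec not in seen:  # stops at ENDOFCHAIN or a loop
        seen.add(sec)
        chunk = sector(sec)
        for off in range(0, len(chunk) - 127, 128):  # 128-byte entries
            name_len, kind = struct.unpack_from("<HB", chunk, off + 64)
            if kind in TYPES and 2 <= name_len <= 64:
                name = chunk[off:off + name_len - 2].decode("utf-16-le", "replace")
                length, = struct.unpack_from("<I", chunk, off + 120)  # low 32 bits
                entries.append((name, TYPES[kind], length))
        sec = fat[sec]
    return entries

def build_sample():
    """Constructed minimal file: sector 0 holds the FAT, sector 1 the directory."""
    header = OLE2_MAGIC + bytes(16) + struct.pack("<5H", 0x3E, 3, 0xFFFE, 9, 6)
    header += bytes(6) + struct.pack("<9I", 0, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)
    header += struct.pack("<109I", 0, *[FREESECT] * 108)
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *[FREESECT] * 126)
    def entry(name, kind, length):
        raw = (name + "\0").encode("utf-16-le")
        return (raw.ljust(64, b"\0") + struct.pack("<HBB3I", len(raw), kind, 1,
                FREESECT, FREESECT, FREESECT) + bytes(36)
                + struct.pack("<IQ", ENDOFCHAIN, length))
    # Stream names and sizes below are constructed sample values.
    return header + fat + b"".join([entry("Root Entry", 5, 0),
        entry("Catalog", 2, 40), entry("1", 2, 3200), bytes(128)])

if __name__ == "__main__":
    for row in list_ole2_entries(build_sample()):
        print(row)
```

To run it against evidence, pass the bytes of a working copy of the file to `list_ole2_entries`; a `ValueError` means the file does not start with the OLE 2 signature.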

MiTeC Windows File Analyzer (http://www.mitec.cz/wfa.html) is a tool for forensic analysis of Thumbnail Databases, Prefetch files, shortcuts, IExplore Index.DAT files and Recycle Bin contents on a Windows system. It will print a report of analyzed files.

Windows Vista

Thumbs.db no longer exists in Vista. This data has been moved to \Users\\AppData\Local\Microsoft\Windows\Explorer