Difference between revisions of "Thumbs.db"

From ForensicsWiki
m
(Windows Vista)
 
(12 intermediate revisions by 3 users not shown)
Line 1: Line 1:
Thumbs.db is a file created by windows when [[Thumbnails|thumbnail]] view is used.  It is a hidden file not viewed by most users and not updated when files are moved from a folder which images have passed through or deleted. This gives a secondary chance that someone will leave behind at least partial evidence of an image in their windows folders.
+
Thumbs.db is a file created by [[Windows]] when [[Thumbnails|thumbnail]] view is used.  It is a hidden file not viewed by most users and not updated when files are moved from a folder which images have passed through or deleted. This gives a secondary chance that someone will leave behind at least partial evidence of an image in their [[Windows]] folders.
  
The [[thumbnails]] in Thumbs.db are stored in a OLE 2 Compound Document format. It's the same format that MS Office uses.  
+
The [[thumbnails]] in Thumbs.db are stored in the [[OLE Compound File]] format. It's the same format that [[Microsoft Office]] uses.
  
There is a forensic application developed under the open source project over at sourceforge called vinetto at http://sourceforge.net/projects/vinetto that can extract them.  It does require a python enviornment.  Additionally there are several other java solutions based around the Jakarta project that is apart of Apache.  Additional resources about thumbs.db can be found in a white paper at http://www.accessdata.com/media/en_US/print/papers/wp.Thumbs_DB_Files.en_us.pdf.
+
There is a forensic open source application developed at sourceforge called [[vinetto]] at http://sourceforge.net/projects/vinetto that can extract them.  It does require a python environment.  Additionally, there are several other Java solutions based around the Jakarta project that is apart of Apache.  Additional resources about thumbs.db can be found in a white paper at http://www.accessdata.com/media/en_US/print/papers/wp.Thumbs_DB_Files.en_us.pdf.
  
MiTeC Windows File Analyzer [http://www.mitec.cz/wfa.html] is a tool for forensic analysis of Thumbnail Databases, Prefetch files, shortcuts, IExplore Index.DAT files and Recycle Bin contents on a Windows system. It will print a report of analyzed files.
+
MiTeC Windows File Analyzer [http://www.mitec.cz/wfa.html] is a tool for forensic analysis of Thumbnail Databases, [[Prefetch]] files, [[LNK | shortcuts]], IExplore Index.DAT files and Recycle Bin contents on a [[Windows]] system. It will print a report of analyzed files.
  
=Windows Vista=
+
= Windows Vista/7 =
Thumbs.db no longer exists in Vista. This data has been moved to ''\Users\AppData\Local\Microsoft\Windows\Explorer''
+
 
 +
''See [[Vista thumbcache]]''
 +
 
 +
Thumbs.db no longer exists in Vista/7 as individual files. This data has been moved to a centralized database located in ''\Users\%username%\AppData\Local\Microsoft\Windows\Explorer''
 +
 
 +
[[Windows]] Vista will save thumbnails for files on mounted encrypted file systems (except [[Windows Encrypted File System | EFS]]).
 +
 
 +
== External Links ==
 +
 
 +
* [http://www.thumbnailexpert.com/en/formats/windows-thumbnail-cache/ Windows thumbnail cache (thumbs.db)]
 +
 
 +
[[Category:File Formats]]
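Review bot: the sentence added under "= Windows Vista/7 =" about thumbnails for files on mounted encrypted file systems names only Windows Vista and cites no source, while the heading and the preceding sentence were widened to Vista/7. Please state whether the behaviour also applies to Windows 7 and add a reference for it. In the vinetto paragraph the revised text still reads "apart of Apache" and "a python environment"; "a part of Apache" and "Python" would finish the copy-edit this revision started.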

Latest revision as of 04:13, 9 September 2011

Thumbs.db is a file created by Windows when thumbnail view is used. It is a hidden file that most users never see, and it is not updated when images are moved out of, or deleted from, a folder they have passed through. This gives a secondary chance that someone will leave behind at least partial evidence of an image in their Windows folders.

The thumbnails in Thumbs.db are stored in the OLE Compound File format. It's the same format that Microsoft Office uses.

There is an open source forensic application called vinetto, developed on SourceForge at http://sourceforge.net/projects/vinetto, that can extract them. It requires a Python environment. Additionally, there are several other Java solutions based around the Jakarta project, which is a part of Apache. Additional resources about thumbs.db can be found in a white paper at http://www.accessdata.com/media/en_US/print/papers/wp.Thumbs_DB_Files.en_us.pdf.

MiTeC Windows File Analyzer (http://www.mitec.cz/wfa.html) is a tool for forensic analysis of Thumbnail Databases, Prefetch files, shortcuts, IExplore Index.DAT files and Recycle Bin contents on a Windows system. It will print a report of analyzed files.
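Because Thumbs.db is an OLE Compound File, its directory of storages and streams can be listed during triage before any thumbnail is extracted. The Python below is an added example, not code from this wiki, vinetto or any other tool named here; the function names `list_entries` and `build_sample` are hypothetical, the sample bytes and the stream names in them are constructed, and only files whose FAT fits in the 109 DIFAT slots of the header are handled.

```python
import struct

CFB_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")
ENDOFCHAIN, FREESECT = 0xFFFFFFFE, 0xFFFFFFFF
TYPES = {1: "storage", 2: "stream", 5: "root"}

def list_entries(data):
    """Return (name, type, size) for each allocated directory entry."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE compound file")
    major, _, shift = struct.unpack_from("<HHH", data, 26)
    n_fat, first_dir = struct.unpack_from("<II", data, 44)
    if n_fat > 109:  # assumption: no extra DIFAT sectors (small files only)
        raise ValueError("FAT continues in DIFAT sectors, not handled here")
    size = 1 << shift
    sector = lambda n: data[(n + 1) * size:(n + 2) * size]  # sector 0 follows the header
    fat = []
    for s in struct.unpack_from("<109I", data, 76)[:n_fat]:
        fat.extend(struct.unpack("<%dI" % (size // 4), sector(s)))
    size_fmt = "<I" if major == 3 else "<Q"  # version 3 uses only the low 32 bits
    entries, sec, seen = [], first_dir, set()
    while sec != ENDOFCHAIN:  # follow the directory's sector chain through the FAT
        if sec in seen or sec >= len(fat):
            raise ValueError("corrupt directory chain")
        seen.add(sec)
        raw = sector(sec)
        for off in range(0, len(raw) - 127, 128):  # 128-byte directory entries
            name_len, kind = struct.unpack_from("<HB", raw, off + 64)
            if kind not in TYPES:  # unallocated slot
                continue
            name = raw[off:off + min(max(name_len - 2, 0), 62)].decode("utf-16-le", "replace")
            length, = struct.unpack_from(size_fmt, raw, off + 120)
            entries.append((name, TYPES[kind], length))
        sec = fat[sec]
    return entries

def build_sample():
    """Constructed minimal file: header, FAT in sector 0, directory in sector 1."""
    hdr = bytearray(512)
    hdr[:8] = CFB_MAGIC
    struct.pack_into("<HHHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9, 6)
    struct.pack_into("<II", hdr, 44, 1, 1)  # one FAT sector, directory starts at sector 1
    struct.pack_into("<109I", hdr, 76, 0, *[FREESECT] * 108)
    fat = struct.pack("<128I", 0xFFFFFFFD, ENDOFCHAIN, *[FREESECT] * 126)
    def entry(name, kind, length):
        enc = name.encode("utf-16-le")
        return struct.pack("<64sHB53xQ", enc, len(enc) + 2, kind, length)
    names = [("Root Entry", 5, 0), ("Catalog", 2, 40), ("1", 2, 3000)]
    return bytes(hdr) + fat + b"".join(entry(*n) for n in names) + bytes(128)
```

On evidence, call `list_entries(open(path, "rb").read())` against a working copy of the file; the directory chain is bounds-checked and loop-checked so a damaged or carved file raises an error instead of hanging.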

Windows Vista/7

See Vista thumbcache

In Vista/7, Thumbs.db no longer exists as individual files. This data has been moved to a centralized database located in \Users\%username%\AppData\Local\Microsoft\Windows\Explorer

Windows Vista will save thumbnails for files on mounted encrypted file systems (except EFS).

External Links