Difference between revisions of "Vista thumbcache"

From ForensicsWiki

== Overview ==

[[Windows]] Vista stores thumbnails in the following directory: ''\Users\\AppData\Local\Microsoft\Windows\Explorer''

This directory contains the following files:

* thumbcache_idx.db
* thumbcache_32.db, thumbcache_96.db, thumbcache_256.db, and thumbcache_1024.db
* thumbcache_sr.db

Thumbnails are stored in ''thumbcache_NN.db'' files in different image formats (e.g. [[BMP]]) and can be extracted using [[File Carving | file carving]]. Several tools can work with the Vista thumbcache: [http://www.dmthumbs.com/ dmThumbs], [http://www.janusware.com/fetch.php?page=412,2 Thumbs.db Viewer], and [[FTK]]. Unfortunately, the thumbcache itself contains no information that can easily link a thumbnail back to its original file in all cases. One way to link thumbnails with original files is to use the Windows Indexer (Windows.edb) database.

== Thumbcache Format ==

''Thumbcache format is described [http://www.noxa.org/blog/?p=5 here].''

In general, every thumbnail in the cache is associated with two 64-bit values. The first (sometimes called ''Unique ID'', ''Secret'' or ''File ID'') associates an entry in ''thumbcache_idx.db'' with thumbnail data in the ''thumbcache_NN.db'' files; the purpose of this value is unclear. The second, the ''Thumbnail Cache ID'' (called ''Thumbnail filename'' in [[FTK]], or ''File Ref''), is what links thumbnails to their original files. Note that the ''Thumbnail Cache ID'' is not stored as a raw integer but as a Unicode string of hexadecimal digits, so it has to be searched for as text rather than as an 8-byte value.
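As a worked example of the two points above (carving thumbnails out of ''thumbcache_NN.db'' by image signature, and searching for the ''Thumbnail Cache ID'' in its hexadecimal Unicode form), here is a small carver. It is added to this page and is not code from ForensicsWiki, dmThumbs, Thumbs.db Viewer or FTK, and it deliberately does not parse the thumbcache entry headers, whose layout this page only links to. It assumes that "Unicode" means UTF-16LE (the Windows convention) and that thumbnails are BMP, JPEG or PNG; the cache bytes it runs against are a constructed stand-in, not a real cache dump.

```python
"""Signature-based carving of thumbnails from a Vista thumbcache_NN.db file.

Added example for this page (not code from ForensicsWiki or any tool it lists).
It does not parse the thumbcache entry headers; it relies on the embedded image
signatures (plain file carving) and, separately, scans for 16-hex-digit Unicode
strings, which is how the page says the 64-bit Thumbnail Cache ID is stored.
Assumptions: "Unicode" is UTF-16LE and thumbnails are BMP, JPEG or PNG.
"""
import re
import struct
import zlib
from pathlib import Path
from typing import Callable, List, Optional, Tuple

BMP_MAGIC = b"BM"
JPEG_MAGIC = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"
PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
PNG_IEND = b"IEND"
# 16 hex digits in UTF-16LE: every ASCII hex character is followed by a NUL.
UTF16_HEX_ID = re.compile(rb"(?:[0-9A-Fa-f]\x00){16}")


def _bmp_len(data: bytes, off: int) -> Optional[int]:
    """Length of a BMP at off from its bfSize field; None if implausible.
    "BM" is a common byte pair, so the header fields are sanity-checked."""
    if off + 14 > len(data):
        return None
    size, res1, res2, pix_off = struct.unpack_from("<IHHI", data, off + 2)
    if res1 or res2 or pix_off >= size or size < 14 + 12 or off + size > len(data):
        return None
    return size


def _jpeg_len(data: bytes, off: int) -> Optional[int]:
    """JPEG runs from SOI to the first EOI marker after it."""
    end = data.find(JPEG_EOI, off + len(JPEG_MAGIC))
    return None if end < 0 else end + len(JPEG_EOI) - off


def _png_len(data: bytes, off: int) -> Optional[int]:
    """PNG ends 4 bytes (the CRC) after the IEND chunk type."""
    iend = data.find(PNG_IEND, off + len(PNG_MAGIC))
    return None if iend < 0 or iend + 8 > len(data) else iend + 8 - off


CARVERS: List[Tuple[str, bytes, Callable[[bytes, int], Optional[int]]]] = [
    ("bmp", BMP_MAGIC, _bmp_len),
    ("jpeg", JPEG_MAGIC, _jpeg_len),
    ("png", PNG_MAGIC, _png_len),
]


def carve(data: bytes) -> List[Tuple[int, str, bytes]]:
    """Return (offset, kind, image_bytes) for each image; scans byte by byte and
    skips over every accepted image so carves never overlap."""
    found, i = [], 0
    while i < len(data):
        for kind, magic, measure in CARVERS:
            if data.startswith(magic, i):
                n = measure(data, i)
                if n:
                    found.append((i, kind, data[i:i + n]))
                    i += n
                    break
        else:
            i += 1
    return found


def find_cache_ids(data: bytes) -> List[Tuple[int, str]]:
    """Offsets and decoded text of every 16-hex-digit UTF-16LE string."""
    return [(m.start(), m.group().decode("utf-16-le")) for m in UTF16_HEX_ID.finditer(data)]


def carve_file(path: str, outdir: str) -> int:
    """Carve a real thumbcache_NN.db into outdir/<offset>.<kind>; returns the count."""
    data = Path(path).read_bytes()
    out = Path(outdir)
    out.mkdir(parents=True, exist_ok=True)
    images = carve(data)
    for off, kind, img in images:
        (out / f"{off:08x}.{kind}").write_bytes(img)
    return len(images)


# --- constructed sample input (not a real cache dump) -------------------------
def make_bmp_1x1() -> bytes:
    """A complete 1x1 24-bit BMP (58 bytes)."""
    pixels = b"\xff\x00\x00\x00"  # one blue pixel (BGR) plus row padding
    info = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    size = 14 + len(info) + len(pixels)
    return struct.pack("<2sIHHI", b"BM", size, 0, 0, 14 + len(info)) + info + pixels


def make_jpeg_stub() -> bytes:
    """SOI + APP0/JFIF segment + EOI: enough structure to carve (22 bytes)."""
    return b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + JPEG_EOI


def make_png_stub() -> bytes:
    """Signature + IHDR + IEND with valid CRCs, no IDAT (45 bytes)."""
    def chunk(ctype: bytes, body: bytes) -> bytes:
        return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body))
    return PNG_MAGIC + chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)) + chunk(b"IEND", b"")


def build_sample_cache() -> bytes:
    """Filler, a UTF-16LE cache ID, then an image, repeated. The "junk BM junk"
    run is a deliberate BMP false positive that the bfSize check must reject."""
    cid1 = "a1b2c3d4e5f60718".encode("utf-16-le")
    cid2 = "0123456789abcdef".encode("utf-16-le")
    return (b"\x00" * 16 + cid1 + b"\x00" * 8 + make_bmp_1x1()
            + b"junk BM junk" + cid2 + b"\x00" * 8 + make_jpeg_stub()
            + b"\xff" * 5 + make_png_stub() + b"\x00" * 4)


if __name__ == "__main__":
    sample = build_sample_cache()
    for off, kind, img in carve(sample):
        print(f"image   @0x{off:04x} {kind:4s} {len(img)} bytes")
    for off, cid in find_cache_ids(sample):
        print(f"cacheid @0x{off:04x} {cid}")
```

On a real image, run <code>carve_file("thumbcache_256.db", "carved")</code> and open the results in any viewer. A "BM" pair whose bfSize or reserved fields are implausible is skipped, which is what makes such a short signature usable inside binary data; the hex-string scan only yields candidate ''Thumbnail Cache ID'' values, and the caveat above still applies: which original file each one belongs to has to be resolved elsewhere (e.g. Windows.edb).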
== Thumbnail Creation Process ==
[[Windows]] Vista creates thumbnails for files on:
* [[Hard Drive | Hard drives]]
* Removable devices
* Network drives
* Encrypted containers (e.g. [[PGP]] Desktop, [[TrueCrypt]], [[BestCrypt]])
[[Windows]] Vista does not create thumbnails for files encrypted using [[EFS]] unless the thumbcache directory is encrypted too.
== Linking thumbnails with original files ==
== External Links ==

* [http://www.whereisyourdata.co.uk/data/modules/wfdownloads/visit.php?cid=4&lid=9 Forensic Implications of Windows Vista, Barrie Stewart, 2007]

Revision as of 09:55, 19 March 2009
