Sunday, January 10, 2010

Windows 7 Forensics - Part IV - Thumbcache_*.db

Windows 7 creates small thumbnail images of graphic files the same way previous version of Windows does, nothing new here. It stores the thumbnails in the same location as in Windows Vista:

C:\Users\%username%\AppData\Local\Microsoft\Windows\Explorer

There are files named Thumbcache_32.db, Thumbcache_96.db, Thumbcache_256.db & Thumbcache_1024.db which correspond to the thumbnails stored for that specific user account and size.

Currently, the latest release of EnCase (6.15.0.82) does *not* parse these files correctly. The structure has slightly changed and therefore if you try and view the contents of any of the "thumbcache" files, EnCase will mount them without error, but they will appear empty. You can however, use the File Finder module to carve JPG images out of the *.db files.

If anyone is using any other tools and can confirm they handle these new Windows 7 thumbcache files correctly, please post the name in the comments so everyone can benefit and have a tool until EnCase incorporates this support.

Posted by Lance Mueller at Sunday, January 10, 2010
ShareThis

Labels: , ,

3 comments:

Anonymous Sunday, 10 January, 2010  

Thumbnail Expert - http://www.thumbnailexpert.com

Cd-MaN Sunday, 10 January, 2010  

You should use [ / ] (or other symbols of your choosing) instead of < / > when writing HTML or escape them as &lt; / &gt;. Otherwise it won't show up, as it happened in this post with <username>.

Thank you for the useful posts.

Best regards.

Anonymous Monday, 11 January, 2010  

I have just tested this in FTK 3.0.4. It does not parse the files. It does show the embedded images when you turn on carving options during evidence processing.

Post a Comment

Post a Comment

Subscribe to: Post Comments (Atom)

Computer Forensics, Malware Analysis & Digital Investigations

Loading...

Random Articles