Investigating ThumbCache
04/03/2022 Friday
ThumbCache is a feature in Windows operating systems available starting from Windows Vista, which is used to cache thumbnail images of files for Windows Explorer view. When you open Windows Explorer in thumbnail view, the files within the folder are displayed as small images that represent the contents of the files. These images are stored in a centralized Thumbnail Cache file. The purpose of this feature is to avoid strenuous disk I/O, CPU processing, and load times. Microsoft Windows stores thumbnails of many file types, some of which include: JPEG, BMP, GIF, PNG, TIFF, AVI, PDF, PPTX, DOCX, HTML, MP4 etc.
Digital Forensics Value of ThumbCache Artifacts
Thumbnail cache files have been used by law enforcement agencies to prove that a file of interest was stored on a Windows systems hard drive even if deleted. When a user deletes a file, its thumbnail remains in the cached file. Analysis of the ThumbCache file yields information such as the metadata of the original file, its cache ID, header checksum, data offset, data type, and data size. The metadata can give investigators critical information like when the file was created, its location on the file system, when it was last accessed, when it was last modified and much more.
Location of ThumbCache Artifacts
Starting from Vista, ThumbCache Artifacts are stored in the following location:
C:\Users\[Username]\AppData\Local\Microsoft\Windows\Explorer
Structure of ThumbCache Artifacts
ThumbCache files are binary files. There are multiple cache files at the location mentioned above. Windows allows for different sized thumbnail images to be stored for each file. In Windows 7, there are a maximum of 4 sizes, 32x32, 96x96, 256x256 and 1024x1024 pixels. In Windows 10, the smallest size is 16 pixels and the largest 2560 pixels. For each size a version of the cache exists, e.g., a cache file for thumbnail images of size 32x32 is stored as thumbcache_32.db. Each thumbnail and its header are stored as a sub-record in the cache file. The sub-records stored in these files can be navigated using the thumbcache_idx.db file stored in the same directory. The index file has records of each, containing pointers to the locations of the associated sub-records.
Analyzing ThumbCache Artifacts with ArtiFast Windows
This section will discuss how to use ArtiFast Windows to extract ThumbCache artifacts from Windows machines
and what kind of digital forensics insight we can gain from the artifacts.
After you have created your case and added evidence for the investigation, at the Artifact Selection
phase, you can select ThumbCache Artifact:
Once ArtiFast parser plugins complete processing artifacts for analysis, it can be reviewed via "Artifact View" or "Timeline View," with indexing, filtering, and searching capabilities. Below is a detailed description of the ThumbCache artifact in ArtiFast software.
ThumbCache Artifact
The artifact contains information on the cached thumbnails. Each record in
a cache file contains a header and data, the data is the thumbnail. The details you can view include:
- Cache Record ID - The cached record identifier.
- Data Type - The file type of the data.
- Data Offset - The offset of the data within the record.
- Data Size - The size of the data in the record.
- Data Checksum - The checksum of the record data.
- Header Checksum - The checksum of the record header.
- Cache Entry Offset - The offset of the record within the cache file.
- Cache Entry Size - The record size.
- Cache Entry Hash - The hash value of the record.
- System Type - The Windows operating system type.
- Location - The location of the source cache file.
For more information or suggestions please contact: [email protected]
