Windows thumbnail cache
(→Format details) |
(Added sample files) |
||
(6 intermediate revisions by 3 users not shown) | |||
Line 10: | Line 10: | ||
== Format details == | == Format details == | ||
− | Thumbs.db format is undocumented, and fairly difficult to decode. | + | Thumbs.db format is undocumented, and fairly difficult to decode. Knowledge of [[Microsoft Compound File]] format is a prerequisite. There are at least two different major thumbnail versions, which we'll call "original format" and "new format". There are an uncertain number of minor versions. Different thumbnail versions may be combined in the same file. Presumably, this can happen when Windows updates a file created by a different version of Windows. |
− | Files that contain at least one "original format" thumbnail have a special stream named "Catalog", which contains the original filenames, and other information. One of the filenames may be the special name "{A42CD7B6-E9B9-4D02-B7A6-288B71AD28BA}". This is apparently the thumbnail for the folder | + | Files that contain at least one "original format" thumbnail have a special stream named "Catalog", which contains the original filenames, and other information. One of the filenames may be the special name "{A42CD7B6-E9B9-4D02-B7A6-288B71AD28BA}". This is apparently the thumbnail for the folder as a whole. The thumbnail streams themselves have simple numeric names like "021", which are to be reversed and interpreted as a Catalog ID number (120, in this example). |
Thumbnails in "new format" do not use a Catalog file. Instead, the streams have names like "256_79dea834bece3f6b", apparently containing a pixel size and a hash. | Thumbnails in "new format" do not use a Catalog file. Instead, the streams have names like "256_79dea834bece3f6b", apparently containing a pixel size and a hash. | ||
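Review bot: in the added sentence about thumbnail stream names, "are to be reversed" does not say what is reversed. The example ("021" giving 120) implies the characters of the name are reversed and the result read as a decimal number; stating that explicitly would remove the ambiguity. The added "There are an uncertain number of minor versions" should also read "There is an uncertain number".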
Line 20: | Line 20: | ||
There are are at least three different image formats that a thumbnail may use: | There are are at least three different image formats that a thumbnail may use: | ||
# Standard [[JFIF]] JPEG format | # Standard [[JFIF]] JPEG format | ||
− | # A nonstandard RGBA format based on [[JPEG]] | + | # A nonstandard RGBA format based on [[JPEG]] (At least, the [[JPEG#Color format|component ID numbers]] suggest that the format is RGBA. Thumbs Viewer can display these images, and its author says it is CMYK.) |
# [[PNG]] | # [[PNG]] | ||
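Review bot: the context line "There are are at least three different image formats" keeps a doubled word that this revision could fix while it is editing the list. In the added parenthetical on item 2, the RGBA reading and the Thumbs Viewer author's CMYK statement stand side by side while the item is still titled "RGBA"; say plainly that the colour interpretation is unresolved, or title the item neutrally.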
Line 30: | Line 30: | ||
* [https://thumbcacheviewer.github.io/ Thumbcache Viewer] | * [https://thumbcacheviewer.github.io/ Thumbcache Viewer] | ||
* [http://vinetto.sourceforge.net/ Vinetto] | * [http://vinetto.sourceforge.net/ Vinetto] | ||
+ | * [https://github.com/AtesComp/Vinetto Vinetto for python3] | ||
+ | * {{Deark}} | ||
+ | |||
+ | == Sample files == | ||
+ | * {{DexvertSamples|archive/windowsThumbDB}} | ||
== Links == | == Links == | ||
* [[Wikipedia:Windows thumbnail cache|Wikipedia article]] | * [[Wikipedia:Windows thumbnail cache|Wikipedia article]] | ||
− | * [ | + | * [{{ForensicsWikiURL|thumbs.db}} Forensics Wiki article] |
* [http://qanda.digipres.org/117/what-you-should-you-with-thumbs-and-other-hidden-system-files What do you (or should you do) with ‘thumbs.db’ and other hidden system files?] | * [http://qanda.digipres.org/117/what-you-should-you-with-thumbs-and-other-hidden-system-files What do you (or should you do) with ‘thumbs.db’ and other hidden system files?] | ||
* [https://ad-pdf.s3.amazonaws.com/wp.Thumbs_DB_Files.en_us.pdf AccessData: THUMBS DB FILES FORENSIC ISSUES] | * [https://ad-pdf.s3.amazonaws.com/wp.Thumbs_DB_Files.en_us.pdf AccessData: THUMBS DB FILES FORENSIC ISSUES] | ||
* [https://groups.google.com/forum/#!topic/droid-list/VMRCnzw71gc Developing a signature for thumbs.db] | * [https://groups.google.com/forum/#!topic/droid-list/VMRCnzw71gc Developing a signature for thumbs.db] | ||
* [https://groups.google.com/forum/#!msg/droid-list/VMRCnzw71gc/3CO40cUu2vcJ More discussion on identifying thumbs.db] | * [https://groups.google.com/forum/#!msg/droid-list/VMRCnzw71gc/3CO40cUu2vcJ More discussion on identifying thumbs.db] | ||
+ | * [http://digital-archiving.blogspot.co.uk/2017/03/thumbsdb-what-are-they-for-and-why.html Thumbs.db – what are they for and why should I care?] | ||
[[Category:Microsoft]] | [[Category:Microsoft]] | ||
+ | [[Category:Windows]] | ||
[[Category:Microsoft Compound File]] | [[Category:Microsoft Compound File]] | ||
[[Category:File formats with a distinctive filename]] | [[Category:File formats with a distinctive filename]] |
Latest revision as of 15:10, 28 December 2023
Windows thumbnail cache (or Thumbs.db format) is a file format used by some versions of Microsoft Windows to store thumbnails of images and certain other file types. Thumbnails may be written to a file named Thumbs.db in the folder containing the image file, or to a file in a central location. The file format is based on Microsoft Compound File format. Apparently the files can be of forensic interest as they sometimes contain references to deleted images.
In versions starting with Vista, separate thumbnail files are usually no longer used, with the thumbnails instead being stored in a centralized database at \Users\%username%\AppData\Local\Microsoft\Windows\Explorer. However, separate Thumbs.db files may still be created on network drives.
Format details
Thumbs.db format is undocumented, and fairly difficult to decode. Knowledge of Microsoft Compound File format is a prerequisite. There are at least two different major thumbnail versions, which we'll call "original format" and "new format". There are an uncertain number of minor versions. Different thumbnail versions may be combined in the same file. Presumably, this can happen when Windows updates a file created by a different version of Windows.
Files that contain at least one "original format" thumbnail have a special stream named "Catalog", which contains the original filenames, and other information. One of the filenames may be the special name "{A42CD7B6-E9B9-4D02-B7A6-288B71AD28BA}". This is apparently the thumbnail for the folder as a whole. The thumbnail streams themselves have simple numeric names like "021", which are to be reversed and interpreted as a Catalog ID number (120, in this example).
Thumbnails in "new format" do not use a Catalog file. Instead, the streams have names like "256_79dea834bece3f6b", apparently containing a pixel size and a hash.
In all versions, the thumbnail streams do not contain just the embedded image file. Instead, they start with a header.
There are at least three different image formats that a thumbnail may use:
- Standard JFIF JPEG format
- A nonstandard RGBA format based on JPEG (At least, the component ID numbers suggest that the format is RGBA. Thumbs Viewer can display these images, and its author says it is CMYK.)
- PNG
Identification
There seems to be no simple way to reliably identify a Thumbs.db file as such, just from its contents. Heuristics must be used. See the "Format details" section above.
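The naming rules from "Format details" can be turned into a triage heuristic. The following is an added example, not code from this wiki or from any of the tools it lists. The function names are hypothetical, the stream names are assumed to come from a Microsoft Compound File parser, and because the page does not give the thumbnail header layout, the image is located by scanning for its signature.

```python
import re

OLD_NAME = re.compile(r"^[0-9]+$")                   # original format, e.g. "021"
NEW_NAME = re.compile(r"^([0-9]+)_([0-9a-fA-F]+)$")  # new format, e.g. "256_79dea834bece3f6b"


def classify_stream(name):
    """Classify one compound-file stream name by the rules described above."""
    if name == "Catalog":
        return {"kind": "catalog"}
    if OLD_NAME.match(name):
        # Reverse the characters of the name, then read them as a decimal Catalog ID.
        return {"kind": "original", "catalog_id": int(name[::-1])}
    m = NEW_NAME.match(name)
    if m:
        return {"kind": "new", "pixel_size": int(m.group(1)), "hash": m.group(2).lower()}
    return {"kind": "other"}


def triage(stream_names):
    """Heuristic only: count thumbnail-like streams and check Catalog consistency."""
    kinds = [classify_stream(n)["kind"] for n in stream_names]
    old, new, has_catalog = kinds.count("original"), kinds.count("new"), "catalog" in kinds
    return {
        "original": old,
        "new": new,
        "catalog": has_catalog,
        # Original-format thumbnails are expected to come with a Catalog stream.
        "likely_thumbs_db": (has_catalog and old > 0) or new > 0,
        "orphan_original": old > 0 and not has_catalog,
    }


def sniff_image(data):
    """Return (format, offset) of the image that follows the stream header."""
    sigs = ((b"\x89PNG\r\n\x1a\n", "png"), (b"\xff\xd8\xff", "jpeg"))
    hits = [(data.find(sig), fmt) for sig, fmt in sigs if data.find(sig) >= 0]
    if not hits:
        return (None, -1)
    off, fmt = min(hits)
    if fmt == "jpeg":
        # A JFIF file carries "JFIF\0" right after the APP0 marker and its length.
        fmt = "jfif" if data[off + 6:off + 11] == b"JFIF\x00" else "jpeg-non-jfif"
    return (fmt, off)


# Constructed sample: stream names as a parser might list them for a mixed-version file.
SAMPLE_NAMES = ["Catalog", "1", "021", "256_79dea834bece3f6b"]
```

A "jpeg-non-jfif" result only marks the stream as a candidate for the nonstandard JPEG-based variant; it does not settle whether the data is RGBA or CMYK.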