Windows thumbnail cache
Revision as of 15:39, 28 October 2016
Windows thumbnail cache (or Thumbs.db format) is a file format used by some versions of Microsoft Windows to store thumbnails of images and certain other file types. Thumbnails may be written to a file named Thumbs.db in the folder containing the image file, or to a file in a central location. The file format is based on Microsoft Compound File format. Apparently the files can be of forensic interest as they sometimes contain references to deleted images.
In versions starting with Vista, separate thumbnail files are usually no longer used, with the thumbnails instead being stored in a centralized database at \Users\%username%\AppData\Local\Microsoft\Windows\Explorer. However, separate Thumbs.db files may still be created on network drives.
Format details
Thumbs.db format is undocumented, and fairly difficult to decode. There are at least two different major thumbnail versions, which we'll call "original format" and "new format". There are an uncertain number of minor versions. Different thumbnail versions may be combined in the same file. Presumably, this can happen when Windows updates a file created by a different version of Windows.
Files that contain at least one "original format" thumbnail have a special stream named "Catalog", which contains the original filenames, and other information. One of the filenames may be the special name "{A42CD7B6-E9B9-4D02-B7A6-288B71AD28BA}". This is apparently the thumbnail for the folder itself. The thumbnail streams themselves have simple numeric names like "021", which are to be reversed and interpreted as a Catalog ID number (120, in this case).
Thumbnails in "new format" do not use a Catalog file. Instead, the streams have names like "256_79dea834bece3f6b", apparently containing a pixel size and a hash.
In all versions, the thumbnail streams do not contain just the embedded image file. Instead, they start with a header.
There are at least three different image formats that a thumbnail may use:
Identification
There seems to be no simple way to reliably identify a Thumbs.db file as such, just from its contents. Heuristics must be used. See the "Format details" section above.
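The stream-naming rules from "Format details" can serve as one such heuristic. The following is an added example, not code from this page or from any Windows component: it classifies the stream names of a compound file, which are assumed to have been listed already with a compound-file reader. The function names, the hexadecimal-hash pattern and the "no unrecognised names" rule are assumptions made for illustration.

```python
import re

# Patterns derived from the page's two examples ("021", "256_79dea834bece3f6b").
# Assumption: the hash part is hexadecimal, of any length.
ORIGINAL_RE = re.compile(r"^[0-9]+$")
NEW_RE = re.compile(r"^([0-9]+)_([0-9a-fA-F]+)$")


def classify_stream(name):
    """Return (kind, details) for one compound-file stream name."""
    if name == "Catalog":
        return ("catalog", {})
    if ORIGINAL_RE.match(name):
        # Original format: the digits are stored reversed, "021" -> ID 120.
        return ("original", {"catalog_id": int(name[::-1])})
    m = NEW_RE.match(name)
    if m:
        return ("new", {"pixel_size": int(m.group(1)), "hash": m.group(2).lower()})
    return ("unknown", {})


def assess(stream_names):
    """Summarise a stream listing and say whether it resembles Thumbs.db."""
    kinds = {"catalog": [], "original": [], "new": [], "unknown": []}
    for name in stream_names:
        kind, details = classify_stream(name)
        kinds[kind].append(details)
    has_thumbs = bool(kinds["original"] or kinds["new"])
    return {
        # Assumed heuristic: thumbnail-style names present, nothing unrecognised.
        "looks_like_thumbs_db": has_thumbs and not kinds["unknown"],
        "mixed_versions": bool(kinds["original"] and kinds["new"]),
        # Page: files with an original-format thumbnail have a Catalog stream.
        "catalog_missing": bool(kinds["original"]) and not kinds["catalog"],
        "catalog_ids": sorted(d["catalog_id"] for d in kinds["original"]),
        "new_entries": [(d["pixel_size"], d["hash"]) for d in kinds["new"]],
    }


# Constructed stream listing (not from a real file), mixing both versions.
SAMPLE = ["Catalog", "1", "021", "256_79dea834bece3f6b"]

if __name__ == "__main__":
    print(assess(SAMPLE))
```

A listing that matches is only a candidate; the thumbnail stream headers still have to be checked before treating the file as a thumbnail cache.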