Windows thumbnail cache
Revision as of 14:41, 4 September 2023
Windows thumbnail cache (or Thumbs.db format) is a file format used by some versions of Microsoft Windows to store thumbnails of images and certain other file types. Thumbnails may be written to a file named Thumbs.db in the folder containing the image file, or to a file in a central location. The file format is based on Microsoft Compound File format. Apparently the files can be of forensic interest as they sometimes contain references to deleted images.
In versions starting with Vista, separate thumbnail files are usually no longer used, with the thumbnails instead being stored in a centralized database at \Users\%username%\AppData\Local\Microsoft\Windows\Explorer. However, separate Thumbs.db files may still be created on network drives.
Format details
Thumbs.db format is undocumented, and fairly difficult to decode. Knowledge of Microsoft Compound File format is a prerequisite. There are at least two different major thumbnail versions, which we'll call "original format" and "new format". There is an uncertain number of minor versions. Different thumbnail versions may be combined in the same file. Presumably, this can happen when Windows updates a file created by a different version of Windows.
Files that contain at least one "original format" thumbnail have a special stream named "Catalog", which contains the original filenames, and other information. One of the filenames may be the special name "{A42CD7B6-E9B9-4D02-B7A6-288B71AD28BA}". This is apparently the thumbnail for the folder as a whole. The thumbnail streams themselves have simple numeric names like "021", which are to be reversed and interpreted as a Catalog ID number (120, in this example).
Thumbnails in "new format" do not use a Catalog file. Instead, the streams have names like "256_79dea834bece3f6b", apparently containing a pixel size and a hash.
In all versions, the thumbnail streams do not contain just the embedded image file. Instead, they start with a header.
There are at least three different image formats that a thumbnail may use:
- Standard JFIF JPEG format
- A nonstandard RGBA format based on JPEG (At least, the component ID numbers suggest that the format is RGBA. Thumbs Viewer can display these images, and its author says it is CMYK.)
- PNG
Identification
There seems to be no simple way to reliably identify a Thumbs.db file as such, just from its contents. Heuristics must be used. See the "Format details" section above.
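An added example (not from the original page or from any tool it mentions): the stream-naming conventions from "Format details" and the heuristic identification described above, in Python. It assumes the stream names and stream bytes have already been extracted with a compound-file reader; the function names, the hex pattern used for the hash part, and the sample data are constructed for illustration.

```python
import re

NEW_NAME = re.compile(r"^(\d+)_([0-9a-fA-F]+)$")  # e.g. "256_79dea834bece3f6b" (pattern is an assumption)
OLD_NAME = re.compile(r"^\d+$")                    # e.g. "021"
# "jpeg" only means a JPEG start-of-image marker was found; it does not
# separate standard JFIF from the nonstandard variant.
SIGNATURES = ((b"\x89PNG\r\n\x1a\n", "png"), (b"\xff\xd8\xff", "jpeg"))


def classify_streams(names):
    """Sort compound-file stream names into the two thumbnail naming schemes."""
    result = {"catalog": False, "original": {}, "new": [], "other": []}
    for name in names:
        new = NEW_NAME.match(name)
        if name == "Catalog":
            result["catalog"] = True
        elif OLD_NAME.match(name):
            # Stream name is the Catalog ID written backwards: "021" -> 120.
            result["original"][int(name[::-1])] = name
        elif new:
            result["new"].append((int(new.group(1)), new.group(2).lower()))
        else:
            result["other"].append(name)
    return result


def looks_like_thumbs_db(names):
    """Heuristic only: numeric streams need a Catalog; new-format names stand alone."""
    c = classify_streams(names)
    return bool(c["new"]) or (c["catalog"] and bool(c["original"]))


def find_image(stream):
    """Return (offset, kind) of the earliest image signature past the header, or None."""
    hits = [(stream.find(sig), kind) for sig, kind in SIGNATURES if stream.find(sig) >= 0]
    return min(hits) if hits else None


# Constructed sample input, not taken from a real file.
SAMPLE_NAMES = ["Catalog", "1", "021", "256_79dea834bece3f6b", "notes"]
SAMPLE_STREAM = b"\x0c\x00\x00\x00" * 3 + b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"

if __name__ == "__main__":
    print(classify_streams(SAMPLE_NAMES))
    print(looks_like_thumbs_db(SAMPLE_NAMES), find_image(SAMPLE_STREAM))
```

Because the header length is not known, the signature search can match bytes inside the header by chance, so a hit should be confirmed by decoding the image from that offset.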