Friday, November 9, 2012

Analyzing Thumbcache

In Windows 2000/XP, when a user viewed a folder as thumbnails in Windows Explorer, Windows would create a hidden system file named Thumbs.db in that directory and store a thumbnail-sized JPEG of each file in it, recorded under the file's original name and extension.  Generally speaking, if you found a Thumbs.db file in a folder it corresponded to images that were viewed as thumbnails in that folder, barring any tampering a user may have done, e.g. copying a Thumbs.db from a different folder into that folder.  Also, generally speaking, the Owner shown in the Security properties of the Thumbs.db tells you which account the file was tied to.



Viewed above with Eric Kutcher's Thumbs Viewer.  These files can be of forensic importance: even if a user has deleted the actual incriminating files from the directory, the thumbnails inside the Thumbs.db file are left behind unless specifically "cleaned" by a user with something like CCleaner, or by deleting the Thumbs.db file itself.





Starting with Windows Vista, Microsoft switched from per-directory Thumbs.db database files to a single per-user folder holding one cache file per icon size; every item the user has viewed as a thumbnail is stored in the file for the size that was selected.  Thumbcache files are therefore tied directly to each user, and live in the following directory:

\Users\%username%\AppData\Local\Microsoft\Windows\Explorer

On Windows 7 this directory contains the following files:

    thumbcache_idx.db
    thumbcache_32.db, thumbcache_96.db, thumbcache_256.db, and thumbcache_1024.db
    thumbcache_sr.db

The thumbnails stored in the Thumbcache db files are kept in various formats (for example, original.jpg is stored as a JPEG and original.png as a PNG), but they do not retain the original name.  Instead, each entry is identified by a 64-bit hash, written out as a Unicode string of hex digits, called the ThumbnailCacheID.  This time we'll use Eric Kutcher's Thumbcache Viewer to view the same set of images as above, taken from a Windows 7 Thumbcache db rather than the XP Thumbs.db.  Notice the difference in the selected "FileNames" even though they are the exact same images on both systems.
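To make the naming concrete, here is an added example (not code from the post, nor from Eric Kutcher's viewers) that parses the Windows 7 thumbcache_*.db layout directly: a 24-byte "CMMM" file header followed by "CMMM" cache entries, each carrying the 64-bit hash, the UTF-16LE identifier string, padding, and the raw image bytes in whatever container format the thumbnail was generated in.  It handles only the Windows 7 entry layout (format version 0x15), does not verify the two CRC-64 fields, and runs against a cache file constructed in memory rather than a real one; the hash value from the post is reused as one of the constructed entries.

```python
"""Parser for Windows 7 thumbcache_*.db files (added example, not from the post).

Layout (CMMM format, version 0x15 = Windows 7), all little-endian:
  file header : "CMMM", version, cache type, first entry offset,
                first available entry offset, entry count
  cache entry : "CMMM", entry size, 64-bit hash, identifier size, padding size,
                data size, unknown, data CRC-64, header CRC-64, then the
                identifier (UTF-16LE), padding bytes, and the image data.
Checksums are read but not verified here.
"""
import struct

HEADER_FMT = "<4sIIIII"
HEADER_SIZE = struct.calcsize(HEADER_FMT)      # 24 bytes
ENTRY_FMT = "<4sIQIIIIQQ"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)        # 48 bytes
WIN7_VERSION = 0x15
# Cache type values as used in Windows 7 files (maps to the thumbcache_NN.db name).
CACHE_TYPES = {0: "32", 1: "96", 2: "256", 3: "1024", 4: "sr"}
# The stored thumbnail keeps its own container format; sniff it from magic bytes.
MAGIC = ((b"\x89PNG\r\n\x1a\n", "png"), (b"\xff\xd8\xff", "jpg"), (b"BM", "bmp"))


def sniff_format(data):
    """Guess the image container from its leading bytes."""
    for magic, ext in MAGIC:
        if data.startswith(magic):
            return ext
    return "none" if not data else "bin"


def parse_thumbcache(buf):
    """Parse a whole cache file; returns cache type, declared count and entries."""
    if len(buf) < HEADER_SIZE:
        raise ValueError("file shorter than the thumbcache header")
    sig, version, cache_type, first_off, avail_off, count = struct.unpack_from(HEADER_FMT, buf, 0)
    if sig != b"CMMM":
        raise ValueError("not a thumbcache file")
    if version != WIN7_VERSION:
        raise ValueError("only the Windows 7 entry layout is handled: version 0x%x" % version)
    entries, off = [], first_off
    # Walk entries up to the first unused slot; stop on anything malformed or truncated.
    while off < avail_off and off + ENTRY_SIZE <= len(buf):
        (esig, esize, ehash, id_size, pad_size, data_size,
         _unknown, data_crc, hdr_crc) = struct.unpack_from(ENTRY_FMT, buf, off)
        if esig != b"CMMM" or esize < ENTRY_SIZE or off + esize > len(buf):
            break
        id_start = off + ENTRY_SIZE
        identifier = buf[id_start:id_start + id_size].decode("utf-16-le")
        data_start = id_start + id_size + pad_size
        data = bytes(buf[data_start:data_start + data_size])
        entries.append({
            "offset": off,
            "hash": "%016x" % ehash,       # the ThumbnailCacheID as a hex string
            "identifier": identifier,      # Windows 7 stores that same hex string here
            "format": sniff_format(data),
            "data": data,
            "data_crc": data_crc,
            "header_crc": hdr_crc,
        })
        off += esize
    return {"cache_type": CACHE_TYPES.get(cache_type, str(cache_type)),
            "declared_count": count, "entries": entries}


def viewer_names(parsed):
    """Names the way a viewer shows them: <ThumbnailCacheID>.<sniffed extension>."""
    return ["%s.%s" % (e["identifier"], e["format"]) for e in parsed["entries"] if e["data"]]


def build_sample_cache(items, version=WIN7_VERSION, cache_type=2):
    """Construct a Windows 7 style cache file in memory (test data; CRCs left zero)."""
    body = b""
    for ehash, data in items:
        ident = ("%016x" % ehash).encode("utf-16-le")
        esize = ENTRY_SIZE + len(ident) + len(data)
        body += struct.pack(ENTRY_FMT, b"CMMM", esize, ehash, len(ident), 0, len(data), 0, 0, 0)
        body += ident + data
    header = struct.pack(HEADER_FMT, b"CMMM", version, cache_type,
                         HEADER_SIZE, HEADER_SIZE + len(body), len(items))
    return header + body


# Constructed sample: the ID from the post, a PNG stub, and an entry with no data.
SAMPLE = build_sample_cache([
    (0x7FA896B6DF7FC307, b"\xff\xd8\xff\xe0" + b"\x00" * 12),   # JPEG magic + filler
    (0x0123456789ABCDEF, b"\x89PNG\r\n\x1a\n" + b"\x00" * 8),   # PNG magic + filler
    (0xDEADBEEFCAFEF00D, b""),                                   # slot with no thumbnail
])

if __name__ == "__main__":
    parsed = parse_thumbcache(SAMPLE)
    print("thumbcache_%s.db" % parsed["cache_type"], viewer_names(parsed))
```

Because the walk stops at the first entry that does not fit inside the buffer, a truncated copy of a cache file yields only the entries that are wholly present rather than an exception; on real evidence you would also want to compare the two CRC-64 fields against the bytes, which this example leaves out.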




Unfortunately, there is no information in the Thumbcache db itself that links a thumbnail back to its original file name or location.  One way to make that link is the Windows Search database (Windows.edb), which can be found at C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb on Windows 7.  Windows.edb stores the ThumbnailCacheID as part of the metadata it keeps for each indexed file, so the ID taken from the cache can be looked up there.  We can view the contents of the Windows.edb database file using Woanware's EseDbViewer.


First, a quick side note.  Often, when trying to open a Windows.edb file you've taken from a forensic image, you will get an error indicating that the file is corrupt; the database was not cleanly shut down when the image was taken.  To fix this issue, use the Windows built-in command esentutl with the /p (repair) option, pointing it at the Windows.edb file you want to fix.  Run it against a working copy rather than the original evidence file, since /p rewrites the database in place and may discard pages it cannot repair.  Occasionally, I've had to run this command more than once to get it to fix the file.





Once it's fixed, open it in EseDbViewer, selecting Generic Mode.



We are interested in the table named SystemIndex_0A, so select that one.



Next we are going to export the selected table to CSV so that we can search it easily.  Once it has been exported, open it in Excel and search for the ThumbnailCacheID value of the specific image you are interested in.  Note that numerous fields are exported and there may be a lot of empty entries in your CSV file, as not all indexed files carry the same metadata.  For our example we can see from the Thumbcache Viewer screenshot above that the image we are interested in had been renamed to 7fa896b6df7fc307.jpg, so we want to search for the string 7fa896b6df7fc307.  I use a simple Find for that string in my Excel file and find the following entry (with a great deal of extra information removed so we only see what is important for this example).

.jpg    IrfanView JPG File    file:C:/Users/mattylp/Pictures/size2_4e79a01ca167b.jpg 7fa896b6df7fc307   

The Windows.edb file shows me this was a .jpg, the registered viewer for it on the system was IrfanView, the original path and file name were C:/Users/mattylp/Pictures/size2_4e79a01ca167b.jpg, and its ThumbnailCacheID is 7fa896b6df7fc307.  Note that this file name is exactly the same as the one we saw when we looked at this image in our Windows XP Thumbs.db file.
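The Excel Find above does the correlation by hand.  The following is an added example, not tooling from the post, that does the same lookup over a SystemIndex_0A CSV export in Python so it can be repeated for many IDs.  Its assumptions are not from the post: the export has a header row, the column names follow the Windows Search property names with the dot replaced by an underscore (System_ItemUrl, System_ItemTypeText, System_ThumbnailCacheId), and the ID is rendered as 16 hex digits.  Because exports differ between tools and versions, it scans every column of each row rather than relying on one known field, and it also tries the byte-reversed form of the ID in case the exporting tool rendered the 8-byte value little-endian (a defensive assumption, not a documented behaviour).  The sample CSV is constructed; its first data row mirrors the entry shown above.

```python
"""Find the original path for a ThumbnailCacheID in a SystemIndex_0A CSV export.

Added example, not the post's own tooling. Assumptions: the export has a header
row; column names follow the Windows Search property names with '.' replaced by
'_' (System_ItemUrl, System_ItemTypeText, ...); the ID appears as 16 hex digits.
Every column is scanned, since exports differ and most cells are empty.
"""
import csv
import io
import re

HEX16 = re.compile(r"^[0-9a-fA-F]{16}$")


def normalize_id(cache_id):
    """Accept '7FA896B6DF7FC307' or a viewer name such as '7fa896b6df7fc307.jpg'."""
    cid = cache_id.strip().split(".")[0].lower()
    if not HEX16.match(cid):
        raise ValueError("ThumbnailCacheID must be 16 hex digits: %r" % cache_id)
    return cid


def id_candidates(cache_id):
    """The ID as written plus its byte-reversed form, in case the exporting tool
    rendered the 8-byte value little-endian (a defensive assumption)."""
    cid = normalize_id(cache_id)
    swapped = "".join(cid[i:i + 2] for i in range(14, -1, -2))
    return {cid, swapped}


def url_to_path(item_url):
    """Turn 'file:C:/Users/x/a.jpg' from System_ItemUrl into a Windows path."""
    if item_url.lower().startswith("file:"):
        return item_url[5:].replace("/", "\\")
    return item_url


def find_by_cache_id(csv_text, cache_id):
    """Return one summary dict per row in which any column equals the ID."""
    wanted = id_candidates(cache_id)
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        for column, value in row.items():
            if value and value.strip().lower() in wanted:
                hits.append({
                    "matched_column": column,
                    "cache_id": value.strip().lower(),
                    "path": url_to_path(row.get("System_ItemUrl", "") or ""),
                    "item_type": row.get("System_ItemTypeText", "") or "",
                    # keep only populated cells: the export carries many empty columns
                    "fields": {k: v for k, v in row.items() if v},
                })
                break
    return hits


# Constructed sample export (column names assumed; the first data row mirrors the post).
SAMPLE_CSV = """System_FileExtension,System_ItemTypeText,System_ItemUrl,System_ThumbnailCacheId,System_Title,System_Size
.jpg,IrfanView JPG File,file:C:/Users/mattylp/Pictures/size2_4e79a01ca167b.jpg,7fa896b6df7fc307,,48213
.png,PNG image,file:C:/Users/mattylp/Pictures/screen.png,0123456789ABCDEF,,9120
,File folder,file:C:/Users/mattylp/Pictures,,,
.docx,Microsoft Word Document,file:C:/Users/mattylp/Documents/notes.docx,,Notes,
"""

if __name__ == "__main__":
    for hit in find_by_cache_id(SAMPLE_CSV, "7fa896b6df7fc307.jpg"):
        print(hit["matched_column"], hit["cache_id"], hit["path"], hit["item_type"])
```

Feeding it the real export means reading the CSV file into a string and passing that as csv_text; a hit on an unexpected column name is itself useful, since it tells you which field that version of EseDbViewer used for the ID.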




6 comments:

  1. Hey there Matt. The link to download EseDbViewer doesn't work on WOAN's website. Do you have a copy or can point me to another location to download it?

    Thanks!

    blacktobasics@hotmail.com

    ReplyDelete
  2. http://www.woanware.co.uk/forensics/esedbviewer.html

    ReplyDelete
  3. I've noticed that EseDbViewer isn't parsing the date fields properly or not showing any dates in the windows.edb depending on the version. I hope it gets fixed, it's a great tool, useful for webcache in IE10 as well.

    ReplyDelete
  4. Great write up.
    Simple typo in the writeup. The Windows command is esentutl.exe /s

    "To fix this issue, use the Windows built-in command esentutil with the /p"

    Regards,
    Robert

    ReplyDelete
    Replies
    1. I am running Win7 Enterprise, 64 bit and when I try to run esentutil, I get an error indicating that it is not a recognized program or command.

      Delete
    2. He made a typo, it should be "esentutl" (you can see it in the screen shot of the cmd line)

      Delete