Windows 7 forensics thumbnail-dtl-r4

on

  • 4,447 views

 

Statistics

Views

Total Views
4,447
Views on SlideShare
4,413
Embed Views
34

Actions

Likes
1
Downloads
137
Comments
0

1 Embed 34

http://www.ctin.org 34

Accessibility

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Presentation Transcript

    • Windows 7 Thumbnail Cache
      Troy Larson
      Principal Forensics Program Manager
      TWC Network Security Investigations
      NSINV-R3: Research | Readiness | Response
    • Windows 7 Thumbnail Cache
      What?
      Thumbnail cache:
      Supplies the thumbnails shown in Explorer, etc.
      File based:
      Thumbcache_*.db (local, per user account)
      Thumbs.db (remote, in the shared folder)
    • Windows 7 Thumbnail Cache
      Why?
      Content of Folder
      Content of Thumbcache_256.db
      Created automatically when a folder is opened in Explorer in an icon view.
      Thumbnail cache files retain thumbnail images long after the source file has been deleted.
      Thumbs.db indicates a folder that has been shared and opened remotely.
    • Windows 7 Thumbnail Cache
      When?
      Thumbnail cache files are likely to be worth investigating when:
      There is a concern about illicit images.
      There is a concern that graphic files have been deleted.
      Comprehensive review of Thumbnail cache files can be efficiently performed.
      A number of tools scan and present the contents of thumbcache_*.db and Thumbs.db files, but some only work on certain versions of Windows.
    • Windows 7 Thumbnail Cache
      What is a thumbnail?
      It is an image that is used to represent an item.
      Picture or graphical items.
      But also, other files with images.
      Distinguished from a mere icon:
      Thumbnails are per item, rather than type, and
      Dynamically generated, based on item content.
      Stored separate from icon caches.
    • Windows 7 Thumbnail Cache
      Per account, local thumbnail caches are found at C:\Users\[Profile]\AppData\Local\Microsoft\Windows\Explorer.
    • Windows 7 Thumbnail Cache
      The local, account-specific thumbnail cache consists of an index and four data files.
      thumbcache_idx.db: index of which data file caches each image, and where.
      Image cache files, one per thumbnail size:
      thumbcache_32.db, bitmap based, 32x32.
      thumbcache_96.db, bitmap based, 96x96.
      thumbcache_256.db, JPEG based, 256x256.
      thumbcache_1024.db, JPEG based, special instances.
      New thumbnails are usually appended to the end of a thumbcache file.
    • Windows 7 Thumbnail Cache
      1. Files in C:\Users\troyla\Pictures: atomic-explosion.jpg, Chrysanthemum.jpg, Desert.jpg.
         Their ThumbnailCacheIDs:
         0x81A9D28BFA8E4E59
         0xEE0CAA5E28390724
         0xDF17189B15C5C9CD
      2. The ThumbnailCacheID is used to look up the thumbnail address in thumbcache_idx.db.
      3. thumbcache_idx.db provides offsets into thumbcache_32.db, thumbcache_96.db, thumbcache_256.db and thumbcache_1024.db; the thumbcache_*.db file provides the thumbnail to Explorer.
    • Windows 7 Thumbnail Cache
      C:\Users\troyla\Pictures (atomic-explosion.jpg, Chrysanthemum.jpg, Desert.jpg)
      No direct path from thumbnail to original file:
      Thumbcache information does not point to any file.
      File information (the ThumbnailCacheID) is used to find the thumbnail from the original file, not the other way round.
      No file name or path information is stored in the thumbcache_*.db files (thumbcache_32.db, thumbcache_96.db, thumbcache_256.db, thumbcache_1024.db).
    • Windows 7 Thumbnail Cache
      Most Windows 7 thumbnail cache viewers display the thumbnail and the ThumbnailCacheID.
      0xEE0CAA5E28390724
      http://www.thumbnailexpert.com/
    • Windows 7 Thumbnail Cache
      Linking a thumbcache file thumbnail to its source:
      The Windows Search index maintains both path and ThumbnailcacheID, and can be used to link thumbnail to source.
      0xEE0CAA5E28390724
    • Windows 7 Thumbnail Cache
      Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  ASCII
      00000000  43 4D 4D 4D 15 00 00 00 01 00 00 00 18 00 00 00  CMMM............
      00000010  E0 E6 1C 00 3A 00 00 00 43 4D 4D 4D 88 6C 00 00  ....:...CMMM.l..
      00000020  24 07 39 28 5E AA 0C EE 20 00 00 00 02 00 00 00  $.9(^... .......
      00000030  36 6C 00 00 00 00 00 00 47 07 D9 39 67 BF AF D5  6l......G..9g...
      00000040  EE B6 79 3E E2 C4 B8 56 65 00 65 00 30 00 63 00  ..y>...Ve.e.0.c.
      00000050  61 00 61 00 35 00 65 00 32 00 38 00 33 00 39 00  a.a.5.e.2.8.3.9.
      00000060  30 00 37 00 32 00 34 00 00 00 42 4D 36 6C 00 00  0.7.2.4...BM6l..
      00000070  00 00 00 00 36 00 00 00 28 00 00 00 60 00 00 00  ....6...(...`...
      00000080  48 00 00 00 01 00 20 00 00 00 00 00 00 00 00 00  H..... .........
      00000090  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      000000A0  0A 10 C3 FF 14 40 E3 FF 1C 6B FA FF 1B 78 FC FF  .....@...k...x..
      000000B0  18 7A FE FF 05 63 F9 FF 05 47 EE FF 02 3A E5 FF  .z...c...G...:..
      File header (0x00-0x17): "CMMM", format version 0x15, cache type 1, first record at 0x18, first free record at 0x1CE6E0, 0x3A records.
      Record header (0x18-0x47): "CMMM", record size 0x6C88, ThumbnailCacheID, identifier string length 0x20, padding 2, data size 0x6C36, an unused dword, then 16 bytes of checksums.
      ThumbnailCacheID (0x20-0x27): 24 07 39 28 5E AA 0C EE, little-endian, i.e. 0xEE0CAA5E28390724; the same value is repeated as the UTF-16 text "ee0caa5e28390724" at 0x48-0x67.
      Image file header (0x6A): "BM", a 0x6C36-byte bitmap, 0x60 (96) pixels wide by 0x48 (72) high, 32 bits per pixel.
    • Windows 7 Thumbnail Cache
      Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F  ASCII
      00004460  32 31 E0 63 15 05 8C 6C D2 96 8B 70 21 B2 08 ED  21.c...l...p!...
      00004470  58 57 84 6B C6 F7 B1 B5 2A 72 A6 94 13 D0 FF D9  XW.k....*r......
      00004480  43 4D 4D 4D D3 2E 00 00 CD C9 C5 15 9B 18 17 DF  CMMM............
      00004490  20 00 00 00 00 00 00 00 83 2E 00 00 00 00 00 00   ...............
      000044A0  47 A2 78 FB FC F1 96 88 11 0B DF E7 10 20 64 B8  G.x.......... d.
      000044B0  64 00 66 00 31 00 37 00 31 00 38 00 39 00 62 00  d.f.1.7.1.8.9.b.
      000044C0  31 00 35 00 63 00 35 00 63 00 39 00 63 00 64 00  1.5.c.5.c.9.c.d.
      000044D0  FF D8 FF E0 00 10 4A 46 49 46 00 01 01 01 00 00  ......JFIF......
      000044E0  00 00 00 00 FF DB 00 43 00 05 03 04 04 04 03 05  .......C........
      000044F0  04 04 04 05 05 05 06 07 0C 08 07 07 07 07 0F 0B  ................
      00004500  0B 09 0C 11 0F 12 12 11 0F 11 11 13 16 1C 17 13  ................
      00004510  14 1A 15 11 11 18 21 18 1A 1D 1D 1F 1F 1F 13 17  ......!.........
      00004520  22 24 22 1E 24 1C 1E 1F 1E FF DB 00 43 01 05 05  "$".$.......C...
      00004530  05 07 06 07 0E 08 08 0E 1E 14 11 14 1E 1E 1E 1E  ................
      The previous record's data ends with the JPEG end-of-image marker FF D9 at 0x447E.
      Record header (0x4480-0x44AF): "CMMM", record size 0x2ED3, ThumbnailCacheID, identifier string length 0x20, padding 0, data size 0x2E83 (0x30 + 0x20 + 0 + 0x2E83 = 0x2ED3).
      ThumbnailCacheID (0x4488-0x448F): CD C9 C5 15 9B 18 17 DF, little-endian, i.e. 0xDF17189B15C5C9CD; repeated as the UTF-16 text "df17189b15c5c9cd" at 0x44B0-0x44CF.
      Image file header (0x44D0): FF D8 FF E0 ... "JFIF", a 0x2E83-byte JPEG.
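      The layout the two dumps above walk through can be parsed directly. The Python below is an added example written for this page, not code from the presentation: the record field names (identifier string size, padding size, the unused dword, the two 64-bit checksum fields) are assumed from the dumps and the commonly documented Windows 7 layout, the checksums are read but not verified, and the only inputs are the first 0x70 bytes transcribed from the first dump plus a constructed sample file whose checksums are zero.

```python
"""Parser for a Windows 7 thumbcache_*.db file (the CMMM format in the dumps above)."""
import struct
from dataclasses import dataclass

# File header, 24 bytes (0x18, hence the first record at 0x18 in the dump): signature,
# format version, cache type, first-record offset, first-free-record offset, record count.
HEADER_FMT = "<4sIIIII"
HEADER_SIZE = struct.calcsize(HEADER_FMT)
# Record header, 48 bytes (0x30): signature, record size, 64-bit hash (the ThumbnailCacheID),
# identifier string size, padding size, data size, an unused dword, and two 64-bit checksum
# fields. Layout assumed from the dumps above; checksums are read but not verified here.
RECORD_FMT = "<4sIQIIIIQQ"
RECORD_HDR_SIZE = struct.calcsize(RECORD_FMT)


@dataclass
class CacheRecord:
    offset: int
    thumbnail_cache_id: str  # as viewers print it, e.g. 0xEE0CAA5E28390724
    identifier: str          # UTF-16LE text stored in the record
    data_size: int
    image_type: str
    id_matches_hash: bool    # identifier text == lowercase hex of the hash


def sniff(data: bytes) -> str:
    """Identify the image container from its magic bytes (no decoding)."""
    if data.startswith(b"BM"):
        return "bmp"
    if data.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    return "unknown"


def parse_file_header(blob: bytes) -> dict:
    sig, version, ctype, first, free, count = struct.unpack_from(HEADER_FMT, blob, 0)
    if sig != b"CMMM":
        raise ValueError("not a thumbcache file: bad signature")
    return {"version": version, "cache_type": ctype, "first_record": first,
            "first_free_record": free, "record_count": count}


def read_record_header(blob: bytes, off: int) -> dict:
    """Decode one record header at off without touching the image data."""
    sig, size, hsh, id_len, pad, dsize, _unused, data_crc, hdr_crc = \
        struct.unpack_from(RECORD_FMT, blob, off)
    if sig != b"CMMM":
        raise ValueError(f"bad record signature at {off:#x}")
    if size != RECORD_HDR_SIZE + id_len + pad + dsize:  # holds for both dumps above
        raise ValueError(f"record size at {off:#x} does not match its fields")
    id_start = off + RECORD_HDR_SIZE
    return {"size": size, "hash": hsh, "data_size": dsize,
            "identifier": blob[id_start:id_start + id_len].decode("utf-16-le"),
            "data_offset": id_start + id_len + pad,
            "data_crc": data_crc, "header_crc": hdr_crc}


def parse_thumbcache(blob: bytes) -> list:
    """Walk every record from the first-record offset up to the first free slot."""
    hdr = parse_file_header(blob)
    records, off = [], hdr["first_record"]
    while off < hdr["first_free_record"] and off + RECORD_HDR_SIZE <= len(blob):
        rec = read_record_header(blob, off)
        data = blob[rec["data_offset"]:rec["data_offset"] + rec["data_size"]]
        records.append(CacheRecord(
            offset=off, thumbnail_cache_id=f"0x{rec['hash']:016X}",
            identifier=rec["identifier"], data_size=rec["data_size"], image_type=sniff(data),
            id_matches_hash=rec["identifier"].lower() == f"{rec['hash']:016x}"))
        off += rec["size"]
    return records


# First 0x70 bytes of the page's first dump (file header, record header, ID text, "BM").
PAGE_DUMP_PREFIX = bytes.fromhex(
    "434D4D4D 15000000 01000000 18000000" "E0E61C00 3A000000 434D4D4D 886C0000"
    "24073928 5EAA0CEE 20000000 02000000" "366C0000 00000000 4707D939 67BFAFD5"
    "EEB6793E E2C4B856 65006500 30006300" "61006100 35006500 32003800 33003900"
    "30003700 32003400 0000424D 366C0000")


def _record(thumb_id: int, data: bytes, padding: int) -> bytes:
    ident = f"{thumb_id:016x}".encode("utf-16-le")  # records carry the ID as hex text
    size = RECORD_HDR_SIZE + len(ident) + padding + len(data)
    hdr = struct.pack(RECORD_FMT, b"CMMM", size, thumb_id, len(ident), padding, len(data), 0, 0, 0)
    return hdr + ident + b"\x00" * padding + data


def _tiny_bmp() -> bytes:
    pixel = b"\x00\x00\xff\xff"  # one 32-bpp pixel
    dib = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 32, 0, len(pixel), 2835, 2835, 0, 0)
    return struct.pack("<2sIHHI", b"BM", 14 + len(dib) + len(pixel), 0, 0, 14 + len(dib)) + dib + pixel


def build_sample_cache() -> bytes:
    """Constructed sample: a version-0x15, cache-type-1 file holding two records with the
    ThumbnailCacheIDs from the slides. Checksums are left zero, unlike a real file."""
    jpeg_stub = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x01" + b"\x00" * 6 + b"\xff\xd9"
    body = _record(0xEE0CAA5E28390724, _tiny_bmp(), 2) + _record(0xDF17189B15C5C9CD, jpeg_stub, 0)
    return struct.pack(HEADER_FMT, b"CMMM", 0x15, 1, HEADER_SIZE, HEADER_SIZE + len(body), 2) + body


if __name__ == "__main__":
    for r in parse_thumbcache(build_sample_cache()):
        print(f"{r.offset:#06x} {r.thumbnail_cache_id} {r.image_type:5} {r.data_size:4d} B ok={r.id_matches_hash}")
```

      Run stand-alone it lists the two records of the constructed file; pointing parse_thumbcache at the bytes of a real thumbcache_96.db lists every ThumbnailCacheID and the image type behind it, which is the value the Windows Search index lookup described on the next slides maps back to a path. The record-size consistency check is the cheap sanity test to keep: a record whose size field disagrees with its header fields is where to stop and look at the bytes by hand rather than trust a viewer.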
    • Windows 7 Thumbnail Cache
      Thumbcache_32.db
    • Windows 7 Thumbnail Cache
      Thumbcache_96.db
    • Windows 7 Thumbnail Cache
      Thumbcache_256.db
    • Windows 7 Thumbnail Cache
      Thumbcache_1024.db
    • Windows 7 Thumbnail Cache
      \\Buffy-1\C$\Users\troyla\Pictures
      Opening a shared folder in an icon view creates a Thumbs.db file in the shared folder.
      Thumbs.db is independent of the user thumbnail caches on host and client.
      The existence of a Thumbs.db file indicates that the folder was remotely accessed.
    • Windows 7 Thumbnail Cache
      Note: Different UIDs
    • Windows 7 Thumbnail Cache
      Internals: The venerable structured storage file format.
    • Questions?