Windows 7 forensics thumbnail-dtl-r4

Published on SlideShare in: Technology, Art & Photos

  1. Windows 7 Thumbnail Cache
     Troy Larson, Principal Forensics Program Manager, TWC Network Security Investigations
     NSINV-R3: Research | Readiness | Response
  2. Thumbnail cache:
     • Supplies the thumbnails shown in Explorer and elsewhere.
     • File based:
       – Thumbcache_*: local (per user profile)
       – Thumbs.db: remote (on the shared folder)
  3. • Created automatically when folders are opened in Explorer in an icon view.
     • Thumbnail cache files retain thumbnail images long after the source file has been deleted.
     • Thumbs.db indicates a shared folder that has been opened remotely.
     [Figure: content of a folder beside the content of Thumbcache_256.db]
  4. • Thumbnail cache files are likely to be worth investigating when:
       – There is a concern about illicit images.
       – There is a concern that graphic files have been deleted.
     • A comprehensive review of thumbnail cache files can be performed efficiently.
       – A number of tools scan and present the contents of thumbcache and Thumbs.db files, but some tools only work on certain versions of Windows, because the on-disk format changed between versions.
  5. What is a thumbnail?
     • An image used to represent an item.
       – Picture or graphic items.
       – But also other files that contain images.
     • Distinguished from a mere icon:
       – Thumbnails are per item rather than per file type, and
       – Dynamically generated from the item's content.
       – Stored separately from the icon caches.
  6. Per-account, local thumbnail caches are found at C:\Users\[Profile]\AppData\Local\Microsoft\Windows\Explorer.
  7. The local, account-specific thumbnail cache consists of an index and four data files.
     • thumbcache_idx.db: index of which data file caches each image, and where.
     • Image cache files, one per thumbnail size:
       – thumbcache_32.db, bitmap based, 32x32.
       – thumbcache_96.db, bitmap based, 96x96.
       – thumbcache_256.db, JPEG based, 256x256.
       – thumbcache_1024.db, JPEG based, special instances only.
     • New thumbnails are usually appended to the end of a thumbcache file.
  8. [Figure: lookup flow from C:\Users\troyla\Pictures (atomic-explosion.jpg, Chrysanthemum.jpg, Desert.jpg) with ThumbnailCacheIDs 0x81A9D28BFA8E4E59, 0xEE0CAA5E28390724 and 0xDF17189B15C5C9CD, through thumbcache_idx.db, to thumbcache_32.db, thumbcache_96.db, thumbcache_256.db and thumbcache_1024.db]
     1. The ThumbnailCacheID is used to look up the thumbnail's address in thumbcache_idx.db.
     2. thumbcache_idx.db provides offsets into the thumbcache_*.db files.
     3. thumbcache_*.db provides the thumbnails to Explorer.
  9. Thumbcache information does not point back to any file.
     • The ThumbnailCacheID, which Windows derives from the original file, is what locates the thumbnail.
     • There is no file name or path information in the thumbcache_* files.
     [Figure: thumbcache_32.db, thumbcache_96.db, thumbcache_256.db and thumbcache_1024.db with no link back to C:\Users\troyla\Pictures (atomic-explosion.jpg, Chrysanthemum.jpg, Desert.jpg)]
  10. Most Windows 7 thumbnail cache viewers display the thumbnail together with its ThumbnailCacheID, e.g. 0xEE0CAA5E28390724. (Viewer shown: http://www.thumbnailexpert.com/)
  11. Linking a thumbcache thumbnail to its source:
      • The Windows Search index maintains both the path and the ThumbnailCacheID of each indexed item, so it can be used to link a thumbnail (e.g. 0xEE0CAA5E28390724) back to its source file, provided the item was indexed.
  12. Anatomy of a thumbcache entry, shown at the start of a Windows 7 thumbcache file:
      • File header (offset 0x00, 24 bytes): signature CMMM, version 0x15, cache type 1 (the 96-pixel cache), first entry at 0x18, next free entry at 0x1CE6E0, 0x3A entries.
      • Record header (offset 0x18, 48 bytes): signature CMMM, entry size 0x6C88, 8-byte entry hash, identifier string size 0x20, padding size 0x02, data size 0x6C36, an unused dword, then two 64-bit checksums.
      • ThumbnailCacheID: the little-endian hash at 0x20 reads 0xEE0CAA5E28390724 (the ID shown on slides 10 and 11), repeated as the UTF-16 string "ee0caa5e28390724" at 0x48.
      • Image file header: bitmap ("BM") at 0x6A, 96 x 72 pixels, 32 bits per pixel, 0x6C36 bytes in total.

      Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
      00000000  43 4D 4D 4D 15 00 00 00 01 00 00 00 18 00 00 00  CMMM............
      00000010  E0 E6 1C 00 3A 00 00 00 43 4D 4D 4D 88 6C 00 00  ....:...CMMM.l..
      00000020  24 07 39 28 5E AA 0C EE 20 00 00 00 02 00 00 00  $.9(^... .......
      00000030  36 6C 00 00 00 00 00 00 47 07 D9 39 67 BF AF D5  6l......G..9g...
      00000040  EE B6 79 3E E2 C4 B8 56 65 00 65 00 30 00 63 00  ..y>...Ve.e.0.c.
      00000050  61 00 61 00 35 00 65 00 32 00 38 00 33 00 39 00  a.a.5.e.2.8.3.9.
      00000060  30 00 37 00 32 00 34 00 00 00 42 4D 36 6C 00 00  0.7.2.4...BM6l..
      00000070  00 00 00 00 36 00 00 00 28 00 00 00 60 00 00 00  ....6...(...`...
      00000080  48 00 00 00 01 00 20 00 00 00 00 00 00 00 00 00  H..... .........
      00000090  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
      000000A0  0A 10 C3 FF 14 40 E3 FF 1C 6B FA FF 1B 78 FC FF  .....@...k...x..
      000000B0  18 7A FE FF 05 63 F9 FF 05 47 EE FF 02 3A E5 FF  .z...c...G...:..
  13. A second entry, from a JPEG-based cache. The preceding image ends with the JPEG end-of-image marker (FF D9) and the next record follows immediately:
      • Record header (0x4480): signature CMMM, entry size 0x2ED3, 8-byte entry hash, identifier string size 0x20, padding size 0, data size 0x2E83, unused dword, two 64-bit checksums.
      • ThumbnailCacheID: hash 0xDF17189B15C5C9CD at 0x4488, repeated as the UTF-16 string "df17189b15c5c9cd" at 0x44B0.
      • Image file header: JPEG start-of-image and JFIF APP0 segment (FF D8 FF E0 ... JFIF) at 0x44D0, followed by the quantization tables (FF DB).

      Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
      00004460  32 31 E0 63 15 05 8C 6C D2 96 8B 70 21 B2 08 ED  21.c...l...p!...
      00004470  58 57 84 6B C6 F7 B1 B5 2A 72 A6 94 13 D0 FF D9  XW.k....*r......
      00004480  43 4D 4D 4D D3 2E 00 00 CD C9 C5 15 9B 18 17 DF  CMMM............
      00004490  20 00 00 00 00 00 00 00 83 2E 00 00 00 00 00 00   ...............
      000044A0  47 A2 78 FB FC F1 96 88 11 0B DF E7 10 20 64 B8  G.x.......... d.
      000044B0  64 00 66 00 31 00 37 00 31 00 38 00 39 00 62 00  d.f.1.7.1.8.9.b.
      000044C0  31 00 35 00 63 00 35 00 63 00 39 00 63 00 64 00  1.5.c.5.c.9.c.d.
      000044D0  FF D8 FF E0 00 10 4A 46 49 46 00 01 01 01 00 00  ......JFIF......
      000044E0  00 00 00 00 FF DB 00 43 00 05 03 04 04 04 03 05  .......C........
      000044F0  04 04 04 05 05 05 06 07 0C 08 07 07 07 07 0F 0B  ................
      00004500  0B 09 0C 11 0F 12 12 11 0F 11 11 13 16 1C 17 13  ................
      00004510  14 1A 15 11 11 18 21 18 1A 1D 1D 1F 1F 1F 13 17  ......!.........
      00004520  22 24 22 1E 24 1C 1E 1F 1E FF DB 00 43 01 05 05  "$".$.......C...
      00004530  05 07 06 07 0E 08 08 0E 1E 14 11 14 1E 1E 1E 1E  ................
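The entry layout annotated on slides 7 to 9 and in the two hex dumps on slides 12 and 13 is simple enough to walk with a few lines of code. The parser below is an added example, not a tool from the deck; it reads the Windows 7 (file version 0x15) file and record headers at the offsets identified above, pulls out each entry's hash, identifier string and image payload, and checks the one thing the dumps make obvious: the ThumbnailCacheID is stored twice per record, once as a 64-bit little-endian hash and once as its 16-digit hex string. The input is a constructed cache built in memory (not a real thumbcache file) that reuses the three ThumbnailCacheIDs from slide 8; its checksum fields are left zero because this example reads but does not verify them, and the third entry carries no image data to show that the walk tolerates such records.

```python
"""Added example: a minimal parser for Windows 7 thumbcache_*.db files.

Layout (Windows 7, file version 0x15), matching the hex dumps on slides 12-13:
  file header, 24 bytes at offset 0:
      "CMMM", version, cache type (0=32, 1=96, 2=256, 3=1024),
      offset of first entry, offset of next free entry, entry count
  record header, 48 bytes at each entry:
      "CMMM", entry size, entry hash (the ThumbnailCacheID),
      identifier string size, padding size, data size, unused dword,
      data checksum, header checksum
  followed by the identifier string (UTF-16LE hex of the hash), the padding
  bytes, and the image data (BMP in the 32/96 caches, JPEG in 256/1024).
"""
import struct

FILE_HDR = struct.Struct("<4sIIIII")      # 24 bytes
ENTRY_HDR = struct.Struct("<4sIQIIIIQQ")  # 48 bytes
CACHE_TYPES = {0: "32", 1: "96", 2: "256", 3: "1024"}


def image_kind(data):
    """Identify the embedded thumbnail by its magic bytes."""
    if data[:2] == b"BM":
        return "bmp"
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    return "none" if not data else "unknown"


def parse_thumbcache(buf):
    """Walk every record of a thumbcache_*.db image held in memory."""
    sig, version, ctype, first, _avail, count = FILE_HDR.unpack_from(buf, 0)
    if sig != b"CMMM":
        raise ValueError("missing CMMM file signature")
    entries = []
    off = first
    while off + ENTRY_HDR.size <= len(buf):
        (esig, esize, ehash, idsize, padsize, datasize,
         _unused, data_crc, hdr_crc) = ENTRY_HDR.unpack_from(buf, off)
        if esig != b"CMMM" or esize < ENTRY_HDR.size:
            break                      # slack or corruption: stop walking
        pos = off + ENTRY_HDR.size
        ident = buf[pos:pos + idsize].decode("utf-16-le")
        pos += idsize + padsize
        data = buf[pos:pos + datasize]
        entries.append({
            "offset": off, "hash": ehash, "identifier": ident,
            "kind": image_kind(data), "data": data,
            # checksums are carried through here, not recomputed
            "data_checksum": data_crc, "header_checksum": hdr_crc,
        })
        off += esize
    return {"version": version, "cache": CACHE_TYPES.get(ctype, str(ctype)),
            "declared_count": count, "entries": entries}


def hash_matches_identifier(entry):
    """The ThumbnailCacheID appears twice per record, as the 64-bit hash and
    as its 16-digit hex string; a mismatch points at a damaged record."""
    return f"{entry['hash']:016x}" == entry["identifier"].lower()


# --- constructed sample cache (not a real file) ------------------------------
def _entry(hash_value, data, padsize):
    ident = f"{hash_value:016x}".encode("utf-16-le")
    esize = ENTRY_HDR.size + len(ident) + padsize + len(data)
    # checksum fields are left zero in this sample; real files carry 64-bit checksums
    hdr = ENTRY_HDR.pack(b"CMMM", esize, hash_value, len(ident), padsize,
                         len(data), 0, 0, 0)
    return hdr + ident + b"\x00" * padsize + data


def build_sample():
    """A three-record, 96-pixel-type cache using the ThumbnailCacheIDs from slide 8."""
    bmp = b"BM" + b"\x00" * 52                  # BMP magic plus a dummy header
    jpg = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01" + b"\x00" * 20 + b"\xff\xd9"
    body = (_entry(0xEE0CAA5E28390724, bmp, 2)
            + _entry(0xDF17189B15C5C9CD, jpg, 0)
            + _entry(0x81A9D28BFA8E4E59, b"", 0))  # record with no image data
    header = FILE_HDR.pack(b"CMMM", 0x15, 1, FILE_HDR.size,
                           FILE_HDR.size + len(body), 3)
    return header + body


def parse_sample():
    return parse_thumbcache(build_sample())


if __name__ == "__main__":
    for e in parse_sample()["entries"]:
        print(f"{e['offset']:#08x} {e['hash']:016x} {e['kind']:<5} "
              f"id-consistent={hash_matches_identifier(e)}")
```

To run it against a real cache, read the file into memory and pass the bytes to parse_thumbcache; each entry's "data" field can then be written out with an extension chosen from "kind". Vista and later Windows versions use different header versions and field layouts, which is the reason, mentioned on slide 4, that viewers tend to be version-specific.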
  14. [Figure: contents of Thumbcache_32.db]
  15. [Figure: contents of Thumbcache_96.db]
  16. [Figure: contents of Thumbcache_256.db]
  17. [Figure: contents of Thumbcache_1024.db]
  18. Opening a shared folder (here \\Buffy-1\C$\Users\troyla\Pictures) using an icon view creates a Thumbs.db file in the shared folder.
      • Thumbs.db is independent of the user thumbnail caches on both the host and the client.
      • The existence of a Thumbs.db file indicates that the folder was accessed remotely.
  19. [Figure] Note: different UIDs.
  20. Thumbs.db internals: the venerable structured storage (OLE compound file) format.
  21. Thumbs.db internals: the venerable structured storage file format (continued).
  22. Questions?
