diff --git a/docs/libwtcdb.md b/docs/libwtcdb.md index 9a7b550d0..984085bce 100644 --- a/docs/libwtcdb.md +++ b/docs/libwtcdb.md @@ -6,8 +6,8 @@ tags: - LGPL --- The **libwtcdb** package contains a library and applications to read the -[Windows Explorer Thumbnail Cache database (thumbcache.db) -format](vista_thumbcache.md) format. +[Windows Explorer Thumbnail Cache database (thumbcache.db) format](windows_thumbcache.md) +format. ## Tools @@ -18,10 +18,9 @@ The **libwtcdb** package contains the following tools: ## See Also -- [Windows Explorer Thumbnail Cache database (thumbcache.db) - format](vista_thumbcache.md) +* [Windows Explorer Thumbnail Cache database (thumbcache.db) format](windows_thumbcache.md) ## External Links -- [Project site](https://github.com/libyal/libwtcdb/) +* [Project site](https://github.com/libyal/libwtcdb/) diff --git a/docs/thumbnailexpert.md b/docs/thumbnailexpert.md index 3a8ebc3e6..8c3910e4e 100644 --- a/docs/thumbnailexpert.md +++ b/docs/thumbnailexpert.md @@ -75,7 +75,7 @@ caches of many programs. - Windows Seven Explorer (c) Microsoft - thumbcache_idx.db, thumbcache_1024.db, thumbcache_256.db, thumbcache_96.db, thumbcache_32.db -- [Windows Vista Explorer](vista_thumbcache.md) Microsoft - +- [Windows Vista Explorer](windows_thumbcache.md) Microsoft - thumbcache_idx.db, thumbcache_1024.db, thumbcache_256.db, thumbcache_96.db, thumbcache_32.db - WinNc (c) Dunes MulitMedia, Inc. - WinNcThumbs.db diff --git a/docs/thumbnails.md b/docs/thumbnails.md index 197754de1..1886a46f8 100644 --- a/docs/thumbnails.md +++ b/docs/thumbnails.md @@ -11,7 +11,7 @@ See [Thumbs.db](thumbs.db.md). ## [Windows](windows.md) Vista -*See [Vista thumbcache](vista_thumbcache.md)* +*See [Windows thumbcache](windows_thumbcache.md)* Thumbs.db no longer exists in Vista. This data has been moved to *\Users\\\AppData\Local\Microsoft\Windows\Explorer* diff --git a/docs/thumbs.db.md b/docs/thumbs.db.md index 90497cef5..cc183674d 100644 --- a/docs/thumbs.db.md 
+++ b/docs/thumbs.db.md @@ -32,7 +32,7 @@ files. # Windows Vista/7 -*See [Vista thumbcache](vista_thumbcache.md)* +*See [Windows thumbcache](windows_thumbcache.md)* Thumbs.db no longer exists in Vista/7 as individual files. This data has been moved to a centralized database located in diff --git a/docs/vista_thumbcache.md b/docs/vista_thumbcache.md index 40a110663..1724dc793 100644 --- a/docs/vista_thumbcache.md +++ b/docs/vista_thumbcache.md 
@@ -1,107 +1,6 @@ --- tags: - - Windows + - Redirect --- -## Overview -[Windows Vista](windows_vista.md) stores [thumbnails](thumbnails.md) in the -following directory: - - \Users\%username%\AppData\Local\Microsoft\Windows\Explorer - -This directory contains following files: - -* thumbcache_idx.db -* thumbcache_32.db, thumbcache_96.db, thumbcache_256.db, and - thumbcache_1024.db -* thumbcache_sr.db - -Thumbnails are stored in *thumbcache_NN.db* files in different formats. -There are several tools that can work with Vista thumbcache database -(see below) and individual images can be extracted using [file -carving](file_carving.md). Unfortunately, there is no -information in the thumbcache database that can easily link thumbnails -with original files in all cases. One of the ways to link the thumbnails -with original files is to use the contents of the [Windows Search -(windows.edb)](windows_desktop_search.md) database. - -## Thumbcache Format - -In general, every thumbnail in cache is associated with two 64-bit -variables. First variable (sometimes called *Unique ID*, *Secret*, *File -ID*) associates data in file *thumbcache_idx.db* with thumbnail data in -*thumbcache_NN.db* files; the purpose of this variable is unclear. -Another variable is *Thumbnail Cache ID* (sometimes called *Thumbnail -filename* (in [FTK](forensic_toolkit.md) is used to link -thumbnails with original files. Actually, *Thumbnail Cache ID* is -represented as Unicode string of HEX encoding. - -## Thumbnail Creation Process - -[Windows](windows.md) Vista creates thumbnails for files on -different media types, including: - -* Removable devices -* Network drives -* Encrypted containers (e.g. PGP Desktop, [TrueCrypt](truecrypt.md), BestCrypt) - -[Windows](windows.md) Vista doesn't create thumbnails for files encrypted using -EFS unless thumbcache directory is encrypted too; [Windows](windows.md) Vista -doesn't delete thumbnails for files after they were encrypted using EFS. 
- -Some programs may generate thumbnails for some file types which are -displayed in Windows Explorer, but not stored in the thumbcache (e.g. -Ascon Kompas). - -## Linking thumbnails with original files - -### Using Windows Indexer - -One way to link thumbnails with original files is to use Windows Indexer -database, which stores association between **indexed** files and -*ThumbnailCacheIDs* with some metadata. The windows.edb database file -contents can be extracted using [Windows Search Index -Extractor](http://www.simplecarver.com/tool.php?toolname=Windows%20Search%20Index%20Extractor) - -#### Using Windows PowerShell - -Windows PowerShell provides easy way to access this database using SQL queries. -Note that most forensic tools (like FTK display *ThumbnailCacheID* -(where FTK calls it *Thumbnail filename*) in hexadecimal, but Windows PowerShell -returns the result in decimal. - -#### Using HEX editor - -You can also search for *ThumbnailCacheID* value in *Windows.edb* file -using your favorite HEX editor. - -### Vista Windows Photo Gallery - -Windows Vista includes a built-in picture previewing tool called Windows -Photo Gallery (the LIVE edition may also be installed by the user). Both -of these programs create the files *pictures.pd4* and *pictures.pd5* -respectively containing the *ThumbnailCacheID* and file path information -of previewed pictures and videos. 
The contents of the pictures.pd4 and -pictures.pd5 can be extracted using [WPG Viewer](http://www.simplecarver.com/tool.php?toolname=WPG%20Viewer) - -## External Links - -* [Windows Explorer Thumbnail Cache database (thumbcache.db) format](https://github.com/libyal/libwtcdb/blob/main/documentation/Windows%20Explorer%20Thumbnail%20Cache%20database%20format.asciidoc), - by the [libwtcdb project](libwtcdb.md) - -### ThumbnailCacheId - -* [System.ThumbnailCacheId](https://learn.microsoft.com/en-us/windows/win32/properties/props-system-thumbnailcacheid) -* [IThumbnailCache interface](https://learn.microsoft.com/en-us/windows/win32/api/thumbcache/nn-thumbcache-ithumbnailcache) - -### Non-English - -* Использование централизованных баз данных эскизов для исследования - графических файлов на зашифрованных разделах, ITDefence, 2009 ([extended version](https://www.securitylab.ru/analytics/370474.php)) - -## Tools - -* [FTK](forensic_toolkit.md) -* [Thumbs.db Viewer](http://www.janusware.com/?page=412,2) -* [Thumbcache-viewer](https://code.google.com/archive/p/thumbcache-viewer) -* [WinThumbs](http://www.simplecarver.com/tool.php?toolname=WinThumbs%20Extractor) +_See: [Windows thumbcache](windows_thumbcache.md)_ diff --git a/docs/windows.md b/docs/windows.md index 85eabeedb..c5a687722 100644 --- a/docs/windows.md +++ b/docs/windows.md @@ -172,7 +172,7 @@ keys and values that provides a wealth of information to forensic systems. They contain thumbnails of images or documents and can be of great value for the [investigator](investigator.md). -See also: [Vista thumbcache](vista_thumbcache.md). +See also: [Windows thumbcache](windows_thumbcache.md). ### Browser Cache diff --git a/docs/windows_thumbcache.md b/docs/windows_thumbcache.md new file mode 100644 index 000000000..11d60b860 --- /dev/null +++ b/docs/windows_thumbcache.md 
@@ -0,0 +1,109 @@ +--- +tags: + - Windows +--- +## Overview + +[Windows Vista](windows_vista.md) stores [thumbnails](thumbnails.md) in the +following directory: + + \Users\%username%\AppData\Local\Microsoft\Windows\Explorer + +This directory contains following files: + +* thumbcache_idx.db +* thumbcache_32.db, thumbcache_96.db, thumbcache_256.db, and + thumbcache_1024.db +* thumbcache_sr.db + +Thumbnails are stored in *thumbcache_NN.db* files in different formats. +There are several tools that can work with Vista thumbcache database +(see below) and individual images can be extracted using [file +carving](file_carving.md). Unfortunately, there is no +information in the thumbcache database that can easily link thumbnails +with original files in all cases. One of the ways to link the thumbnails +with original files is to use the contents of the [Windows Search +(windows.edb)](windows_desktop_search.md) database. + +## Thumbcache Format + +In general, every thumbnail in cache is associated with two 64-bit +variables. First variable (sometimes called *Unique ID*, *Secret*, *File +ID*) associates data in file *thumbcache_idx.db* with thumbnail data in +*thumbcache_NN.db* files; the purpose of this variable is unclear. +Another variable is *Thumbnail Cache ID* (sometimes called *Thumbnail +filename* (in [FTK](forensic_toolkit.md) is used to link +thumbnails with original files. Actually, *Thumbnail Cache ID* is +represented as Unicode string of HEX encoding. + +## Thumbnail Creation Process + +[Windows](windows.md) Vista creates thumbnails for files on +different media types, including: + +* Removable devices +* Network drives +* Encrypted containers (e.g. PGP Desktop, [TrueCrypt](truecrypt.md), BestCrypt) + +[Windows](windows.md) Vista doesn't create thumbnails for files encrypted using +EFS unless thumbcache directory is encrypted too; [Windows](windows.md) Vista +doesn't delete thumbnails for files after they were encrypted using EFS. 
+ +Some programs may generate thumbnails for some file types which are +displayed in Windows Explorer, but not stored in the thumbcache (e.g. +Ascon Kompas). + +## Linking thumbnails with original files + +### Using Windows Indexer + +One way to link thumbnails with original files is to use Windows Indexer +database, which stores association between **indexed** files and +*ThumbnailCacheIDs* with some metadata. The windows.edb database file +contents can be extracted using [Windows Search Index +Extractor](http://www.simplecarver.com/tool.php?toolname=Windows%20Search%20Index%20Extractor) + +#### Using Windows PowerShell + +Windows PowerShell provides easy way to access this database using SQL queries. +Note that most forensic tools (like FTK display *ThumbnailCacheID* +(where FTK calls it *Thumbnail filename*) in hexadecimal, but Windows PowerShell +returns the result in decimal. + +#### Using HEX editor + +You can also search for *ThumbnailCacheID* value in *Windows.edb* file +using your favorite HEX editor. + +### Vista Windows Photo Gallery + +Windows Vista includes a built-in picture previewing tool called Windows +Photo Gallery (the LIVE edition may also be installed by the user). Both +of these programs create the files *pictures.pd4* and *pictures.pd5* +respectively containing the *ThumbnailCacheID* and file path information +of previewed pictures and videos. 
The contents of the pictures.pd4 and +pictures.pd5 can be extracted using [WPG Viewer](http://www.simplecarver.com/tool.php?toolname=WPG%20Viewer) + +## External Links + +* [Windows Explorer Thumbnail Cache database (thumbcache.db) format](https://github.com/libyal/libwtcdb/blob/main/documentation/Windows%20Explorer%20Thumbnail%20Cache%20database%20format.asciidoc), + by the [libwtcdb project](libwtcdb.md) + +### ThumbnailCacheId + +* [System.ThumbnailCacheId](https://learn.microsoft.com/en-us/windows/win32/properties/props-system-thumbnailcacheid) +* [IThumbnailCache interface](https://learn.microsoft.com/en-us/windows/win32/api/thumbcache/nn-thumbcache-ithumbnailcache) + +### Non-English + +* Использование централизованных баз данных эскизов для исследования + графических файлов на зашифрованных разделах, ITDefence, 2009 ([extended version](https://www.securitylab.ru/analytics/370474.php)) +* [Forensische Analyse des Microsoft Windows Thumbnail Cache](https://it-forensik.fiw.hs-wismar.de/images/a/a5/BT_SAugustin.pdf), + by Stefan Augustin, August 2023 + +## Tools + +* [FTK](forensic_toolkit.md) +* [Thumbs.db Viewer](http://www.janusware.com/?page=412,2) +* [Thumbcache-viewer](https://thumbcacheviewer.github.io/) +* [WinThumbs](http://www.simplecarver.com/tool.php?toolname=WinThumbs%20Extractor)
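Review bot: The retargeted sentence in the first libwtcdb.md hunk still ends in a doubled word: the link text already closes with "format", and the next line is just "format.", so the page reads "...(thumbcache.db) format](windows_thumbcache.md) format." Since the link is being rewritten anyway, drop the trailing word and close the sentence after the link: "...applications to read the [Windows Explorer Thumbnail Cache database (thumbcache.db) format](windows_thumbcache.md)."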
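Review bot: The "See Also" / "External Links" hunk in libwtcdb.md switches the list marker from `-` to `*` as part of what is otherwise a link retarget, and the thumbnailexpert.md hunk in the same patch keeps `-`, so the docs end up mixing markers. Either leave the marker alone here (keeping the diff to the link change) or make the marker change consistently across the touched pages in its own commit.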
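Review bot: In the thumbnailexpert.md hunk only the "Windows Vista Explorer" entry is linked to windows_thumbcache.md, while the "Windows Seven Explorer" entry two lines above lists the same thumbcache_*.db files and stays unlinked; now that the target page is named for Windows generally, link that entry too. The adjacent context line also carries a typo worth fixing in the same pass: "Dunes MulitMedia, Inc." should read "Dunes MultiMedia, Inc."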
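Review bot: The context line right after the retargeted link in thumbnails.md gives the cache location as `*\Users\\\AppData\Local\Microsoft\Windows\Explorer*`, which has lost its user-name component to markdown escaping, whereas the page it now points to writes the same path as `\Users\%username%\AppData\Local\Microsoft\Windows\Explorer`. Use the `%username%` form here as well (inside a code span so the backslashes survive), so the two pages agree on the path an examiner has to collect.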
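Review bot: The redirect stub left in vista_thumbcache.md is written as `_See: [Windows thumbcache](windows_thumbcache.md)_`, while every other pointer in this patch uses the form `*See [Windows thumbcache](windows_thumbcache.md)*`; align the stub with that. Also, because the page is deleted here and recreated in windows_thumbcache.md rather than detected as a rename, the text changes between the two copies are invisible in the diff: the Thumbcache-viewer link moves from https://code.google.com/archive/p/thumbcache-viewer to https://thumbcacheviewer.github.io/ and a new reference is added. Call both out in the commit message, or land them as a separate commit on top of a pure move.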
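Review bot: windows_thumbcache.md is now named for Windows in general, but its body still describes only Windows Vista ("[Windows Vista](windows_vista.md) stores [thumbnails]...", "[Windows](windows.md) Vista creates thumbnails", "tools that can work with Vista thumbcache database"), even though thumbs.db.md in this same patch heads the section "Windows Vista/7" and thumbnailexpert.md lists the same thumbcache_*.db files for "Windows Seven Explorer"; either widen the overview wording to the versions the rest of the docs already attribute the centralized cache to, or keep the Vista-specific name. Since the text is being re-added wholesale, this is also the moment to fix the defects it carries over: "contains following files" should be "contains the following files"; the parentheses are unbalanced in "(sometimes called *Thumbnail filename* (in [FTK](forensic_toolkit.md) is used to link" and in "(like FTK display *ThumbnailCacheID*"; the sentences ending in the Windows Search Index Extractor and WPG Viewer links have no terminating period; and "represented as Unicode string of HEX encoding" would be clearer as "represented as a Unicode string of the hexadecimal value".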