Windows 7 Forensics - Part IV - Thumbcache_*.db
Written by Lance Mueller
Sunday, 10 January 2010 02:25
Windows 7 creates small thumbnail images of graphic files the same way previous versions of Windows do; nothing new here. It stores the thumbnails in the same location as Windows Vista:
C:\Users\%username%\AppData\Local\Microsoft\Windows\Explorer
There are files named Thumbcache_32.db, Thumbcache_96.db, Thumbcache_256.db and Thumbcache_1024.db, which correspond to the thumbnails stored for that specific user account and size.
Currently, the latest release of EnCase (6.15.0.82) does *not* parse these files correctly. The structure has changed slightly, so if you try to view the contents of any of the "thumbcache" files, EnCase will mount them without error, but they will appear empty. You can, however, use the File Finder module to carve JPG images out of the *.db files.
If anyone is using any other tools and can confirm they handle these new Windows 7 thumbcache files correctly, please post the name in the comments so everyone can benefit and have a tool until EnCase incorporates this support.
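The carving approach mentioned above can be reproduced without EnCase. The following is an added example, not code from the original post or from any tool it names: it finds each JPEG start signature in a byte buffer and walks the JPEG segment structure to the real end-of-image marker, so a thumbnail embedded inside an image's own metadata does not cut the carve short. It assumes nothing about the thumbcache record layout, recovers only JPEG streams, and the sample buffer is constructed for illustration.

```python
def skip_scan(buf, pos):
    """Advance through entropy-coded data to the next real marker, or None."""
    while 0 <= (pos := buf.find(b"\xff", pos)) < len(buf) - 1:
        nxt = buf[pos + 1]
        if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
            pos += 2                      # stuffed FF00 or restart marker
        elif nxt == 0xFF:
            pos += 1                      # fill byte
        else:
            return pos
    return None

def jpeg_end(buf, start):
    """Return the offset just past EOI for the JPEG at `start`, or None."""
    pos, n = start + 2, len(buf)          # skip SOI (FF D8)
    while pos is not None and pos + 2 <= n and buf[pos] == 0xFF:
        marker = buf[pos + 1]
        if marker == 0xFF:                # fill byte before a marker
            pos += 1
        elif marker == 0xD9:              # EOI: end of this image
            return pos + 2
        elif marker == 0x01 or 0xD0 <= marker <= 0xD7:
            pos += 2                      # markers that carry no length field
        elif pos + 4 > n:
            return None                   # truncated inside a segment header
        else:
            seglen = int.from_bytes(buf[pos + 2:pos + 4], "big")
            if seglen < 2:
                return None               # length must include its own 2 bytes
            pos += 2 + seglen
            if marker == 0xDA:            # SOS: scan data follows the header
                pos = skip_scan(buf, pos)
    return None                           # malformed or truncated stream

def carve_jpegs(buf):
    """Return [(offset, jpeg_bytes), ...] for every well-formed JPEG in buf."""
    found, pos = [], 0
    while (pos := buf.find(b"\xff\xd8\xff", pos)) >= 0:
        end = jpeg_end(buf, pos)
        if end:
            found.append((pos, buf[pos:end]))
        pos = end or pos + 2              # resume after the image, or past a false hit
    return found

# Constructed sample (not the real thumbcache layout): filler bytes, two minimal
# JPEG streams whose APP1 segment hides a fake SOI/EOI pair, and a truncated header.
APP1 = b"\xff\xe1\x00\x08" + b"\xff\xd8\xff\xd9\x00\x00"
JPG = b"\xff\xd8" + APP1 + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00" + b"\x12\xff\x00\x34\xff\xd9"
SAMPLE = b"CONSTRUCTED" + JPG + b"\x00" * 5 + JPG + b"\xff\xd8\xff\xe0\x00\x10JFIF"
```

To use it on evidence, pass `carve_jpegs` the bytes of a working copy of a Thumbcache_*.db file and write each result out named by its offset, so every carved image can be traced back to its position in the source file.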
Posted: 2010-01-10 07:25:00