Difference between revisions of "Thumbs.db"
m |
(Added MiTeC Windows File Analyzer for thumbs.db extraction) |
||
Line 4: | Line 4: | ||
There is a forensic application developed under the open source project over at sourceforge called vinetto at http://sourceforge.net/projects/vinetto that can extract them. It does require a python enviornment. Additionally there are several other java solutions based around the Jakarta project that is apart of Apache. Additional resources about thumbs.db can be found in a white paper at http://www.accessdata.com/media/en_US/print/papers/wp.Thumbs_DB_Files.en_us.pdf. | There is a forensic application developed under the open source project over at sourceforge called vinetto at http://sourceforge.net/projects/vinetto that can extract them. It does require a python enviornment. Additionally there are several other java solutions based around the Jakarta project that is apart of Apache. Additional resources about thumbs.db can be found in a white paper at http://www.accessdata.com/media/en_US/print/papers/wp.Thumbs_DB_Files.en_us.pdf. | ||
+ | |||
+ | MiTeC Windows File Analyzer [http://www.mitec.cz/wfa.html] is a tool for forensic analysis of Thumbnail Databases, Prefetch files, shortcuts, IExplore Index.DAT files and Recycle Bin contents on a Windows system. It will print a report of analyzed files. | ||
=Windows Vista= | =Windows Vista= | ||
Thumbs.db no longer exists in Vista. This data has been moved to ''User Profile/Application Data/Microsoft Internet Explorer/Thumbscache32, 96 and 128''' | Thumbs.db no longer exists in Vista. This data has been moved to ''User Profile/Application Data/Microsoft Internet Explorer/Thumbscache32, 96 and 128''' |
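Review bot: the added MiTeC paragraph says the tool does "forensic analysis of Thumbnail Databases" and prints a report, but it never says whether it extracts the thumbnails from Thumbs.db, which is what the edit summary claims and what the preceding vinetto paragraph is about; state explicitly whether it can export the images. The bare bracketed link `[http://www.mitec.cz/wfa.html]` also renders as an unlabeled "[1]"; give it a label, or write the URL inline like the other links in this section.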
Revision as of 16:21, 20 December 2007
Thumbs.db is a file created by Windows when thumbnail view is used. It is a hidden file that most users never see, and it is not updated when images are moved out of a folder or deleted, so it keeps thumbnails of images that have passed through that folder. This gives a secondary chance that someone will leave behind at least partial evidence of an image in their Windows folders.
The thumbnails in Thumbs.db are stored in an OLE 2 Compound Document format. It's the same format that MS Office uses.
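Because the container is an OLE 2 compound document, a candidate file can be confirmed and its streams listed by reading the header and directory sectors directly. The following is an added example, not code from this page or from vinetto; `list_entries` and `build_sample` are names chosen here, the sample file is constructed, and only the 109 FAT locations stored in the header are followed.

```python
import struct

MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")     # OLE 2 compound document signature
FREESECT, ENDOFCHAIN, FATSECT = 0xFFFFFFFF, 0xFFFFFFFE, 0xFFFFFFFD
TYPES = {1: "storage", 2: "stream", 5: "root"}

def list_entries(data):
    """Return (name, type, size) for every directory entry in an OLE 2 file."""
    if len(data) < 512 or data[:8] != MAGIC:
        raise ValueError("not an OLE 2 compound document")
    shift = struct.unpack_from("<H", data, 30)[0]
    if shift not in (9, 12):                  # 512- or 4096-byte sectors only
        raise ValueError("unexpected sector size")
    ssize = 1 << shift
    # Sector n starts after the header; short reads are zero-padded.
    sector = lambda n: data[(n + 1) * ssize:(n + 2) * ssize].ljust(ssize, b"\0")
    fat = []                                  # built from the header's 109 DIFAT slots
    for s in struct.unpack_from("<109I", data, 76):
        if s != FREESECT:
            fat += struct.unpack("<%dI" % (ssize // 4), sector(s))
    entries, seen = [], set()
    sec = struct.unpack_from("<I", data, 48)[0]   # first directory sector
    while sec < len(fat) and sec not in seen:     # 'seen' stops looping chains
        seen.add(sec)
        raw = sector(sec)
        for off in range(0, ssize, 128):          # 128-byte directory entries
            nlen, etype = struct.unpack_from("<HB", raw, off + 64)
            if etype in TYPES and 2 <= nlen <= 64:
                name = raw[off:off + nlen - 2].decode("utf-16-le", "replace")
                size = struct.unpack_from("<I", raw, off + 120)[0]
                entries.append((name, TYPES[etype], size))
        sec = fat[sec]
    return entries

def build_sample():
    """Constructed input: header + FAT sector + directory sector, no stream data."""
    hdr = bytearray(512)
    hdr[:8] = MAGIC
    struct.pack_into("<HHHH", hdr, 24, 0x3E, 3, 0xFFFE, 9)  # version 3, 512-byte sectors
    struct.pack_into("<II", hdr, 44, 1, 1)    # one FAT sector; directory in sector 1
    struct.pack_into("<109I", hdr, 76, 0, *[FREESECT] * 108)
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *[FREESECT] * 126)
    def entry(name, etype, size):
        n = (name + "\0").encode("utf-16-le")
        return (n.ljust(64, b"\0") + struct.pack("<HB", len(n), etype)
                + bytes(49) + struct.pack("<II", ENDOFCHAIN, size) + bytes(4))
    directory = entry("Root Entry", 5, 0) + entry("1", 2, 3000) + bytes(256)
    return bytes(hdr) + fat + directory
```

On an evidence copy, pass the file's bytes to `list_entries`; a `ValueError` means the file is not an OLE 2 container despite its name.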
A forensic application called vinetto, an open source project hosted on SourceForge at http://sourceforge.net/projects/vinetto, can extract them. It requires a Python environment. There are also several Java solutions based on the Jakarta project, which is a part of Apache. Additional resources about Thumbs.db can be found in a white paper at http://www.accessdata.com/media/en_US/print/papers/wp.Thumbs_DB_Files.en_us.pdf.
MiTeC Windows File Analyzer (http://www.mitec.cz/wfa.html) is a tool for forensic analysis of Thumbnail Databases, Prefetch files, shortcuts, IExplore Index.DAT files and Recycle Bin contents on a Windows system. It will print a report of analyzed files.
Windows Vista
Thumbs.db no longer exists in Vista. This data has been moved to User Profile/Application Data/Microsoft Internet Explorer/Thumbscache32, 96 and 128