Windows 7 forensics thumbnail-dtl-r4
Posted: 13-Sep-2014
Category: Technology
Transcript of Windows 7 forensics thumbnail-dtl-r4
Tools of the Trade Encase Essentials
Windows 7 Thumbnail Cache
Troy Larson, Principal Forensics Program Manager
TWC Network Security Investigations
NSINV-R3 Research | Readiness | Response
What?
The thumbnail cache supplies the thumbnails shown in Explorer and other shell views.
It is file based:
- Local: thumbcache_*.db files in the user profile.
- Remote: Thumbs.db in the shared folder.
Why?
- Created automatically when folders are opened in Explorer in an icon view.
- Thumbnail cache files retain thumbnail images long after the source file has been deleted.
- A Thumbs.db in a folder indicates that the folder was shared and browsed over the network.
When?
Thumbnail cache files are likely to be worth investigating when:
- There is a concern about illicit images.
- There is a concern that graphic files have been deleted.
- A comprehensive review of the thumbnail cache files can be performed efficiently.
A number of tools scan and present the contents of thumbcache and Thumbs.db files, but some tools only work on certain versions of Windows.
(Screenshot: the content of a folder beside the content of its Thumbcache_256.db.)
What is a thumbnail?
An image that is used to represent an item:
- Picture or graphical items.
- But also other files that contain images.
Distinguished from a mere icon:
- Thumbnails are per item, rather than per file type, and
- dynamically generated from the item's content.
- Stored separately from the icon caches.
The per-account, local thumbnail caches are found at C:\Users\[Profile]\AppData\Local\Microsoft\Windows\Explorer.
The local, account-specific thumbnail cache consists of an index and four data files:
- thumbcache_idx.db: index of which data file caches each image.
- Image cache files, named by thumbnail size:
  - thumbcache_32.db, bitmap based, 32x32.
  - thumbcache_96.db, bitmap based, 96x96.
  - thumbcache_256.db, JPEG based, 256x256.
  - thumbcache_1024.db, JPEG based, special instances.
New thumbnails are usually appended to the end of a thumbcache file.
Example from C:\Users\troyla\Pictures, with the ThumbnailCacheIds as paired on the slide:

  File                   ThumbnailCacheId
  atomic-explosion.jpg   0x81A9D28BFA8E4E59
  Chrysanthemum.jpg      0xEE0CAA5E28390724
  Desert.jpg             0xDF17189B15C5C9CD

Cache files: thumbcache_idx.db, thumbcache_32.db, thumbcache_96.db, thumbcache_256.db, thumbcache_1024.db.
Lookup path:
1. The ThumbnailcacheID is used to look up the thumbnail's address in thumbcache_idx.db.
2. thumbcache_idx.db provides the offsets into the thumbcache_*.db files.
3. thumbcache_*.db provides the thumbnails to Explorer.

Thumbcache information does not point to any file. The ThumbnailcacheID is derived from the original file's information and is what locates the thumbnail; there is no file name or path information in the thumbcache_* files.
No direct path leads from a thumbnail in thumbcache_32.db, thumbcache_96.db, thumbcache_256.db or thumbcache_1024.db back to the original file in C:\Users\troyla\Pictures.
Most Windows 7 thumbnail cache viewers display the thumbnail together with its ThumbnailcacheID (screenshot: 0xEE0CAA5E28390724 in Thumbnail Expert, http://www.thumbnailexpert.com/).
Linking a thumbcache thumbnail to its source: the Windows Search index maintains both the path and the ThumbnailcacheID of indexed items, and can be used to link a thumbnail to its source, but only for locations that were included in the index.
Record layout. First dump: the start of a thumbcache_96.db (the BMP header inside it gives a width of 96), showing the file header, the first record header, the ThumbnailcacheID 0xEE0CAA5E28390724 and the image file header. The right-hand column decodes the fields from the bytes shown:

Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000000  43 4D 4D 4D 15 00 00 00 01 00 00 00 18 00 00 00   file header: "CMMM", version 0x15 (Windows 7), cache type 1, first record at 0x18
00000010  E0 E6 1C 00 3A 00 00 00 43 4D 4D 4D 88 6C 00 00   first free offset 0x1CE6E0, 0x3A records | record header: "CMMM", record size 0x6C88
00000020  24 07 39 28 5E AA 0C EE 20 00 00 00 02 00 00 00   ThumbnailcacheID, little-endian = 0xEE0CAA5E28390724; identifier 0x20 bytes; padding 2 bytes
00000030  36 6C 00 00 00 00 00 00 47 07 D9 39 67 BF AF D5   image data size 0x6C36; unknown (0); 64-bit data checksum
00000040  EE B6 79 3E E2 C4 B8 56 65 00 65 00 30 00 63 00   64-bit header checksum | identifier "ee0caa5e28390724" in UTF-16LE ...
00000050  61 00 61 00 35 00 65 00 32 00 38 00 33 00 39 00   ... the same ID again, as hex text
00000060  30 00 37 00 32 00 34 00 00 00 42 4D 36 6C 00 00   ... | 2 bytes padding | image file header: "BM", BMP file size 0x6C36
00000070  00 00 00 00 36 00 00 00 28 00 00 00 60 00 00 00   pixel data at 0x36; DIB header size 0x28; width 0x60 = 96
00000080  48 00 00 00 01 00 20 00 00 00 00 00 00 00 00 00   height 0x48 = 72; 1 plane; 32 bits per pixel; uncompressed
00000090  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000000A0  0A 10 C3 FF 14 40 E3 FF 1C 6B FA FF 1B 78 FC FF   pixel data (BGRA)
000000B0  18 7A FE FF 05 63 F9 FF 05 47 EE FF 02 3A E5 FF

Check: 48-byte record header + 32-byte identifier + 2 bytes padding + 0x6C36 bytes of image = 0x6C88, the record size, so the next record starts at 0x18 + 0x6C88 = 0x6CA0.

Second dump: a record from a JPEG-based cache file (thumbcache_256.db or thumbcache_1024.db) for ThumbnailcacheID 0xDF17189B15C5C9CD. The previous record's JPEG ends with the FF D9 end-of-image marker immediately before the next "CMMM" header, which is what makes these records straightforward to carve:

Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00004460  32 31 E0 63 15 05 8C 6C D2 96 8B 70 21 B2 08 ED   tail of the previous record's JPEG data
00004470  58 57 84 6B C6 F7 B1 B5 2A 72 A6 94 13 D0 FF D9   ... ending in FF D9
00004480  43 4D 4D 4D D3 2E 00 00 CD C9 C5 15 9B 18 17 DF   record header: "CMMM", record size 0x2ED3; ThumbnailcacheID = 0xDF17189B15C5C9CD
00004490  20 00 00 00 00 00 00 00 83 2E 00 00 00 00 00 00   identifier 0x20 bytes; padding 0; image data size 0x2E83; unknown (0)
000044A0  47 A2 78 FB FC F1 96 88 11 0B DF E7 10 20 64 B8   data checksum; header checksum
000044B0  64 00 66 00 31 00 37 00 31 00 38 00 39 00 62 00   identifier "df17189b15c5c9cd" in UTF-16LE ...
000044C0  31 00 35 00 63 00 35 00 63 00 39 00 63 00 64 00   ...
000044D0  FF D8 FF E0 00 10 4A 46 49 46 00 01 01 01 00 00   image file header: FF D8 (start of image), APP0 segment "JFIF"
000044E0  00 00 00 00 FF DB 00 43 00 05 03 04 04 04 03 05   FF DB: quantization table
000044F0  04 04 04 05 05 05 06 07 0C 08 07 07 07 07 0F 0B
00004500  0B 09 0C 11 0F 12 12 11 0F 11 11 13 16 1C 17 13
00004510  14 1A 15 11 11 18 21 18 1A 1D 1D 1F 1F 1F 13 17
00004520  22 24 22 1E 24 1C 1E 1F 1E FF DB 00 43 01 05 05   second quantization table
00004530  05 07 06 07 0E 08 08 0E 1E 14 11 14 1E 1E 1E 1E

Check: 48 + 32 + 0 + 0x2E83 = 0x2ED3, the record size.

Screenshot: Thumbcache_32.db.
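As an added worked example (not from Troy Larson's deck), the following Python walks a thumbcache_*.db using the layout the two dumps show and carves each thumbnail under a name built from its ThumbnailcacheID, the way the viewers mentioned above label them. The field names, the version 0x15 check, the cache-type table and the positions of the two checksums are this parser's own assumptions about the format; the file it parses is constructed inside the script from the IDs in the dumps with stub image payloads, not a real cache file, and the checksums are neither computed nor verified.

```python
"""Parse a Windows 7 thumbcache_*.db ("CMMM") file and carve its thumbnails."""
import struct
from dataclasses import dataclass
from typing import Dict, List

# Layout assumed from the annotated dumps (Windows 7, format version 0x15).
FILE_HEADER = struct.Struct("<4sIIIII")      # sig, version, cache type, first entry, first free, count
ENTRY_HEADER = struct.Struct("<4sIQIIIIQQ")  # sig, size, ThumbnailcacheID, id size, pad, data size, unknown, data crc, header crc
CACHE_TYPES = {0: "thumbcache_32", 1: "thumbcache_96", 2: "thumbcache_256",
               3: "thumbcache_1024", 4: "thumbcache_sr"}  # assumed meaning of the cache-type field


@dataclass
class Entry:
    offset: int       # file offset of the record's "CMMM"
    cache_id: int     # ThumbnailcacheID as viewers display it
    identifier: str   # UTF-16LE string stored after the record header
    data: bytes       # raw image bytes exactly as Windows wrote them
    kind: str         # sniffed from the image bytes, not taken from any metadata


def sniff(data: bytes) -> str:
    """Classify a payload by its magic bytes; a record may carry no image at all."""
    if not data:
        return "empty"
    if data[:2] == b"BM":
        return "bmp"
    if data[:3] == b"\xff\xd8\xff":
        return "jpg"
    if data[:8] == b"\x89PNG\r\n\x1a\n":
        return "png"
    return "unknown"


def file_info(buf: bytes) -> dict:
    sig, version, cache_type, first, first_free, count = FILE_HEADER.unpack_from(buf, 0)
    if sig != b"CMMM":
        raise ValueError("missing CMMM signature: not a thumbcache file")
    return {"version": version, "cache": CACHE_TYPES.get(cache_type, f"type {cache_type}"),
            "first_entry": first, "first_free": first_free, "entries": count}


def parse_thumbcache(buf: bytes) -> List[Entry]:
    info = file_info(buf)
    if info["version"] != 0x15:
        raise ValueError(f"version 0x{info['version']:x}: this parser covers the Windows 7 layout only")
    entries, off = [], info["first_entry"]
    # Walk records up to the first free slot. A record whose size does not cover its
    # own fields would never advance (or would run off the end), so stop there.
    while off + ENTRY_HEADER.size <= min(info["first_free"], len(buf)):
        (sig, size, cache_id, id_size, pad, data_size,
         _unknown, _data_crc, _header_crc) = ENTRY_HEADER.unpack_from(buf, off)
        if sig != b"CMMM" or size < ENTRY_HEADER.size + id_size + pad + data_size:
            break
        pos = off + ENTRY_HEADER.size
        identifier = buf[pos:pos + id_size].decode("utf-16-le").rstrip("\x00")
        pos += id_size + pad
        data = bytes(buf[pos:pos + data_size])
        entries.append(Entry(off, cache_id, identifier, data, sniff(data)))
        off += size
    return entries


def identifier_matches(entry: Entry) -> bool:
    """The stored identifier is the ID as 16 lowercase hex digits (as in both dumps)."""
    return entry.identifier == f"{entry.cache_id:016x}"


def carve(buf: bytes) -> Dict[str, bytes]:
    """Name each non-empty thumbnail after its ThumbnailcacheID, as the viewers do."""
    return {f"{e.cache_id:016x}.{e.kind}": e.data for e in parse_thumbcache(buf) if e.data}


# --- constructed sample, not a real cache file -------------------------------
def build_entry(cache_id: int, data: bytes, pad: int = 0) -> bytes:
    ident = f"{cache_id:016x}".encode("utf-16-le")
    size = ENTRY_HEADER.size + len(ident) + pad + len(data)
    return (ENTRY_HEADER.pack(b"CMMM", size, cache_id, len(ident), pad, len(data), 0, 0, 0)
            + ident + b"\x00" * pad + data)  # both checksums left at zero


def build_thumbcache(cache_type: int, records: List[bytes]) -> bytes:
    body = b"".join(records)
    first = FILE_HEADER.size
    return FILE_HEADER.pack(b"CMMM", 0x15, cache_type, first, first + len(body), len(records)) + body


BMP_STUB = b"BM" + b"\x00" * 12                                # magic only, no pixels
JPG_STUB = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\xff\xd9"  # SOI, APP0, EOI
SAMPLE = build_thumbcache(1, [                                 # cache type 1, mixed payloads for illustration
    build_entry(0xEE0CAA5E28390724, BMP_STUB, pad=2),  # ID and padding as in dump 1
    build_entry(0xDF17189B15C5C9CD, JPG_STUB),         # ID as in dump 2
    build_entry(0x81A9D28BFA8E4E59, b""),              # record with no image payload
])

if __name__ == "__main__":
    print(file_info(SAMPLE))
    for e in parse_thumbcache(SAMPLE):
        print(f"0x{e.offset:08X} {e.cache_id:016X} {e.kind:7} {len(e.data):6} bytes id_ok={identifier_matches(e)}")
    for name, data in carve(SAMPLE).items():
        print(name, data[:4])
```

The image type is taken from the carved bytes rather than from the file name, so a JPEG sitting in a cache that is nominally bitmap based is still written out with the right extension, and the walk stops at the first free offset, so slack space past the last live record is not misread as records. On a real image the unused tail of the file and the region past the first free offset are still worth carving manually for remnants of overwritten thumbnails.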
Screenshots: contents of Thumbcache_96.db, Thumbcache_256.db and Thumbcache_1024.db.
Thumbs.db on a shared folder (screenshot: \\Buffy-1\C$\Users\troyla\Pictures)
Opening a shared folder in an icon view creates a Thumbs.db file in the shared folder itself, that is, on the host.
Thumbs.db is independent of the per-user thumbnail caches on both host and client.
The existence of a Thumbs.db file indicates that the folder was accessed remotely. Caveat: Windows XP wrote Thumbs.db in local folders as well, so on a volume that predates Windows 7 compare the file's timestamps with the system's history before drawing that conclusion.
Note: Thumbs.db uses different identifiers from the thumbcache_*.db files (screenshot).
Internals: Thumbs.db uses the venerable structured storage (OLE compound file) format.
Questions?