Thumbcache.db Primer

by Michael L. Kelley Jr.

thumbs.db is a Microsoft Windows thumbnail cache "database" file.  This file holds information pertaining to thumbnails of images saved on a computer.  The thumbnails most commonly come from JPG, PNG, and BMP files.  This file can also include thumbnails from formats other than images, such as DOCX, PDF, HTML, AVI, and others.

In forensics, this is a pertinent file to pay attention to.  The main reason is that when images are deleted from a computer, thumbs.db will retain the thumbnail data for the image file unless it is cleared out too.  Some might be unaware of this, allowing forensic investigators to trace back an image that was previously deleted.  Thumbnails have been brought up numerous times in court cases.  For the purposes of this article, I will be working with the Windows 10 operating system and a few bits of Python 3 code just for fun.

General

thumbs.db has been around in Windows since Windows 95.  By default, thumbs.db is a hidden system file and is automatically created by the operating system when image files are present in a folder.  Thumbnails are created to help speed up image processing and to provide a quick preview for images in Windows Explorer.  If an image is deleted, the information will be retained in the thumbs.db file.

From a forensics standpoint, thumbs.db is significant and can be used to prove if an image was indeed on a given computer system at one time.  In Windows XP and earlier, the thumbs.db file would get created whenever there was an instance of an image thumbnail.

The thumbs.db file would be stored in the same folder where those images occurred.  In my opinion, this makes the thumbs.db thumbnails easier to work with and find.  Starting with Windows Vista and later, thumbs.db was replaced with thumbcache_XXX.db files, where the XXX corresponds to maximum pixel size.  The names of these files follow this format:

thumbcache_16.db
thumbcache_32.db
thumbcache_96.db
thumbcache_1024.db

And so on and so forth, according to the resolution size on your given machine.

In Windows 10, thumbs.db is handled a little differently.  Instead of making a .db file in every folder that has an instance of an image, Windows keeps the thumb cache files in a central location.  Thumbnails are only generated for images saved in a user's directory.  You must enable hidden files to see these files show up.  These files are found under a given user's profile at:

C:\Users\%username%\AppData\Local\Microsoft\Windows\Explorer

Thumbnails also have a distinct ID that corresponds to each thumbnail.  This is called the ThumbnailCacheID and a list of these ID values can be found in the file thumbcache_idx in the above folder.

Setup

For this article, the following software will be used/looked at.  Please install in order to follow along:

Enabling Hidden Files and Folders in Windows 10

Research

To begin, copy a few image files to a new folder on your desktop named "Photos."  Open them up a few times.  Now we will use Python to make sure the thumbcache.db files are present on your machine.  This code was run in Python 3.6 and assumes you run the program from the specified folder.

Also make sure you change the file path in the code to reflect your specific username:

import os
# assign variable for file list
# (replace %username% with your account name; Python does not expand it)
files = os.listdir(r"C:\Users\%username%\AppData\Local\Microsoft\Windows\Explorer")
# print the contents of the directory
print(files)

You should see the various thumbcache.db files showing up in that directory.  Now, we will want to grab a copy of one of the thumbcache.db files and save it to another location for later use.  We will use some quick Python code to accomplish this as well.  Make sure you run the Python file from the same directory where the thumbcache files are located.

If you want to skip the Python code you can just use the old fashioned right-click "Copy -> Paste".

The code to copy the file is:

import shutil
# copy a file to a new file: shutil.copyfile(src, dst)
# replace 'thumbcache.db' with a real cache file name, e.g. 'thumbcache_96.db'
# the copied file name must be different from the source
shutil.copyfile('thumbcache.db', 'thumbscopy.db')
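
For evidence handling, a copy is only useful if it can be shown to match the original.  The following is an added example, not part of the original article: it collects every thumbcache_XXX.db file from a folder, hashes the source and the copy with SHA-256, and returns a manifest.  The function names, the manifest fields, and the sample folder contents are assumptions made for illustration.

```python
import hashlib
import re
import shutil
import tempfile
from pathlib import Path

# thumbcache_XXX.db naming as described in the article (XXX = maximum pixel size).
# Non-numeric tags such as "idx" are collected too, with max_pixels set to None.
NAME_RE = re.compile(r"^thumbcache_(\w+)\.db$", re.IGNORECASE)

def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()

def acquire(explorer_dir, evidence_dir):
    """Copy each thumbcache file, hash source and copy, return a manifest."""
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for src in sorted(Path(explorer_dir).iterdir()):
        match = NAME_RE.match(src.name)
        if not match or not src.is_file():
            continue
        tag = match.group(1)
        row = {"name": src.name, "max_pixels": int(tag) if tag.isdigit() else None}
        try:
            row["source_sha256"] = sha256_of(src)
            dst = Path(shutil.copy2(src, evidence_dir / src.name))  # keeps mtime
            row["copy_sha256"] = sha256_of(dst)
            # A mismatch means the cache changed while it was being copied.
            row["verified"] = row["source_sha256"] == row["copy_sha256"]
        except OSError as exc:  # e.g. the file is locked by a running Explorer
            row["verified"], row["error"] = False, str(exc)
        manifest.append(row)
    return manifest

def make_sample_dir():
    """Constructed stand-in for the Explorer folder (fake contents, not real caches)."""
    root = Path(tempfile.mkdtemp())
    for name in ("thumbcache_96.db", "thumbcache_1024.db",
                 "thumbcache_idx.db", "iconcache_16.db"):
        (root / name).write_bytes(b"constructed sample " + name.encode())
    return root

if __name__ == "__main__":
    sample = make_sample_dir()
    for row in acquire(sample, sample / "evidence"):
        print(row["name"], row["max_pixels"], row["verified"], row.get("copy_sha256"))
```

On a real system, pass the Explorer folder shown earlier as the first argument and keep the returned manifest alongside the copies.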

Now, open the Thumbcache Viewer program you installed earlier.  We will use this to check what is going on with the thumbcache.db files located in the Explorer folder.  Once Thumbcache Viewer is opened, navigate to one of the thumbcache.db files and open it up.

What do you notice?  The contents of the image you just deleted are still visible in the thumbcache.db file.  If this were an investigation, you would have just been found out!  This is the magic of the thumbs.db and thumbcache.db files and how they can be used for evidence.  If someone could get access to these files, they could see the thumbnails for images that may have been deleted from their original folders/location a long time ago.

One important note is that the thumbnails found in the thumbcache.db files do not retain the same file name as the original image that they point to.  Instead, they are named using a Unicode string, the ThumbnailCacheID.  This ID is useful for tying a thumbcache entry to its original source image, because thumbcache.db files do not store the path to the source images in the way that thumbs.db files do.  To research this aspect further, check out the Thumbcache Parser software by Guidance Software.

Thumbnail Database Cleaner can be used to clear out the thumbcache.db files.  Once cleared, remember that the files will begin to repopulate for any future images on your system.  You can also have Windows disable thumbnail caching by going to "Folder Options" and enabling the setting "Always show icons, never thumbnails."  This will ensure that the thumbcache_XXX.db cache files do not get generated.

Another program that is able to clear out thumbnail cache files is CCleaner, which can also clear out various other temporary and junk files.

Additional Software

Further Research

Conclusion

thumbs.db and thumbcache.db are featured in Windows operating systems to speed up image processing and loading times, but the impact they have in computer forensics can be significant.  Knowing that these files exist is important because they take up space, can be used to track down a lost image, and can be used as evidence to show that an image was connected to a specific computer system in some way.  Play around with these files and see what you can come up with.

Further Reading
