Revisiting Windows Thumbnail files, thumbs.db and thumbcache

In those difficult cases where an examiner has to scrape together the smallest pieces of evidence to form a case, Windows thumbnail databases often prove to be very useful.

When Windows Vista arrived, one of the new artefacts mentioned in forensic reviews was the thumbcache files, which were said to replace the thumbs.db files found in earlier versions of Windows. There was never any mention that the thumbs.db file did still exist in Vista under certain circumstances; in fact, at the time of writing, one Forensics Wiki states “thumbs.db no longer exists in Vista/7 as individual files”.

This paper takes a new look at the forensic implications of Windows thumbnail databases and uncovers some surprising findings that challenge one of the main implications drawn from the presence of Windows thumbnail databases.

