Friday, April 4, 2014

Windows 8 Thumbs.db files - still the same and not the same!

Screenshot of folder in Windows 8 showing Thumbs.db

Thumbs.db files have made a comeback in Windows 8. Now, as in Windows XP, Explorer will create these files in every folder containing media files. This used to be a great forensic resource for investigators because thumbnails, once created and stored in Thumbs.db, remained there even after the image file itself was deleted. This behavior is also seen in Windows 8.

The only thing that is different is the format of these new Thumbs.db files. It is not the Windows XP format, and the usual Thumbs.db file viewers, including most forensic tools, will not parse this file correctly. The format is actually the same as Windows 7 Thumbs.db files. Yes, that was not a typo, I said 'Windows 7'. I had looked into this earlier and the details are available here.

An interesting thing to note is that Windows 8 still maintains the same Thumbcache_*.db files on a per-user basis, as Windows 7 does. So Thumbs.db is really a redundant location for these thumbnails, as they are already cached in the Thumbcache database. So why the duplication?

Update (Thanks proneer for this tip!):
There are some caveats here. On Windows 8, Thumbs.db will only be created in folders under a user profile folder, i.e., C:\Users\<USER>\*. Anything created in C:\, C:\Program Files, C:\ProgramData or any other folder not under a user profile will not have Thumbs.db files.

But this has nothing to do with which user is logged in. A Thumbs.db file will be created even when the logged-in user browses folders under another user's profile (as long as file permissions allow that user to write files to the other user's folder).

This behavior is different from Windows 7 thumbs.db where the location does not matter for creation of thumbs.db files.
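A triage sketch for the location rule described in this update, added here as an example and not code from the original post: it takes a file listing from a Windows 8 image, groups Thumbs.db files by the profile folder that contains them, and separates out any that sit outside a profile. The function name, the `C:\Users` default and the sample listing are assumptions constructed for illustration.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed sample listing (not from a real case).
SAMPLE_LISTING = [
    r"C:\Users\alice\Pictures\Holiday\Thumbs.db",
    r"C:\Users\alice\Pictures\Holiday\IMG_0001.jpg",
    r"c:\users\bob\Desktop\scans\thumbs.db",
    r"C:\Media\Thumbs.db",
    r"C:\Program Files\App\images\Thumbs.db",
]


def triage_thumbs_db(listing, users_root=r"C:\Users"):
    """Return (by_profile, outside) for the Thumbs.db paths in listing.

    by_profile maps a profile folder name to the Thumbs.db paths under it.
    outside lists Thumbs.db paths that are not under any profile folder;
    per the post, Windows 8 does not create the file there, so each of
    these warrants a look at how it got there.
    """
    root = tuple(p.lower() for p in PureWindowsPath(users_root).parts)
    by_profile, outside = defaultdict(list), []
    for raw in listing:
        path = PureWindowsPath(raw)
        if path.name.lower() != "thumbs.db":
            continue  # only Thumbs.db files are of interest
        parts = path.parts
        lowered = tuple(p.lower() for p in parts)
        # Must be users_root + profile folder + at least the file itself.
        if lowered[:len(root)] == root and len(parts) > len(root) + 1:
            by_profile[parts[len(root)]].append(raw)
        else:
            outside.append(raw)
    return dict(by_profile), outside


if __name__ == "__main__":
    profiles, outside = triage_thumbs_db(SAMPLE_LISTING)
    for name, paths in profiles.items():
        # The profile name is only the location: per the post, another
        # logged-in user with write access may have triggered creation.
        print(f"profile folder {name}: {len(paths)} Thumbs.db")
    for p in outside:
        print(f"outside any profile: {p}")
```
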

There is another oddity noted. Sometimes a Thumbs.db is created immediately upon a folder being opened in Explorer; on other occasions it has to be triggered by changing the 'view' of the folder to 'Large icons'.

6 comments:

  1. Yogesh, I think that this is at least analogous to the thumbs.db files that appear regularly in Win 7. I have to check my notes, but I think it has something to do with accessing files on a network share.

    1. It is the same, seen on win7 when you access a resource via network path. I have discussed the format too earlier here: http://www.swiftforensics.com/2012/07/windows-7-generated-thumbsdb.html

  2. It is only left folder or sub folders of "Desktop" in my computer.

    1. Good observation! I have verified and updated the article with this new information. Thanks.

  3. First of all...excellent post.
    At the end you mention that it sometimes is created immediately and sometimes when you change "view".

    I haven't tested in Windows 8 (since I only have 7) but in Windows 7 the "details pane" at the bottom of the explorer window contains a small thumbnail.
    When you click an image a small thumbnail is visible in the "details pane", and this thumbnail was, in my tests, stored in thumbcache/thumbs.db even if the view was set to "details view" and not "icons".

  4. I'm finding numerous errors in the event logs pertaining to the file history backup log in Win 8.1 stating user/pictures/folder name/thumbs.db not found, backup will be attempted at a later date. What's the deal? Win 8.1 backup, which is now called "File History", seems to think these files *should* be there but they're not. Is expecting thumbs.db to be in every picture folder a legacy feature that should have been turned off in Win 8.1 (update 1)?
