Comments on Yogesh Khatri's forensic blog: Windows 7 Thumbcache hash algorithm
Updated: 2024-01-01T03:51:10.857-05:00

- (2019-04-03T21:55:02.162-04:00)
I'm using the same algorithm but I have had no luck generating the correct hash yet.
What are byte arrays here and how is data filled in them?
Consider this file_id = 46443371157476663
Is this byte array set correctly?
array[0]=0
array[1]=165
array[2]=0
array[3]=0
array[4]=0
array[5]=3
array[6]=85
array[7]=55

Thank you

- (2019-04-03T21:53:19.139-04:00)
This comment has been removed by the author.

Yogesh Khatri (2013-02-14T01:16:53.585-05:00)
That is correct, on first view of a particular file in explorer depending on the view size (small, large, ..) the thumbnail(s) will get created and stored in the appropriate cache file.

Curious (2013-02-01T17:23:07.921-05:00)
Why do only certain caches get populated? Does it depend on which view you see the images in? Extra large, large, small, and medium?
(Does that affect which cache is populated?)

Yogesh Khatri (2012-11-23T01:52:10.800-05:00)
Yes indeed, from a practical point of view, that is where to match it. However the post was not meant for that, it is more academic and intends to explain the hashing scheme as to how these are generated in the first place.

Yogesh Khatri (2012-11-23T01:48:49.093-05:00)
Thanks for spotting that Simon, the 'v3' crept in from my enscript, it should have been replaced by 'count'. Fixed now.

Matt (2012-11-12T19:42:22.121-05:00)
It may not work in every case, but one way you can match the ThumbCacheID to the original full path is using Windows.edb, the Windows Search database. http://escforensics.blogspot.com/2012/11/analyzing-thumbcache.html

Simon Key (2012-10-18T09:22:50.818-04:00)
Great information Yogesh - thanks.

The value in the INDX entry is the MFT sequence number; it's also to be found at offset 16 for 2 bytes in a file's MFT record.

BTW, you have a slight typo in your code at the point you increment the array count.

Best.

Yogesh (2012-06-17T14:01:12.755-04:00)
I used IDA Pro, the best disassembler out there. The functions are located in shell32.DLL, GetThumbnailCacheId() and CalculateHashKey().

Anonymous (2012-06-16T14:02:50.316-04:00)
What did you use to find the hashing algorithm? And how did you find the input data that goes into it?