Saturday, July 7, 2012

Windows 7 generated Thumbs.db

Windows 7 does not use the Thumbs.db file for folder thumbnail caching. However when accessing remote or mapped drives, it does create a Thumbs.db file in the remote folder when it viewed in explorer.

A quick way to create this file would be to browse your own C drive using the path '\\localhost\c$' and see explorer drop Thumbs.db everywhere as you click around into folders. You may have to change the folder view to Icons or Large Icons for it to trigger.

The format is slightly different and no tool seems to handle it correctly as of now. The new format is still an OLE document, however microsoft have gotten rid of the 'Catalog' stream, and the names of other streams are strings which include the resolution (96, 256, ..) and a 64bit hex number. The stream contains a regular jpeg file, which usually begins at 0x18 (on xp this was 0x0c). The stream header also begins with 0x18, a likely indication of the beginning of data.

Regular carving for JPG files will work against it. The good news for investigators is that the behavior of this file is similar to xp Thumbs.db, ie, the thumbnails do not get deleted once the file (image) is moved/deleted from that folder. This is different from usual windows 7 behavior where deleted files are quickly removed from the Thumbcaches.

No comments:

Post a Comment