Thumbnails

As is often the case, Windows features can end up being useful evidence to forensic examiners. For example, the Windows operating system makes viewing files in Windows Explorer smoother by using ‘thumbnails’ of images. When examining images, we often rely on “thumbs.db” files and the “thumbcache”, both of which serve broadly the same purpose.

When a user wants to view files in Windows Explorer in the thumbnail or filmstrip view, Windows generates small versions of the original images to display and stores them in a cache.

“Thumbs.db” files are one of these types of cache. Where they are present, each folder contains a hidden Windows system file: a database storing all the generated thumbnail images for the image and video files in that folder. When those images are deleted, the thumbnails remain. This can give the investigator an insight into the past contents of the folder which may otherwise have been lost. The behaviour of the database is not consistent across Windows versions, but with some effort it can potentially show whether a user ever looked at the folder.

On Windows 7 through 10, the “thumbs.db” files were replaced with a different implementation of the same idea: the centralised “thumbcache” files. For each user, there is a single system folder full of thumbcache databases which contain all the thumbnails needed on the machine. As the thumbcache databases are not linked to any particular file, some extra work is needed to connect the images within them to the folders they reference, but it is possible.

As these artifacts are regular files, they can be deleted by a user. They can also be recovered by forensic software. Most users will not know to delete them to hide evidence of their activity, and most users will not know how to modify them to cover their tracks in a more comprehensive fashion.
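The thumbcache databases described above, and the raw data that forensic software recovers from deleted copies of them, store each thumbnail as an ordinary JPEG, PNG or BMP blob. The following Python is an added example (not code from the original page) showing the format-agnostic approach of carving those blobs out of a byte buffer by their image signatures, which works on an intact thumbcache file, on a partially overwritten one, and on unallocated space. The `SAMPLE_CACHE` buffer is constructed inline for the demonstration and does not reproduce the real thumbcache record layout; it only stands in for a blob of cache bytes with slack between the images.

```python
import struct
import zlib

# Image signatures that thumbnail caches store their entries as.
JPEG_SOI = b"\xff\xd8\xff"
PNG_SIG = b"\x89PNG\r\n\x1a\n"
BMP_SIG = b"BM"


def _jpeg_end(buf, start):
    """A JPEG runs from the SOI marker to the next EOI marker (FF D9)."""
    end = buf.find(b"\xff\xd9", start + 2)
    return -1 if end < 0 else end + 2


def _png_end(buf, start):
    """Walk PNG chunks (length, type, data, CRC) until the IEND chunk."""
    pos = start + 8
    while pos + 8 <= len(buf):
        length, ctype = struct.unpack(">I4s", buf[pos:pos + 8])
        pos += 8 + length + 4
        if pos > len(buf):
            return -1
        if ctype == b"IEND":
            return pos
    return -1


def _bmp_end(buf, start):
    """'BM' is a weak signature, so sanity-check the BITMAPFILEHEADER fields."""
    if start + 14 > len(buf):
        return -1
    size, reserved, pixel_off = struct.unpack("<III", buf[start + 2:start + 14])
    if reserved != 0 or not (14 <= pixel_off < size) or start + size > len(buf):
        return -1
    return start + size


SIGNATURES = [
    (JPEG_SOI, "jpg", _jpeg_end),
    (PNG_SIG, "png", _png_end),
    (BMP_SIG, "bmp", _bmp_end),
]


def carve_thumbnails(buf):
    """Return a list of (offset, extension, bytes) for every image blob found.

    Scans forward, takes the earliest signature hit, validates it with the
    matching end-finder, and resumes after the carved blob so bytes inside
    one image are never mistaken for the start of another.
    """
    found = []
    pos = 0
    while pos < len(buf):
        best = None
        for sig, ext, end_fn in SIGNATURES:
            hit = buf.find(sig, pos)
            if hit != -1 and (best is None or hit < best[0]):
                best = (hit, ext, end_fn)
        if best is None:
            break
        hit, ext, end_fn = best
        end = end_fn(buf, hit)
        if end > hit:
            found.append((hit, ext, buf[hit:end]))
            pos = end
        else:
            pos = hit + 1          # signature was a false positive; keep scanning
    return found


def dump_carved(path, out_dir):
    """Carve a real file (e.g. a thumbcache_256.db) and write each image to out_dir."""
    import os
    with open(path, "rb") as fh:
        data = fh.read()
    hits = carve_thumbnails(data)
    os.makedirs(out_dir, exist_ok=True)
    for offset, ext, blob in hits:
        with open(os.path.join(out_dir, f"thumb_{offset:08x}.{ext}"), "wb") as out:
            out.write(blob)
    return len(hits)


# --- constructed sample data (not a real thumbcache file) --------------------
def _make_png():
    def chunk(ctype, data):
        crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")             # filter byte + one pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def _make_bmp():
    pixel = b"\x00\x00\xff\x00"                           # BGR + row padding
    info = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, len(pixel), 2835, 2835, 0, 0)
    header = struct.pack("<2sIHHI", b"BM", 14 + 40 + len(pixel), 0, 0, 54)
    return header + info + pixel


SAMPLE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 16 + b"\xff\xd9"
SAMPLE_PNG = _make_png()
SAMPLE_BMP = _make_bmp()
# Three thumbnails separated by filler and a stray 'BM' that must not carve.
SAMPLE_CACHE = (b"CMMM" + b"\x00" * 20 + SAMPLE_JPEG + b"\x00" * 7 + SAMPLE_PNG
                + b"BMslack" + SAMPLE_BMP + b"\x00" * 3)

if __name__ == "__main__":
    for offset, ext, blob in carve_thumbnails(SAMPLE_CACHE):
        print(f"offset {offset:#06x}: {ext} ({len(blob)} bytes)")
```

Run against the constructed buffer it reports three blobs (a JPEG, a PNG and a BMP) and ignores the stray “BM” in the slack; `dump_carved` applies the same routine to a real cache file on disk. Because carving keys on the image content rather than the cache's own record headers, it also surfaces thumbnails of files that were later deleted from the folder, which is exactly the evidential value the article describes.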