Windows Thumbcache Forensics

This week I talk about surviving Windows Thumbcache forensics, a great source of evidence for File Use & Knowledge investigations.

Show Notes

The Windows Thumbcache, and its legacy the Thumbs.db file, are a great source of graphical evidence for File Use & Knowledge investigations. Thumbcache files are hidden system files that hold reduced-size copies (thumbnails) of image and multimedia files; their purpose is to give the user a graphical view of the files in a given directory. Thumbcache files are stored centrally for each user account, so this evidence can serve as a silent witness to a user viewing images, or as a record of images that once existed on a system even after the originals were deleted. The podcast goes into more detail on the nuances and pitfalls for the examiner when interpreting this evidence.
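Because the cache keeps the thumbnail long after the source file is gone, recovering the embedded images is the core of this evidence. The following Python is an added example for these notes, not code from the podcast or from Thumbcache Viewer: it carves the JPEG, PNG and BMP thumbnails out of a thumbcache_*.db file by their image container signatures rather than by parsing the cache's own entry headers, which also lets it pull images from damaged or partially overwritten cache files. The sample cache it runs on is constructed inline (a marker-only JPEG stub, a real 1x1 PNG and a real 1x1 BMP wrapped in filler); the input and output paths in `carve_file` are assumptions.

```python
"""Carve embedded thumbnails (JPEG/PNG/BMP) from a Windows thumbcache_*.db file.

Added example, not the podcast's or Thumbcache Viewer's code. It relies only on
the image container formats, so it recovers thumbnails even when the cache's
CMMM entry headers are damaged. Each hit is reported with its byte offset so an
examiner can cross-reference a dedicated parser.
"""
import struct
import zlib
from dataclasses import dataclass
from pathlib import Path

PNG_SIG = b"\x89PNG\r\n\x1a\n"
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"
BMP_SIG = b"BM"


@dataclass
class Carved:
    kind: str      # "png", "jpeg" or "bmp"
    offset: int    # byte offset of the image inside the cache file
    data: bytes    # the carved image bytes


def _png_end(buf, start):
    """Walk PNG chunks from the signature; return offset just past IEND, or None."""
    pos = start + len(PNG_SIG)
    while pos + 8 <= len(buf):
        length, ctype = struct.unpack_from(">I4s", buf, pos)
        pos += 8 + length + 4                 # length, type, data, CRC
        if pos > len(buf):
            return None                       # truncated image
        if ctype == b"IEND":
            return pos
    return None


def _jpeg_end(buf, start):
    """JPEG ends at the first EOI marker after SOI (entropy data stuffs FF as FF00)."""
    end = buf.find(JPEG_EOI, start + len(JPEG_SOI))
    return None if end < 0 else end + len(JPEG_EOI)


def _bmp_end(buf, start):
    """BMP declares its own size at offset 2; reject absurd or truncated sizes."""
    if start + 6 > len(buf):
        return None
    size = struct.unpack_from("<I", buf, start + 2)[0]
    if size < 26 or start + size > len(buf):
        return None
    return start + size


_FORMATS = (("png", PNG_SIG, _png_end), ("jpeg", JPEG_SOI, _jpeg_end), ("bmp", BMP_SIG, _bmp_end))


def carve_thumbnails(buf: bytes):
    """Sequentially carve every recognisable image from buf."""
    out, pos = [], 0
    while pos < len(buf):
        hits = [(buf.find(sig, pos), kind, ender) for kind, sig, ender in _FORMATS]
        hits = [h for h in hits if h[0] >= 0]
        if not hits:
            break
        i, kind, ender = min(hits, key=lambda h: h[0])   # earliest signature wins
        end = ender(buf, i)
        if end is None:                                  # false positive or truncated
            pos = i + 1
            continue
        out.append(Carved(kind, i, buf[i:end]))
        pos = end
    return out


def carve_file(cache_path: str, out_dir: str):
    """Carve a real thumbcache_*.db (paths are assumptions) and write each image out."""
    buf = Path(cache_path).read_bytes()
    Path(out_dir).mkdir(parents=True, exist_ok=True)
    for c in carve_thumbnails(buf):
        ext = "jpg" if c.kind == "jpeg" else c.kind
        Path(out_dir, f"{Path(cache_path).stem}_{c.offset:08x}.{ext}").write_bytes(c.data)
    return len(buf)


# --- constructed sample input (not from a real system) -------------------------
def make_png_1x1():
    def chunk(ctype, data):
        body = ctype + data
        return struct.pack(">I", len(data)) + body + struct.pack(">I", zlib.crc32(body) & 0xFFFFFFFF)
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit RGB
    idat = zlib.compress(b"\x00\xff\x00\x00")              # filter byte + one red pixel
    return PNG_SIG + chunk(b"IHDR", ihdr) + chunk(b"IDAT", idat) + chunk(b"IEND", b"")


def make_bmp_1x1():
    pixel = b"\x00\x00\xff\x00"                            # BGR + row padding
    info = struct.pack("<IiiHHIIiiII", 40, 1, 1, 1, 24, 0, len(pixel), 2835, 2835, 0, 0)
    size = 14 + len(info) + len(pixel)                     # 58 bytes
    return BMP_SIG + struct.pack("<IHHI", size, 0, 0, 14 + len(info)) + info + pixel


SYNTHETIC_JPEG = JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + bytes(10) + JPEG_EOI   # markers only


def build_sample_cache():
    """Stand-in for a thumbcache file: CMMM-style filler around three images."""
    return (b"CMMM" + bytes(28) + make_png_1x1() + bytes(7)
            + SYNTHETIC_JPEG + bytes(5) + make_bmp_1x1() + bytes(16))


if __name__ == "__main__":
    for c in carve_thumbnails(build_sample_cache()):
        print(f"{c.kind:5} at offset 0x{c.offset:08x}, {len(c.data)} bytes")
```

The carver is deliberately format-agnostic: Thumbcache Viewer walks the CMMM entry headers and can therefore show the entry hash that ties a thumbnail back to a path, while signature carving only yields the image and its offset. Run both, and treat a carved image with no matching entry as a sign the cache has been partly overwritten.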

Thumbcache location on Windows 7, Windows 8 & Windows 10:

C:\Users\\AppData\Local\Microsoft\Windows\Explorer

Example of evidence files on a Windows 10 system: [screenshot of the Explorer folder listing, not reproduced here]

Location of EDB File:

C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb

Related Registry Keys

Each value set to 1 disables thumbnail caching for that scope, so check these before treating an empty or sparse cache as meaningful:

NTUSER.dat – Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ (DisableThumbnailCache = 1)

NTUSER.dat – Software\Policies\Microsoft\Windows\Explorer\ (DisableThumbsDBOnNetworkFolders = 1)

NTUSER.dat – Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ (DisableThumbnailCache = 1)

HKEY_LOCAL_MACHINE – Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ (DisableThumbnailCache = 1)

HKEY_LOCAL_MACHINE – SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ (DisableThumbnailCache = 1)

Tools

Thumbcache Viewer https://thumbcacheviewer.github.io/

ESEDB Viewer http://www.woanware.co.uk/forensics/esedbviewer.html

SDF Training Class of the Week

Windows Shimcache Forensics: find evidence of past and present executables on Windows systems and uncover malicious tools.

DFSP Sponsors make the Podcast possible. Show them your love and support!

Makers of Insight Forensic, an all-in-one forensic data recovery and acquisition system

The developer of RECON – the fastest and most complete way to process Live running Macs or Mac forensic images

Check out all the classes in the SDF series – quality content at a solid training value