Chapter 28. Thumbnails and the Thumbnail Cache

Information in this chapter:

• Thumbnails and the thumbnail cache
• How thumbnails and the thumbnail cache work
• Thumbnails and the thumbnail cache as evidence
When you open a folder like your My Pictures folder, you can view the files in a thumbnail format, like a bunch of small pictures. These small pictures or thumbnails are stored in a special file called a thumbnail cache database. These thumbnail databases can be read using special software and used as evidence in both civil and criminal cases.
Thumbnail caches are used in a wide variety of cases, mostly to attempt to establish whether or not an image file existed on the computer at some point in the past, even if that purpose is to corroborate some other piece of digital evidence.
Keywords
Thumbnails, Thumbs.db, Thumbnails.cache

Introduction

The typical computer today stores tens of thousands of images. These images can come from activities the user is aware of, such as transferring pictures from a digital camera to a computer. The images are also saved to the computer without any input from the computer user. For example, when you browse the Internet, many of the pictures and graphics you see can be saved to your computer automatically. When you open a folder like your My Pictures folder, you can view the files in a thumbnail format, like a bunch of small pictures. These small pictures or thumbnails are stored in a special file called a thumbnail cache database. These thumbnail databases can be read using special software and used as evidence in both civil and criminal cases.

28.1. Thumbnails and the thumbnail cache

Starting with the Windows 2000 operating system,[1] Microsoft introduced the thumbnail cache. The thumbnail cache assists the computer user in reviewing a large number of images at once by taking the full-sized images and making miniature representations of them. Instead of having to look at each image individually within a folder to find a particular picture you are looking for, the thumbnail cache will display all of the images at once as “thumbnail”-sized pictures. The thumbnail cache also speeds up how quickly pictures will display; it reduces the load time of images because the smaller thumbnail images no longer have to be recalculated every time they are accessed by a user, unlike the original images.
Figure 28.1 illustrates the difficulty in navigating a large set of pictures without thumbnails. Figure 28.2 shows the same set of pictures in thumbnail view.
Figure 28.1
A list of files of original images
Figure 28.2
A list of files of original images in thumbnail view
As you can see from the two illustrations in Figure 28.1 and Figure 28.2, if you want to be able to easily find a picture, thumbnail view is much easier to deal with since you can see the image and not have to rely on remembering the file name.

28.2. How thumbnails and the thumbnail cache work

When you are looking in a folder that contains images and even documents, remember that the computer may store smaller versions of the images in a thumbnail cache. The thumbnail cache is a database of multiple images inside the cache file. In Windows 2000 and Windows XP, these databases were named thumbs.db and stored in the same folder that contained the image files. These files are hidden from the computer user by default. If you want to see the actual thumbs.db file in a folder, you must change your folder settings to show hidden files.

28.2.1. When are these thumbs.db cache files created?

Thumbs.db files are not created automatically unless you open the folder containing the pictures or images and change the view to thumbnail view.
In Fig. 28.3 you can see a listing of picture files. Note that there is no thumbs.db file in this folder because it has not been created yet.
Figure 28.3
Files shown in list view
Now if you look at Figure 28.4, you will see that the thumbs.db has been created once the view is changed to the thumbnail view.
Figure 28.4
Files shown in thumbnail view
However, in order for a thumbs.db thumbnail cache to be created at all, the user of the computer must have write access to the folder; or in other words, you must be able to create new files in the folder. If the folder contains images, you can still view them as thumbnails; however, a thumbs.db file will not be created.
Another anomaly of the thumbs.db cache is that when you have a very large number of pictures in a folder and you view them in one of the thumbnail views, Windows will not automatically add all of them to the thumbs.db cache. The reason is that Windows will only add thumbnails to the database cache that it actually renders into thumbnail view. If you notice, when you open a folder with a lot of images in thumbnail view for the first time, there is a noticeable pause when you scroll down, before the thumbnails appear. This is because Windows has not created the thumbnail yet. If the thumbnail has not been created, it will not appear in the database. What does this mean? Someone with a lot of pictures in a folder may never have seen the pictures at the bottom of the folder, if they did not bother to scroll down all the way, forcing Windows to render the thumbnail images. This can be especially important in a contraband image case where the defendant denies knowledge of the images. Being able to show that the images were never opened can help to show that intent was not present in possessing the images.

28.2.2. Changes in Windows Vista and Windows 7

When Windows Vista was released, the thumbnail database was no longer stored in each folder as it was in the earlier Windows operating systems. Now the thumbnail database is stored in a central location for each user account, referred to as the thumbnail cache. These files are located in the AppData\Local\Microsoft\Windows\Explorer folder for each user account on the computer. For example, if the computer has two user accounts, Bob and Sue, when Bob is logged on to the computer, the thumbnail cache will be saved to his private user area. If Bob logs off the computer and Sue logs in, the thumbnail database will be saved to her private user area. Note that if Bob is logged in and Sue starts using the computer without logging him out, any thumbnail database changes will still be saved in Bob’s private area.

28.2.3. Thumbs.db and networked drives

An odd issue is that in Windows Vista and Windows 7, if the user is looking at pictures in thumbnail view on a shared network hard drive where the user is allowed to create files, a thumbs.db file will be created in that shared folder when someone views the pictures in thumbnail view. There will not be a record of this in the thumbnail cache in the user’s private area on the local computer that is accessing the shared network drive. This is shown in Fig. 28.5.
Figure 28.5
A thumbs.db file created on a networked drive

28.3. Thumbnails and the thumbnail cache as evidence

Thumbnail caches are used in a wide variety of cases, mostly to attempt to establish whether or not an image file existed on the computer at some point in the past. The reason is that even if you delete all the pictures from a folder, the thumbs.db cache will retain the little thumbnail pictures.
The presence of a thumbs.db file can also reveal the last time the thumbs.db was updated to show that a folder was accessed at a certain time.
28.1. Contraband images
An examiner is presented with a computer to analyze that contains suspected child pornography. Upon review of the hard drive, no contraband images are present. However, a review of the thumbs.db cache shows thumbnail pictures of child pornography.
There are several things to consider in this scenario:
1. The images were on the hard drive and were deleted, leaving behind the thumbs.db file with the smaller images. However, without having something more to present, that is not a lot of evidence by itself.
2. The examiner is also presented with a USB stick containing contraband images. Can you prove whether or not those images have been on the computer in the past? Lo and behold, on the USB stick is a thumbs.db file that contains thumbnail images that match the thumbnail images from the computer hard drive. Case solved! Well, maybe not completely, but that is stronger evidence than in the first part of this scenario. The examiner would need to match the files using hash values of the thumbnails from inside the two thumbs.db caches to make a stronger case. For information on hash values, see Chapter 4 and Chapter 26.
3. The thumbs.db cache file did not originate on the computer being examined. Consider that someone handed you a USB stick containing files for work. You open the USB stick on your computer, select all the files, and start the copy process. A window pops up telling you that there are two hidden files that will be copied; do you want to copy them, yes or no? Not knowing exactly what that means, you select “Yes.” Unbeknownst to you, you just copied a thumbs.db file to your computer containing contraband images of child pornography.
Figure 28.6 is a screenshot of what the contents of a thumbs.db file look like. What you see in the figure are the small thumbnails of all of the pictures viewed in the folder.
Figure 28.6
A screenshot of the contents of a thumbs.db file
Figure 28.7 shows the same thumbs.db as in Fig. 28.6 in EnCase forensic software, with the details of the internal database shown.
Figure 28.7
A view of the data inside the thumbs.db file
What you can see in Fig. 28.7 is the file detail information from inside the thumbs.db file. The Last Written date is carried over from the file system date stamp.
The Root Entry at the bottom of the screenshot shows an Entry Modified date of when the thumbs.db file was last updated. The Root Entry date and time will update whenever the contents of the folder change.
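The Entry Modified value described above can also be read without a forensic suite, because a thumbs.db file is an OLE compound file and the Root Entry is the first 128-byte directory entry in it. The following Python code is an added example, not taken from the original chapter or from any tool it mentions; the function names are hypothetical, and the sample file is constructed in the code (header and one directory sector only, no thumbnails).

```python
import struct
from datetime import datetime, timedelta, timezone

CFB_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")   # OLE compound file signature
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def to_filetime(dt):
    """datetime -> FILETIME (100 ns ticks since 1601-01-01 UTC)."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10

def from_filetime(ticks):
    """FILETIME -> UTC datetime; a zero value means the field was never set."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10) if ticks else None

def root_entry_times(data):
    """Return (name, created, modified) from the Root Entry of a compound file."""
    if len(data) < 512 or data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE compound file")
    (sector_shift,) = struct.unpack_from("<H", data, 0x1E)
    (first_dir_sector,) = struct.unpack_from("<I", data, 0x30)
    if sector_shift not in (9, 12):
        raise ValueError("unexpected sector size")
    # Sector n starts at (n + 1) * sector size; the Root Entry is the first
    # 128-byte directory entry in the first directory sector.
    offset = (first_dir_sector + 1) << sector_shift
    entry = data[offset:offset + 128]
    if len(entry) < 128:
        raise ValueError("directory sector is truncated")
    name_len, obj_type = struct.unpack_from("<HB", entry, 0x40)
    if obj_type != 5:                            # 5 = root storage object
        raise ValueError("first directory entry is not the Root Entry")
    name = entry[:max(name_len - 2, 0)].decode("utf-16-le")
    created, modified = struct.unpack_from("<QQ", entry, 0x64)
    return name, from_filetime(created), from_filetime(modified)

def build_sample(modified):
    """Constructed test input: header plus one directory sector, no thumbnails."""
    header = bytearray(512)
    header[:8] = CFB_MAGIC
    # minor version, major version 3, byte order mark, 512-byte sectors, 64-byte mini sectors
    struct.pack_into("<HHHHH", header, 0x18, 0x3E, 3, 0xFFFE, 9, 6)
    struct.pack_into("<I", header, 0x30, 0)      # directory begins in sector 0
    root = bytearray(512)
    name = "Root Entry".encode("utf-16-le")
    root[:len(name)] = name
    struct.pack_into("<HB", root, 0x40, len(name) + 2, 5)
    struct.pack_into("<QQ", root, 0x64, 0, to_filetime(modified))
    return bytes(header + root)

if __name__ == "__main__":
    sample = build_sample(datetime(2011, 6, 15, 14, 30, tzinfo=timezone.utc))
    print(root_entry_times(sample))
```

The timestamps are returned in UTC, so they may differ from a tool's display if that tool is set to show local time.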
28.2. File deletion claim after a court order to preserve evidence
You are embroiled in a civil case and the Plaintiff has hired a computer expert to examine your client’s computer. When the Plaintiff’s computer expert examines the computer, he sees a folder that is named the same as a file eraser program that is used to clean up computer files.
Your client says that he has used the program in the past to remove confidential files from the computer and also to clean up old junk as part of his normal business practices to prevent confidential information from falling into the wrong hands in case the laptop computer is lost or stolen. He also states that right after the court hearing, he removed the file-wiping program from his computer.
The Plaintiff’s expert concludes that the file-wiping program was run after the court hearing on the same date that the client claims he removed the program from his hard drive.
You hire your own expert to examine your client’s computer. Your expert reviews the hard drive and notes that the only file left in the hard drive–wiping program folder is the thumbs.db file. He also notes that the Entry Modified date and time match the date and time your client says he removed the software from his computer.
Since your expert knows that deleting the image files from a folder will cause the Root Entry time stamp to update in the thumbs.db file, he concludes that your client is accurate and that the file-wiping program was removed and not run the day after the court hearing.
In Fig. 28.8, you can see that the Root Entry date and time have changed after several pictures were deleted from the folder.
Figure 28.8
A view of the data inside the thumbs.db file after files were deleted

Summary

In this chapter we learned about the thumbnail databases that Windows uses to make viewing a large number of pictures in a folder faster and easier. We also looked at how and when those databases are created. We also learned what dates and times are updated when the contents of the folder change. Finally, we looked at the thumbnail databases as evidence in a couple of case scenarios.
Reference
[1]