
Thumbs.db breakdown

9 Posts
6 Users
0 Likes
1,948 Views
bh47100
(@bh47100)
Posts: 8
Active Member
Topic starter
 

I was wondering if anyone could give an overview of the Thumbs.db files created by Windows. I know that there are thumbnail images stored in the file. I have tried to extract them with a hex editor and recreate the files from the headers, but to no avail. I know that FTK and EnCase will do this, but I want to know how they do it. Any help is appreciated, even ideas.

Thanks much,

Brandon

 
Posted : 09/09/2004 3:43 pm
Jamie
(@jamie)
Posts: 1288
Moderator
 

Hi Brandon,

Is the information here any use?

http://www.experts-exchange.com/Programming/Programming_Platforms/Win_Prog/Q_20822626.html

Jamie

 
Posted : 09/09/2004 7:28 pm
bh47100
(@bh47100)
Posts: 8
Active Member
Topic starter
 

Thanks,

I did see that earlier today while I was Googling around. I was interested, but not enough to pay the $9.95/month fee to see the answer that I'm not sure is even there. EE does usually pop up when I need something answered though, so maybe it's time to take the plunge. Thanks again for a sound resource.

Brandon

 
Posted : 10/09/2004 3:19 am
bh47100
(@bh47100)
Posts: 8
Active Member
Topic starter
 

Sorry about the three posts there. I got a little caffeinated and itchy trigger set in. I found that the data for the thumbs.db flows in as a stream and looks like the same hex data headers as a JPEG but actually is a bit different. The thumbs.db file is missing two key components (quantization tables, Huffman encoding tables). Some people have theories that the tables are predefined by Microsoft and the OS interprets the .db file extension utilizing those predefined tables. I'm sure EnCase and FTK software developers could answer this... but they need to generate revenue as well...

Brandon

 
Posted : 10/09/2004 7:02 am
Jamie
(@jamie)
Posts: 1288
Moderator
 

No problem, I've tidied the thread up a little 🙂

Thanks for sharing your findings, very interesting indeed. If you discover anything further I'd be very interested to learn more.

Cheers,

Jamie

 
Posted : 10/09/2004 7:18 pm
(@fieserkiller)
Posts: 1
New Member
 

Hi guys,
this is a pretty old thread I'm pushing up 😉

I've been working on decoding that Thumbs.db file for some days now, searching the internet for information, but I can't find anything.

So I did it myself and I'm halfway to success.

I've written Java code which can extract and show all thumbnails from a Windows XP-created thumbs.db. I use the POI libraries from Apache to access the filesystem in that OLE2 database, then I cut down the bytestreams to create standard JPG JFIF data.
But I'm not able to associate the right filenames with the thumbnails.
Can anyone help?

 
Posted : 20/09/2005 1:31 am
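
The check described earlier in this thread (trimming a Thumbs.db stream down to its JPEG data, then seeing whether the quantization and Huffman tables are present), as an added example that is not from any poster here. It works on a stream already pulled out of the OLE2 container; the sample bytes and the 12-byte `PREFIX` are constructed placeholders, not a real Thumbs.db header layout.

```python
import struct

NAMES = {0xE0: "APP0", 0xDB: "DQT", 0xC0: "SOF0", 0xC4: "DHT", 0xDA: "SOS"}

def carve_jpeg(stream: bytes) -> bytes:
    """Trim a thumbnail stream down to the bytes from JPEG SOI through EOI."""
    start = stream.find(b"\xff\xd8\xff")   # SOI followed by the next marker
    end = stream.rfind(b"\xff\xd9")        # last EOI in the stream
    if start < 0 or end < start:
        raise ValueError("no complete JPEG in stream")
    return stream[start:end + 2]

def list_segments(jpeg: bytes) -> list:
    """Walk the marker segments after SOI, stopping at SOS (scan data follows)."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("missing SOI")
    pos, found = 2, []
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = jpeg[pos + 1]
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])  # counts itself
        if length < 2 or pos + 2 + length > len(jpeg):
            raise ValueError(f"bad segment length at offset {pos}")
        found.append(NAMES.get(marker, f"0x{marker:02X}"))
        if marker == 0xDA:
            break
        pos += 2 + length
    return found

def missing_tables(jpeg: bytes) -> list:
    """Report which of the decoding tables (DQT, DHT) the header lacks."""
    present = list_segments(jpeg)
    return [name for name in ("DQT", "DHT") if name not in present]

def _seg(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample data (zero-filled payloads, not from a real Thumbs.db).
PREFIX = struct.pack("<III", 12, 1, 0)   # placeholder for the stream's own header
APP0, SOF0 = _seg(0xE0, b"JFIF\x00" + bytes(9)), _seg(0xC0, bytes(15))
TAIL = _seg(0xDA, bytes(10)) + b"\x00\x01\xff\xd9"
FULL = PREFIX + b"\xff\xd8" + APP0 + _seg(0xDB, bytes(65)) + SOF0 + _seg(0xC4, bytes(29)) + TAIL
BARE = PREFIX + b"\xff\xd8" + APP0 + SOF0 + TAIL

if __name__ == "__main__":
    for label, stream in (("full", FULL), ("bare", BARE)):
        jpeg = carve_jpeg(stream)
        print(label, list_segments(jpeg), "missing:", missing_tables(jpeg))
```

A carved stream that reports `DQT` or `DHT` as missing will not open in a standard JPEG viewer until those tables are supplied.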
(@patchdep)
Posts: 5
Active Member
 

You can use FTK or EnCase to view the thumbs.db

 
Posted : 20/09/2005 11:58 pm
nickfx
(@nickfx)
Posts: 131
Estimable Member
 

Hi there

Pop along to http://www.accessdata.com/support.htm and download a whitepaper detailing all the information on thumbs.db you ever need to know. Had a case last month that hinged on thumbs.db and the doc was invaluable.

Cheers

Nick

 
Posted : 23/09/2005 1:16 pm
(@rukin)
Posts: 7
Active Member
 

Hi,

I'm writing a script to decode Thumbs.db files.

It is still "pre alpha", but you may download it at
http://sourceforge.net/projects/vinetto

HTH

rukin

 
Posted : 31/03/2006 7:50 pm