Thumbs.db breakdown


bh47100
Newbie
 

Thumbs.db breakdown

Post Posted: Sep 09, 04 15:43

I was wondering if anyone could give an overview of the Thumbs.db files created by Windows. I know that there are thumbnail images stored in the file. I have tried to extract them with a hex editor and recreate the files from the headers, but to no avail. I know that FTK and EnCase will do this, but I want to know how they do it. Any help is appreciated, even ideas.

Thanks much,

Brandon  
 
  

jamie
Site Admin
 

Re: Thumbs.db breakdown

Post Posted: Sep 09, 04 19:28

Hi Brandon,

Is the information here any use?

www.experts-exchange.c...22626.html

Jamie
_________________
Jamie Morris
Forensic Focus
Web: www.forensicfocus.com
Twitter: twitter.com/ForensicFocus
Facebook: www.facebook.com/forensicfocus 
 
  

bh47100
Newbie
 

Re: Thumbs.db breakdown

Post Posted: Sep 10, 04 03:19

Thanks,

I did see that earlier today while I was Googling around. I was interested, but not enough to pay the $9.95/month fee to see the answer that I'm not sure is even there. EE does usually pop up when I need something answered though, so maybe it's time to take the plunge. Thanks again for a sound resource.

Brandon  
 
  

bh47100
Newbie
 

Re: Thumbs.db breakdown

Post Posted: Sep 10, 04 07:02

Sorry about the three posts there. I got a little caffeinated and itchy trigger set in. I found that the data for the thumbs.db flows in as a stream and looks like the same hex data headers as a JPEG but actually is a bit different. The thumbs.db file is missing two key components (quantization tables, Huffman encoding tables). Some people have theories that the tables are predefined by Microsoft and the OS interprets the .db file extension utilizing those predefined tables. I'm sure EnCase and FTK software developers could answer this... but they need to generate revenue as well...

Brandon  
 
  

jamie
Site Admin
 

Re: Thumbs.db breakdown

Post Posted: Sep 10, 04 19:18

No problem, I've tidied the thread up a little :)

Thanks for sharing your findings, very interesting indeed. If you discover anything further I'd be very interested to learn more.

Cheers,

Jamie
 
  

FieserKiller
Newbie
 

Re: Thumbs.db breakdown

Post Posted: Sep 20, 05 01:31

Hi guys,
this is a pretty old thread I'm pushing up ;)

I've been working on decoding that Thumbs.db file for some days now, searching the internet for information, but I can't find anything.

So I did it myself and I'm halfway to success.

I've written Java code which can extract and show all thumbnails from a Windows XP-created thumbs.db. I use the POI libraries from Apache to access the filesystem in that OLE2 database, then I cut down the bytestreams to create standard jpg JFIF data.
But I'm not able to associate the right filenames with the thumbnails.
Can anyone help?  
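Two points raised in this thread can be checked on a stream that has already been pulled out of the OLE2 container: where the JPEG data starts inside the stream, and whether quantization (DQT) and Huffman (DHT) tables are present. The Python below is an added example, not code from any poster or from FTK/EnCase; the function names and the 12-byte filler header in the constructed sample are assumptions, and reading the OLE2 container itself is out of scope.

```python
import struct

DQT, DHT, SOS = 0xDB, 0xC4, 0xDA  # JPEG marker codes (second byte after 0xFF)

def carve_jpeg(stream: bytes):
    """Return (offset, jpeg_bytes) for the JPEG inside an extracted stream, or None."""
    start = stream.find(b"\xff\xd8\xff")      # SOI followed by the next marker
    end = stream.rfind(b"\xff\xd9")           # last EOI in the stream
    if start < 0 or end < start:
        return None
    return start, stream[start:end + 2]

def table_report(jpeg: bytes) -> dict:
    """Walk the marker segments up to SOS and count DQT and DHT segments."""
    found = {"DQT": 0, "DHT": 0, "SOS": False}
    pos = 2                                   # skip SOI
    while pos + 4 <= len(jpeg):
        if jpeg[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = jpeg[pos + 1]
        if marker == 0xFF:                    # fill byte before a marker
            pos += 1
            continue
        (length,) = struct.unpack(">H", jpeg[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(jpeg):
            raise ValueError(f"bad segment length at offset {pos}")
        if marker == SOS:                     # entropy-coded data follows; stop here
            found["SOS"] = True
            break
        if marker == DQT:
            found["DQT"] += 1
        elif marker == DHT:
            found["DHT"] += 1
        pos += 2 + length
    return found

def seg(marker: int, payload: bytes) -> bytes:
    """Build one length-prefixed marker segment (used only for the constructed sample)."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

def sample_stream(with_tables: bool) -> bytes:
    """Constructed input: 12 filler bytes standing in for a stream header, then a JPEG skeleton."""
    body = b"\xff\xd8" + seg(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    if with_tables:
        body += seg(DQT, bytes(65)) + seg(DHT, bytes(17))
    body += seg(0xC0, bytes(15)) + seg(SOS, bytes(10)) + b"\x12\x34\xff\xd9"
    return bytes(12) + body

if __name__ == "__main__":
    for flag in (True, False):
        offset, jpeg = carve_jpeg(sample_stream(flag))
        print(offset, len(jpeg), table_report(jpeg))
```

A report with zero DQT or DHT segments means a standard decoder has to be given tables from elsewhere before it can render the carved data.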
 
  

patchdep
Newbie
 

Re: Thumbs.db breakdown

Post Posted: Sep 20, 05 23:58

You can use FTK or EnCase to view the thumbs.db  
 
