I was wondering if anyone could give an overview of the Thumbs.db files created by windows. I know that there are thumbnail images stored in the file. I have tried to extract them with a hex editor and recreate the files from the headers, but to no avail. I know that FTK and EnCase will do this, but I want to know how they do it. Any help is appreciated, even ideas.
Thanks much,
Brandon
Hi Brandon,
Is the information here any use?
Jamie
Thanks,
I did see that earlier today while I was Googling around. I was interested, but not enough to pay the $9.95/month fee to see the answer that I'm not sure is even there. EE does usually pop up when I need something answered though, so maybe it's time to take the plunge. Thanks again for a sound resource.
Brandon
Sorry about the three post there. I got a little caffeinated and itchy trigger set in. I found that the data for the thumbs.db flows in as a stream and looks like the same hex data headers as a JPEG but actually is a bit different. The thumbs.db file is missing two key components..(quantization tables, Huffman encoding tables). Some people have theories that the tables are predefined by Microsoft and the OS interprets the .db file extension utilizing those predefined tables. I'm sure EnCase and FTK software developers could answer this….but they need to generate revenue as well……..
Brandon
No problem, I've tidied the thread up a little 🙂
Thanks for sharing your findings, very interesting indeed. If you discover anything further I'd be very interested to learn more.
Cheers,
Jamie
Hi guys,
this is a pretty old thread im pushing up 😉
I'm working on decoding that Thumbs.db file for some days now, searching the internet for information but i can't find nothing.
So I did it myself and I'm on half way to success.
I've written java code which can extract and show all Thumbnails from a WindowsXP-created thumbs.db, I use the POI-Libraries from apache to access the filesystem in that OLE2-database, then i cut down the bytestreams to create standard jpg JFIF data.
But i'm not able to associate the right filenames to the Thumbnails.
Can anyone help?
You can use FTK or EnCase to view the thumbs.db
Hi there
Pop along to http//
Cheers
Nick
Hi,
I'm writing a script to decode Thumbs.db files.
It is still "pre alpha", but you may download it at
http//
HTH
rukin