
Investigating Thumbs.db

26/05/2021 Wednesday

Thumbs.db files are hidden Windows system files that Windows creates inside each folder on the system. They cache the thumbnail images that represent the files in that folder when Windows Explorer is set to the Thumbnails or Filmstrip view. Caching makes displaying the thumbnails faster, because they do not have to be regenerated every time a user opens the folder that contains them.

The feature is mainly used in older Windows versions, before Windows Vista. In newer versions, a centralized caching feature called Thumbcache is used alongside Thumbs.db. A Thumbs.db file can be deleted safely, but it will be regenerated as long as the thumbnail view is still enabled, unless the user disables the feature. Thumbs.db indexes some HTML web pages as well as image, video, document, and presentation files.


Digital Forensics Value of Thumbs.db Artifacts


Thumbnails cached in Thumbs.db files, together with their corresponding file metadata, remain even after the original files have been deleted. Many users never delete the Thumbs.db file, either because it is hidden or because they are not aware of its purpose on the system. The artifacts extracted from this file allow investigators to prove that a file was at some point stored on the system, even after it has been deleted. The artifact has been shown to carry weight in court, specifically in cases where the presence of illicit images needed to be revealed.


Location of Thumbs.db Artifacts


A Thumbs.db file is stored inside the folder whose thumbnail images it has cached, so each folder that has been viewed in thumbnail mode can carry its own copy.


Structure of Thumbs.db Artifacts


Thumbs.db data is stored in the OLE compound file format (also called the Compound File Binary format). OLE is a binary container format developed by Microsoft that works like a small file system of its own: a header, a sector allocation table, and a directory of named storages and streams that hold the actual data.
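As an added illustration of that container structure (example code written for this post, not part of ArtiFast or the original article), the pure-Python function below checks the compound-file signature, follows the directory sector chain through the FAT and lists every named stream with its type and size; in a Thumbs.db each cached thumbnail sits in its own stream, and older versions also carry a "Catalog" stream naming the source files. The file it parses is constructed by the second function and carries no real thumbnail data, only the header, FAT and directory sectors, so the stream names and sizes are invented.

```python
import struct

CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
ENDOFCHAIN, FATSECT, FREESECT, NOSTREAM = 0xFFFFFFFE, 0xFFFFFFFD, 0xFFFFFFFF, 0xFFFFFFFF
ENTRY_TYPES = {1: "storage", 2: "stream", 5: "root"}

def list_cfb_entries(data: bytes) -> list:
    """Return (name, type, size) for every in-use directory entry of an OLE compound
    file, scanning slots linearly so entries unlinked from the sibling tree still show."""
    if data[:8] != CFB_MAGIC:
        raise ValueError("not an OLE compound file")
    sector_shift, = struct.unpack_from("<H", data, 0x1E)
    first_dir, = struct.unpack_from("<I", data, 0x30)
    first_fat, = struct.unpack_from("<I", data, 0x4C)          # DIFAT[0]
    size = 1 << sector_shift
    sector = lambda n: data[(n + 1) * size:(n + 2) * size]      # sector 0 starts after the 512-byte header
    fat = struct.unpack(f"<{size // 4}I", sector(first_fat))
    entries, sec, seen = [], first_dir, set()
    while sec < len(fat) and sec not in seen:                   # ENDOFCHAIN (0xFFFFFFFE) or a FAT loop ends the walk
        seen.add(sec)
        block = sector(sec)
        for off in range(0, size, 128):
            name_len, kind = struct.unpack_from("<HB", block, off + 0x40)
            if kind not in ENTRY_TYPES:
                continue                                        # unused slot
            name = block[off:off + name_len].decode("utf-16-le").rstrip("\x00")
            stream_size, = struct.unpack_from("<I", block, off + 0x78)   # v3 files: low 32 bits only
            entries.append((name, ENTRY_TYPES[kind], stream_size))
        sec = fat[sec]
    return entries

def build_sample_thumbs_db() -> bytes:
    """Constructed sample, not a real Thumbs.db: header, one FAT sector, one directory
    sector (root, 'Catalog', thumbnail stream '1'); thumbnail payload sectors are omitted."""
    hdr = bytearray(CFB_MAGIC + bytes(504))
    struct.pack_into("<HHHHH", hdr, 0x18, 0x3E, 3, 0xFFFE, 9, 6)             # v3, little-endian, 512-byte sectors
    struct.pack_into("<8I", hdr, 0x2C, 1, 1, 0, 4096, ENDOFCHAIN, 0, ENDOFCHAIN, 0)  # 1 FAT sector, dir at sector 1
    struct.pack_into("<109I", hdr, 0x4C, 0, *[FREESECT] * 108)               # DIFAT: the FAT lives in sector 0
    fat = struct.pack("<128I", FATSECT, ENDOFCHAIN, *[FREESECT] * 126)       # sector 1 (directory) is a 1-sector chain
    def entry(name, kind, size, right=NOSTREAM, child=NOSTREAM):
        raw = name.encode("utf-16-le") + b"\x00\x00"
        e = bytearray(raw + bytes(128 - len(raw)))
        struct.pack_into("<HBBIII", e, 0x40, len(raw), kind, 1, NOSTREAM, right, child)
        struct.pack_into("<IQ", e, 0x74, ENDOFCHAIN, size)
        return bytes(e)

    directory = (entry("Root Entry", 5, 0, child=1) + entry("Catalog", 2, 48, right=2)
                 + entry("1", 2, 3200) + bytes(128))                        # last slot unused
    return bytes(hdr) + fat + directory
```

On a real Thumbs.db the same listing shows one stream per cached thumbnail, which is what makes the file useful even after the source images are gone.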


Analyzing Thumbs.db Artifacts with ArtiFast Windows


This section discusses how to use ArtiFast Windows to analyze Thumbs.db artifacts from Windows machines and what kind of digital forensics insights can be gained from them.

After you have created your case and added the evidence for investigation, at the Artifacts Parser Selection phase you can select the Thumbs.db artifact:

Once the ArtiFast parser plugins have finished processing the artifacts, the results can be reviewed in the "Artifact View" or "Timeline View", with indexing, filtering, and searching capabilities. Below is a detailed description of the Thumbs.db artifact as presented in ArtiFast.


Thumbs.db Artifact

The artifact contains information on the cached thumbnails. The details you can view include: