06.22.07
Importance of “thumbs.db” in digital forensic world
by Kush Wadhwa, NII Consulting
Are you working as a cyber crime investigator and looking for something that can prove in a court of law that there was pornographic content on the suspect’s machine? Let me help you out. There is a file named “thumbs.db” which Windows XP generates automatically whenever a user views a folder or image in thumbs view or in filmstrip view. Automatic generation of this file is ON by default. Thumbs.db contains a copy of each of the tiny preview images generated for the image files in that folder, so that they load quickly the next time you browse that folder. Opening this file directly in an image viewer is of no use. To extract the useful content, a forensic investigator has to understand the header of the thumbnail images stored in thumbs.db. Let me explain step by step how to extract useful content from a thumbs.db file.
Open any folder which has got some jpeg files and make that folder view in thumbs view as shown in
As soon as the folder is put in thumbs view, a “thumbs.db” file is created. Even if all the JPEG files are deleted, as long as the thumbs.db file corresponding to them is still present you can still see the images, though they will be very small. Now open the thumbs.db file that was created in WinHex. Once the file is open in WinHex, search for and select a particular header. The header is “ÿØÿà JFIF” and its hex value is “FFD8FFE000104A464946”. This is shown in as an example.
Copy everything from the start of the header to the end of the file into Notepad and save it with the extension JPEG. You can now view the extracted content with any image viewer. If there are a large number of headers in the thumbs.db file, you can use a professional tool like “Windows File Analyzer” to see its contents. Even if the picture files are deleted, the information remains stored in the thumbs.db file, which can be very helpful.
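The manual search-and-copy steps above can be scripted. The following is an added example, not part of the original article or any NII tool: it finds every occurrence of the header quoted above and, going beyond the copy-to-end-of-file step, walks the JPEG segments to find where each thumbnail ends. It assumes each thumbnail's bytes lie contiguously in the file; the function names and output file naming are hypothetical.

```python
import sys
from pathlib import Path

JFIF_HEADER = bytes.fromhex("FFD8FFE000104A464946")  # header quoted in the article

def jpeg_end(data: bytes, start: int):
    """Walk JPEG segments from the SOI at start; return the offset just past
    the EOI marker, or None if the stream is truncated or not contiguous."""
    i, n = start + 2, len(data)
    while i + 2 <= n:
        if data[i] != 0xFF:
            return None                       # expected a marker here
        marker = data[i + 1]
        if marker == 0xD9:                    # EOI: end of image
            return i + 2
        if i + 4 > n:
            return None                       # segment length field cut off
        i += 2 + int.from_bytes(data[i + 2:i + 4], "big")   # skip the segment
        if marker == 0xDA:                    # SOS: entropy-coded data follows
            # Inside scan data, FF00 is a stuffed byte and FFD0-FFD7 are
            # restart markers; any other FFxx ends the scan.
            while i + 2 <= n and (data[i] != 0xFF or data[i + 1] == 0x00
                                  or 0xD0 <= data[i + 1] <= 0xD7):
                i += 1
    return None

def carve_jfif(data: bytes):
    """Return (offset, jpeg_bytes, complete) for each JFIF header in data."""
    found, pos = [], data.find(JFIF_HEADER)
    while pos != -1:
        end = jpeg_end(data, pos)
        nxt = data.find(JFIF_HEADER, end or pos + len(JFIF_HEADER))
        # No clean EOI: fall back to the manual method (copy up to the next
        # header or end of file) and flag the result as incomplete.
        stop = end or (nxt if nxt != -1 else len(data))
        found.append((pos, data[pos:stop], end is not None))
        pos = nxt
    return found

if __name__ == "__main__" and len(sys.argv) == 3:
    src, out_dir = Path(sys.argv[1]), Path(sys.argv[2])
    out_dir.mkdir(parents=True, exist_ok=True)
    for offset, blob, complete in carve_jfif(src.read_bytes()):
        name = f"thumb_{offset:08x}{'' if complete else '_partial'}.jpg"
        (out_dir / name).write_bytes(blob)    # named by offset in the source file
        print(name, len(blob), "bytes")
```

Run it against a working copy of the thumbs.db file; each output name carries the byte offset of the header, so a carved image can be traced back to its position in the original file.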
Hope this information is enough. Happy experimenting.
spy1 Said:
June 22, 2007 at 5:08 pm
For some reason, this article only displays correctly in FireFox - parts of sentences seem to be cut off in Internet Explorer.
Great article - thanks! Pete
RajDeep Singh Said:
July 11, 2007 at 7:31 am
Article is very informative….
aktar shaikh Said:
July 24, 2007 at 7:51 am
hi,
I have gone through the article. I am not a technical person, but it is a very nice and very helpful article. Here you can track everything which happens on your PC even if you are not there.
Great, Keep it up.
aktar.
Shashank Joshi Said:
August 7, 2007 at 6:13 am
Hi..
That’s very nice information.
But Sir, I also have a Windows XP O.S. But whenever I show the JPEG images in Thumbnails format, no other file is displayed, i.e. the “Thumbs” file which is discussed in the article. So if you have any suggestion then please help me…
Antivirustaneja Said:
August 8, 2007 at 2:46 pm
Also Check here……..
http://www.hackerfactor.com/forensics.html
“JpegQuality. A JPEG image analysis tool that displays the quantization tables and estimates the JPEG quality. This source code was released publicly at the Black Hat Briefings USA 2007 conference. ”
Using Above
“Researcher’s Analysis of al Qaeda Images Reveals Surprises” at
http://blog.wired.com/27bstroke6/2007/08/researchers-ana.html
Kush Said:
August 9, 2007 at 9:41 am
Thanks Shashank for your valuable feedback. Shashank, whenever you view the file in thumbnail view in Windows XP, a thumb.db file is created. This file is a system hidden file and is not viewable. To view the file, click on Tools -> Folder Options -> View -> Hidden files and folders -> Show hidden files and folders. Click on Apply. Now you can easily view the file and analyze it.
LG Said:
September 1, 2007 at 2:31 pm
Great article. I work for the DoD and always welcome “other” methods of discovering “naughty” pics on government computers.