Win Vista/7/8/10 Thumbnails Analyzer
Thumbs2LaTeX
Introduction
In previous versions of the Microsoft Windows operating system (up to Windows XP), Thumbnails of viewed pictures were stored within an file calles “thumbs.db” for each directory. The thumbnails stored along with the file name of the original image in those databases remained even after the deletion of the original image, making them interesting subject in digital forensic investigations.
Beginning with Windows Vista, and also in Windows 7 and 8, those files have been replaced, by a central database for each system user. Those are typically stored in the location
\Users\%username%\AppData\Local\Microsoft\Windows\Explorer\
This folder usually contains the following files:
-
thumbcache_idx.db
-
thumbcache_32.db, thumbcache_96.db, thumbcache_256.db, thumbcache_1024.db
-
thumbcache_sr.db
From those files, thumbnails can be extracted using available tools. However, those databases do not provide the file name and path of the original image any more. Instead, thumbnails are identified usind a magic ID. Thus, forensic examiners need a tool to obtain this missing information. As a solution to this, experts usually analyse the Windows Search Indexer Database, which also stores those IDs along with lots of more metadata.
Thumbs2LaTeX connects thumbail images from Windows Vista/7/8 thumbcache databases to information stored in the Windows Search Indexer database. It generates both, an xml and a latex file containing the metadata (if available). The latex file can then directly be included in a forensic report, for example. The XML-File can be displayed using a standard browser or can be used for further automated processing.
This Tool was implemented by Stefan Pfennig, Michael Weisser in the course of the lecture ‘Forensic Hacks’ at Friedrich-Alexander-University held by Dr.-Ing. Andreas Dewald.
Download
Usage
thumbs2latex [-i IMAGE -p OFFSET]
[-t THUMBCACE FILES -o FILEPATH -e WINDOWS ESE DB]
[-d PATH] [-m]
[-lc LOGLEVEL] [-lf LOGLEVEL] [-l LOGFILE]
[-h]
Optional arguments:
-h, –help show a help message and exit
Thumbcache input:
-t, –thumbcaches THUMBCACE FILE(S):
One or more thumcache files to read. The files must
be acessable from the script.
-o, –original-file FILEPATH(S):
The original path of the thumbcache files (path on
the original partition ). Must be the same number
as THUMBCACHE FILES: For each thumbcache file,
there must be a original path.
-e, –esedb WINDOWS ESE DB:
The ESE database file (from the same installation
as the thumbcaches). Can also be used to overwrite
the extracted ESE database when using a disk image
as source.
Image input:
-i, –image IMAGE:
A disk image containing Windows partitions. All
image formats supported by fls/icat are allowed
-p, –partition-offset OFFSET:
The offset to a partition in sectors. The ESE DB
and thumbcache files will be extracted from this
partition. All partition formats supported by
fls/icat are allowed.
Output options:
-d, –destination PATH:
Path where the output (thumb images and xml/latex)
will be written into.
-m, –metadata-only:
If set only entries of a thumbcache file with
existing metadata in ESE DB will be written to the
output. If not specified all non-zero entries of a
thumbcache file are written, resulting in huge
files.
Logging options:
-lc, –loglevel-console LOGLEVEL:
Level of output verbosity. 0 is no console output.
5 is debug console output. The log is still written
to the logfile with the verbosity defined by
–loglevel-file. Default is 4 (INFO).
-lf, –loglevel-file LOGLEVEL:
Level of logged data written to the logfile
specified by -l: 0 is off, 5 is debug. Default is 4
(INFO).
-l, –logfile LOGFILE:
File where is log is written to. If the file exists
the output is appended. Default is
thumbs2latex.log.
Description
There are two possibilities to provide the thumbcache database and the Windows ESE database:
From a partition using a disk image:
All thumbcache database files and the Windows ESE db are searched on
the given partition of the provided image and extracted into a
folder. From there they are used like they are given via the
commandline. The use of the extracted ESE database can be overwritten
with a custom one via the –esedb parameter
Example:
./thumbs2latex.py –image “../images/Win7 mit Thumbcaches.dd” –partition-offset 2048
Directly via the commandline:
One or multiple thumbcache databases and one ESE database can be
provided. Also the original path for each thumbcache databes must be
given to have a correct reference to the thumbcache database in the
output files. The Windows ESE database should obviously be from the
same Windows installation as the thumbcache database.
Example:
./thumbs2latex.py –thumbcaches ../Explorer/thumbcache_1024.db ../Explorer/thumbcache_256.db
–original-file Users/John/AppData/Windows/thumbcache_1024.db Users/John/AppData/Windows/thumbcache_256.db
-esedb ../ese/Windows.edb
Additionally an output folder can be specified with –destination PATH.
The thumb images, the xml and latex output and, if a disk image is used
as input, the extracted thumbcache databases and the windows ESE db is
stored there. All non-zero thumbnail images are extracted into a folder
for their thumbcache database and being read by the program. Images in
bitmap format are converted to the png format to be usable with latex.
The table ‘SystemIndex_0A.7’ of the Windows ESE DB is extracted to a
text file which is read by the program. Afterwards the text file is
removed. Then the id of every thumbnail image is searched in the that
table. When there is a hit the metadata is copied to the thumbcache
image object. The output is written as xml. Also the xml representation
is transformed to latex using a xslt transformation (xml2latex.xslt)
resulting in a latex file. Booth, the xml andlatex file contain a
reference to the thumbnail image and its metadata if available. With
the –metadata-only switch only thumbnails that were found in the ESE
DB are written to both output files.
To include the LaTeX file the following packages are needed:
\usepackage[utf8x]{inputenc}
\usepackage{longtable}