lowmanio.co.uk title image

Thumbs.db

Fri, 30 Oct 2009 11:45AM

Category: Digital Forensics & Malware

Written by Sarah | No comments

Most Windows XP users aren't aware of the Thumbs.db file that sits in every folder that contains at least one image, because it is a hidden file that by default is not shown. By going to any folder in explorer and going to Tools > Folder Options > View and choosing 'show hidden files and folders' suddenly Thumbs.db files appear everywhere.

There main use of the file is to store little thumbnails of the images in that folder so when the view of the folder is changed to 'thumbnails' a mini version of the images appear. However Thumbs.db is incredibly useful to forensic examiners because the it does not delete thumbnails of images that have been deleted, thus creating a record of every image that has ever been in that folder.

In 2008 this was used against a Norwegian man called Martin Stenstadvolden who had deleted child pornography images on his computer. However, he had not deleted the Thumbs.db files, and lo and behold there were lots of thumbnails of illicit images. He was charged and pleaded guilty from this evidence.

In Windows Vista, Thumbs.db files are no longer stored in the same folder as the files, but instead in a centralized folder which can be found at:

C:\Users\[Name]\AppData\Local\Microsoft\Windows\Explorer

However for some bizarre reason Windows 7 has gone back to the old way of putting Thumbs.db files with the images. It does make it easier to investigate though! There aren't many free Thumbs.db viewers available, but the most commonly used is Vinetto.

Tagged with: thumbs.db, cases

Comments

No comments.

Add a comment

captcha