Thumbnail Caches - nurit-cyber/OperatingSystemForensics GitHub Wiki
When a user changes the icon for a directory or file, Windows creates a hidden thumbs.db file. These files are not deleted, and even when they are deleted they can be carved out. They contain the file name and the last modification date of the source file.
XP - Thumbs.db
2008 / Vista / 7 / 8 / 10
These will exist not in a single directory, but in a general location:
\Users\[Username]\AppData\Local\Microsoft\Windows\Explorer\
This location holds the image caches (thumbcache_*.db), the icon caches (Windows 8+: iconcache_*.db), and the tile caches (Windows 8+: thumbcache_*.db, iconcache_*.db and TileCache*.dat).
Vista / 7
Thumbs.db is not created in folders except in network folders.
The thumbcache_* files have little forensic relevance, because Windows removes the thumbnails of images that are deleted.
- The original file name or path is not available (you can see that a file existed, but cannot find where it was located)
- Windows.edb hashes the files
- Only a computed hash is available; it can be matched against the hash stored in the Windows search database to find the corresponding
8+
XP
Thumbs.db exists, but it can be deleted and disabled. Tools for performance or privacy can delete the files with ease.
The format is the same OLE compound file (header bytes D0 CF 11 E0) as the Thumbs.db that Windows 7 dropped, and it can be carved; what is recovered is most likely the thumbnail icon, not the original image.
- JPG images embedded as streams named 256_xxxxxxxxxx
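As an added example (not from this wiki), a minimal signature carver in Python that locates OLE compound-file headers (D0 CF 11 E0 ...) in a raw byte buffer and pulls out the JPEG thumbnails that follow each header. The sample buffer is constructed inline; the carver is signature-based only and does not parse the OLE directory, so it does not recover the 256_xxxxxxxxxx stream names.

```python
import re
from typing import List, Optional

# Signatures the page discusses: OLE compound-file header (Thumbs.db) and the
# JPEG start-of-image / end-of-image markers of the embedded thumbnails.
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"


def find_ole_headers(data: bytes) -> List[int]:
    """Return every offset at which an OLE compound-file header begins."""
    return [m.start() for m in re.finditer(re.escape(OLE_MAGIC), data)]


def carve_jpegs(data: bytes, start: int = 0, end: Optional[int] = None) -> List[bytes]:
    """Carve SOI..EOI blobs from data[start:end]; a truncated image (no EOI) is skipped.
    Signature carving is naive: an embedded EXIF preview would be cut at its own EOI."""
    end = len(data) if end is None else end
    out, pos = [], start
    while True:
        soi = data.find(JPEG_SOI, pos, end)
        if soi < 0:
            break
        eoi = data.find(JPEG_EOI, soi + len(JPEG_SOI), end)
        if eoi < 0:
            break  # region ends before the image does
        out.append(data[soi:eoi + len(JPEG_EOI)])
        pos = eoi + len(JPEG_EOI)
    return out


def carve_thumbs_db(data: bytes) -> List[dict]:
    """For each OLE header, carve the JPEGs between it and the next header (or end of data)."""
    headers = find_ole_headers(data)
    results = []
    for i, off in enumerate(headers):
        stop = headers[i + 1] if i + 1 < len(headers) else len(data)
        results.append({"ole_offset": off, "thumbnails": carve_jpegs(data, off, stop)})
    return results


def make_sample() -> bytes:
    """Constructed disk fragment: slack, one OLE header, 512-byte header block, two JPEGs."""
    jpeg1 = JPEG_SOI + b"\xe0" + b"A" * 20 + JPEG_EOI
    jpeg2 = JPEG_SOI + b"\xe1" + b"B" * 8 + JPEG_EOI
    return b"\x00" * 16 + OLE_MAGIC + b"\x00" * 504 + jpeg1 + b"\x00" * 7 + jpeg2 + b"\x00" * 32


if __name__ == "__main__":
    for rec in carve_thumbs_db(make_sample()):
        print(f"OLE header at offset {rec['ole_offset']}: {len(rec['thumbnails'])} thumbnail(s)")
```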
Only the images that were actually shown on screen are cached, so the cache can test a user's claim that a folder appeared on their screen and they closed it immediately (in that case only a few images would have been cached).
Fixing the Windows.edb Search Database
The database is always in use, so it cannot simply be copied (a forced copy may be corrupt and/or incomplete). esentutl.exe repairs the copy:
esentutl.exe /p Windows.edb
To run the command, load the active drive into RawData or FTK Imager and copy the .edb file onto the active drive. Run the command from a CMD prompt with admin privileges; the thumbcache files can then be reviewed again, and then press CTRL + M.
Select the fixed .edb file, and certain thumbcaches should reveal the source path.