HomeComputer ForensicsImage Thumbnails In Vista And The Implications For Computer Forensic Investigations

Image Thumbnails In Vista And The Implications For Computer Forensic Investigations

6 March 2009

When a person is suspected of possessing indecent images of children, investigators typically commission the services of a computer forensic analyst. Such an expert is then able to analyse the suspect’s computer in order to recover evidence of wrongdoing. For computers running Windows XP, a common line of enquiry is to search for ‘thumbs.db’ files: hidden index files present in any directory containing images which have been viewed in ‘thumbs mode’.

The purpose of the thumbs.db file is to speed up the time it takes to display a folder in thumbs mode, providing an instant 96 x 96 pixel preview of image files such as JPEGs, BMPs, GIFs and PNGs, document image files such as TIFFs and PDFs, video files such as AVIs and MOVs, presentation files such as PPTs and some HTML web pages. Thumbs.db files are useful to computer forensic analysts as they retain thumbnails of images even after the main image is deleted, thus providing proof that the image was once present.

However, thumbnails are stored differently within the Windows Vista operating system. Instead of a thumbnail file being created in every directory, all thumbnails are now stored in a set of ‘thumbcache’ files within a central directory: “AppDataLocalMicrosoftWindowsExplorer”. One advantage of this system to computer forensic experts is that even if the entire directory containing an indecent image is deleted, the thumbnail may still be present in the central directory, albeit in a form that needs to be decoded using specialist software. However, this can also be a negative in that a user now has only to delete the thumbnail files in a single directory in order to remove all traces of otherwise deleted images throughout the hard drive.

Vista thumbnails are now stored in a variety of sizes from 32 x 32 pixels up to 1024 x 1024 pixels, which are created according to the size at which the user views the thumbnail. This can present an advantage to computer forensic analysts in that it allows them to view more detail of the image than is available in Windows XP’s 96 x 96 pixel thumbnails. Of course, it is also possible that the thumbnail images could have been viewed only at 32 x 32 pixels, which would make things harder for the analyst attempting to ascertain if the image was of an illegal nature.

The new thumbnail system in Vista is also of significant benefit to analysts in cases where removable storage media has been attached to the computer, but is no longer present. For example, in Windows XP, if a USB hard drive was attached to a computer, and a set of images in a directory viewed in ‘thumbs’ mode, the thumbnails would be created and stored on the device, but in Vista, the thumbnails would be stored in the computer’s ‘Explorer’ directory. This means that computer forensic analysts are now able to locate evidence of images that were viewed on, but never transferred from the removable media to the main computer.

Of course, for the determined criminal, there are always new and increasingly complex ways to avoid detection, but at the time of writing, the location and analysis of thumbs.db and thumbcache files continues to represent an extremely effective method for the recovery of evidence relating to the possession of indecent images.

Categories

Talk to our consultation team today

Contact Us

I can honestly say that your excellent customer service and communication has made our forensic instructions to you exceptionally easy. I am very conscious of the amount of time I must have taken up with various queries, requests, and then changed requests but you have always been very patient, polite and extremely helpful.

Case Review Manager - Criminal Cases Review Commission