During investigations into the possession of indecent images of children, police will seize any digital devices owned by the suspect and pass them, under controlled conditions, to a Digital Forensic Analyst for investigation. It is the analyst’s role to extract evidence of any videos or images, and other documents, even where they have been deleted.
For computers running Microsoft Windows, a common method for recovering evidence of deleted images is to analyse the thumbnails that are created for each image when the folder they are stored in is viewed. The thumbnails are created to reduce the time it takes to preview a folder, but because a thumbnail often remains present even after the image itself has been deleted, these entries can be used to confirm possession of indecent images, even if no other evidence of the image exists.
In Windows XP, the thumbs.db file is automatically generated whenever a user views a folder in Explorer using ‘thumbs’ or ‘filmstrip’ mode. File types that receive an entry in thumbs.db include image files (JPEGs, BMPs, GIFs and PNGs), document files (TIFFs and PDFs), video files (AVIs and MOVs), presentation files (PPTs) and some web pages (HTM and HTML).
As well as image thumbnails, the thumbs.db file will also include information such as the original file name and the date each thumbnail was last written. While it is possible for a computer user to delete the thumbs.db file to remove this record, this is often overlooked because it appears as a ‘hidden file’, meaning that Explorer’s settings need to be manually altered in order for it to become visible for deletion. However, even when visible, it is not possible to view the contents of a thumbs.db file without specialist software.
With Windows Vista came a new approach to the creation of thumbnails, which has now been carried through to Windows 7. Instead of creating a thumbs.db file in every folder, Vista creates a single set of ‘thumbcache’ files, stored in a central directory.
For Computer Forensic Analysts, this system has pros and cons. The central location means that even if a user running Vista deletes an entire folder containing indecent images, evidence may still exist in the central cache. In addition, thumbnails may even be recovered centrally for images stored on removable media (such as a CD or USB drive). However, the central location also means that users need only delete a single set of files to remove all thumbnails from the computer.
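As an added illustration (not part of the original article), the sketch below walks a read-only mounted image, lists both per-folder thumbs.db files and central thumbcache files, and checks each file header so that a file which only carries the right name is flagged. The header signatures (OLE compound file for thumbs.db, `CMMM` and `IMMM` for thumbcache files) are well-known values not stated in the article, and the directory tree is constructed sample data.

```python
import os
import re

# File signatures (well-known values, not stated in the article).
OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE compound file: thumbs.db
CACHE_MAGIC = b"CMMM"                           # thumbcache_<size>.db
INDEX_MAGIC = b"IMMM"                           # thumbcache_idx.db
CACHE_NAME = re.compile(r"^thumbcache_\w+\.db$")

def classify(path):
    """Return (kind, signature_ok), or None if the name is not a thumbnail store."""
    name = os.path.basename(path).lower()
    if name == "thumbs.db":
        kind, magic = "per-folder", OLE_MAGIC
    elif name == "thumbcache_idx.db":
        kind, magic = "central-index", INDEX_MAGIC
    elif CACHE_NAME.match(name):
        kind, magic = "central-cache", CACHE_MAGIC
    else:
        return None
    with open(path, "rb") as fh:  # opened read-only: evidence is never modified
        return kind, fh.read(len(magic)) == magic

def find_thumbnail_stores(root):
    """Walk a mounted image and list each thumbnail store with its header check."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            try:
                result = classify(full)
            except OSError:
                continue  # unreadable file: skip it and keep walking
            if result:
                hits.append((os.path.relpath(full, root), result[0], result[1]))
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample data standing in for a mounted image (not real evidence)."""
    explorer = os.path.join("Users", "u", "AppData", "Local", "Microsoft", "Windows", "Explorer")
    samples = {
        os.path.join("Pictures", "Thumbs.db"): OLE_MAGIC + b"\x00" * 8,
        os.path.join(explorer, "thumbcache_256.db"): CACHE_MAGIC + b"\x00" * 8,
        os.path.join(explorer, "thumbcache_idx.db"): INDEX_MAGIC + b"\x00" * 8,
        os.path.join("Desktop", "thumbs.db"): b"not a cache",  # right name, wrong header
        os.path.join("Desktop", "notes.txt"): b"ignored",
    }
    for rel, data in samples.items():
        os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
```

A file reported with a failed header check still deserves examination, since a mismatched header can mean the store was overwritten or replaced rather than simply deleted.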
Most significantly, while thumbnails offer a useful evidence recovery method, all three of the most recent Windows operating systems come with the option to disable the creation of thumbnails should the user wish, so it is never the sole avenue of enquiry for a Digital Forensic Analyst. Thorough investigations employ an extensive forensic tool kit to recover registry records, piece together fragments of deleted files, and track user movements online, meaning that in reality, if there were ever images on a suspect’s drive, computer forensics will usually be able to prove it.