1. Windows 7
Thumbnail Cache
Troy Larson
Principal Forensics Program Manager
TWC Network Security Investigations
NSINV-R3– Research|Readiness|Response

2. Windows 7 Thumbnail Cache
Thumbnail cache:
• Supplies the
thumbnails
shown in
Explorer, etc.
• File based:
– Thumbcache_*
• Local
– Thumbs.db
• Remote

3. Windows 7 Thumbnail Cache
• Created automatically when folders opened in Explorer in Icon
view.
• Thumbnail cache files retain thumbnail images long after the
source file has been deleted.
• Thumbs.db indicates a folder that has been shared.
Content of Folder
Content of Thumbcache_256.db

4. Windows 7 Thumbnail Cache
• Thumbnail cache files are likely to be worth investigating when:
– There is a concern about illicit images.
– There is a concern that graphic files have been deleted.
• Comprehensive review of Thumbnail cache files can be efficiently
performed.
– Number of tools scan and present the contents of thumbcache and
thumbs.db files, but some tools only work on certain versions of
Windows.

5. Windows 7 Thumbnail Cache
What is a thumbnail?
• It is an image that is used to represent an item.
– Picture or graphical items.
– But also, other files with images.
• Distinguished from a mere icon:
– Thumbnails are per item, rather than type, and
– Dynamically generated, based on item content.
– Stored separate from icon caches.

6. Windows 7 Thumbnail Cache
Per account, local based, thumbnail caches are found at
C:Users[Profile]AppDataLocalMicrosoftWindowsExplorer.

7. Windows 7 Thumbnail Cache
The local, account specific, thumbnail cache consists of an
index and 4 data files.
• Thumbcache_.idx—Index of which data files cache
each image.
• Image cache files:
– Based on thumbnail size.
• thumbcache_32.db, bitmap based, 32x32.
• thumbcache_96.db, bitmap based, 96x96.
• thumbcache_256.db, JPEG based, 256x256.
• thumbcache_1024.db, JPEG based, special instances.
– New thumbnails usually appended to a thumbcache file.

8. Windows 7 Thumbnail Cache
C:UserstroylaPictures
atomic-explosion.jpg
Chrysanthemum.jpg
Desert.jpg
ThumbnailCacheIds
• 0x81A9D28BFA8E4E59
• 0xEE0CAA5E28390724
• 0xDF17189B15C5C9CD
thumbcache_idx.db
thumbcache_32.db thumbcache_96.db thumbcache_256.db thumbcache_1024.db
ThumbnailcacheID
used to lookup
thumbnail address in
the Thumbcache_idx
Thumbcache_idx
provides offsets to
thumbcache_*.db
Thumbcache_*.db
provides thumbnails
to Explorer.
1
2
3

9. Windows 7 Thumbnail Cache
Thumbcache information does not point to any file.
• File information—ThumbnailcacheID—is used to find
thumbnail from the original file.
• No file name or path information in the thumbcache* files.
thumbcache_32.db thumbcache_96.db thumbcache_256.db thumbcache_1024.db
C:UserstroylaPictures
atomic-explosion.jpg
Chrysanthemum.jpg
Desert.jpg

10. Windows 7 Thumbnail Cache
Most Windows 7
thumbnail cache
viewers display the
thumbnail and the
ThumbnailcacheID.
0xEE0CAA5E28390724
http://www.thumbnailexpert.com/

11. Windows 7 Thumbnail Cache
Linking a thumbcache file thumbnail to its source:
• The Windows Search index maintains both path
and ThumbnailcacheID, and can be used to link
thumbnail to source.
0xEE0CAA5E28390724

12. Windows 7 Thumbnail Cache
• File header.
• Record header.
• ThumbnailcacheID.
• Image fileheader.
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
00000000 43 4D 4D 4D 15 00 00 00 01 00 00 00 18 00 00 00 CMMM
00000010 E0 E6 1C 00 3A 00 00 00 43 4D 4D 4D 88 6C 00 00 àæ : CMMMˆl
00000020 24 07 39 28 5E AA 0C EE 20 00 00 00 02 00 00 00 $ 9(^ª î
00000030 36 6C 00 00 00 00 00 00 47 07 D9 39 67 BF AF D5 6l G Ù9g¿¯Õ
00000040 EE B6 79 3E E2 C4 B8 56 65 00 65 00 30 00 63 00 î¶y>âĸV e e 0 c
00000050 61 00 61 00 35 00 65 00 32 00 38 00 33 00 39 00 a a 5 e 2 8 3 9
00000060 30 00 37 00 32 00 34 00 00 00 42 4D 36 6C 00 00 0 7 2 4 BM6l
00000070 00 00 00 00 36 00 00 00 28 00 00 00 60 00 00 00 6 ( `
00000080 48 00 00 00 01 00 20 00 00 00 00 00 00 00 00 00 H
00000090 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
000000A0 0A 10 C3 FF 14 40 E3 FF 1C 6B FA FF 1B 78 FC FF Ãÿ @ãÿ kúÿ xüÿ
000000B0 18 7A FE FF 05 63 F9 FF 05 47 EE FF 02 3A E5 FF zþÿ cùÿ Gîÿ :åÿ

13. Windows 7 Thumbnail Cache
Offset 0 1 2 3 4 5 6 7 8 9 A B C D E F
00004460 32 31 E0 63 15 05 8C 6C D2 96 8B 70 21 B2 08 ED 21àc ŒlÒ–‹p!² í
00004470 58 57 84 6B C6 F7 B1 B5 2A 72 A6 94 13 D0 FF D9 XW„kÆ÷±µ*r¦” ÐÿÙ
00004480 43 4D 4D 4D D3 2E 00 00 CD C9 C5 15 9B 18 17 DF CMMMÓ. ÍÉÅ › ß
00004490 20 00 00 00 00 00 00 00 83 2E 00 00 00 00 00 00 ƒ.
000044A0 47 A2 78 FB FC F1 96 88 11 0B DF E7 10 20 64 B8 G¢xûüñ–ˆ ßç d¸
000044B0 64 00 66 00 31 00 37 00 31 00 38 00 39 00 62 00 d f 1 7 1 8 9 b
000044C0 31 00 35 00 63 00 35 00 63 00 39 00 63 00 64 00 1 5 c 5 c 9 c d
000044D0 FF D8 FF E0 00 10 4A 46 49 46 00 01 01 01 00 00 ÿØÿà JFIF
000044E0 00 00 00 00 FF DB 00 43 00 05 03 04 04 04 03 05 ÿÛ C
000044F0 04 04 04 05 05 05 06 07 0C 08 07 07 07 07 0F 0B
00004500 0B 09 0C 11 0F 12 12 11 0F 11 11 13 16 1C 17 13
00004510 14 1A 15 11 11 18 21 18 1A 1D 1D 1F 1F 1F 13 17 !
00004520 22 24 22 1E 24 1C 1E 1F 1E FF DB 00 43 01 05 05 "$" $ ÿÛ C
00004530 05 07 06 07 0E 08 08 0E 1E 14 11 14 1E 1E 1E 1E
• Record header.
• ThumbnailcacheID.
• Image fileheader.

14. Windows 7 Thumbnail Cache
Thumbcache_32.db

15. Windows 7 Thumbnail Cache
Thumbcache_96.db

16. Windows 7 Thumbnail Cache
Thumbcache_256.db

17. Windows 7 Thumbnail Cache
Thumbcache_1024.db

18. Windows 7 Thumbnail Cache
Buffy-1C$UserstroylaPictures
Opening a shared folder using an icon view creates a thumbs.db file
in the shared folder.
Thumbs.db is independent of the user thumbnail caches on host
and client.
Existence of a thumbs.db file indicates a folder was remotely
accessed.

19. Windows 7 Thumbnail Cache
Note: Different UIDs

20. Windows 7 Thumbnail Cache
Internals: The venerable structured storage file format.

21. Windows 7 Thumbnail Cache
Internals: The venerable structured storage file format.

22. Questions?