Demystify “thumbs.db”
Are you working as a cyber crime investigator and looking for something which can prove in court of law that there was some pornographic content on the suspect’s machine? Let me help you out in this case.There is a file with a name “thumbs.db” which is automatically generated by Windows XP whenever user views the folder or image in thumbs view or in filmstrip view. Automatic generation of this file is ON by default. Thumbs.db contains a copy of each of the tiny preview images generated for image files in that folder so that they load up quickly the next time you browse that folder. If a user tries to view this file by any image viewer then it will be of no use. For extracting the juicy content from this file, forensic investigator has to understand the header of the thumbs file present in thumbs.db. Let me explain step by step on how to extract useful content from thumbs.db file.
Open any folder which has got some jpeg files and make that folder view in thumbs view as shown in
http://2.bp.blogspot.com/_kEJJtYsk89Q/SHuoc0ClK1I/AAAAAAAAAQQ/zCYf8K2-ez4/s320/fig1.JPG
As soon as the folder is kept in thumbs view “thumbs.db” file is created. Even if all JPEG files are deleted and thumbs.db file corresponding to those JPEG files is present, then also you can see the images but they will be very small in size. Thumbs.db which was created is now viewed using winhex. Once the file has been opened in winhex view, we will search and select for particular header. Header is “ÿØÿà JFIF” and its hex values are “FFD8FFE000104A464946″. This is shown in an example :-
http://3.bp.blogspot.com/_kEJJtYsk89Q/SHupjF2pUtI/AAAAAAAAAQg/xcYNtEqSxE0/s400/fig2.JPG
Copy the entire content in a notepad where the header is starting till the end of the file and save the file with the extension JPEG. You can now easily view the extracted content with any of the image viewer. If there are large number of headers in thumbs.db file, then you can use professional tool like “Windows File Analyzer” to see the contents of thumbs.db file.
Open any folder which has got some jpeg files and make that folder view in thumbs view as shown in
http://2.bp.blogspot.com/_kEJJtYsk89Q/SHu
As soon as the folder is kept in thumbs view “thumbs.db” file is created. Even if all JPEG files are deleted and thumbs.db file corresponding to those JPEG files is present, then also you can see the images but they will be very small in size. Thumbs.db which was created is now viewed using winhex. Once the file has been opened in winhex view, we will search and select for particular header. Header is “ÿØÿà JFIF” and its hex values are “FFD8FFE000104A464946″. This is shown in an example :-
http://3.bp.blogspot.com/_kEJJtYsk89Q/SHu
Copy the entire content in a notepad where the header is starting till the end of the file and save the file with the extension JPEG. You can now easily view the extracted content with any of the image viewer. If there are large number of headers in thumbs.db file, then you can use professional tool like “Windows File Analyzer” to see the contents of thumbs.db file.
1 comment:
Are you willing to know who your spouse really is, if your spouse is cheating just contact cybergoldenhacker he is good at hacking into cell phones,changing school grades and many more this great hacker has also worked for me and i got results of spouse whats-app messages,call logs, text messages, viber,kik, Facebook, emails. deleted text messages and many more this hacker is very fast cheap and affordable he has never disappointed me for once contact him if you have any form of hacking problem am sure he will help you THANK YOU.
contact: cybergoldenhacker at gmail dot com
Post a Comment