Tuesday, 19 September 2006


Back in 2003, on a rainy night, an idea came to mind regarding the extraction of all the pictures from a host; the title was inspired by the famous "all your base are belong to us". [1]

I was looking at the thumbnail view of one of my folders and started wondering how the MS Windows® OS stores information about thumbnails within each folder. Obviously that was the "thumbs.db" file, which was introduced with the release of W2K. (Note: Win98 actually had the functionality of displaying thumbnails, but you had to know the trick to enable this feature. In Windows Millennium the functionality was included, but there was no thumbs.db file.)

Recently, the "thumbs.db" files have been mentioned in a number of books related to computer forensics evidence. Since December 2004, we have had publicly available a working application in Python capable of extracting the picture previews from the thumbs.db file. The tool was actually developed a year earlier, in 2003, and as far as we could tell at that moment, no one else had done something similar. We waited before publishing this tool to see if anyone else would mention the role of the thumbs.db file in computer forensics, just in case we had any issues. What I mean by that is that thumbs.db files were everywhere back then, especially on web servers. We were concerned that if we had published this at the time we would be chased for "promoting hacking", which was the general perception/perspective back then, and on another occasion this actually happened (but that is another story).

The hidden file "thumbs.db" can be found in every directory. Focus on the ones located in directories where you have (or had) photos. The thumbs.db file is composed of a tiny preview version of each photo that has ever been in this particular directory, even if the actual picture no longer exists. Thus, by extracting all the "thumbs.db" files from a host and then running our tool, we were able to see a small preview of all the pictures that existed on this system over the years (downloaded, created, copied, and/or deleted). An interesting fact is that Peer-to-Peer programs, e.g. KaZaA, allow you to browse a remote user's shared directory. Most of the time, that directory contains a thumbs.db file, which you can easily download and have a preview of all the pictures he/she has ever had in this directory.
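The collection-and-extraction workflow described above, written out as an added example for forensic triage (this is not the page's tool and does not reproduce its method): walk a tree for thumbs.db files, confirm each one carries the OLE2 compound-file signature that thumbs.db uses, hash it for the evidence record, and carve the embedded JPEG previews by scanning for start-of-image/end-of-image markers. The sample tree, the fake thumbnails and the helper names (`triage_tree`, `carve_jpegs`, `build_sample_thumbs_db`) are all constructed for this example.

```python
"""Added example: find thumbs.db files under a directory tree, fingerprint them
and carve the embedded JPEG thumbnails (simplified carving, not an OLE2 parser)."""
import hashlib
import os
import tempfile

# thumbs.db is a structured-storage (OLE2 / Compound File Binary) file.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"
OLE_HEADER_SIZE = 512
JPEG_SOI = b"\xff\xd8\xff"   # start of image, plus the first marker byte
JPEG_EOI = b"\xff\xd9"       # end of image


def is_ole_compound_file(data: bytes) -> bool:
    """True if the bytes start with the compound-file signature."""
    return data[:len(OLE_MAGIC)] == OLE_MAGIC


def carve_jpegs(data: bytes) -> list:
    """Return every SOI..EOI run found in data, in file order.

    Assumption: each thumbnail's JPEG bytes are stored contiguously. That is
    the usual case for thumbs.db mini-stream data but is not guaranteed.
    """
    images, pos = [], 0
    while True:
        start = data.find(JPEG_SOI, pos)
        if start < 0:
            break
        end = data.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            break
        images.append(data[start:end + len(JPEG_EOI)])
        pos = end + len(JPEG_EOI)
    return images


def find_thumbs_db(root: str) -> list:
    """Walk root and return the path of every thumbs.db (case-insensitive)."""
    hits = []
    for dirpath, _subdirs, files in os.walk(root):
        for name in files:
            if name.lower() == "thumbs.db":
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def triage_bytes(data: bytes) -> dict:
    """Fingerprint one thumbs.db payload and carve its thumbnails."""
    report = {
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_ole": is_ole_compound_file(data),
        "thumbnails": [],
    }
    if report["is_ole"]:  # only carve from files that really are compound files
        report["thumbnails"] = carve_jpegs(data)
    return report


def triage_tree(root: str, out_dir: str = None) -> list:
    """Triage every thumbs.db under root; optionally write carved JPEGs to out_dir."""
    results = []
    for path in find_thumbs_db(root):
        with open(path, "rb") as fh:
            report = triage_bytes(fh.read())
        report["path"] = path
        if out_dir:
            os.makedirs(out_dir, exist_ok=True)
            for i, jpg in enumerate(report["thumbnails"]):
                name = f"{report['sha256'][:12]}_{i}.jpg"
                with open(os.path.join(out_dir, name), "wb") as fh:
                    fh.write(jpg)
        results.append(report)
    return results


def fake_jpeg(payload: bytes) -> bytes:
    """Constructed stand-in for a thumbnail: SOI/APP0/EOI framing only."""
    return JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + payload + JPEG_EOI


def build_sample_thumbs_db() -> bytes:
    """Constructed sample: OLE header, then two thumbnails in 64-byte sectors."""
    header = OLE_MAGIC.ljust(OLE_HEADER_SIZE, b"\x00")
    sector = lambda blob: blob.ljust(64, b"\x00")  # mini-stream sector size
    return header + sector(fake_jpeg(b"A" * 10)) + sector(fake_jpeg(b"B" * 20))


def run_demo() -> dict:
    """Build a tree with one real and one bogus thumbs.db, then triage it."""
    with tempfile.TemporaryDirectory() as root:
        photos, docs = os.path.join(root, "Photos"), os.path.join(root, "Docs")
        os.makedirs(photos)
        os.makedirs(docs)
        with open(os.path.join(photos, "Thumbs.db"), "wb") as fh:
            fh.write(build_sample_thumbs_db())
        with open(os.path.join(docs, "thumbs.db"), "wb") as fh:
            fh.write(b"not a compound file " + fake_jpeg(b"x"))  # decoy, not OLE
        reports = triage_tree(root, os.path.join(root, "carved"))
        return {
            "files": len(reports),
            "ole_files": sum(r["is_ole"] for r in reports),
            "thumbnails": sum(len(r["thumbnails"]) for r in reports),
        }


if __name__ == "__main__":
    print(run_demo())  # {'files': 2, 'ole_files': 1, 'thumbnails': 2}
```

Marker carving is deliberately the simple approach: it needs no OLE2 library and works when each preview occupies consecutive 64-byte mini-sectors, but a fragmented mini FAT chain will yield a truncated or mixed image, and the older Windows 2000/ME-era thumbnail encoding does not carry a standard JPEG header at all. For evidence that has to stand up, walk the compound file's directory and FAT chains to read each numbered stream whole instead of carving, and keep the SHA-256 of the original thumbs.db alongside the carved output.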

To avoid having thumbs.db files generated automatically, you need to deactivate the thumbnail caching process of Windows. This can be done by going to:
My Computer > Tools > Folder Options… > View and ticking the "Do not cache thumbnails" check box.

Version 0.001 was released in 2004, and version 0.004 was released on 14/11/2006. [2]

[1] http://en.wikipedia.org/wiki/All_your_base_are_belong_to_us
[2] http://www.comp.glam.ac.uk/staff/kxynos/doer_v004.zip
