Forensic Value of Windows 7 Thumbcache files

(@jonny_boy)
Active Member
Joined: 15 years ago
Posts: 10
Topic starter  

Hi All,

I would be interested in hearing people's own opinions and experiences in relation to the forensic value of Windows 7 Thumbcache files, in relation to child exploitation investigations or similar.

The reason I ask is that I have located the following paper:

http://computerforensics.parsonage.co.uk/downloads/UnderMyThumbs.pdf

which challenges the following notion:


"The presence of pictures in a Windows thumbnail database is taken as an indicator of guilty knowledge; for the pictures to exist in the thumbnail database the folder containing the pictures must have been opened in Windows Explorer in a thumbnail view thus implying that the user must have knowledge of them."

The conclusion of the paper and the author's testing is:

"It has become clear in conducting these experiments that thumbnail pictures can be created in both the thumbs.db and thumbcache files without those pictures ever being exposed to view by the user. Consequently it is no longer tenable for the assertion to be made that the presence of thumbnail pictures indicates that the pictures have been displayed to the user in thumbnail view in Windows Explorer. Any assertions made about the forensic implications of Windows thumbnail databases need to be carefully considered in light of the above experimental findings."

Can anyone else confirm these findings or provide an opinion as to why they would not be valid?

Kind regards,
John.


   
(@rampage)
Reputable Member
Joined: 17 years ago
Posts: 354
 

If you can demonstrate that it's possible for the thumbcache and thumbs.db to be generated even if the images have never been previewed (in the meaning that the directory containing the picture has been opened at least once in thumbnail view), then you should document your finding, and it's possible that it'll be taken into account during the trial.

Still, there are other things that have to be considered, or at least I've seen being considered during a child pornography investigation.

For instance, if the pictures are still present as files in the folder, or they have been deleted.

If only the thumbs are present, can it be that the user knew about the pictures and therefore deleted them? Can this be considered as a will by the user to get rid of them? And by which means?

Sometimes the problem is not "simply technical".

Also, the jurisdiction and the law can vary from country to country.


   
(@jonny_boy)
Active Member
Joined: 15 years ago
Posts: 10
Topic starter  

Thanks Rampage for responding.

With respect to the case I am working on now, the CP files still exist at the relevant location to which the Thumbcache files refer. I was just doing some background reading when I came across this paper.

I have other information relevant to possession so the thumbcache files would wrap the job up, but this paper raises an issue about the value of the thumbcache information.

Has anyone else experienced this, has an opinion, or even no longer uses thumbcache evidence for this very reason?


   
(@rampage)
Reputable Member
Joined: 17 years ago
Posts: 354
 

Hello,
Sorry I couldn't be of any help then.

Now I'm just curious: were you able to reproduce a situation in which thumbcache is populated/generated even if the directory was never opened in thumbnail view?

If so, try cross verifying with the registry shellbags of the Windows OS.

Windows stores information about opened windows and their states in the registry shellbags for user experience reasons.

You might be able to find clues in there as to whether the directory was actually opened in thumbnail view or not and, if you are lucky, even information about the files contained in it at the time of opening the window.


   
minime2k9
(@minime2k9)
Honorable Member
Joined: 14 years ago
Posts: 481
 

With the Windows 7 Thumbcache, the size of the picture is particularly significant.
I'm doing this off the top of my head, but if the folder is viewed in thumbnail view a certain size is produced (think it's 96x96); if a picture is clicked on, a different size is produced (say 256x256). Then lastly, if the pictures are displayed on the right when clicked on, a 1024x1024 image is produced. So if the IIC is a 1024x1024 thumbnail, it is more than the folder may just have been viewed in gallery mode.
Also, there is a way to match the thumbcache image to a filename using the windows.edb file; try the thumbcachehelper program.


   
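Added example, not part of the thread and not any poster's code: a sketch of the size comparison described in the post above, listing for each thumbnail entry hash which Windows 7 size caches (thumbcache_96.db, thumbcache_256.db, thumbcache_1024.db) actually hold image data. The header layout used is the publicly documented reverse-engineered format and is an assumption here; the sample cache files are constructed in memory.

```python
import struct
from collections import defaultdict

# Assumed layout (reverse-engineered Windows 7 format, version 21), little-endian:
# file header : "CMMM", version, cache type, first entry offset, first free offset, entry count
# entry header: "CMMM", entry size, 64-bit entry hash, id-string size, padding size,
#               data size, unknown, data CRC-64, header CRC-64
FILE_HDR = struct.Struct("<4s5I")
ENTRY_HDR = struct.Struct("<4sIQ4I2Q")
ORDER = ["32", "96", "256", "1024", "sr", "unknown"]

def parse_thumbcache(blob):
    """Return (cache label, [(entry hash, identifier, image data size)])."""
    sig, version, ctype, first, _free, _count = FILE_HDR.unpack_from(blob, 0)
    if sig != b"CMMM" or version != 21:
        raise ValueError("not a Windows 7 thumbcache file")
    entries, off = [], first
    while off + ENTRY_HDR.size <= len(blob):
        sig, size, ehash, id_len, _pad, data_len, *_rest = ENTRY_HDR.unpack_from(blob, off)
        if sig != b"CMMM" or size < ENTRY_HDR.size or off + size > len(blob):
            break  # free space or a truncated/corrupt entry: stop rather than guess
        start = off + ENTRY_HDR.size
        ident = blob[start:start + id_len].decode("utf-16-le", "replace")
        if data_len:  # a zero-length entry is a slot with no stored image
            entries.append((ehash, ident, data_len))
        off += size
    return ORDER[ctype] if ctype < 5 else "unknown", entries

def sizes_per_hash(blobs):
    """Map each entry hash to the size caches that hold image data for it."""
    seen = defaultdict(set)
    for blob in blobs:
        label, entries = parse_thumbcache(blob)
        for ehash, _ident, _size in entries:
            seen[ehash].add(label)
    return {h: sorted(s, key=ORDER.index) for h, s in seen.items()}

def build_sample(ctype, items):
    """Construct a synthetic cache file (test data only, not real evidence)."""
    body = b""
    for ehash, data in items:
        ident = ("%016x" % ehash).encode("utf-16-le")
        size = ENTRY_HDR.size + len(ident) + len(data)
        body += ENTRY_HDR.pack(b"CMMM", size, ehash, len(ident), 0, len(data), 0, 0, 0) + ident + data
    return FILE_HDR.pack(b"CMMM", 21, ctype, 24, 24 + len(body), len(items)) + body

A, B = 0x1111111111111111, 0x2222222222222222   # constructed entry hashes
SAMPLES = [build_sample(1, [(A, b"img96"), (B, b"img96")]),   # 96 cache
           build_sample(2, [(A, b"img256")]),                 # 256 cache
           build_sample(3, [(A, b"img1024"), (B, b"")])]      # 1024 cache, B slot empty
```

An entry hash that appears only in the smallest cache and one that appears in all three are different observations, so the per-hash listing is worth recording alongside any shellbag findings.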
(@jonny_boy)
Active Member
Joined: 15 years ago
Posts: 10
Topic starter  

@Rampage. No, unfortunately I have not had the time to reproduce a situation in which thumbcache is populated/generated even if the directory was never opened in thumbnail view. However, according to the white paper I referred to at the beginning of my post - that's exactly what happens.

@Rampage & Minime, I have had a quick look at the shell bag information for that very same reason, to see if the relevant folder was set to "large icon" view etc. (aka thumbnail view). But I will try and take another look tonight as it's got me curious (it's going to be a long night!).

Thanks for your help to date.

Further comments/opinions welcome.


   