Libesedb is a great bit of kit, but attempting to develop with it is a bit of a minefield as there doesn't appear to be any documentation about usage. On the plus side, it's the first bit of open source code I've downloaded which has actually compiled clean on the first go with no "tweaking".
In the event that someone digs this thread up in the distant future, I gave up on thumbscache files when I did some testing and found that yeah, the windows.edb file is pretty much immediately updated making recovering deleted file paths very unlikely.
What I suggest is that you take the "filename" attribute of the thumbnail you're interested in, manipulate it into the byte order seen in the windows.edb file and use that as a search term over the case and hope that you get a hit in a pagefile or something. Good luck.
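The search-term step suggested above, written out as an added example that is not part of the original thread. It assumes the path strings of interest in Windows.edb are held as uncompressed UTF-16LE (so the file name becomes the "wide" byte pattern), and the buffer scanned here is a constructed stand-in for a carved pagefile chunk.

```python
"""Build the UTF-16LE search term for a thumbnail's file name, scan a buffer
for it and read back the path around each hit."""


def edb_search_term(filename: str) -> bytes:
    # Assumption: the columns of interest hold UTF-16LE text, so "a.jpg"
    # becomes b"a\x00.\x00j\x00p\x00g\x00", the byte order to search for.
    return filename.encode("utf-16-le")


def find_all(buf: bytes, term: bytes) -> list[int]:
    """Return every offset in buf at which term occurs."""
    hits, start = [], 0
    while (idx := buf.find(term, start)) >= 0:
        hits.append(idx)
        start = idx + 1
    return hits


def recover_path(buf: bytes, hit: int, term: bytes, max_units: int = 260) -> str:
    """Extend a hit backwards and forwards over printable UTF-16LE code units
    so the directory part of the path (if still present) can be read.
    max_units caps the walk at MAX_PATH code units in each direction."""

    def printable(pos: int) -> bool:
        if pos < 0 or pos + 2 > len(buf):
            return False
        unit = int.from_bytes(buf[pos:pos + 2], "little")
        return 0x20 <= unit < 0x7F

    start = hit
    while printable(start - 2) and (hit - start) // 2 < max_units:
        start -= 2
    end = hit + len(term)
    while printable(end) and (end - hit) // 2 < max_units:
        end += 2
    return buf[start:end].decode("utf-16-le")


def scan(buf: bytes, filename: str) -> list[tuple[int, str]]:
    """(offset, recovered path) for each occurrence of filename in buf."""
    term = edb_search_term(filename)
    return [(hit, recover_path(buf, hit, term)) for hit in find_all(buf, term)]


# Constructed sample: one hit still surrounded by its full path, one orphaned.
SAMPLE = (
    b"\x00\x00junk\xff"
    + "C:\\Users\\alice\\Pictures\\holiday.jpg".encode("utf-16-le")
    + b"\x00\x00\x13\x37"
    + "holiday.jpg".encode("utf-16-le")
    + b"\x00\x00"
)
```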
That said, I really find Windows.edb interesting, and I am flabbergasted the forensics community hasn't given it more attention. This is my main focus of research, once I get some free time.
Actually, quite a few people have looked into it, I too wrote a utility and an enscript to carve out and process the wss db a couple of years back. But like another user pointed out, very little deleted data would actually be found as it is very efficient at clean up, hence limiting its use.
The one place where it is really useful is recovering deleted email, especially entire deleted PST files. Every single message has a separate record in the db and these seem to linger on.
Did you post your utility and EnScript?
Sure, NOW Microsoft decides to be efficient and clean…
Has any work been done on this lately?
Even just for allocated items?
I've located pictures of interest in the thumbnail cache and would like to tie them to their specific folder but haven't found a way to do so.
Any suggestions would be greatly appreciated.
All,
Take a look at
"This application parses the thumbcache_*.db files from Windows Vista and Windows 7 including looking up the original file name in the Windows.edb."
Regards,
Jesse
Thumbcachehelper is kind of cool, but there is no way to export the output! This makes it pretty much useless in my opinion. I can't even do a find for the thumbnail of interest, you just have to scroll and scroll and scroll and scroll. Ugh.
And of course, because Windows.edb eliminates the problem of linking thumbnails of deleted files to any sort of metadata. Deleted pictures just show as "Not Found" in ThumbcacheHelper. Not that it is its fault, of course. The data just isn't there. But, that would be the holy grail!
It does something really cool, and I hope they improve it to make it worth using!
Is it "deleted" pictures that show the "not found"? Or is it just non-indexed pictures?
I just ran a test and saw that the files in my My Documents showed up fine, but the stuff that was accessed on a server/external media it couldn't trace back the source. I'm thinking it's because the externals/server weren't indexed and not in the EDB.
Maybe there's a way to reverse the filename/hash?