Join Us!

Notifications
Clear all

Thumbs.db breakdown  

  RSS
bh47100
(@bh47100)
New Member

I was wondering if anyone could give an overview of the Thumbs.db files created by windows. I know that there are thumbnail images stored in the file. I have tried to extract them with a hex editor and recreate the files from the headers, but to no avail. I know that FTK and EnCase will do this, but I want to know how they do it. Any help is appreciated, even ideas.

Thanks much,

Brandon

Quote
Posted : 09/09/2004 4:43 pm
Jamie
(@jamie)
Community Legend

Hi Brandon,

Is the information here any use?

http://www.experts-exchange.com/Programming/Programming_Platforms/Win_Prog/Q_20822626.html

Jamie

ReplyQuote
Posted : 09/09/2004 8:28 pm
bh47100
(@bh47100)
New Member

Thanks,

I did see that earlier today while I was Googling around. I was interested, but not enough to pay the $9.95/month fee to see the answer that I'm not sure is even there. EE does usually pop up when I need something answered though, so maybe it's time to take the plunge. Thanks again for a sound resource.

Brandon

ReplyQuote
Posted : 10/09/2004 4:19 am
bh47100
(@bh47100)
New Member

Sorry about the three post there. I got a little caffeinated and itchy trigger set in. I found that the data for the thumbs.db flows in as a stream and looks like the same hex data headers as a JPEG but actually is a bit different. The thumbs.db file is missing two key components..(quantization tables, Huffman encoding tables). Some people have theories that the tables are predefined by Microsoft and the OS interprets the .db file extension utilizing those predefined tables. I'm sure EnCase and FTK software developers could answer this….but they need to generate revenue as well……..

Brandon

ReplyQuote
Posted : 10/09/2004 8:02 am
Jamie
(@jamie)
Community Legend

No problem, I've tidied the thread up a little 🙂

Thanks for sharing your findings, very interesting indeed. If you discover anything further I'd be very interested to learn more.

Cheers,

Jamie

ReplyQuote
Posted : 10/09/2004 8:18 pm
FieserKiller
(@fieserkiller)
New Member

Hi guys,
this is a pretty old thread im pushing up 😉

I'm working on decoding that Thumbs.db file for some days now, searching the internet for information but i can't find nothing.

So I did it myself and I'm on half way to success.

I've written java code which can extract and show all Thumbnails from a WindowsXP-created thumbs.db, I use the POI-Libraries from apache to access the filesystem in that OLE2-database, then i cut down the bytestreams to create standard jpg JFIF data.
But i'm not able to associate the right filenames to the Thumbnails.
Can anyone help?

ReplyQuote
Posted : 20/09/2005 2:31 am
patchdep
(@patchdep)
New Member

You can use FTK or EnCase to view the thumbs.db

ReplyQuote
Posted : 21/09/2005 12:58 am
nickfx
(@nickfx)
Active Member

Hi there

Pop along to http//www.accessdata.com/support.htm and download a whitepaper detailing all the information on thumbs.db you ever need to know. Had a case last month that hinged on thumbs.db and the doc was invaluable.

Cheers

Nick

ReplyQuote
Posted : 23/09/2005 2:16 pm
rukin
(@rukin)
New Member

Hi,

I'm writing a script to decode Thumbs.db files.

It is still "pre alpha", but you may download it at
http//sourceforge.net/projects/vinetto

HTH

rukin

ReplyQuote
Posted : 31/03/2006 8:50 pm
Share: