I am working on a case in which, upon mounting the file in EnCase, the thumbcache files contain nothing but unallocated space. Using foremost on the exported Unallocated Clusters file returns quite a few files of interest.
I have not seen or heard of this before. What might have caused this? I found no evidence of tampering (no suspicious programs, etc.)
I am groping in the dark, so any help would be gratefully received.
Also, does anyone know if anyone has researched whether thumbnails are generated as needed (when the file is on screen, or in batches when the user opens that folder in thumbnail mode?
Is the computer you are investigating Windows 7?
And what version of EnCase?
If it's Windows 7, EnCase 6 doesn't do the thumbcaches, which would explain why they show as Unallocated.
Hope this helps
Space within the thumbcache files cannot be unallocated, by definition that space is allocated to the thumbcache files.
If you're looking for artefacts of thumbcache files within unallocated then try a the following GREP search;
CMMM.{8}j.p.g.
Replace the jpg with the file extension of the files you're looking for, I'm working on thumbcache files at the moment and this should probably catch artefacts from deleted ones, the jpg header for the thumb should appear around 48 bytes after the end of the search term.
Apologies for not including more information.
It is EnCase 6.18 and 6.19. The investigating is Windows 7.
I had previous analyzed Vista Thumbcache with EnCase, I did not know that it could not do Windows 7.
Using another program (Thumbcache Viewer) I can see them.