As everyone knows, Microsoft Vista centralized the traditional thumbs.db under the user's profile
\Users\%username%\AppData\Local\Windows\Explorer\thumbcache_96.db
Viewing the file structure in EnCase 6.10, some but not all thumbnails will resolve the symbolic link to its original path. Does anyone know how to manually resolve that path?
Thanks in advance,
Jon
I know that a few EnCase users (I'm not one) are requesting this information from GSC. If you use EnCase, I'm sure that they would explain the process. However, our preliminary tests reveal that the path information is no longer available when the original image is deleted. Hence, that may be why EnCase does not display the path in some cases. When I tested an EnCase report prepared by a colleague, I found that it correctly resolved paths for existing graphics. Unfortunately, I had no deleted graphics (with existing metadata) for which to test path resolution.
It does appear logical for Vista to remove path data for deleted files. After all, if a user views a folder in thumbs view, the user would not expect to see thumbs of deleted images. AFAIK, EnCase is the only tool that can parse this information.
Thanks for the information, Jimmy. As I will be at Guidance headquarters next week, I intend on getting some answers. There is a guy from Guidance that supposedly did a presentation at CEIC about this last week. I'll post what I find out.
Thanks,
Jon
The Vista thumb cache either stores the full path or the text of a 64-bit hash for an item.
If it's a hash, then EnCase tries to find a matching file. But if the file record is no longer in the MFT, this is not possible.
The hash is derived from the volume and file identification.
Thanks very much for the helpful information. That would account for path information being unavailable for deleted files, at least those where the file record was overwritten. It appears then that the hash is the name of the file, e.g., 5da38f2daa6858c4, and derived by the algorithm. It would be interesting to see how the process works.