Thumbnail Extraction using Vinetto
Independent Cyber Security Researcher
Cyber forensics is a very challenging field, and finding relevant digital evidence for an investigation is one of the biggest challenges forensic investigators face on a daily basis. Thumbnail files generated by the Windows operating system are a valuable resource that cyber forensic investigators can use in their investigations.
The data extracted from these files is limited, but it can answer many questions while creating a timeline of the evidence drive.
What is a Thumbnail?
The Windows operating system creates thumbnail cache files for images and other file types to speed up the loading of folders on the system. Under Windows XP, thumbs.db files were used, and they were placed in the same folders as the images.
Starting with Windows Vista, Microsoft moved the cache to a central location (%userprofile%\AppData\Local\Microsoft\Windows\Explorer) where the thumbcache_xxx.db files are stored. This location also holds an index file that records where each cached version of an image can be found.
The only exception to this rule is when you browse network shares using Windows Vista or newer versions of Windows. Instead of using the local thumbnail cache, thumbs.db files are created in the folders that you are browsing. This behaviour can be changed in Group Policy.
You can think of them as caches that are designed to speed up the display of folders when you use Windows Explorer.
Without the thumbnail cache, Windows would have to process the images in the folder on load every time the folder is opened, which can slow down the display depending on the overall performance of the system and the number of image files in the folder.
Windows does not store only image formats in the database files, though. While one of the main purposes is to process jpeg, png, bmp, tiff and gif image files, the cache is also used for document formats such as docx, pptx, pdf and html, and video formats such as avi.
The effect that thumbs.db and thumbcache files have on the loading time of a folder is easiest to see when you open a large folder full of image files. You will notice that the loading is faster when the thumbnail cache is enabled. This becomes especially apparent on slow storage devices such as image DVDs or slow hard drives.
Vinetto is a forensics tool created by Michel Roukine and used to examine Thumbs.db files. It is a command-line Python script that works on Linux, Mac OS X and Cygwin (win32).
Windows systems (98, ME, 2000 and XP) can store thumbnails and metadata of the picture files contained in the directories of their FAT32 or NTFS filesystems. Thumbnails and associated metadata are stored in Thumbs.db files. Thumbs.db files are undocumented OLE structured files.
Once a picture file has been deleted from the filesystem, the related thumbnail and associated metadata remain stored in the Thumbs.db file. The data contained in those Thumbs.db files is therefore a helpful source of information for the forensic investigator.
What the software is intended to do: Vinetto extracts thumbnails and associated metadata from Thumbs.db files. It will function according to three modes:
Elementary mode: in this mode Vinetto will only extract thumbnails and metadata from the chosen Thumbs.db file.
Directory mode: in this mode Vinetto will check for consistency between the directory content and the related Thumbs.db file, i.e. it will report thumbnails whose associated file is missing from the directory.
Filesystem mode: in this mode Vinetto will process a whole FAT or NTFS partition.
Vinetto will help *nix-based forensics investigators to easily preview thumbnails of deleted pictures on Windows systems and obtain information (dates, path, …) about those deleted images.
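Before any extraction, the cache files described above have to be located on the evidence image. The following is an added example, not part of Vinetto or the original article: it inventories per-folder Thumbs.db files and central thumbcache_*.db files under a mounted evidence tree, checks each Thumbs.db for the OLE compound file signature, and records a SHA-256 hash. The function names, the sample directory tree and the file contents are constructed for illustration.

```python
import hashlib
import re
import tempfile
from pathlib import Path

OLE_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # OLE compound file signature
THUMBCACHE_RE = re.compile(r"^thumbcache_\w+\.db$", re.IGNORECASE)
EXPLORER_DIR = ("appdata", "local", "microsoft", "windows", "explorer")

def classify(path):
    """Return the cache type of a file, or None if it is not a thumbnail cache."""
    name = path.name.lower()
    if name == "thumbs.db":
        # A genuine Thumbs.db is an OLE file; flag anything else carrying the name.
        with path.open("rb") as fh:
            ok = fh.read(8) == OLE_MAGIC
        return "thumbs.db (OLE)" if ok else "thumbs.db (bad signature)"
    # Vista and later: only count thumbcache files inside the central Explorer folder.
    parents = tuple(p.lower() for p in path.parent.parts[-5:])
    central = THUMBCACHE_RE.match(name) and parents == EXPLORER_DIR
    return "thumbcache (central)" if central else None

def find_caches(root):
    """Inventory thumbnail caches under a read-only mounted evidence tree."""
    hits = []
    for path in sorted(Path(root).rglob("*")):
        kind = classify(path) if path.is_file() else None
        if kind:
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            hits.append({"path": path.relative_to(root).as_posix(),
                         "type": kind, "sha256": digest})
    return hits

def build_sample_tree(root):
    """Write constructed placeholder files (not real caches) for the demo."""
    explorer = "Users/u/AppData/Local/Microsoft/Windows/Explorer/"
    samples = {
        "Documents and Settings/u/My Documents/Pics/Thumbs.db": OLE_MAGIC + b"\0" * 504,
        "Users/u/Downloads/Thumbs.db": b"renamed text file",
        explorer + "thumbcache_256.db": b"constructed",
        "Users/u/notes.db": b"unrelated",
    }
    for rel, data in samples.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(*find_caches(tmp), sep="\n")
```

The hashes give each located cache file a fixed reference value before it is handed to an extraction tool, and a Thumbs.db that fails the signature check is worth a closer look rather than being silently skipped.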