Forensic Analysis of Windows Thumbcache files

A range of court cases and forensic investigations have involved thumbnail pictures contained within operating system files, such as thumbcache and thumbs.db. In many of these cases, the thumbnail image has been the evidence presented to a court. Further analysis may locate additional information relating to thumbnail pictures, such as being able to link a thumbnail to a picture file on storage media, or locating information relating to the original file used to create the thumbnail, such as the full path and original file name. Using real-world law enforcement and test data, we demonstrate the application of our proposed operational methodology to conduct analysis of thumbcache files. We also propose a reporting and visualisation methodology to present the evidence to investigators, legal counsel, and court, which then forms the basis of our software prototype. Insider threat cases which involve pictures of intellectual property can potentially benefit from our proposed method.