Thumbs.db and Thumbcache Parsers

If you have ever wanted to parse thumbs.db or thumbcache files using Autopsy, your wait is over. You can now parse both of these files. The plugins have no options to set, so all you have to do is check the boxes and click Finish to start parsing those files.

Ingest Module Options.

Once you pick one or both modules to run, the thumbs.db or thumbcache_*.db files are written to the temp directory, then parsed, and the results are stored in the ModuleOutput directory within your Autopsy case. Both modules use the following structure: <case directory>/ModuleOutput/<thumbs.db or thumbcache>/<file-id>-<thumbs.db or thumbcache_*>. Below is a screenshot of what it looks like.

Directory Structure of ModuleOutput For Thumbs/Thumbcache.
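
To document what the parsers wrote to disk, the output layout described above can be walked and each extracted file hashed. This is an added example, not part of the plugins; it assumes each `<file-id>-<name>` entry is a folder holding the extracted thumbnails and that the file-id is numeric, and the sample tree it builds is constructed.

```python
import hashlib
import re
import sys
import tempfile
from pathlib import Path

# Assumption: output folders are named "<file-id>-<source file name>" and the
# file-id is the numeric ID Autopsy assigned to the parent file.
FOLDER_RE = re.compile(r"^(\d+)-(.+)$")


def inventory(module_dir):
    """Map (file_id, source_name) -> [(relative_path, sha256_hex), ...]."""
    result = {}
    for folder in sorted(p for p in Path(module_dir).iterdir() if p.is_dir()):
        match = FOLDER_RE.match(folder.name)
        if not match:
            continue  # not a parser output folder, ignore it
        entries = []
        for item in sorted(p for p in folder.rglob("*") if p.is_file()):
            digest = hashlib.sha256(item.read_bytes()).hexdigest()
            entries.append((item.relative_to(folder).as_posix(), digest))
        result[(int(match.group(1)), match.group(2))] = entries
    return result


def build_sample(root):
    """Create a small constructed output tree (not real case data)."""
    module_dir = Path(root) / "ModuleOutput" / "thumbcache"
    samples = {
        "1042-thumbcache_96.db/0001.bmp": b"constructed thumbnail A",
        "1042-thumbcache_96.db/0002.bmp": b"constructed thumbnail B",
        "877-thumbcache_256.db/0001.jpg": b"constructed thumbnail C",
        "scratch/readme.txt": b"unrelated folder, should be skipped",
    }
    for rel, data in samples.items():
        target = module_dir / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
    return module_dir


if __name__ == "__main__":
    # Pass a real module output directory, or run with no argument for the demo.
    with tempfile.TemporaryDirectory() as tmp:
        target = sys.argv[1] if len(sys.argv) > 1 else build_sample(tmp)
        for (file_id, source), files in inventory(target).items():
            print(f"{file_id} {source}: {len(files)} extracted file(s)")
            for rel, digest in files:
                print(f"  {digest}  {rel}")
```

The per-folder counts it prints can be compared with the number of derived files Autopsy lists under each parent file.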

Once the files have been extracted, they are imported into Autopsy as Derived Files. Each derived file has a parent file, which is the file it came from. Below is a screenshot of what that looks like in Autopsy. Note that each thumbs/thumbcache file shows the number of files associated with it.

View of Thumbs/Thumbcache Derived files.

You will notice that none of the files have any timestamps associated with them. This is because there is no way to know when they may have been created or modified.

You can download the Thumbs.db parser here, and the Thumbcache parser here. If you have any questions, let me know. Comments and suggestions are welcomed and encouraged.