Tuesday, 3 March 2009
Thumbs.db: How Computer Forensics Can Reveal Traces of a Deleted Image
In recent years, initiatives such as Operation Ore have stepped up efforts to identify and prosecute those possessing indecent images of children in England and Wales. When a person is suspected of such an offence, the first action by the police is usually to confiscate all their computer equipment so that it can be examined by a computer forensic analyst. The aim of this analysis is to recover any evidence of indecent images on the suspect’s computer.
Often the suspect will have deleted the images before the police reach them. In such cases, computer forensic analysts often look to the Thumbs.db file on computers running Windows XP to reveal the presence of images, even after they have been ‘deleted’ by the user.
A thumbs.db file is automatically generated whenever a user views a folder in ‘thumbs’ or ‘filmstrip’ mode. The file create a set of small images (no more than 96×96 pixels), known as thumbnails, for all of the images in a folder. The purpose of this file is to speed up the time it takes to display a folder in ‘thumbs’ mode by creating a cached thumbnail of each image so that Windows does not have to create a new one every time. Files that are indexed in a Thumbs.db file include image files such as JPEGs, BMPs, GIFs and PNGs, document image files such as TIFFs and PDFs, video files such as AVIs and MOVs, presentation files such as PPTs and some HTML web pages.
When the Thumbs.db file creates a thumbnail of an image, this often remains on a person’s computer even after they have deleted the image file itself. Many people fail to delete the Thumbs.db file when deleting images because it is a ‘hidden file’, meaning that it is only viewable in a directory when the “Show Hidden Files” option is turned on.
Thumbs.db data is stored in ‘OLE Compound Document format’ which means the contents of the file cannot be viewed without specialist knowledge or software. However, computer forensic experts are able to convert the data stored within a Thumbs.db file into readable form, extracting each of the thumbnail images, along with information such as the original file name and the date each thumbnail was last written. There are also a number of tools available that can be used to extract and view the data in a Thumbs.db file. These include ‘Encase’ and ‘AccessData FTK’, which offer a simple user interface for viewing the thumbnails within Thumbs.db files.
Evidence extracted from Thumbs.db files can carry significant weight in court cases. For example, in December 2008, a Norwegian man, Martin Stenstadvolden pleaded guilty to downloading child pornography after computer forensic analysis revealed cached thumbnails of illicit images, which he believed he had erased all trace of. With the sheer amount of information on the Internet becoming greater every day, and new technology producing ever more illicit ways of sharing indecent images, computer forensics represents an ever increasingly vital tool in the arsenal of law enforcement.
IntaForensics a BS EN ISO 9001:2000 registered firm providing Computer Forensics, Expert Witness, Mobile Phone Forensics, and Forensic Data Recovery to the Legal Sector, Police Forces, Local Authorities and Commercial organisations internationally. Visit Computer Forensics for further information.
Info originated from here
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment