Thumbcache
Overview
Evidence: Thumbcache
Description: Collect Thumbcache
Category: System
Platform: windows
Short Name: tc
Is Parsed: No
Sent to Investigation Hub: Yes
Collect File(s): Yes
Background
Windows creates thumbnail images of pictures, videos, and documents for display in Explorer. These thumbnails are cached in database files (thumbcache_*.db) to improve performance.
Thumbnail caches can preserve images of files even after the original files are deleted, providing visual evidence of file content and user activity.
Data Collected
This collector gathers structured data about thumbcache.
Thumbcache Data
| Field | Description | Example |
|---|---|---|
| Name | Artifact name | Thumbcache |
| Type | File | File |
| SourcePath | Original file path | C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db |
| Path | Relative path in evidence | Other/thumbcache_256.db |
Collection Method
This collector collects thumbcache files from:
Users\*\AppData\Local\Microsoft\Windows\Explorer\thumbcache_*.db
Multiple database files exist for different thumbnail sizes (32, 96, 256, 1024, etc.).
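An added example, not the collector's own code: a Python sketch that walks the glob above under a volume root (a live `C:\` or the mount point of a disk image) and returns one record per file, using the Name/Type/SourcePath/Path fields from the table. The function names and the User, ThumbSize, Bytes and SHA256 fields are assumptions of this sketch.

```python
import hashlib
import re
from pathlib import Path

# Glob from the "Collection Method" section, relative to a volume root.
PATTERN = "Users/*/AppData/Local/Microsoft/Windows/Explorer/thumbcache_*.db"
SIZE_RE = re.compile(r"thumbcache_(\d+)\.db$", re.IGNORECASE)


def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so large caches are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def inventory_thumbcache(root):
    """Return one record per thumbcache file found under `root`.

    Name/Type/SourcePath/Path mirror the table above; User, ThumbSize,
    Bytes and SHA256 are additions made by this sketch (assumptions).
    """
    root = Path(root)
    records = []
    for f in sorted(root.glob(PATTERN)):
        if not f.is_file():
            continue
        m = SIZE_RE.search(f.name)
        records.append({
            "Name": "Thumbcache",
            "Type": "File",
            "SourcePath": str(f),
            "Path": "Other/" + f.name,  # flat layout, as in the table's example
            "User": f.relative_to(root).parts[1],  # profile directory name
            # Non-numeric names such as thumbcache_idx.db carry no size.
            "ThumbSize": int(m.group(1)) if m else None,
            "Bytes": f.stat().st_size,
            "SHA256": sha256_file(f),  # record before copying to verify the copy
        })
    return records


if __name__ == "__main__":
    import json
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "C:\\"
    print(json.dumps(inventory_thumbcache(target), indent=2))
```

Because every profile uses the same file names, the flat `Path` value repeats across users; the `User` and `SHA256` fields keep the records distinguishable.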
Forensic Value
Thumbnail caches can recover visual evidence from deleted images and documents. Investigators use this data to recover thumbnail images from deleted files, prove user access to images/documents, identify viewed media content, and establish visual evidence of file content.