The thumbs.db file on a Windows XP system can be a treasure chest of 96 x 96 pixel artifacts. By default, in the standard Windows XP home and professional editions, a thumbs.db file is created in folders viewed in the thumbnail view which contain jpegs, bitmaps, GIFs, PNGs and other files.
These thumbs.db files are very useful to forensic examiners because they can contain thumbnails of pictures and other media which currently exist and previously existed in the same directory as the thumbs.db file.
The screenshot below shows a view of the contents of a thumbs.db file from within an older version of EnCase. The pictures were previously located in the same folder as the thumbs.db file but were erased. However, as you can see the thumbnails of these pictures still exist in the thumbs.db file.
Encase - Thumbs.db File Structure
It’s very easy to disable thumbnail caching on a Windows XP system so that existing thumbs.db files are not updated with new thumbnails and new thumbs.db files are prevented from being created. Just follow the instructions below.
- Open explorer
- Click the “Tools” menu
- Choose “Folder Options…”
- Select the “View” tab
- Under “Files and Folders” checkmark “Do not cache thumbnails”
Do not cache thumbnails
The actual registry key value that is modified which you can change manually is located here:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Modify the value: DisableThumbnailCache
Remember that you have only disabled thumbnail caching and any previous thumbs.db files still exist on the system. To find these files you can run a simple search from explorer for the file name “Thumbs.db”.
You could just delete all of the thumbs.db files that show up in the search results but then they could be recovered with simple data recovery techniques. So the best way to delete the files is with file wiping software like CCleaner which I’ve mentioned in previous articles.
You are able to add custom files to the wiping sequence in CCleaner like in the screenshot below.
CCleaner Custom File Wipe
Also remember to set CCleaner to do a one pass wipe over the file when it deletes it. Otherwise the thumbs.db files that were deleted can still be recovered.
One Pass Wipe - CCleaner
If you’ve any tips or suggestions you’d like to add, please comment below.
Wow… this is great. I had no idea there was such a thing as the thumbs.db file. Is there any way to view the ocntents of the thumbs file besides encase?
Hey Alister, there’s this software:
Link
I’ve not actually tried it but it should work. Looks like they’ve released the source code for the older version as well.
I believe that you need to also have “Show hidden files” enabled, from the folder options/view menu like above to see the thumbs.db files. I believe.
Windows Vista has a similar type of .db file setup which I’ll throw in another article. I’ll include Windows 7 information as well, since it probably uses Vista’s method (not 100% sure on this though).
I subscribed to your rss cause I want to see what you have for vista on the thumbs.db. I have used ccleaner forever and it works great but I didn’t even realize I should have set it to secure file deletion. I guess I never looked through the options lol but i am good to go now!
Heh, I knew I saw the do not cache thumbnails option somewhere but couldn’t remember where. This is where you should also enable file extensions or uncheck disable file extensions for known filetypes and show hidden files.
Really wasn’t sure what the option did either. I knew it had something to do with the thumbnails you saw on the folder but I guess I didn’t look into it that well.
While CCleaner is useful, there’s other options such as the free program Eraser (http://shuurl.com/U4588). What’s nice about Eraser is the on-demand button and the scheduler. For instance, you can set the schedule to wipe files/folder at a specific time or on every reboot. Very handy.
I’m a big fan of Eraser… Tested with FTK and Encase, no issues, always running and wiping.
I’ve always wondered what that thumbs.db file was for… seems like another pointless Windows innovation to me!
Freelance graphic designers
Windows Vista has a similar type of .db file setup which I’ll throw in another article. I’ll include Windows 7 information as well, since it probably uses Vista’s method (not 100% sure on this though).
———————–
Windows 7 doesn’t have the option anymore of disabling Thumbnail Cache on the options of Windows Explorer . Any idea of how could you disable it?
Look here for a lcoal policy setting
http://www.technoleros.com/turn-off-caching-of-windows-7-thumbnails-in-hidden-thumbs-db-files/
I did all the steps. I disabled the caching, did a search (including system and hidden files) and wiped all thumbs.db files with Eraser (Tolvanin) 24 passes. Rebooted the computer for good measure. Then I imported a .jpg file into “Photoshop” altered it, and saved it back to the same file and folder. I opened the folder and the thumbnail was the same as it was before I wiped all the thumbs.db files. It was NOT a thumbnail of the altered photo, it was the original. If the cache had to be recreated from scratch, the thumbnail would have shown the alterations I made to the .jpg file. I clicked on the thumbnail, and when the file opened, it showed the changes I made in Photoshop, but the thumbnail never changed. I would say the original thumbnail never was erased. I loaded a forensic program, “dmThumb” and it found no thumbs.db files on my local drives. Where is the “old” thumbnail being stored?
Interesting JW. Is this on a Windows XP system? If it is Windows XP then the thumbnail will be in a thumbs.db file located within the folder containing the JPEG. Windows Vista and 7 store the thumbnail cache in a central folder named “explorer” under a profile/application data (appdata), etc.
Yes, It is Windows XP SP3. I understand from your explanation how the thumbs.db file works, and that it is in each folder that displays (thumbnail images of)picture content. I have enabled “show system and hidden files,” and also used the advanced search option to search hidden and system files. There are no longer any thumbs.db files to be found (I wiped them all) but my photo folder still shows a thumbnail image that I know was created before I disabled caching of thumbnail images, and wiped the thumbs.db files. I think I will try booting with a Linux live CD and see what I can find.
Either I am mistaken, or something a bit curious is going on.
Yeah I would try loading the disk with a Linux boot CD and see if there is still a thumbs.db file in there. That’s very interesting, I wish I could take a look at it personally. It’s always possible that there is some other factor at play here like maybe other software or something.
Keep me updated if you find something or email me directly if you want to talk more about it, through the contact form at the top.
ive done acouple things to DISABLE the thumb nail preview from being cached and they worked for a while. what i did was:
First, turn off thumbnail creation by opening Windows Explorer, clicking the Organize button and selecting Folder and Search Options.
Click on the View tab and check Always show icons, never thumbnails. Click the OK button.
Then, run Disk Cleanup on Drive C: and empty the cache so you can recover the disk space. You can find it in Accessories/System Tools.
In Windows Explorer, navigate to the AppData\Local\Microsoft\Windows folder under your name. (If you can’t find it, just copy the following: %LocalAppData%\Microsoft\Windows
Paste it into the Address Bar and hit Enter.)
Right-Click on the Explorer folder and select Properties.
Select the Security tab.
Click the Advanced button.
On the Permissions tab, click the Edit button.
Uncheck “Include inheritable permissions from this object’s parent”.
Click the Remove button in the Windows Security box that pops up.
Click the OK button on the Permissions tab.
Click the Yes button in the Windows Security box that pops up.
Close all the open boxes.
Go back into the Folder and Search Options and uncheck the Always show icons, never thumbnails and you’re done.
Now, browse any folder you want and Windows will create the thumbnails on the fly, but won’t save them to disk. I’ve verified that these Security Settings will not be overwritten by rebooting Windows. However, I don’t know if the Explorer directory is used for anything else. I’ve been using Vista for over a year now and the only files in my Explorer directory were the thumbnail databases.
If you think you can do the same thing to the thumbnail database files instead of the Explorer directory, you can’t. I tried that first and Windows was still able to delete them and create new ones. This is also true if you try setting the file’s Read-only, Hidden and System attributes.
as i said this worked for a while but not anymore for some reason. anyone know a way to keep the peview but disable the caching?
I also highly recommend Simple File Shredder.
It has a nice search feature, erase free space, DoD 7x and Guttmann 35x and adds a shred link in your right click context menu. Very simple, basic, and effective.
http://download.cnet.com/1770-20_4-0.html?query=Simple+File+Shredder&searchtype=downloads