# Thumbcache

## Overview

**Evidence:** Thumbcache\
**Description:** Collect Thumbcache\
**Category:** System\
**Platform:** windows\
**Short Name:** tc\
**Is Parsed:** No\
**Sent to Investigation Hub:** Yes\
**Collect File(s):** Yes

## Background

Windows creates thumbnail images of pictures, videos, and documents for display in Explorer. These thumbnails are cached in database files (thumbcache\_\*.db) to improve performance.

Thumbnail caches can preserve images of files even after the original files are deleted, providing visual evidence of file content and user activity.

## Data Collected

This collector gathers structured data about thumbcache.

### Thumbcache Data

| Field        | Description               | Example                                                                   |
| ------------ | ------------------------- | ------------------------------------------------------------------------- |
| `Name`       | Artifact name             | Thumbcache                                                                |
| `Type`       | File                      | File                                                                      |
| `SourcePath` | Original file path        | C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache\_256.db |
| `Path`       | Relative path in evidence | Other/thumbcache\_256.db                                                  |

## Collection Method

This collector collects thumbcache files from:

* `Users\*\AppData\Local\Microsoft\Windows\Explorer\thumbcache_*.db`

Multiple database files exist for different thumbnail sizes (32, 96, 256, 1024, etc.).

## Forensic Value

Thumbnail caches can recover visual evidence from deleted images and documents. Investigators use this data to recover thumbnail images from deleted files, prove user access to images/documents, identify viewed media content, and establish visual evidence of file content.