Thumbcache

Overview

  • Evidence: Thumbcache
  • Description: Collect Thumbcache
  • Category: System
  • Platform: windows
  • Short Name: tc
  • Is Parsed: No
  • Sent to Investigation Hub: Yes
  • Collect File(s): Yes

Background

Windows creates thumbnail images of pictures, videos, and documents for display in Explorer. These thumbnails are cached in database files (thumbcache_*.db) to improve performance.

Thumbnail caches can preserve images of files even after the original files are deleted, providing visual evidence of file content and user activity.

Data Collected

This collector gathers structured data about thumbcache.

Thumbcache Data

| Field | Description | Example |
| --- | --- | --- |
| Name | Artifact name | Thumbcache |
| Type | File | File |
| SourcePath | Original file path | C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db |
| Path | Relative path in evidence | Other/thumbcache_256.db |

Collection Method

This collector collects thumbcache files from:

  • Users\*\AppData\Local\Microsoft\Windows\Explorer\thumbcache_*.db

Multiple database files exist for different thumbnail sizes (32, 96, 256, 1024, etc.).
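As an added example (not part of the collector or the original page), the sketch below inventories thumbcache files under a mounted evidence root using the collection path above, recording the owning user, the size label from the file name, a SHA-256 hash and the leading file signature. The function names are hypothetical, the sample files are constructed stubs, and the "CMMM"/"IMMM" signatures come from public format documentation rather than from this page.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Collection path from this page, as a glob relative to the volume root.
# Path.glob is case-sensitive on Linux; adjust for images mounted that way.
PATTERN = "Users/*/AppData/Local/Microsoft/Windows/Explorer/thumbcache_*.db"
# Leading signatures per public format documentation (assumption, not from this page).
SIGNATURES = {b"CMMM": "cache", b"IMMM": "index"}

def sha256_file(path, chunk=1 << 20):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        while block := fh.read(chunk):
            digest.update(block)
    return digest.hexdigest()

def inventory(root):
    """One record per thumbcache file under a mounted evidence root."""
    records = []
    for path in sorted(Path(root).glob(PATTERN)):
        if not path.is_file():
            continue
        with open(path, "rb") as fh:
            magic = fh.read(4)
        records.append({
            "user": path.relative_to(root).parts[1],
            "name": path.name,
            # Part after "thumbcache_": a pixel size (32, 96, 256, ...) or a name such as idx.
            "label": re.fullmatch(r"thumbcache_(.*)\.db", path.name, re.I).group(1),
            "size_bytes": path.stat().st_size,
            "sha256": sha256_file(path),
            "kind": SIGNATURES.get(magic, "unrecognized"),
        })
    return records

def build_sample(root):
    """Constructed stub files for the demo; not real thumbcache databases."""
    stubs = {("alice", "thumbcache_256.db"): b"CMMM" + bytes(20),
             ("alice", "thumbcache_idx.db"): b"IMMM" + bytes(20),
             ("bob", "thumbcache_96.db"): b""}  # empty file: signature check must not fail
    for (user, name), content in stubs.items():
        target = Path(root, "Users", user, "AppData/Local/Microsoft/Windows/Explorer", name)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        for rec in inventory(tmp):
            print(rec["user"], rec["name"], rec["kind"], rec["size_bytes"], rec["sha256"][:16])
```

Point `inventory()` at a read-only mount of the evidence volume; a file reported as "unrecognized" or with zero size is worth checking before handing it to a thumbnail parser.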

Forensic Value

Thumbnail caches can recover visual evidence from deleted images and documents. Investigators use this data to recover thumbnail images from deleted files, prove user access to images/documents, identify viewed media content, and establish visual evidence of file content.
