Thumbcache
Overview
Evidence: Thumbcache
Description: Collect Thumbcache
Category: Other Evidence
Platform: Windows
Short Name: tc
Is Parsed: No - Raw database files
Sent to Investigation Hub: Yes
Collect File(s): No
Background
Windows creates thumbnail images of pictures, videos, and documents for display in Explorer. These thumbnails are cached in database files (thumbcache_*.db) to improve performance.
Thumbnail caches can preserve images of files even after the original files are deleted, providing visual evidence of file content and user activity.
Data Collected
Field | Description | Example
Name | Artifact name | Thumbcache
Type | File | File
SourcePath | Original file path | C:\Users\user\AppData\Local\Microsoft\Windows\Explorer\thumbcache_256.db
Path | Relative path in evidence | Other/thumbcache_256.db
Collection Method
This collector collects thumbcache files from:
Users\*\AppData\Local\Microsoft\Windows\Explorer\thumbcache_*.db
Multiple database files exist for different thumbnail sizes (32, 96, 256, 1024, etc.).
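An added example, not part of the collector or its documentation: a Python inventory of collected thumbcache_*.db files that records a SHA-256 per file and checks the file signature before the databases are handed to a parser. The CMMM/IMMM signatures and the version field come from public descriptions of the format, not from this page; the names inventory and demo and the sample files are constructed for illustration.

```python
import hashlib
import re
import struct
import tempfile
from pathlib import Path

# Assumption (public format write-ups, not this page): cache files start with
# b"CMMM" followed by a little-endian uint32 version; the index file starts b"IMMM".
MAGICS = {b"CMMM": "cache", b"IMMM": "index"}
NAME_RE = re.compile(r"^thumbcache_(.+)\.db$", re.IGNORECASE)


def inventory(evidence_root):
    """Return one record per thumbcache_*.db file found under evidence_root."""
    root = Path(evidence_root)
    records = []
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        match = NAME_RE.match(path.name)
        if not match:
            continue
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            head = fh.read(8)
            digest.update(head)
            for chunk in iter(lambda: fh.read(1 << 20), b""):
                digest.update(chunk)  # stream the rest: caches can be large
        kind = MAGICS.get(head[:4], "unrecognized")
        version = struct.unpack("<I", head[4:8])[0] if kind == "cache" and len(head) == 8 else None
        records.append({
            "path": path.relative_to(root).as_posix(),
            "variant": match.group(1).lower(),  # "256", "1024", "idx", ...
            "kind": kind,
            "version": version,
            "size": path.stat().st_size,
            "sha256": digest.hexdigest(),
        })
    return records


def demo():
    """Run inventory() over constructed sample files (not real evidence)."""
    with tempfile.TemporaryDirectory() as tmp:
        other = Path(tmp, "Other")
        other.mkdir()
        (other / "thumbcache_256.db").write_bytes(b"CMMM" + struct.pack("<I", 32) + b"\0" * 16)
        (other / "thumbcache_idx.db").write_bytes(b"IMMM" + b"\0" * 20)
        (other / "thumbcache_96.db").write_bytes(b"")  # empty or damaged collection
        return inventory(tmp)
```

A record with kind "unrecognized" or size 0 points to a truncated or failed collection and is worth re-acquiring before parsing.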
Usage
Thumbnail caches can recover visual evidence from deleted images and documents. Investigators use this data to recover thumbnail images from deleted files, prove user access to images/documents, identify viewed media content, and establish visual evidence of file content.
Known Limitations
Only thumbnails, not full images
Database format requires specialized parsers
Not all file types generate thumbnails
Thumbnails may be overwritten over time
Notes
Tools like Thumbcache Viewer can parse these databases to extract thumbnail images. Thumbnails can persist after original files are deleted, providing valuable visual evidence.