Vinetto documentation page
Attempt at typology
Metadata
Thumbs.db links
Back to vinetto home page
This typology constitutes an attempt to classify thumbnails according to the way Microsoft OSes store them in Thumbs.db files.
Thumbnails
format
into the
Thumbs.db
file
|
Observations & comments
|
Thumbnail
seen from
Windows(R)TM
(screen capture)
|
Thumbnail
recovered by
vinetto
|
|
Type 2
|
a) These Type 2 thumbnails are stored as JFIF-standard file: they have
header(1), Huffman table and quantization table.
b) One can find them on XP (Home and Pro) and 2003 Server systems.
c) These thumbnails are associated to simple filenames (no full path with drive letter as in Type 1a)
Here, it's an easy job for vinetto: it's only matter of writing related stream to a file with .jpg
extension.
|
 |
|
|
Type 1b
|
a) These Type 1b thumbnails mainly consist of a raw RGBA JPEG data stream: they do not have
standard header, Huffman table or quantization table.
b) idem Type 2 ? (verification not done)
c) idem Type 2
Here vinetto uses Python Imaging Library to split the image into its R, G, B and A components,
and to merge these R, G and B components.
"A" component doesn't seem to be very useful (... some verifications to do).
|
 |
|
|
Type 1a
|
a) These Type 1a thumbnails mainly consist of a raw RGBA JPEG data stream: they do not have
standard header, Huffman table or quantization table. However, Types 1a and 1b are not identical.
b) One can find them on 9x, ME and 2000 systems (in the latter case Thumbs.db files are only created on FAT filesystems).
c) These thumbnails are associated to full pathnames including drive letter.
Vinetto processing is currently the same for types 1a and 1b ...
Here, it seems "A" component should be useful :)
|
|
|
Note : (1) A JFIF-standard file will start with the four bytes (hex) FF D8 FF E0,
followed by two variable bytes (often hex 00 10), followed by 'JFIF'. (source : JPEG faq)
0 - No guaranty : The following statements are mainly assumptions based on speculation, experiment and attentive reading
of the LAOLA file system Hacking guide
by Martin Schwartz.
1 - Thumbs.db file internals :
- a Thumbs.db file is an OLE structured storage file.
It is a rather complicated structure that looks like a "mini" FAT system.
- In short :
Data is stored as "streams" in a Thumbs.db file.
There are two kinds of stream : Catalog and thumbnails.
In the Catalog stream each entry stores :
- timestamp : "modify" timestamp of the actual picture file
- name string : actual picture file name (Types 2 and 1b: simple filename.
Type 1a: full pathname with drive letter)
A thumbnail stream stores :
- rawname string : reversed index number (e.g. if index number is 165 then rawname string is "561")
- Root Entry : the root entry of the Thumbs.db filesystem records a timestamp.
This timestamp seems to refer to the last modification of the Thumbs.db file
There is very few relevant articles concerning Thumbs.db files on the Web.
One can hardly find more than those links:
ThumbDBLib A C# library for reading thumbs.db files.
It is a blog post from Pete Daves with working code library
Thumbs DB Files Forensic Issues.
A white paper from AccessData by Dustin Hurlbut.
A Brand New Web Look for Your Folders. It is an old (May 1999) MSDN article by Dino Esposito. But there is an interesting
Thumbnails View section.
[You may submit more Thumbs.db links : please email me (rukin at users dot sourceforge dot net) ]
Author : Michel Roukine
e-mail: rukin at users dot sourceforge dot net
|
|
This page was last updated on
|
