Parser for thumbcache files

[lfcnassif]

Currently we have a generic OLEParser that handles Thumbs.db files. But we don't have any parser for thumbcache files, they are just sent to carving module to carve images, usually that returns partial images, since they are possibly fragmented into the thumbcache file.

Related project and documentation: https://github.com/libyal/libwtcdb https://github.com/libyal/libwtcdb/blob/main/documentation/Windows%20Explorer%20Thumbnail%20Cache%20database%20format.asciidoc

[marcus6n]

Could you provide an example of a thumbcache file for parse?

[lfcnassif]

Hi @marcus6n. You can find it in modern Windows OSes in the following path: C:/Users/XXXX/AppData/Local/Microsoft/Windows/Explorer/thumbcache_NN.db

Where NN is the thumbnail resolution in pixels.

See some samples below from a public forensic image to start working, but you will need much more for stress testing: thumbcache.zip

[marcus6n]

I made the parser following the reference documentation I was given and this is how it looks in the IPED text viewer:

If you want to try running it, I'll leave the download branch here and if there's any inconsistent data, please let me know so I can fix it.

Branch: feature/thumbcache-parser

PS: I also used some thumbcache files found on my pc.

[lfcnassif]

Thanks @marcus6n. But the more important info to be extracted from thumbcache files is the embedded images thumbnails.

Take a look at this project as a reference: https://github.com/AtesComp/Vinetto But since it is GPL, we cannot copy and paste its code.

[marcus6n]

Got it, I’ll check Vinetto for inspiration and implement a custom solution for extracting thumbnails without using their code. Thanks!

[marcus6n]

@lfcnassif, I've analyzed the reference codes, but I'm having trouble developing the image extraction process. I'll make a PR so that if there are devs available they can help me with this implementation.

[marcus6n]

Hi @lfcnassif,

I was able to perform the image processing that you mentioned as being the most important. I had some challenges when trying to direct the folder of processed images to the folder of the case generated by IPED when used. It turns out that, in the current process, the images that are analyzed end up being saved inside the very folder that is being analyzed.

I would like your help in modifying this behavior, so that the images are shown correctly within the IPED interface, in the “Preview” section. If you can help me with this, that would be great!

https://github.com/user-attachments/assets/21168c1b-21bf-46f7-8eb4-57446e73c94e

[lfcnassif]

Thank you @marcus6n! I can try to take a look after I return from vacation, if @hauck-jvsh doesn't review before me.

[lfcnassif]

Sorry, I closed by accident.

[lfcnassif]

Please take a look at MboxParser, the method you need is at line 113, call it for each extracted image. And have you compared the results to those from Vinetto tool?

[marcus6n]

Ok, I'll check this parser later today. I compared the results with Vinetto and they were identical, same files same metadata and thumbnails.