Forensic Analysis of Windows Thumbcache Files
Quick D, Tassone C and Choo K-K R 2014. Forensic Analysis of Windows Thumbcache files. In 20th Americas Conference on Information Systems (AMCIS 2014), 7-10 August 2014, Association for Information Systems (Forthcoming)
13 Pages Posted: 2 May 2014
Date Written: April 26, 2014
A range of court cases and forensic investigations have involved thumbnail pictures contained within operating system files, such as thumbcache and thumbs.db. In many of these cases, the thumbnail image has been the evidence presented to a court. Further analysis may locate additional information relating to thumbnail pictures, such as being able to link a thumbnail to a picture file on storage media, or locating information relating to the original file used to create the thumbnail, such as the full path and original file name. Using real-world law enforcement and test data, we demonstrate the application of our proposed operational methodology to conduct analysis of thumbcache files. We also propose a reporting and visualisation methodology to present the evidence to investigators, legal counsel, and court, which then forms the basis of our software prototype. Insider threat cases which involve pictures of intellectual property can potentially benefit from our proposed method.
Keywords: Digital Forensic Analysis, Thumbcache, Microsoft Windows, Computer Forensics
JEL Classification: C88, C89, K42, K49
Suggested Citation: Suggested Citation