An analysis of the structure and behaviour of the Windows 7 operating system thumbnail cache

Date published

2011-06-28

Free to read from

Supervisor/s

Journal Title

Journal ISSN

Volume Title

Publisher

University of Strathclyde, Glasgow

Department

Type

Conference paper

ISSN

Format

Citation

Sarah Morris and Howard Chivers. An analysis of the structure and behaviour of the Windows 7 operating system thumbnail cache. Proceedings from 1st International Conference on Cybercrime, Security and Digital Forensics, 27-28 June 2011, University of Strathclyde, Glasgow, Scotland, UK.

Abstract

Operating systems such as Windows 7 implement a thumbnail cache structure to store visual thumbnails and associated metadata. There is no standard implementation of a thumbnail cache or its functions, which has led developers to implement their own structures and behaviour. The artefacts present within a thumbnail cache are of interest to a forensic analyst as they can provide information on files within the system which may be of use to the investigation. This research investigates the structure and behaviour of the thumbnail cache implemented in Windows 7 and shows that as well as storing information relating to visual thumbnails the cache also stores the names of networked computers, GUIDs relating to system artefacts and allocated drive letter information. It also shows that due to the behaviour of the cache, information such as records relating to files which are no longer on the system may be available, proving interesting forensic evidence.

Description

Software Description

Software Language

Github

Keywords

thumbnail cache, windows 7, forensic computing

DOI

Rights

Relationships

Relationships

Supplements

Funder/s