Proj X8: Thumbcache (10 pts.)

What You Need for This Project

Purpose

You will create an image and delete it. Then you will recover evidence of it from the Thumbnail Cache. This sort of evidence is often used in child pornography cases, to show that someone viewed a forbidden image.

Creating an Image

Open Paint. Click the brush icon, and set the brush width to the widest possible setting, as shown below:

Write your name using the mouse, as shown below. Don't use the literal text "Your Name"--use your own name.

Save the file in your Pictures folder with the name "YOURNAME". Don't use the literal text "Your Name"--use your own name. Accept the default File Type of JPG.

Close Paint.

Click Start, Computer.

In the left pane, click Pictures.

If you are using Windows Server 2008, you see only little icons, not thumbnail versions of the pictures, as shown below.

Click Organize, "Folder and Search Options". On the General tab, click "Show preview and filters". Click OK.

Click Organize, Layout, "Details Pane".

Click Organize, "Folder and Search Options", and View.

Clear the "Always show icons, never thumbnails" box, as shown below. Click OK.

Close Windows Explorer and open it again. Click the file with your name on it. You should see a thumbnail version of it at the lower left, as shown below.

Drag the "YOURNAME-pX8b" file into the Recycle Bin.

Right-click the Recycle Bin and click "Empty recycle bin". Click Yes to confirm the deletion.

Viewing the Thumbcache Files

Click Start. In the upper right of the Start menu, click your logon name, which is probably Administrator.

In the Administrator window, click Organize, "Folder and search options".

Click the View tab.

Make these two adjustments, as shown below:

Click OK.

In the Administrator window, double-click AppData, Local, Microsoft, Windows, and Explorer.

You should see several "thumbcache" files, as shown below.

Getting Thumbcache Viewer

To view these files, open a Web browser and go to

https://thumbcacheviewer.github.io/

On the left side, click the "Download Thumbcache Viewer" button.

Download the thumbcache_viewer.zip file. Unzip it. Run the thumbcache_viewer.exe file.

In "Thumbcache Viewer", click File, Open.

Navigate to C:\Users\Administrator\AppData\Local\Microsoft\Windows\Explorer and double-click thumbcache_256.db. If you are working at home, replace "Administrator" with your username.

A list of files with long hexadecimal names appears, as shown below:

Many of the images have "Data Size" of zero. Click the gray Data Size column header to sort the list by size.

Click the largest image.

The image appears in Image Viewer, as shown below:

Press the down-arrow key to scroll through the images and find one with your name on it, as shown below:

If you can't find the image, try the other thumbcache files.
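The same search can be scripted across every thumbcache file at once. The following is an added example, not part of the original project and not Thumbcache Viewer's code. It assumes the file header and every cache record begin with the ASCII marker "CMMM" and that thumbnails are stored as JPEG or PNG; the function names are hypothetical.

```python
import sys
from pathlib import Path

# Assumption: the file header and every cache record start with this marker.
RECORD_MARKER = b"CMMM"
# Magic bytes of the image formats searched for. BMP ("BM") is left out
# because a two-byte magic produces too many false hits inside record headers.
IMAGE_MAGICS = {b"\xff\xd8\xff": "jpg", b"\x89PNG\r\n\x1a\n": "png"}


def carve_thumbnails(blob):
    """Return (offset, kind, data) for each record that carries image data."""
    starts = []
    pos = blob.find(RECORD_MARKER)
    while pos != -1:
        starts.append(pos)
        pos = blob.find(RECORD_MARKER, pos + len(RECORD_MARKER))
    found = []
    for begin, end in zip(starts, starts[1:] + [len(blob)]):
        record = blob[begin:end]
        hits = [(record.find(m), k) for m, k in IMAGE_MAGICS.items() if m in record]
        if not hits:
            continue  # header or empty record (shown as Data Size 0 in the viewer)
        rel, kind = min(hits)
        # Strip zero fill after the last record; JPEG and PNG never end in 0x00.
        found.append((begin + rel, kind, record[rel:].rstrip(b"\x00")))
    return found


def carve_directory(cache_dir, out_dir):
    """Carve every thumbcache_*.db under cache_dir; return the files written."""
    out_dir = Path(out_dir)
    out_dir.mkdir(parents=True, exist_ok=True)
    written = []
    for db in sorted(Path(cache_dir).glob("thumbcache_*.db")):
        for offset, kind, data in carve_thumbnails(db.read_bytes()):
            target = out_dir / f"{db.stem}_{offset:08x}.{kind}"
            target.write_bytes(data)
            written.append(target)
    return written


if __name__ == "__main__":
    # Usage: python carve_thumbcache.py <copy of Explorer folder> <output folder>
    for path in carve_directory(sys.argv[1], sys.argv[2]):
        print(path)
```

Run it against a copy of the Explorer folder rather than the live files. Each output file is named after the cache file and the byte offset where the image was found, so a hit can be traced back to its record.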

Saving a Screen Image

Make sure your screen shows an image with your name on it.

Press the PrintScrn key in the upper-right portion of the keyboard. That will copy the whole desktop to the clipboard.

YOU MUST SUBMIT AN IMAGE OF THE WHOLE DESKTOP TO GET FULL CREDIT!

Open Paint and paste in the image.

Save the image with the filename "Your Name Proj X8". Use your real name, not the literal text "Your Name".

Turning in your Project

Attach the image to an email.

Send it to: cnit.121@gmail.com with a subject line of "Proj X8 From Your Name", replacing Your Name with your own first and last name. Send a Cc to yourself.

Last Modified: 10-5-16