Windows 7 Image Thumbnails - A Double Edged Sword?

Author: Andrew Frowen

During investigations into the possession of indecent images of children, police will seize any digital devices owned by the suspect and pass them, under controlled conditions, to a Digital Forensic Analyst for investigation. It is the analyst's role to extract evidence of any videos or images, and other documents, even where they have been deleted.

For computers running Microsoft Windows, a common method for recovering evidence of deleted images is to analyse the thumbnails that are created for each image when the folder they are stored in is viewed. The thumbnails are created to reduce the time it takes to preview a folder, but because a thumbnail often remains present even after the image itself has been deleted, these entries can be used to confirm possession of indecent images, even if no other evidence of the image exists.

In Windows XP, the thumbs.db file is automatically generated whenever a user views a folder in Explorer using 'thumbs' or 'filmstrip' mode. File types recorded in thumbs.db include image files (JPEGs, BMPs, GIFs and PNGs), document files (TIFFs and PDFs), video files (AVIs and MOVs), presentation files (PPTs) and some web pages (HTM and HTML). As well as image thumbnails, the thumbs.db file will also include information such as the original file name and the date each thumbnail was last written.

While it is possible for a computer user to delete the thumbs.db file to remove this record, this is often overlooked because it appears as a 'hidden file', meaning that Explorer's settings need to be manually altered in order for it to become visible for deletion. However, even when visible, it is not possible to view the contents of a thumbs.db file without specialist software.

With Windows Vista came a new approach to the creation of thumbnails, which has now been carried through to Windows 7. Instead of creating a thumbs.db file in every folder, Vista creates a single set of 'thumbcache' files, stored in a central directory.

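The two cache layouts described above can be inventoried on a read-only mounted evidence copy with a short triage script. This is an added example, not part of the original article: the function names are hypothetical, and it assumes the publicly documented file signatures (the OLE compound file header for thumbs.db, the `CMMM` signature for thumbcache files) and a 32-bit format version field following `CMMM`.

```python
import hashlib
import struct
from pathlib import Path

OLE_MAGIC = bytes.fromhex("D0CF11E0A1B11AE1")  # OLE compound file header (thumbs.db)
CMMM_MAGIC = b"CMMM"                            # thumbcache_*.db signature


def classify(path):
    """Return a record for a thumbnail-cache candidate, or None for other files."""
    name = path.name.lower()
    if name == "thumbs.db":
        kind, magic = "thumbs.db (per-folder)", OLE_MAGIC
    elif name.startswith("thumbcache_") and name.endswith(".db"):
        kind, magic = "thumbcache (central)", CMMM_MAGIC
    else:
        return None
    data = path.read_bytes()
    record = {
        "path": str(path),
        "kind": kind,
        "size": len(data),
        "sha256": hashlib.sha256(data).hexdigest(),  # integrity value for the case notes
        # A matching name with the wrong header may be renamed, wiped or truncated
        "header_ok": data.startswith(magic),
        "format_version": None,
    }
    # Assumption: little-endian uint32 format version directly after "CMMM"
    if record["header_ok"] and magic == CMMM_MAGIC and len(data) >= 8:
        record["format_version"] = struct.unpack_from("<I", data, 4)[0]
    return record


def inventory(root):
    """Walk an evidence copy and list every thumbnail cache file found."""
    records = []
    for path in sorted(Path(root).rglob("*")):
        if path.is_file():
            record = classify(path)
            if record:
                records.append(record)
    return records


if __name__ == "__main__":
    import sys
    for rec in inventory(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(rec)
```

A record with `header_ok` set to false marks a file worth a closer look, since the name says thumbnail cache but the content does not.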
For Computer Forensic Analysts, this system has pros and cons. The central location means that even if a user running Vista deletes an entire folder containing indecent images, evidence may still exist in the central cache. In addition, thumbnails may even be recovered centrally for images stored on removable media (such as a CD or USB drive). However, the central location also means that users need only delete a single set of files to remove all thumbnails from the computer.

Most significantly, while thumbnails offer a useful evidence recovery method, all three of the most recent Windows operating systems come with the option to disable the creation of thumbnails should the user wish, so it is never the sole avenue of enquiry for a Digital Forensic Analyst. Thorough investigations employ an extensive forensic tool kit to recover registry records, piece together fragments of deleted files, and track user movements online, meaning that in reality, if there were ever images on a suspect's drive, computer forensics will usually be able to prove it.

About the Author: IntaForensics is a BS EN ISO 9001:2000 registered firm providing Computer Forensics, Expert Witness, Mobile Phone Forensics, and Forensic Data Recovery to the Legal Sector, Police Forces, Local Authorities and Commercial organisations internationally. Visit http://www.intaforensics.com.
