Seeking community feedback and testing: Developing a signature for Thumbs.db and its versions


ross-spencer

Jul 29, 2014, 12:35:42 AM
to droid...@googlegroups.com
Hi All,

I've been working on a signature for Thumbs.db. It's fairly straightforward; most of the time thus far has been spent setting up a testing mechanism for DROID 6.1.3 and figuring out a few subtleties with DROID container signature code.

There are two parts required to develop a DROID container signature. First, a reference to it in the standard binary signature file, plus the signature for the container type we need to identify; in this case OLE2. Second, we need a container signature file containing the mappings and the signature itself.

The Thumbs.db files I have found for myself I believe are all Windows XP. These contain two files as standard that I search for:

'Catalog'

and 

'1'

Catalog contains an index of the thumbnails that exist in thumbs.db and '1' is the very first image object we can find in thumbs.db.

Catalog contains the following sequence that seems to be consistent:

10 00 07 00 02 00 00 00 60 00 00 00 60 00 00 00 26 00 00 00 01 00 00 00 00

  • 02, highlighted, is variable, and is a count of the number of thumbnails in the Thumbs.db file. I am yet to see a Thumbs.db file with over 128 thumbnails. 
  • 26, highlighted, is variable, but I am not sure what this represents. 

In both cases, as variables, I have created a signature using the syntax [00:FF] which enables the byte at those positions to be anything from 0x00 to 0xFF.

Likewise '1' contains the following consistent sequence:

0C 00 00 00 01 00 00 00 

I have had to truncate the sequence to this, as a portion of the byte-stream following it cannot be matched in DROID at present, e.g. in this signature I'd add:

{4} 00 00 

But the syntax used is not valid in container signatures. See: https://groups.google.com/d/msg/droid-list/0xDnputieUk/PWlBlbnF0HEJ

I've created a signature that works for the attached file 'thumbs-for-tna.db'. This signature should also work on other XP based Thumbs.db files. As part of this thread I'm looking for:
  • Community testing of the signature
  • Verification of Windows versions it works on
  • Sample files from Windows 2000, Windows Vista, Windows 7, Windows 8, where they exist
  • Verification that no other versions of NT used Thumbs.db
  • Help to understand the meaning of the byte sequences further
  • Guidance for the PRONOM team on how we should create entries in PRONOM
Having chatted to a colleague at State Records New South Wales (see this thread: https://groups.google.com/forum/#!msg/droid-list/0xDnputieUk/IOy1FuS5IVYJ), it is clear others are doing this work. One of the issues we're discovering, though, is that the Thumbs.db files that we can find on later Windows versions (see this link: http://www.swiftforensics.com/2012/07/windows-7-generated-thumbsdb.html) are of a slightly different format and cannot be identified using DROID mechanisms at present (as far as I can work out). My suggestion to the PRONOM team would be to create at least two entries for Thumbs.db: 2000 - XP, and Vista onward. This suggestion is heavily dependent on being able to source files from other versions of the operating system.

Files attached to this post:
  • thumbs-for-tna.db - One of the objects I've been working with from an XP system
  • test-thumbs-db-container-signature-20140728.xml - Binary signature file to place in .droid6\container_sigs
  • Thumbs.db-v2.0-signature-file.xml - standard signature file to place in .droid6\signature_files
  • dl-nsw-thumbs.db - A later Thumbs.db file linked to by Richard Lehane in the previous thread, this won't work with the attached files. 
All help appreciated.

Cheers,

Ross


Lehane, Richard

Jul 29, 2014, 1:53:46 AM
to droid...@googlegroups.com

Hi Ross

It looks like the Catalog file has a structure like this:

Catalog header

Offset 0: 10 00 07 00 (Magic?)
Offset 4: Number of catalog entries (unsigned 32-bit integer)
Offset 8: Image width (unsigned 32-bit integer) e.g. 96
Offset 12: Image height (unsigned 32-bit integer) e.g. 96

From offset 16 onwards you get an array of catalog entries.

Each catalog entry

Offset 0: Size of entry (unsigned 32-bit integer) (In your example this is the "26 00 00 00")
Offset 4: Entry number (unsigned 32-bit integer)
Offset 8: ????
Offset 10: ????
Offset 12: Entry name (a variable length UTF16 string with a terminating 0x00000000)

Cheers

Richard

--
You received this message because you are subscribed to the Google Groups "droid-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to droid-list+...@googlegroups.com.
To post to this group, send email to droid...@googlegroups.com.
Visit this group at http://groups.google.com/group/droid-list.
For more options, visit https://groups.google.com/d/optout.

______________________________________________________________________
This email has been scanned by the Symantec Email Security.cloud service.
For more information please visit http://www.symanteccloud.com
______________________________________________________________________

Lehane, Richard

Jul 29, 2014, 2:47:33 AM
to droid...@googlegroups.com

Hi all

An addendum on thumbs.db Catalog files…

This source: https://ad-pdf.s3.amazonaws.com/wp.Thumbs_DB_Files.en_us.pdf suggests there are different Thumbs.db versions between Win ME/2000/XP and 2003.

The FTK screenshots in it have a version 7. So that 07 00 at offset 2 is likely the Thumbs.db database version number (which means it will probably vary).

Also the FTK screenshots have last modified dates, which explains that unknown 8 byte sequence in the catalog entries.

Which gives:

Catalog header

Offset 0: 10 00
Offset 2: Unsigned 16-bit integer, Thumbs.db Database Version number e.g. 7
Offset 4: Number of catalog entries (unsigned 32-bit integer)
Offset 8: Image width (unsigned 32-bit integer) e.g. 96
Offset 12: Image height (unsigned 32-bit integer) e.g. 96

From offset 16 onwards you get an array of catalog entries.

Each catalog entry

Offset 0: Size of entry (unsigned 32-bit integer) (In Ross's example this is the "26 00 00 00")
Offset 4: Entry number (unsigned 32-bit integer)
Offset 8: Last modified date (in Win FILETIME format - http://msdn.microsoft.com/en-us/library/windows/desktop/ms724284%28v=vs.85%29.aspx) e.g. the first entry in Ross's example has 2011-12-16 11:01:54
Offset 16: Entry name (a variable length UTF16 string with a terminating 0x00000000)

Cheers

Richard

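The Catalog layout Richard works out above, and Ross's draft byte sequence with its [00:FF] wildcards, as an added example that is not code from this thread, from DROID or from PRONOM: a Python parser for the Catalog stream plus a small matcher for DROID-style sequences anchored at the beginning of the stream. It assumes the Catalog stream has already been pulled out of the OLE2 compound file (olefile can do that), that each entry's size field counts the 16-byte entry header as well as the name bytes, and that names end with the four zero bytes the thread describes; the sample stream is constructed here, not taken from thumbs-for-tna.db. Because the layout makes the entry count a 32-bit field while the draft sequence wildcards only its low byte at offset 4 (and fixes width and height at 96), the example also builds a 300-entry catalog and a 128-pixel catalog and shows both failing the match.

```python
"""Added example: parse a Thumbs.db 'Catalog' stream and test a DROID-style
byte sequence against it. Not code from the droid-list thread or from DROID.

Assumptions (labelled): the stream is already extracted from the OLE2 file;
entry size includes the 16-byte entry header; names end in 0x00000000.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Ross's draft Catalog byte sequence from the thread, [00:FF] wildcards included.
ROSS_CATALOG_SIGNATURE = (
    "10 00 07 00 [00:FF] 00 00 00 60 00 00 00 60 00 00 00 "
    "[00:FF] 00 00 00 01 00 00 00 00"
)

# Constructed sample timestamp (the date Richard read from Ross's first entry).
SAMPLE_MODIFIED = datetime(2011, 12, 16, 11, 1, 54, tzinfo=timezone.utc)


def filetime_to_datetime(filetime):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; only used here to build sample streams."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_catalog(data):
    """Parse a Catalog stream in the layout from the thread.

    Every size and offset is bounds-checked before use: a Thumbs.db carved
    from seized media is untrusted input, so a bad count or entry size must
    raise ValueError rather than read past the buffer.
    """
    if len(data) < 16:
        raise ValueError("Catalog stream shorter than its 16-byte header")
    header_size, version, count, width, height = struct.unpack_from("<HHIII", data, 0)
    if header_size != 0x10:
        raise ValueError("unexpected header size field 0x%04x" % header_size)
    entries = []
    offset = 16
    for _ in range(count):
        if offset + 16 > len(data):
            raise ValueError("entry header at offset %d runs past end of stream" % offset)
        size, number, filetime = struct.unpack_from("<IIQ", data, offset)
        # Assumption: size counts the 16-byte entry header plus the name bytes.
        if size < 16 or offset + size > len(data):
            raise ValueError("entry size %d at offset %d is out of bounds" % (size, offset))
        raw_name = data[offset + 16:offset + size]
        # Name is UTF-16LE; strip the 0x00000000 terminator the thread describes.
        name = raw_name.decode("utf-16-le", errors="replace").rstrip("\x00")
        entries.append({"number": number, "modified": filetime_to_datetime(filetime), "name": name})
        offset += size
    return {"version": version, "count": count, "width": width, "height": height, "entries": entries}


def is_well_formed(data):
    """True if parse_catalog accepts the stream, False if it rejects it."""
    try:
        parse_catalog(data)
        return True
    except ValueError:
        return False


def parse_byte_sequence(sequence):
    """Turn a DROID-style sequence such as '10 00 [00:FF]' into (lo, hi) byte ranges."""
    ranges = []
    for token in sequence.split():
        if token.startswith("[") and token.endswith("]"):
            lo, hi = token[1:-1].split(":")
            ranges.append((int(lo, 16), int(hi, 16)))
        else:
            value = int(token, 16)
            ranges.append((value, value))
    return ranges


def matches_at_bof(sequence, data):
    """True if the stream's leading bytes all fall inside the sequence's ranges."""
    ranges = parse_byte_sequence(sequence)
    if len(data) < len(ranges):
        return False
    return all(lo <= byte <= hi for (lo, hi), byte in zip(ranges, data))


def build_catalog(names, width=96, height=96, version=7, modified=SAMPLE_MODIFIED):
    """Construct a Catalog stream in the layout above (sample data, not a real file)."""
    body = b""
    for index, name in enumerate(names, start=1):
        name_bytes = name.encode("utf-16-le") + b"\x00\x00\x00\x00"
        body += struct.pack("<IIQ", 16 + len(name_bytes), index, datetime_to_filetime(modified))
        body += name_bytes
    return struct.pack("<HHIII", 0x10, version, len(names), width, height) + body


# Two 96x96 thumbnails; the first entry is 0x26 bytes long, like Ross's sample.
SAMPLE_XP_CATALOG = build_catalog(["image.jpg", "photo.jpg"])

if __name__ == "__main__":
    print("matches draft signature:", matches_at_bof(ROSS_CATALOG_SIGNATURE, SAMPLE_XP_CATALOG))
    for entry in parse_catalog(SAMPLE_XP_CATALOG)["entries"]:
        print(entry["number"], entry["modified"].isoformat(), entry["name"])
```

To run it against a real file, read the "Catalog" stream out of the compound document (for example `olefile.OleFileIO(path).openstream("Catalog").read()`) and pass those bytes to `parse_catalog`; the bounds checks matter because the count and size fields come straight from the file and a corrupt or crafted Thumbs.db should be rejected, not read out of bounds.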
