Hi Ross

It looks like the Catalog file has a structure like this:

Catalog header
  Offset 0: 10 00 07 00 (Magic?)
  Offset 4: Number of catalog entries (unsigned 32-bit integer)
  Offset 8: Image width (unsigned 32-bit integer) e.g. 96
  Offset 12: Image height (unsigned 32-bit integer) e.g. 96

From offset 16 onwards you get an array of catalog entries.

Each catalog entry
  Offset 0: Size of entry (unsigned 32-bit integer) (In your example this is the “26 00 00 00”)
  Offset 4: Entry number (unsigned 32-bit integer)
  Offset 8: ????
  Offset 10: ????
  Offset 12: Entry name (a variable length UTF16 string with a terminating 0x00000000)

Cheers
Richard
--
You received this message because you are subscribed to the Google Groups "droid-list" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
droid-list+...@googlegroups.com.
To post to this group, send email to
droid...@googlegroups.com.
Visit this group at http://groups.google.com/group/droid-list.
For more options, visit https://groups.google.com/d/optout.
Hi all

An addendum on thumbs.db Catalog files…

This source: https://ad-pdf.s3.amazonaws.com/wp.Thumbs_DB_Files.en_us.pdf suggests there are different Thumbs.db versions between Win ME/2000/XP and 2003.

The FTK screenshots in it have a version 7. So that 07 00 at offset 2 is likely the Thumbs.db database version number (which means it will probably vary).

Also the FTK screenshots have last modified dates, which explains that unknown 8 byte sequence in the catalog entries.

Which gives:

Catalog header
  Offset 0: 10 00
  Offset 2: Unsigned 16-bit integer, Thumbs.db Database Version number e.g. 7
  Offset 4: Number of catalog entries (unsigned 32-bit integer)
  Offset 8: Image width (unsigned 32-bit integer) e.g. 96
  Offset 12: Image height (unsigned 32-bit integer) e.g. 96

From offset 16 onwards you get an array of catalog entries.

Each catalog entry
  Offset 0: Size of entry (unsigned 32-bit integer) (In Ross’s example this is the “26 00 00 00”)
  Offset 4: Entry number (unsigned 32-bit integer)
  Offset 8: Last modified date (in Win FILETIME format - http://msdn.microsoft.com/en-us/library/windows/desktop/ms724284%28v=vs.85%29.aspx) e.g. the first entry in Ross’s example has 2011-12-16 11:01:54
  Offset 16: Entry name (a variable length UTF16 string with a terminating 0x00000000)

Cheers
Richard
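
An added example, not part of Richard's message or of DROID: a Python sketch that parses the revised Catalog layout above and rejects inconsistent length fields instead of reading past the buffer. The function names are hypothetical, and it assumes little-endian fields, an entry size that counts the whole entry including the size field, and a UTC FILETIME; the sample bytes and the name image.jpg are constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER = struct.Struct("<HHIII")   # 10 00, version, entry count, width, height
ENTRY = struct.Struct("<IIQ")      # entry size, entry number, FILETIME

def parse_catalog(data):
    """Parse a Catalog stream; raise ValueError on inconsistent lengths."""
    if len(data) < HEADER.size:
        raise ValueError("truncated header")
    first, version, count, width, height = HEADER.unpack_from(data, 0)
    if first != 0x0010:            # assumption: the leading 10 00 is constant
        raise ValueError("unexpected leading bytes")
    entries, pos = [], HEADER.size
    for _ in range(count):
        if pos + ENTRY.size > len(data):
            raise ValueError("entry count exceeds data")
        size, number, filetime = ENTRY.unpack_from(data, pos)
        # Size must cover the fixed fields plus the 4-byte terminator and stay in bounds
        if size < ENTRY.size + 4 or pos + size > len(data):
            raise ValueError(f"bad entry size {size} at offset {pos}")
        raw = data[pos + ENTRY.size:pos + size]
        if raw[-4:] != b"\x00\x00\x00\x00":
            raise ValueError("name not terminated")
        try:                       # FILETIME counts 100 ns ticks since 1601-01-01
            modified = FILETIME_EPOCH + timedelta(microseconds=filetime // 10)
        except OverflowError:
            raise ValueError("FILETIME out of range") from None
        entries.append({"number": number, "modified": modified,
                        "name": raw[:-4].decode("utf-16-le")})
        pos += size
    return {"version": version, "width": width, "height": height, "entries": entries}

def build_sample():
    """Constructed sample: version 7, 96x96, one 0x26-byte entry."""
    when = datetime(2011, 12, 16, 11, 1, 54, tzinfo=timezone.utc)
    delta = when - FILETIME_EPOCH
    filetime = (delta.days * 86400 + delta.seconds) * 10**7
    name = "image.jpg".encode("utf-16-le") + b"\x00" * 4
    entry = ENTRY.pack(ENTRY.size + len(name), 1, filetime) + name
    return HEADER.pack(0x0010, 7, 1, 96, 96) + entry
```
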
From: Lehane, Richard
Sent: Tuesday, 29 July 2014 3:54 PM
To: 'droid...@googlegroups.com'
Subject: RE: Seeking community feedback and testing: Developing a signature for Thumbs.db and its versions
From:
droid...@googlegroups.com [mailto:droid...@googlegroups.com]
On Behalf Of ross-spencer
Sent: Tuesday, 29 July 2014 2:36 PM
To: droid...@googlegroups.com
Subject: Seeking community feedback and testing: Developing a signature for Thumbs.db and its versions
Hi All,