Dr Sarah Morris
Digital Forensics Research Portfolio
Research Publications ~ 2011
Forming a relationship between artefacts identified in thumbnail caches and the remaining data on a storage device
The primary function of a thumbnail cache is similar across different operating systems; however, there is no consistent implementation. Because the thumbnails are potentially interesting to forensic analysts, it is important to understand the detail of how they are used in a particular operating system. Previous work has shown the importance of understanding the structure and the effect of user behaviour on various thumbnail caches. However, an analyst needs to demonstrate a relationship between artefacts identified in the thumbnail cache and those found elsewhere on the system in order to provide context and corroboration for any evidence derived from thumbnails. A relationship between artefacts can also assist in establishing possible event timelines and in understanding the user behaviour which led to the system being in its current state.
This paper establishes the relationships which are formed between user-generated files and information stored in the thumbnail cache; this shows how a forensic analyst can infer relationships between the thumbnail cache and other artefacts identified on the system. This paper provides a description of each relationship between the thumbnail cache and other artefacts; these relationships allow the corroboration of evidence extracted from the thumbnail cache and provide an additional source of evidence of user behaviour. In addition to providing a useful reference for analysts when reconstructing a user’s activity, this paper also uses the thumbnail cache as an example to discuss the importance of contextual analysis within forensic computing.
In addition to the relationships shown between standard image thumbnail cache records and the rest of the system, this research also identifies how relationships are formed between the thumbnail cache and system artefacts such as the icons present on the user’s desktop, and also allows the identification of devices on the same network as the user.
Morris, S; Chivers, H; (2011); "Forming a relationship between artefacts identified in thumbnail caches and the remaining data on a storage device"; Proceedings from 5th Cybercrime Forensics Education & Training. Canterbury Christ Church University, Canterbury, UK
An analysis of the structure and behaviour of the Windows 7 operating system thumbnail cache
Operating systems such as Windows 7 implement a thumbnail cache structure to store visual thumbnails and associated metadata. There is no standard implementation of a thumbnail cache or its functions, which has led developers to implement their own structures and behaviour. The artefacts present within a thumbnail cache are of interest to a forensic analyst as they can provide information on files within the system which may be of use to the investigation. This research investigates the structure and behaviour of the thumbnail cache implemented in Windows 7 and shows that, as well as storing information relating to visual thumbnails, the cache also stores the names of networked computers, GUIDs relating to system artefacts and allocated drive letter information. It also shows that, due to the behaviour of the cache, information such as records relating to files which are no longer on the system may be available, providing interesting forensic evidence.
Morris, S; Chivers, H; (2011); "An analysis of the structure and behaviour of the Windows 7 operating system thumbnail cache"; Proceedings from 1st Cyberforensics, University of Strathclyde, Glasgow, UK