(EN) ThumbCache IconCache - Forensic Cheatsheet

## Introduction We have dealt some artifacts about program execution. Most elements are categorized as artifacts because it proves the execution traces, and because of anti-forensic activities or system capacity managements there are numerous cases deleting such evidences. Its a pain in the ass for these circumstances. However there is always a way to find about program execution. Today Iconcache will be introduced which is one of them. Iconcache is literally a function for windows operating system to load icons of previously used program. You should have probably heard of word “Thumbnail” since media such as youtube arose. The word Thumb that comes from thumbnail is the same word that comes from ThumbCache which resembles its similarity. Iconcache saves the preview of the file icon. So the word is consisted of multiple meanings “small preview” + “cache”. It would be awesome if you catch what I’m trying to say! Thumbcache and Iconcache is a small cache database that saves a icon of program or preview of an image file. ## Path ThumbCache as well as Iconcache is saved under the AppData directory in a database format. The specific path is written below. ``` %AppData%\Local\Microsoft\Windows\Explorer %AppData%\Local\Iconcache.db ``` You might be confused with the path having only the directory name not a file name, but this is because Thumbcache saves files in different database by size of a file. Looking into the image below, You can find 2 types of file. One is `iconcache`, and the other is `thumbcache` file. The difference between two will be dealt in the next chapter. ![[%E1%84%89%E1%85%B3%E1%84%8F%E1%85%B3%E1%84%85%E1%85%B5%E1%86%AB%E1%84%89%E1%85%A3%E1%86%BA_2023-03-20_%E1%84%8B%E1%85%A9%E1%84%92%E1%85%AE_5.11.37.png]] ## Data Before handling the specific structure of ThumbCache file, we will first talk about the difference between `thumbcahce` and `iconcache`. As said before, their most strikable difference is the type of file that is being saved. ThumbCache is a word from Thumbnail, which saves preview files of media such as image or videos. And Iconcache is a function that saves a image of programs icon to prevent reading image file every time when program is executed. So if you want to find user informations about media, go for Thumbcache, and if you want something about program execution Iconcache will be your best option. One feature that you must understand is that this function is a centralized function that helps to retrieve data from database fast as possible, so when original image is deleted, it would only be unavailable in the Cache but there will be copy of deleted data. Different from cases when original file is deleted, take it as a special concept of file being orphan from original file, allocated state without missing links. ### Iconcache The way iconcache saves images differ by windows version. the turning point would be windows 7. Since windows 7, there was only one `iconcache.db` file saving every kind of images by its resolution. After windows 8, there is no image data directly in the database, and there are only paths written in the database so there would be a efficiency saving data. And the image will not be saved as single image, but it is saved each by resolutions. As a result there may be small differences depending on the windows version. With Iconcache, we will only discuss about versions after windows vista. **Header** | **Offset (hex)** | **Size (bytes)** | **Description** | | ---------------- | ---------------- | ----------------------------------------------------- | | 0x00 | 4 | The signature ("CMMM") | | 0x04 | 4 | Format version | | 0x08 | 4 | Cache type <br>(0~4) Depends on the image resolution | | 0x0C | 4 | Offset to first cache entry or file header | | 0x10 | 4 | Offset to first available cache entry | | 0x14 | 4 | Number of cache entries | **Cache Entry** |Offset (hex)|Size (bytes)|Value| |---|---|---| |0x00|4|Signature "CMMM"| |0x04|4|Cache entry size| |0x08|8|Entry hash| |0x10|8|File extension| |0x18|4|Identifier string size| |0x1C|4|Padding size| |0x20|4|Data size| |0x24|4|(empty)| |0x28|8|Data checksum| |0x30|8|Header checksum| |0x38|-|Identifier string| |-|-|Padding & Data| ### Thumbcache Also there are small differences in ways saving Thumbcache files by windows version. It shows difference by each windows version Vista, Windows7, Windows 10. ThumbCache file is consisted of file header and Cache Entry array that saves subordinary entries. Header and entry show up simultaneously. If you need a example that could help your understanding, refer the graph below. ``` Header | Entry1 | Entry2| ... | Entry N | End ``` Artifacts are mainly described with Windows 10/11 because that is the main environment most people confront nowadays. **Windows 10/11** **Header** |**Offset**|**Size**|**Description**| |---|---|---| |0x00|4|Signature( “CMMM”)| |0x04|4|Format Version| |0x08|4|Cache Type| |0x0C|4|File Header Size| |0x10|4|First Available Cache Entry offset| |0x14|4|Number of Cache Entries| **Cache Entry Array** |Offset|Size|Description| |---|---|---| |0x00|4|Entry Size| |0x04|4|Header Size| |0x08|8|Thumbnail Offset| |0x10|8|Thumbnail Size| |0x18|16|Last Modified Timestamp| |0x28|4|Cache Entry Flags| |0x2C|4|Cache Entry Type| |0x30|4|File Attributes| |0x34|4|File Size| |0x38|4|Filename Length| |0x3C|n|Filename| > [!Question] ** Why there are so many Unknowns??!** > > There needs additional investigation since there are many unknown items. However to speak frankly, there are most data that is used in digital forensic investigation area. > > Most data structure was written based on the structure that @Joachim Metz described in his github. There were some invalid columns. And those data was corrected by personally experimenting it. > > Since there are many data written as Unknown, and some data has invalid offsets, so keep in mind and try to correct your own data with experimenting it :) ## Conclusion Experimentally presuming that ThumbCache and IconCache was frequently used when there were anti-forensic activities done while looking for file execution traces. The reason may not be precise, It may be because there are informations about recently used informations about images. But Thumb/IconCache seems quite insufficient for an artifact to genuinely prove user activity. This is why this artifact should be used as an evidence that proves your statement indirectly. Although it does not contain tremendous amount of data, they are usually abandoned in anti-forensic activities because of its value and also it could be certainly known when you delete iconcache because your ico ns and shortcuts will not show normal. We looked through an artifact called ThumbCache and IconCache which could be trivial but useful. They are known for proving traces of execution. They could be tricky when you go through its binary since it has a strange encoding styles. My personal suggestion was always try parsing it on your own but sometimes it could be more helpful using a publicly open parsing tools.