As in Windows forensic investigations, thumbnail databases play an important role in Android examinations. They can contain thumbnails of images and videos that the user deleted to cover the traces of a crime.
Android thumbnail databases evolution
In early versions of Android OS, thumbnail databases were stored in thumbcache_xxx.db (where xxx is the size of the thumbnail in the database) or .thumbnailsx-y (where x and y are random number combinations).
Figure 1. Thumbnails saved in .thumbnails3—1967290299
Then such databases could be found in imgcache.0 and imgcache.1 files.
Now Android thumbnails are stored in imgcache.0 and imgcache.1 files.
But there are also some new thumbnail databases:
New Android thumbnail databases
As already mentioned, the most recent Android OS version can contain the following thumbnail database files: imgcache.idx, imgcacheBig.0, imgcacheBig.idx, imgcacheMicro.0, imgcacheMicro.idx, imgcacheMini.0 and imgcacheMini.idx.
Files with the idx extension contain 96x96px thumbnails and probably some metadata that we cannot interpret at present.
Files imgcache.0, imgcacheBig.0, imgcacheMicro.0 and imgcacheMini.0 contain random-sized thumbnails:
Sometimes, a digital forensic examiner can find thumbnails of a different size in these databases.
For example, during the forensic examination of the Samsung Galaxy Core 2 Duos (SM-G355H) running Android 4.4.2, we found imgcacheMicro.0 and imgcacheMini.0 files which contained 96x96px thumbnails.
Figure 2. Thumbnails saved in imgcachebig.0
Android thumbnail databases structure
If you open an Android thumbnail database file in a hex viewer, the first thing you spot is a typical JPG file header.
Figure 3. File imgcache.0 opened in a hex-viewer
This means that data from such databases can be extracted not only with commercial mobile forensic suites, but also with a simple file carving and indexing application, Scalpel.
Figure 4. Thumbnails carved out of .thumbdata3–1967290299 file with Scalpel
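To show what carving such a file involves, here is an added example (not part of the original article and not Scalpel's code). It assumes the cache file holds complete JPEG streams separated by record data of unknown format, and it walks the JPEG segment structure so that an end-of-image marker inside an embedded thumbnail does not truncate the carved file. The function names and the sample bytes are constructed for illustration.

```python
SOI = b"\xff\xd8\xff"  # start-of-image plus the 0xFF that opens the first segment

def jpeg_end(data, start):
    """Offset just past the top-level EOI of the JPEG at `start`, else None."""
    pos, n = start + 2, len(data)
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            return None                          # not on a marker: false hit
        marker = data[pos + 1]
        if marker == 0xD9:                       # EOI outside any segment
            return pos + 2
        if marker in (0xFF, 0x01) or 0xD0 <= marker <= 0xD7:
            pos += 1 if marker == 0xFF else 2    # fill byte / length-less marker
            continue
        seglen = int.from_bytes(data[pos + 2:pos + 4], "big")
        if seglen < 2:
            return None                          # truncated or corrupt length
        pos += 2 + seglen                        # skips APPn, nested thumbnail included
        if marker == 0xDA:                       # SOS: entropy-coded data follows
            while True:
                pos = data.find(b"\xff", pos)
                if pos < 0 or pos + 1 >= n:
                    return None
                if data[pos + 1] != 0x00 and not 0xD0 <= data[pos + 1] <= 0xD7:
                    break                        # next real marker
                pos += 2                         # stuffed FF 00 or restart marker
    return None

def carve_jpegs(data):
    """Return [(offset, jpeg_bytes)] for each structurally complete JPEG."""
    found, pos = [], 0
    while (pos := data.find(SOI, pos)) != -1:
        end = jpeg_end(data, pos)
        if end is not None:
            found.append((pos, data[pos:end]))
        pos = end if end is not None else pos + 2
    return found

def _fake_jpeg(scan):
    """Constructed stream: valid segment layout, not a decodable picture."""
    inner = b"\xff\xd8\xff\xdb\x00\x02\xff\xd9"  # nested thumbnail inside APP1
    app1 = b"\xff\xe1" + (2 + len(inner)).to_bytes(2, "big") + inner
    sos = b"\xff\xda\x00\x02" + scan + b"\xff\x00" + scan
    return b"\xff\xd8" + app1 + sos + b"\xff\xd9"

# Constructed stand-in for a cache file: padding, two images, a cut-off header.
SAMPLE = bytes(16) + _fake_jpeg(b"A" * 8) + b"record-gap" + _fake_jpeg(b"B" * 5) + b"\xff\xd8\xff\x00cut"

if __name__ == "__main__":
    print([(off, len(blob)) for off, blob in carve_jpegs(SAMPLE)])
```

Run against a working copy of the extracted file, never the original evidence, and record each offset alongside the hash of the carved thumbnail.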
Conclusion
Of course, digital forensic tools such as Oxygen Forensic support data extraction from Android thumbnail databases, but new database types could be missed. It is therefore very important to analyze devices running this OS manually, to find new thumbnail database types and extract digital evidence from them.
About the authors:
Igor Mikhaylov
Interests: Computer, Cell Phone & Chip-Off Forensics
Oleg Skulkin
Interests: iOS forensics, Android forensics, Mac OS X forensics, Windows forensics, Linux forensics