As in Windows forensic investigations, thumbnail databases play an important role in Android examinations. They can contain thumbnails of images and videos that the user deleted to cover the traces of a crime.
Android thumbnail databases evolution
In early versions of Android OS, thumbnail databases were stored in thumbcache_xxx.db (where xxx is the size of the thumbnail in the database) or .thumbnailsx-y (where x and y are a random number combination).
Figure 1. Thumbnails saved in .thumbnails3—1967290299
Later, such databases could be found in imgcache.0 and imgcache.1 files, and that is where Android thumbnails are still stored now.
But there are also some new thumbnail databases:
- imgcache.idx
- imgcacheBig.0
- imgcacheBig.idx
- imgcacheMicro.0
- imgcacheMicro.idx
- imgcacheMini.0
- imgcacheMini.idx
New Android thumbnail databases
As already mentioned, the most recent Android OS version can contain the following thumbnail database files: imgcache.idx, imgcacheBig.0, imgcacheBig.idx, imgcacheMicro.0, imgcacheMicro.idx, imgcacheMini.0 and imgcacheMini.idx.
Files with the idx extension contain 96x96px thumbnails and probably some metadata that we cannot interpret at present.
The files imgcache.0, imgcacheBig.0, imgcacheMicro.0 and imgcacheMini.0 contain thumbnails of various sizes:
- imgcacheMicro.0 contains 96x96px thumbnails
- imgcacheMini.0 contains 240x144px thumbnails
- imgcacheBig.0 contains 444x250px or 444x333px thumbnails
- imgcache.0 contains 240x144px, 444x250px or 444x333px thumbnails
Sometimes, a digital forensic examiner can find thumbnails of a different size in these databases.
For example, during the forensic examination of a Samsung Galaxy Core 2 Duos (SM-G355H) running Android 4.4.2, we found imgcacheMicro.0 and imgcacheMini.0 files that contained 96x96px thumbnails.
Figure 2. Thumbnails saved in imgcacheBig.0
Android thumbnail databases structure
If you open an Android thumbnail database file in a hex viewer, the first thing you spot is a typical JPG file header.
Figure 3. File imgcache.0 opened in a hex-viewer
It means that data from such databases can be extracted not only with commercial mobile forensic suites, but also with a simple file carving and indexing application, Scalpel.
Figure 4. Thumbnails carved out of .thumbdata3–1967290299 file with Scalpel
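The carving approach described above, as an added Python example (not Scalpel's code and not from the original article): it finds each JPEG start-of-image marker, walks the segments to read the frame size, and cuts at the end-of-image marker. The function names and the SAMPLE bytes are constructed for illustration; nothing is assumed about the record layout around the JPEG streams.

```python
import struct

SOI, EOI, SOS = b"\xff\xd8", b"\xff\xd9", 0xDA
# SOF markers carry the frame size; C4, C8 and CC are not frame headers
SOF = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}

def parse_jpeg(blob, start):
    """Walk JPEG segments from the SOI at `start`; return (end, width, height) or None."""
    pos, width, height = start + 2, None, None
    while pos + 4 <= len(blob):
        if blob[pos] != 0xFF:
            return None                      # not a marker: false-positive SOI
        marker = blob[pos + 1]
        (seglen,) = struct.unpack(">H", blob[pos + 2:pos + 4])
        if seglen < 2:
            return None
        if marker in SOF and pos + 9 <= len(blob):
            height, width = struct.unpack(">HH", blob[pos + 5:pos + 9])
        pos += 2 + seglen
        if marker == SOS:
            # In scan data FF is followed by 00 or a restart marker, so the
            # first FF D9 after SOS closes a baseline (single-scan) image.
            end = blob.find(EOI, pos)
            return None if end == -1 or width is None else (end + 2, width, height)
    return None                              # truncated before any scan data

def carve_thumbnails(blob):
    """Return [(offset, width, height, jpeg_bytes)] for each complete JPEG in blob."""
    found, pos = [], 0
    while (pos := blob.find(SOI + b"\xff", pos)) != -1:
        parsed = parse_jpeg(blob, pos)
        if parsed:
            found.append((pos, parsed[1], parsed[2], blob[pos:parsed[0]]))
        pos = parsed[0] if parsed else pos + 2
    return found

def fake_jpeg(w, h):
    """Constructed sample: structurally valid JPEG segments, not a decodable picture."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + bytes(9)
    sof0 = b"\xff\xc0" + struct.pack(">HBHHB", 11, 8, h, w, 1) + b"\x01\x11\x00"
    sos = b"\xff\xda" + struct.pack(">HB", 8, 1) + b"\x01\x00\x00\x3f\x00"
    return SOI + app0 + sof0 + sos + b"\x12\xff\x00\x34" + EOI

# Constructed stand-in for an imgcache file: filler, two thumbnails, a cut-off header
SAMPLE = bytes(20) + fake_jpeg(96, 96) + b"filler" + fake_jpeg(240, 144) + b"\xff\xd8\xff\xe0\x00"

if __name__ == "__main__":
    for offset, width, height, data in carve_thumbnails(SAMPLE):
        print(f"offset={offset:#x} size={width}x{height} bytes={len(data)}")
```

On real evidence, run it against a working copy of the database file and record each carved thumbnail's offset alongside a hash of its bytes so the result can be reproduced.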
Conclusion
Of course, digital forensic tools such as Oxygen Forensic support data extraction from Android thumbnail databases, but the new database types could be missed. It is therefore very important to manually analyze devices running this OS to find new thumbnail database types and extract digital evidence from them.
About the authors:
Interests: Computer, Cell Phone & Chip-Off Forensics
Interests: iOS forensics, Android forensics, Mac OS X forensics, Windows forensics, Linux forensics