Do not miss: new thumbnail databases in Android OS

As in Windows forensic investigations, thumbnail databases play an important role in Android examinations. They can contain thumbnails of images and videos that the user deleted to cover the traces of a crime.

 

Android thumbnail databases evolution

 

In early versions of Android OS, thumbnail databases were stored in thumbcache_xxx.db (where xxx is the size of the thumbnail in the database) or .thumbnailsx-y (where x and y are random number combinations).


Figure 1. Thumbnails saved in .thumbnails3—1967290299

 

Later, such databases could be found in imgcache.0 and imgcache.1 files, and Android thumbnails are still stored in these files now.

But there are also some new thumbnail databases:

  • imgcache.idx
  • imgcacheBig.0
  • imgcacheBig.idx
  • imgcacheMicro.0
  • imgcacheMicro.idx
  • imgcacheMini.0
  • imgcacheMini.idx

New Android thumbnail databases

As already mentioned, the most recent Android OS version can contain the following thumbnail database files: imgcache.idx, imgcacheBig.0, imgcacheBig.idx, imgcacheMicro.0, imgcacheMicro.idx, imgcacheMini.0 and imgcacheMini.idx.

Files with the idx extension contain 96x96px thumbnails and probably some metadata that we cannot interpret yet.

The files imgcache.0, imgcacheBig.0, imgcacheMicro.0 and imgcacheMini.0 contain thumbnails of various sizes:

  • imgcacheMicro.0 contains 96x96px thumbnails
  • imgcacheMini.0 contains 240x144px thumbnails
  • imgcacheBig.0 contains 444x250px or 444x333px thumbnails
  • imgcache.0 contains 240x144px, 444x250px or 444x333px thumbnails

Sometimes, a digital forensic examiner can find thumbnails of a different size in these databases.

For example, during the forensic examination of the Samsung Galaxy Core 2 Duos (SM-G355H) running Android 4.4.2, we found imgcacheMicro.0 and imgcacheMini.0 files which contained 96x96px thumbnails.

 


Figure 2. Thumbnails saved in imgcacheBig.0

 

Android thumbnail databases structure

 

If you open an Android thumbnail database file in a hex viewer, the first thing you spot is a typical JPG file header.

 


Figure 3. File imgcache.0 opened in a hex-viewer

 

It means that data from such databases can be extracted not only with commercial mobile forensic suites, but also with a simple file carving and indexing application, Scalpel.

 


Figure 4. Thumbnails carved out of .thumbdata3–1967290299 file with Scalpel
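
The carving step described above can also be scripted for quick triage. The following Python code is an added example, not the authors' code and not how Scalpel works internally: it walks the JPEG marker segments after each header, so every carved thumbnail is reported with its offset, length and pixel size for comparison with the sizes listed earlier. The function names and the SAMPLE blob are constructed for illustration, and nothing is assumed about the record bytes that surround the JPEGs in a real imgcache file.

```python
import struct

SOI = b"\xff\xd8\xff"
# Start-of-frame markers; their payload holds the image height and width.
SOF = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7, 0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}

def parse_jpeg(buf, start):
    """Walk marker segments from the SOI at `start`; return (end, (w, h)) or None."""
    pos, dims = start + 2, None
    while pos + 4 <= len(buf) and buf[pos] == 0xFF:
        marker, seglen = buf[pos + 1], int.from_bytes(buf[pos + 2:pos + 4], "big")
        if marker in SOF and pos + 9 <= len(buf):
            dims = struct.unpack(">HH", buf[pos + 5:pos + 9])[::-1]  # stored as height, width
        pos += 2 + seglen            # skipping APPn whole keeps EXIF-embedded JPEGs inside their parent
        while marker == 0xDA:        # after SOS: scan the entropy-coded data for the real EOI
            pos = buf.find(b"\xff", pos)
            if pos < 0 or pos + 1 >= len(buf):
                return None          # truncated record, no end-of-image marker
            nxt = buf[pos + 1]
            if nxt == 0xD9:
                return pos + 2, dims
            if nxt != 0x00 and not 0xD0 <= nxt <= 0xD7:
                break                # another segment (progressive JPEG): back to the outer loop
            pos += 2                 # byte stuffing or restart marker, still scan data
    return None

def carve_thumbnails(buf):
    """Return [(offset, length, (w, h))] for each complete JPEG found in buf."""
    hits, pos = [], buf.find(SOI)
    while pos >= 0:
        parsed = parse_jpeg(buf, pos)
        if parsed:
            hits.append((pos, parsed[0] - pos, parsed[1]))
        pos = buf.find(SOI, parsed[0] if parsed else pos + 1)
    return hits

def make_jpeg(width, height):
    """Constructed sample: a structurally valid marker stream, not a decodable picture."""
    sof = b"\xff\xc0" + struct.pack(">HBHHB", 11, 8, height, width, 1) + b"\x01\x11\x00"
    sos = b"\xff\xda" + struct.pack(">HB", 8, 1) + b"\x01\x00\x00\x3f\x00"
    return b"\xff\xd8\xff\xe0\x00\x04JF" + sof + sos + b"\x12\xff\x00\x34\xff\xd9"

# Constructed blob: opaque record bytes around two thumbnails, then a truncated third one.
SAMPLE = (b"\x10\x00\x00\x00REC1" + make_jpeg(96, 96) + b"\x00" * 7
          + make_jpeg(444, 250) + b"REC3" + make_jpeg(240, 144)[:-2])

if __name__ == "__main__":
    for off, length, dims in carve_thumbnails(SAMPLE):
        print(f"offset={off:#x} length={length} size={dims[0]}x{dims[1]}")
```

On a real cache file, read the file in binary mode from a working copy of the evidence and pass the bytes to carve_thumbnails; the offsets let each hit be checked against the hex view.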

 

Conclusion

Of course, digital forensic tools such as Oxygen Forensic support data extraction from Android thumbnail databases, but the new database types could be missed. So it is very important to perform manual analysis of devices running this OS to find new thumbnail database types and extract digital evidence from them.

 

About the authors:

Igor Mikhaylov

Interests: Computer, Cell Phone & Chip-Off Forensics

Oleg Skulkin

Interests: iOS forensics, Android forensics, Mac OS X forensics, Windows forensics, Linux forensics
