Back in 2003, on a rainy night, an idea came to mind, ..all your base are belong to us.
How does MS Windows® OS stores information about displaying thumbnails within the folders? That was easy to find. The "thumbs.db" file was basically introduced since the release of W2K. (Actually Win98 had the functionality of displaying thumbnails but you had to do a trick first. In Windows Millennium the functionality was included but there was no thumb.db file).

Recently, the "thumbs.db" files have been mentioned in some books that they do contain computer forensics evidence. Since Dec 2004 we have developed a working application that proves the concept that these files can reveal a wide area of information.

The hidden file "thumbs.db" exists in every directory especially the ones that you have or had photos within. This file is composed of the preview version (thumb nail version) of each photo that has been in this directory even if it no longer exists any more. Thus, one who could write an application that could extract all the "thumbs.db" files from your system and hence he/she could have a large number of photos that you have seen, downloaded, created, copied, and deleted over the years. (e.g. The Peer-to-Peer programs like KaZaA allows you to browse a specifically allowed directory in someone’s computer. That directory contains a thumb.db file. Instead of downloading meaning less files from his computer you can easily download the small, usually in size, thumb.db and have a preview of all the pictures he has ever had in this directory.)

To avoid this you should deactivate the caching process of Windows. This can be done by going to My Computer > Tools > Folder Options… > View and check (tick) the "Do not cache thumbnails" check box.


Update:  Version 0.004 has been released.(link corrected – 14/11/2006)


This entry was posted in Uncategorized. Bookmark the permalink.


  1. Daniel Cunliffe says:

    Shouldn’t this be “All your base are belong to us”?

  2. Fatma says:

    you know it sounds illegal to me that the default process is to keep these evidence even when a user deletes them. What is this?
    Or at least they should make it obvious to people somehow.
    This is a very interesting information actually. I never knew what this thumbs.db file was for.
    And now that I know, I am not very happy still hehe

  3. Mistake corrected! Page has been updated, thank you Daniel Cunliffe for pointing it out. Yes, that is what we intended to write.
    Fatma, to answer your question I think it was easier to just keep appending newer picture thumbnails rather than also finding which one was erased and deleting it. Once again lessons in economy and not programming paid off and they have resulted in a wonderful cache of thumbnails.

Leave a Reply

Your email address will not be published. Required fields are marked *