Thumbcache Database

windowsUser ActivityDisk Image

Location

C:\Users\<username>\AppData\Local\Microsoft\Windows\Explorer\thumbcache_*.db

Description

Per-user thumbnail cache databases storing preview images of files that were displayed in Windows Explorer. Multiple databases exist for different thumbnail sizes (32, 96, 256, 1024, etc.).

Forensic Value

Thumbcache entries persist after the original files are deleted, providing visual evidence that specific files existed on the system. In insider threat and data theft cases, thumbnail previews can prove that sensitive documents, images, or other files were present even when the originals have been wiped. The thumbcache_idx.db index maps cache entries to file paths for attribution.

Tools Required

KAPEThumbcache ViewerThumbs ViewerAutopsy

Acquisition Methods

FTK Imager Full Disk Image

windows — physical

EnCase Forensic Full Disk Image

windows — physical

dd / dc3dd Raw Disk Image

windows — physical

Guymager Full Disk Image

windows — physical

FTK Imager Logical Image (AD1)

windows — logical