Thumbcache Database

WindowsUser ActivityDisk Image

Location

C:\Users\<username>\AppData\Local\Microsoft\Windows\Explorer\thumbcache_*.db

Description

Per-user thumbnail cache databases storing preview images of files that were displayed in Windows Explorer. Multiple databases exist for different thumbnail sizes (32, 96, 256, 1024, etc.).

Forensic Value

Thumbcache entries persist after the original files are deleted, providing visual evidence that specific files existed on the system. In insider threat and data theft cases, thumbnail previews can prove that sensitive documents, images, or other files were present even when the originals have been wiped. The thumbcache_idx.db index maps cache entries to file paths for attribution.

Tools Required

KAPEThumbcache ViewerThumbs ViewerAutopsy

Collection Commands

KAPE

kape.exe --tsource C: --tdest C:\output --target ThumbCache

Thumbcache Viewer

thumbcache_viewer.exe (GUI - open thumbcache_*.db files for visual inspection)

PowerShell

Copy-Item "C:\Users\*\AppData\Local\Microsoft\Windows\Explorer\thumbcache_*.db" -Destination C:\output\ThumbCache\

Collection Constraints

•Availability, retention, and field coverage depend on the Windows release, SKU, per-host audit policy, and user activity. Treat absence as inconclusive unless you verified the feature was enabled.

MITRE ATT&CK Techniques

T1005T1083

References

Windows PowerShell Logging NTFS Change Journals Additional LSA Protection

Acquisition Methods

KAPE Triage Collection

windows — triage

FTK Imager Logical Image (AD1)

windows — logical

Velociraptor Remote Collection

windows — remote