EnCase App Central

Mac OS X QuickLook Thumbcache Parser

This script parses thumbnails from Mac OS X QuickLook thumbnail cache files.

A user's QuickLook thumbnail-cache will be located in a sub-folder of the '/private/var/folders' folder. The path to the thumbnail cache-folder will be random but the name of the folder itself will be 'com.apple.QuickLook.thumbnailcache'. The folder's owner-permissions will, in normal circumstances, reflect the user whose thumbnails are cached within that folder.

The thumbnail cache-folder will contain two key files: thumbnails.data and index.sqlite. The thumbnails.data file contains the cached thumbnails in a raw bitmap format. The index.sqlite file is a database containing the offset, length and image information for each thumbnail, as well as the path and name of the file to which the thumbnail relates.

The information in the index.sqlite database is contained in two main tables: thumbnails and files. A record in the thumbnails table may be linked to more than one record in the files table. This is because thumbnails are created in different sizes and formats depending on how they're viewed in the Finder program.

Thumbnail records contain a hit-count and last-hit date; the latter is shown according to the examiner's time-zone. Research is on-going to determine exactly how these values are updated but early indications suggest the hit-count to be representative of the number of times a file is viewed.

The script will process thumbnails.data files specified by the user. The index.sqlite file associated with each one will be read automatically. Note that there may be file-records in the index.sqlite file that aren't linked to any thumbnail records. These records will not be processed by the script.

The script will bookmark the thumbnail streams from each file into separate sub-folders. These streams cannot be bookmarked as images in EnCase directly so they will also be written as PNG files to sub-folders of the designated export folder. The name of each PNG file will be of the form '<File ID>.<Thumbnail ID>.<File Name>.png'.
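The lookup described above, sketched in Python as an added example (not the EnScript's own code): it joins thumbnail records to file records, carves each raw stream from thumbnails.data by offset and length, and skips file records with no thumbnail. The column names, the use of rowids as the File ID and Thumbnail ID, and the 2001-01-01 UTC epoch for last_hit_date are assumptions not stated on this page; the sample database and data are constructed.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Assumptions (not from the page): column names below, rowid used as the
# File ID / Thumbnail ID, and last_hit_date counted in seconds from 2001-01-01 UTC.
MAC_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

QUERY = """
SELECT f.rowid, f.folder, f.file_name, t.rowid, t.width, t.height,
       t.bitmapdata_location, t.bitmapdata_length, t.hit_count, t.last_hit_date
FROM thumbnails AS t JOIN files AS f ON f.rowid = t.file_id
ORDER BY f.rowid, t.rowid
"""

def carve_thumbnails(index_db, data):
    """Return one dict per thumbnail record that links to a file record."""
    out = []
    for fid, folder, name, tid, w, h, off, length, hits, last in index_db.execute(QUERY):
        end = off + length
        in_bounds = 0 <= off and 0 < length and end <= len(data)
        out.append({
            "png_name": f"{fid}.{tid}.{name}.png",   # naming form given on the page
            "source_path": f"{folder}/{name}",
            "size": (w, h),
            "hit_count": hits,
            "last_hit_utc": MAC_EPOCH + timedelta(seconds=last),
            "raw": data[off:end] if in_bounds else None,  # None: stream not in data file
        })
    return out

def build_sample():
    """Constructed index.sqlite stand-in plus an 80-byte thumbnails.data stand-in."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
      CREATE TABLE files (folder TEXT, file_name TEXT);
      CREATE TABLE thumbnails (file_id INTEGER, width INTEGER, height INTEGER,
        bitmapdata_location INTEGER, bitmapdata_length INTEGER,
        hit_count INTEGER, last_hit_date REAL);
      INSERT INTO files VALUES ('/Users/alice/Pictures', 'cat.jpg');
      INSERT INTO files VALUES ('/Users/alice/Documents', 'orphan.pdf');
      INSERT INTO thumbnails VALUES (1, 2, 2, 0, 16, 3, 86400);
      INSERT INTO thumbnails VALUES (1, 4, 4, 16, 64, 1, 172800);
      INSERT INTO thumbnails VALUES (1, 8, 8, 80, 256, 1, 0);
    """)
    return db, bytes(range(80))

if __name__ == "__main__":
    for rec in carve_thumbnails(*build_sample()):
        print(rec["png_name"], rec["size"], rec["hit_count"], rec["last_hit_utc"], rec["raw"] is not None)
```

A record whose offset and length fall outside thumbnails.data is reported with no stream rather than a short read, so a truncated or mismatched cache file is visible in the output.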

In addition to the bookmarks and exported files, the script will also write a CSV file into the root export folder. This file will contain key information about each thumbnail and allow the examiner to cross-reference the cache file from whence each thumbnail originated, the file to which it relates, and the output file.

Please note that this script converts each thumbnail using an embedded .NET assembly. This assembly requires the Microsoft .NET Framework 4 to be installed on the examiner's machine.

Version: 1.0.2
Tested with: EnCase Forensic 8.07
Developer: Simon Key
Category: Artifact

7898 DOWNLOADS
