Mac OS X QuickLook Thumbcache Parser
This script parses thumbnails from Mac OS X QuickLook thumbnail cache files.
A user's QuickLook thumbnail-cache will be located in a sub-folder of the '/private/var/folders' folder. The path to the thumbnail cache-folder will be random but the name of the folder itself will be 'com.apple.QuickLook.thumbnailcache'. The folder's owner-permissions will, in normal circumstances, reflect the user whose thumbnails are cached within that folder.
The thumbnail cache-folder will contain two key files: thumbnails.data and index.sqlite. The thumbnails.data file contains the cached thumbnails in a raw bitmap format; the index.sqlite file is a database containing the offset, length and image information for each thumbnail; also the path and name of the file to which the thumbnail relates.
The information in the index.sqlite database is contained in two main tables: thumbnails and files. A record in the thumbnails table may be linked to more than record in the files table. This is because thumbnails are created in different sizes and formats depending on how they're viewed in the Finder program.
Thumbnail records contain a hit-count and last-hit date; the latter is shown according to the examiner's time-zone. Research is on-going to determine exactly how these values are updated but early indications suggest the hit-count to be representative of the number of times a file is viewed.
The script will process thumbnails.data files specified by the user. The index.sqlite file associated with each one will be read automatically. Note that there may be file-records in the index.sqlite file that aren't linked to any thumbnail records. These records will not be processed by the script.
The script will bookmark the thumbnail streams from each file into separate sub-folders. These streams cannot be bookmarked as images in EnCase directly so they will also be written as PNG files to sub-folders of the designated export folder. The name of each PNG file will be of the form '<File ID>.<Thumbnail ID>.<File Name>.png'.
In addition to the bookmarks and exported files, the script will also write a CSV file into the root export folder. This file will contain key information about each thumbnail and allow the examiner to cross-reference the cache file from whence each thumbnail originated, the file to which it relates, and the output file.
Please note that this script converts each thumbnail using an embedded .NET assembly. This assembly requires the Microsoft .NET Framework 4 to be installed on the examiner's machine.
YOU MAY ALSO LIKE