
Fast Forensic Triage Using Centralised Thumbnail Caches on Windows Operating Systems

Mckeown, Sean; Russell, Gordon; Leimich, Petra

Abstract

A common investigative task is to identify known contraband images on a device, which typically involves calculating cryptographic hashes for all the files on a disk and checking these against a database of known contraband. However, modern drives are now so large that it can take several hours just to read this data from the disk, which contributes to the large investigative backlogs suffered by many law enforcement bodies. Digital forensic triage techniques may thus be used to prioritise evidence and achieve faster investigation turnarounds. This paper proposes a new forensic triage method for investigating disk evidence relating to picture files, making use of the centralised thumbnail caches present in the Windows operating system. Such centralised caches serve as a catalogue of images on the device, allowing for fast triage. This work includes a comprehensive analysis of the thumbnail variants across a range of Windows operating systems; these variants cause difficulties when detecting contraband using cryptographic hash databases. A novel method for large-scale hash database generation is described which allows precalculated cryptographic hash databases to be built from arbitrary image sets for use in thumbnail contraband detection. This approach allows cryptographic hashes to be generated for multiple Windows versions from the original source image, facilitating wider detection. Finally, a more flexible approach is also proposed which makes novel use of perceptual hashing techniques, mitigating issues caused by the differences between thumbnails across Windows versions. A key contribution of this work is the demonstration that, using these new techniques, thumbnail caches can be used to robustly and effectively detect contraband in seconds, with processing times being largely independent of disk capacity.

Citation

Mckeown, S., Russell, G., & Leimich, P. (2020). Fast Forensic Triage Using Centralised Thumbnail Caches on Windows Operating Systems. Journal of Digital Forensics, Security and Law, 14(3), Article 1

Journal Article Type: Article
Acceptance Date: Sep 16, 2019
Online Publication Date: Jan 9, 2020
Publication Date: Jan 9, 2020
Deposit Date: Oct 22, 2019
Publicly Available Date: Mar 2, 2020
Print ISSN: 1558-7215
Electronic ISSN: 1558-7223
Publisher: Association of Digital Forensics, Security and Law
Peer Reviewed: Peer Reviewed
Volume: 14
Issue: 3
Article Number: 1
Keywords: digital forensics; triage; image comparison; image processing; known file analysis; image thumbnails; cryptographic hashing; perceptual hashing
Public URL: http://researchrepository.napier.ac.uk/Output/2244476
