Do not miss: new thumbnail databases in Android OS

As in Windows forensic investigations, thumbnail databases play an important role in Android examinations. They can contain thumbnails of images and videos that the user deleted to cover the traces of a committed crime.


Android thumbnail databases evolution


In early versions of Android OS, thumbnail databases were stored in thumbcache_xxx.db (where xxx is the size of the thumbnails in the database) or .thumbnailsx-y (where x and y are random numbers).

Figure 1. Thumbnails saved in .thumbnails3—1967290299


Later, such databases could be found in the imgcache.0 and imgcache.1 files, and Android thumbnails are still stored in these files now.

But there are also some new thumbnail databases:

  • imgcache.idx
  • imgcacheBig.0
  • imgcacheBig.idx
  • imgcacheMicro.0
  • imgcacheMicro.idx
  • imgcacheMini.0
  • imgcacheMini.idx

New Android thumbnail databases

As already mentioned, the most recent Android OS version can contain the following thumbnail database files: imgcache.idx, imgcacheBig.0, imgcacheBig.idx, imgcacheMicro.0, imgcacheMicro.idx, imgcacheMini.0, imgcacheMini.idx.

Files with the “idx” extension contain 96x96 px thumbnails and probably some metadata that we cannot interpret at present.

The files imgcache.0, imgcacheBig.0, imgcacheMicro.0 and imgcacheMini.0 contain thumbnails of various sizes:

  • imgcacheMicro.0 contains 96x96 px thumbnails
  • imgcacheMini.0 contains 240x144 px thumbnails
  • imgcacheBig.0 contains 444x250 px or 444x333 px thumbnails
  • imgcache.0 contains 240x144 px, 444x250 px or 444x333 px thumbnails

Sometimes a digital forensic examiner can find thumbnails of a different size in these databases.

For example, during the forensic examination of a Samsung Galaxy Core 2 Duos (SM-G355H) running Android 4.4.2, we found imgcacheMicro.0 and imgcacheMini.0 files that both contained 96x96 px thumbnails.



Figure 2. Thumbnails saved in imgcacheBig.0


Android thumbnail databases structure


If you open an Android thumbnail database file in a hex viewer, the first thing you spot is a typical JPG file header.



Figure 3. File imgcache.0 opened in a hex-viewer


This means that data from such databases can be extracted not only with the help of commercial mobile forensic suites, but also with simple carving, for example, with Scalpel.



Figure 4. Thumbnails carved out of .thumbdata3–1967290299 file with Scalpel
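
A small carver for these files, added here as an example (it is not the authors' code and not part of any tool named in this article). Unlike a plain header/footer rule, it walks the JPEG segments, so a preview image nested inside an APPn segment does not cut the outer thumbnail short, and it reports each thumbnail's pixel size from the SOF segment. The names `parse_jpeg`, `carve_thumbnails`, `fake_jpeg` and the `SAMPLE` blob are constructed for illustration; the record bytes that surround the JPEGs in real imgcache files are not interpreted.

```python
import struct

SOI = b"\xff\xd8\xff"
SOF = set(range(0xC0, 0xD0)) - {0xC4, 0xC8, 0xCC}  # SOFn markers hold the frame size

def parse_jpeg(data, start):
    """Walk segments from the SOI at `start`; return (end, width, height) or None."""
    pos, width, height = start + 2, None, None
    while pos + 4 <= len(data):
        marker = data[pos + 1]
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if data[pos] != 0xFF or 0xD0 <= marker <= 0xD9 or seg_len < 2:
            return None                    # not a segment header: false hit
        if marker in SOF and pos + 9 <= len(data):
            height, width = struct.unpack(">HH", data[pos + 5:pos + 9])
        pos += 2 + seg_len                 # skips APPn payloads, nested JPEGs included
        while marker == 0xDA:              # after SOS: scan the entropy-coded data
            pos = data.find(b"\xff", pos)
            if pos < 0 or pos + 1 >= len(data):
                return None                # truncated image
            nxt = data[pos + 1]
            if nxt == 0xD9:                # EOI: end of this image
                return pos + 2, width, height
            if nxt not in (0x00, 0xFF) and not 0xD0 <= nxt <= 0xD7:
                break                      # another segment follows (progressive JPEG)
            pos += 1 if nxt == 0xFF else 2 # fill byte, byte stuffing or restart marker
    return None

def carve_thumbnails(blob):
    """Return [(offset, length, width, height)] for each complete JPEG in blob."""
    hits, pos = [], 0
    while (pos := blob.find(SOI, pos)) >= 0:
        parsed = parse_jpeg(blob, pos)
        if parsed:
            hits.append((pos, parsed[0] - pos, parsed[1], parsed[2]))
        pos = parsed[0] if parsed else pos + 2
    return hits

def fake_jpeg(width, height, app1=b""):
    """Constructed sample: structurally valid JPEG segments, not a decodable image."""
    seg = lambda m, body: bytes([0xFF, m]) + struct.pack(">H", len(body) + 2) + body
    sof = seg(0xC0, b"\x08" + struct.pack(">HH", height, width) + b"\x01\x01\x11\x00")
    sos = seg(0xDA, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\xff\x00\x34"  # FF 00 stuffing
    return b"\xff\xd8" + seg(0xE1, app1) + sof + sos + b"\xff\xd9"

# Constructed stand-in for an imgcache*.0 file; the second image nests a JPEG in APP1.
SAMPLE = b"\x00" * 16 + fake_jpeg(96, 96) + b"\xaa" * 20 + fake_jpeg(444, 250, fake_jpeg(16, 16))
if __name__ == "__main__":
    for off, n, w, h in carve_thumbnails(SAMPLE):
        print(f"offset={off} length={n} size={w}x{h}")
```

On a real database file, read the bytes with `open(path, "rb").read()` and write each `blob[offset:offset + length]` slice out as its own .jpg, keeping the offset in the file name so the carved image can be traced back to its position in the evidence file.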



Of course, digital forensic tools such as Oxygen Forensic support data extraction from Android thumbnail databases, but the new database types could be missed. So it is very important to perform manual analysis of devices running this OS to find new thumbnail database types and extract digital evidence from them.


About the authors:

Igor Mikhaylov

Interests: Computer, Cell Phone & Chip-Off Forensics

Oleg Skulkin

Interests: iOS forensics, Android forensics, Mac OS X forensics, Windows forensics, Linux forensics
