dissect.thumbcache

View on GitHub

A Dissect module implementing parsers for the thumbcache of Windows systems. This is commonly used to see which files were opened on a system.

Installation

dissect.thumbcache is available on PyPI.

$ pip install dissect.thumbcache

This module is also automatically installed if you install the dissect package.

Usage

This package is a library with a few CLI tools, so you primarily interact with it from Python. For example, to access thumbnail entries from thumbnail_*.db files:

from dissect.thumbcache import ThumbcacheFile

path = Path("path/to/thumbcache_file.db")

with path.open("rb") as file:
    cache_file = ThumbcacheFile(file)
    entries = cache_file.entries()

Or only the indexed entries:

from dissect.thumbcache import Thumbcache

path = Path("path/to/thumbcache_files/")

cache = Thumbcache(path=path)
entries = list(cache.entries())

Tools

thumbcache-extract - CLI interface

thumbcache-extract [-h] [--output-dir OUTPUT_DIR] cache_path

thumbcache-extract positional arguments

thumbcache-extract optional arguments

thumbcache-extract-indexed - CLI interface

thumbcache-extract-indexed [-h] [--output-dir OUTPUT_DIR] [--prefix PREFIX] cache_path

thumbcache-extract-indexed positional arguments

thumbcache-extract-indexed optional arguments

  • -h, --help - show this help message and exit

  • --output-dir OUTPUT_DIR, -o OUTPUT_DIR (default: .)

  • --prefix PREFIX, -p PREFIX - The file prefix to search for inside the thumbcache directory. (default: thumbcache)

Reference

For more details, please refer to the API documentation of dissect.thumbcache.