Mac OS X QuickLook Thumbcache Parser
This script parses thumbnails from macOS QuickLook thumbnail-cache files.
A user's QuickLook thumbnail cache is located in a sub-folder of `/private/var/folders`. The intermediate path components are derived from the user's UUID and UID and so look opaque, but the name of the cache folder itself is always `com.apple.QuickLook.thumbnailcache`, which is the reliable thing to search for.
In normal circumstances the folder's ownership reflects the user whose thumbnails are cached in it, which is how a cache can be attributed to an account even though the path gives nothing away.
The thumbnail cache-folder will contain two significant files: `thumbnails.data` and `index.sqlite`.
The `thumbnails.data` file contains the cached thumbnails as raw bitmaps (pixel data with no image header), so it cannot be viewed on its own. The `index.sqlite` file is a database that records the offset and length of each thumbnail within `thumbnails.data`, together with its image metadata (dimensions, bit depth and row stride), which is what is needed to turn a run of bytes back into an image.
Regardless of macOS version, thumbnail-specific information is stored in a table called `thumbnails`.
Earlier versions of the `index.sqlite` file stored the path and name of the original (source) file in a separate table called `files`. Because thumbnails are generated at different sizes, one record in the `files` table could be joined to multiple records in the `thumbnails` table.
The `files` table was removed with the introduction of macOS Catalina. The file identifier of the source file is still to be found in the `thumbnails` table as part of a bitfield value called `file_id`, but it is not clear how macOS distinguishes thumbnails that relate to files on different volumes that happen to share the same file identifier.
Whilst on the subject of the `file_id` value, the upper 4 bits appear to be used as flags; `0x8` is a common value, although its significance isn't known. Read as SQLite's signed 64-bit INTEGER, a `file_id` with the `0x8` flag set comes back as a negative number (that flag occupies the sign bit), so mask the value to unsigned before splitting off the flags.
Note that in an APFS volume group, files with an identifier greater than `0xFFFFFFF00000000` are located on the system volume. The identifier of files on a network volume may also be very large, so a large value on its own does not prove that a file was on the system volume.
The undecorated file identifier (without the flag bits) is also to be found in a field called `fileID` in a new table called `basic_files`. The full significance of this table isn't known, but the binary-plist data in its `version` column is thought to contain information about the QuickLook generator that created the thumbnail.
Thumbnail records contain a hit count and a last-hit date; the script displays the latter in the examiner's time zone.
Research is ongoing to determine exactly how these values are updated, but early indications are that the hit count reflects the number of times a file has been viewed.
The script processes the `thumbnails.data` files specified by the user; the `index.sqlite` file associated with each one is read automatically. Note that there may be file records in `index.sqlite` that are not linked to any thumbnail record. These records are not processed by the script.
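As an added illustration of the layout described above (example code written for this page, not the EnScript itself or Apple's code): a small Python parser that reads `index.sqlite`, pulls each bitmap out of `thumbnails.data`, splits the `file_id` bitfield into flags and identifier, applies the system-volume threshold, converts `last_hit_date` and writes a PNG. The column names `bitmapdata_location`, `bitmapdata_length`, `width`, `height`, `bitsperpixel` and `bytesperrow`, the assumption that bitmaps are 32-bit BGRA, and the assumption that `last_hit_date` is Cocoa time (seconds since 2001-01-01 UTC) go beyond what the page states and are assumptions here. `build_sample_cache()` constructs a fake Catalina-style cache in memory so the code runs offline; the `files` join is used only if that table exists.

```python
import datetime
import sqlite3
import struct
import zlib

COCOA_EPOCH = datetime.datetime(2001, 1, 1, tzinfo=datetime.timezone.utc)
SYSTEM_VOLUME_MIN = 0xFFFFFFF00000000   # threshold quoted on the page
INODE_MASK = (1 << 60) - 1              # assumption: identifier sits below 4 flag bits


def decode_file_id(raw):
    """Split thumbnails.file_id into (flags, identifier, on_system_volume).

    Assumption: file_id is a 64-bit bitfield whose upper 4 bits are flags. SQLite
    returns INTEGER as signed 64-bit, so flag 0x8 (bit 63) makes the value
    negative; mask to unsigned before splitting it.
    """
    value = raw & 0xFFFFFFFFFFFFFFFF
    flags, ident = value >> 60, value & INODE_MASK
    return flags, ident, ident > SYSTEM_VOLUME_MIN


def cocoa_to_utc(seconds):
    """Assumption: last_hit_date is Cocoa time (seconds since 2001-01-01 UTC)."""
    return COCOA_EPOCH + datetime.timedelta(seconds=seconds)


def bgra_to_rgba_scanlines(pixels, width, height, bytesperrow):
    """Re-order 32bpp BGRA rows (row stride = bytesperrow) into PNG RGBA scanlines."""
    out = bytearray()
    for y in range(height):
        row = pixels[y * bytesperrow:y * bytesperrow + width * 4]
        out.append(0)                       # PNG filter type 0 (None) per scanline
        for x in range(0, width * 4, 4):
            b, g, r, a = row[x:x + 4]
            out += bytes((r, g, b, a))
    return bytes(out)


def scanlines_to_png(scanlines, width, height):
    def chunk(tag, data):
        crc = zlib.crc32(tag + data) & 0xFFFFFFFF
        return struct.pack(">I", len(data)) + tag + data + struct.pack(">I", crc)
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 6, 0, 0, 0)   # 8-bit RGBA
    return (b"\x89PNG\r\n\x1a\n" + chunk(b"IHDR", ihdr)
            + chunk(b"IDAT", zlib.compress(scanlines)) + chunk(b"IEND", b""))


def safe_name(name):
    """Replace characters Windows forbids in file names with an underscore."""
    return "".join("_" if c in '<>:"/\\|?*' or ord(c) < 32 else c for c in name)


def extract_thumbnails(index_db, thumbs_data):
    """Return one dict per live thumbnails record, with the bitmap encoded as PNG."""
    has_files = index_db.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name='files'").fetchone()
    cols = ("t.rowid, t.file_id, t.bitmapdata_location, t.bitmapdata_length, "
            "t.width, t.height, t.bitsperpixel, t.bytesperrow, t.hit_count, t.last_hit_date")
    if has_files:   # pre-Catalina layout: thumbnails.file_id joins files.rowid
        sql = (f"SELECT {cols}, f.rowid, f.folder, f.file_name FROM thumbnails t "
               "LEFT JOIN files f ON f.rowid = t.file_id")
    else:           # Catalina and later: file_id carries the flags+identifier bitfield
        sql = f"SELECT {cols}, 0, NULL, NULL FROM thumbnails t"
    records, encoded = [], {}
    for (tid, file_id, loc, length, w, h, bpp, stride, hits, last_hit,
         frec, folder, fname) in index_db.execute(sql):
        if (bpp != 32 or loc < 0 or loc + length > len(thumbs_data)
                or length < (h - 1) * stride + w * 4):
            continue    # truncated or unexpected bitmap: skip rather than mis-decode
        key = (loc, length)
        if key not in encoded:      # several records may share one bitmap: encode once
            encoded[key] = scanlines_to_png(
                bgra_to_rgba_scanlines(thumbs_data[loc:loc + length], w, h, stride), w, h)
        rec = {"thumb_id": tid, "file_record_id": frec, "hit_count": hits,
               "last_hit_utc": cocoa_to_utc(last_hit) if last_hit is not None else None,
               "offset": loc, "length": length, "png": encoded[key]}
        if has_files:
            rec["path"] = f"{folder}/{fname}" if fname else None
            rec["out_name"] = (safe_name(f"{fname}.{frec}.{tid}.{loc}.{length}.png")
                               if fname else f"{frec}.{tid}.{loc}.{length}.png")
        else:
            flags, ident, sysvol = decode_file_id(file_id)
            rec.update(file_id_flags=flags, inode=ident, on_system_volume=sysvol)
            rec["out_name"] = f"{frec}.{tid}.{ident}.{loc}.{length}.png"
        records.append(rec)
    return records


# Constructed sample (not real cache data): one 2x2 BGRA thumbnail with a 16-byte
# row stride (8 bytes of padding per row), stored at offset 16 in thumbnails.data.
SAMPLE_BITMAP = (bytes([0, 0, 255, 255, 0, 255, 0, 255]) + b"\x00" * 8    # red, green
                 + bytes([255, 0, 0, 255, 0, 0, 0, 255]) + b"\x00" * 8)   # blue, black
SAMPLE_FILE_ID = ((0x8 << 60) | 0xFFFFFFF00000042) - (1 << 64)  # as SQLite hands it back


def build_sample_cache():
    """In-memory stand-in for a Catalina-style index.sqlite plus thumbnails.data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE thumbnails (file_id INTEGER, bitmapdata_location INTEGER, "
               "bitmapdata_length INTEGER, width INTEGER, height INTEGER, "
               "bitsperpixel INTEGER, bytesperrow INTEGER, hit_count INTEGER, "
               "last_hit_date REAL)")
    db.execute("INSERT INTO thumbnails VALUES (?, 16, ?, 2, 2, 32, 16, 3, 600000000.0)",
               (SAMPLE_FILE_ID, len(SAMPLE_BITMAP)))
    return db, b"\x00" * 16 + SAMPLE_BITMAP + b"\xff" * 4


if __name__ == "__main__":
    for r in extract_thumbnails(*build_sample_cache()):
        print(r["out_name"], hex(r["file_id_flags"]), r["on_system_volume"], r["last_hit_utc"])
```

Run against a real cache by replacing `build_sample_cache()` with `sqlite3.connect(path_to_index)` and the bytes of the neighbouring `thumbnails.data`; the bounds check before slicing is what keeps a damaged or partially carved `thumbnails.data` from producing garbage images, and encoding once per `(offset, length)` is the same de-duplication the script applies to redundant records.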
The script can also be instructed to identify thumbnails referenced by redundant (deleted) records in the free pages of each `index.sqlite` file.
In this mode the script only processes records originating from the `thumbnails` table, so no file paths or file names are recovered, and it only extracts thumbnails whose bytes in `thumbnails.data` have not since been overwritten.
The script bookmarks the thumbnail streams from each file into separate bookmark sub-folders. These streams cannot be bookmarked in EnCase as images directly (they are headerless bitmaps), so they are also written as PNG files to sub-folders of the designated export folder.
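The two ingredients of that mode, as an added example (written for this page, not the script's own code): walking the SQLite freelist to collect the free pages where redundant `thumbnails` records survive, and deciding whether a candidate `(offset, length)` carved from such a record still points at bytes no live record owns. The freelist layout (file header offsets 16, 32 and 36; trunk pages holding a next-trunk pointer, a count and leaf page numbers) is the documented SQLite file format; the record/cell decoding needed to carve the `thumbnails` rows out of those pages is not shown. `build_sample_db()` constructs a throw-away database, fills a table and empties it so that its data pages land on the freelist (SQLite's default `auto_vacuum=NONE` leaves them there).

```python
import os
import sqlite3
import struct
import tempfile


def freelist_pages(db_bytes):
    """Walk the SQLite freelist; return ({page_no: page_bytes}, count_from_header).

    Header: offset 16 = page size (1 means 65536), offset 32 = first freelist
    trunk page, offset 36 = total freelist pages. A trunk page begins with the
    next trunk page number and the number of leaf page numbers that follow.
    Page numbers are 1-based.
    """
    page_size = struct.unpack(">H", db_bytes[16:18])[0]
    if page_size == 1:
        page_size = 65536
    first_trunk, total = struct.unpack(">II", db_bytes[32:40])
    n_pages = len(db_bytes) // page_size

    def page(no):
        return db_bytes[(no - 1) * page_size:no * page_size]

    found, trunk = {}, first_trunk
    while 0 < trunk <= n_pages and trunk not in found:   # bounds + loop guard for corrupt files
        data = page(trunk)
        found[trunk] = data
        next_trunk, count = struct.unpack(">II", data[:8])
        count = min(count, (page_size - 8) // 4)          # never trust the on-disk count blindly
        for leaf in struct.unpack(f">{count}I", data[8:8 + 4 * count]):
            if 0 < leaf <= n_pages:
                found[leaf] = page(leaf)
        trunk = next_trunk
    return found, total


def is_overwritten(offset, length, live_ranges):
    """True if a carved (offset, length) region of thumbnails.data intersects any
    region still referenced by a live thumbnails record, i.e. it has been reused."""
    end = offset + length
    return any(offset < live_end and live_start < end for live_start, live_end in live_ranges)


def build_sample_db():
    """Constructed sample: populate a table, then delete everything so its pages are freed."""
    fd, path = tempfile.mkstemp(suffix=".sqlite")
    os.close(fd)
    db = sqlite3.connect(path)
    db.execute("PRAGMA page_size = 4096")
    db.execute("CREATE TABLE thumbnails (file_id INTEGER, bitmapdata_location INTEGER, "
               "bitmapdata_length INTEGER, hit_count INTEGER, last_hit_date REAL)")
    db.executemany("INSERT INTO thumbnails VALUES (?, ?, ?, ?, ?)",
                   [(i, i * 4096, 4096, 1, 600000000.0 + i) for i in range(5000)])
    db.commit()
    db.execute("DELETE FROM thumbnails")   # pages go to the freelist, content is not wiped
    db.commit()
    db.close()
    with open(path, "rb") as f:
        data = f.read()
    os.unlink(path)
    return data


if __name__ == "__main__":
    pages, total = freelist_pages(build_sample_db())
    print(f"header says {total} free pages, walked {len(pages)}")
```

On a real `index.sqlite` the carved records would then be filtered with `is_overwritten()` against the `(bitmapdata_location, bitmapdata_location + bitmapdata_length)` ranges of the live `thumbnails` rows; note that a build of SQLite compiled with `secure_delete` zeroes freed pages, in which case the freelist is still walkable but yields nothing.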
The thumbnails associated with redundant records will be written into a separate sub-folder together with a SQLite database containing the redundant records.
Depending on whether the file name is available, each PNG file is named either `<File Name>.<File-Record ID>.<Thumbnail-Record ID>.<Thumbnail Offset>.<Thumbnail Length>.png` or `<File-Record ID>.<Thumbnail-Record ID>.<File ID>.<Thumbnail-Record ID>.<Thumbnail Offset>.<Thumbnail Length>.png`. Any characters not permitted in Windows file names are replaced by an underscore.
Note that the file-record ID shown for later (Catalina and later) thumbnail caches is always zero, because the `basic_files` table isn't read.
In addition to the bookmarks and exported files, the script writes a CSV file to the root of the export folder. This file contains key information about each thumbnail, allowing the examiner to cross-reference the cache file from which each thumbnail originated, the file to which it relates (subject to the limitations mentioned above) and the output file.
The script writes the adjusted file identifier to the CSV file as text rather than as a decimal number. This is to overcome the fact that Excel only keeps 15 significant digits and would otherwise silently round a large identifier.
It's worth noting that more than one record may relate to the same redundant thumbnail. In such cases only one copy of the thumbnail is extracted, but all of the records are still written to the CSV file, because the `hit_count` and `last_hit_date` values in each record may help to establish usage over time.
This script was developed for use in EnCase training.