Mac OS X QuickLook Thumbcache Parser
This script parses thumbnails from MacOS QuickLook thumbnail-cache files.
A user's QuickLook thumbnail-cache will be located in a sub-folder of the '/private/var/folders' folder. The path to the thumbnail cache-folder will be random but the name of the folder itself will be 'com.apple.QuickLook.thumbnailcache'.
In normal circumstances, the folder's owner-permission will reflect the user whose thumbnails are cached within that folder.
The thumbnail cache-folder will contain two significant files: thumbnails.data and index.sqlite.
The thumbnails.data file will contain the cached thumbnails as raw bitmaps. The index.sqlite file is a database that will contain the offset, length and image-metadata of each thumbnail.
Regardless of macOS version, thumbnail-specific information will be stored in a table called 'thumbnails'.
Earlier versions of the index.sqlite file stored the path and name of the original (source) file in a separate table called 'files'. The fact that thumbnails can be of different sizes meant that a record in the 'files' table could be joined to multiple records in the 'thumbnails' table.
The 'files' table was removed with the introduction of macOS Catalina, and although the file-identifier of the source file is still to be found in the 'thumbnails' table as part of a bitfield value called 'file_id', it's not clear how macOS distinguishes thumbnails that relate to files from different volumes but with the same file-identifier.
Whilst on the subject of the 'file_id' value, the script assumes that the 48 low-bits of this value contain the file-identifier. The remainder are believed to be flags whose significance is unknown.
The undecorated file-identifier value is also to be found in a field called 'fileID' in a new table called 'basic_files'. The full significance of this table isn't known, but the binary-plist-data contained in the 'version' column of that table is thought to contain information about the QuickLook generator that created the thumbnail.
Thumbnail records contain a hit-count and last-hit date; the latter is shown according to the examiner's time-zone.
Research is ongoing to determine exactly how these values are updated, but early indications suggest that the hit-count is representative of the number of times a file has been viewed.
The script will process the thumbnails.data files specified by the user. The index.sqlite file associated with each one will be read automatically. Note that there may be file-records in the index.sqlite file that aren't linked to any thumbnail records. These records will not be processed by the script.
The script can also be instructed to identify thumbnails referenced by redundant records contained in the free-pages of each index.sqlite file.
When performing this task, the script will only process records originating from the 'thumbnails' table, so any file-paths or file-names will be lost. The script will only process thumbnails that haven't been overwritten.
The script will bookmark the thumbnail streams from each file into separate sub-folders. These streams cannot be bookmarked in EnCase as images directly, so they will be written as PNG files to sub-folders of the designated export folder.
The thumbnails associated with redundant records will be written into a separate sub-folder together with a SQLite database containing the redundant records.
Depending on whether the file-name is available, the name of each PNG file will be of the form '<File-Record ID>.<Thumbnail-Record ID>.<File Name>.png' or '<File-Record ID>.<Thumbnail-Record ID>.<File ID>.png'. Any Windows-incompatible file-name characters will be replaced by an underscore character.
Note that the file-record ID shown for later thumbnail-caches records will always be zero because the 'basic_files' table isn't read.
In addition to the bookmarks and exported files, the script will also write a CSV-file into the root export folder. This file will contain key information about each thumbnail, allowing the examiner to cross-reference the cache-file from which each thumbnail originated, the file to which it relates (subject to the limitations mentioned above), and the output-file.
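As an added example (not the EnScript the page describes), the Python below works the parsing rules above on a constructed post-Catalina cache: it masks the 48-bit file-identifier out of 'file_id', carves each thumbnail from thumbnails.data by offset and length, builds the '<File-Record ID>.<Thumbnail-Record ID>.<File ID>.png' name with Windows-incompatible characters replaced, and wraps the raw bitmap in a PNG container. The 'offset', 'length', 'width', 'height' and 'hit_count' column names and the 8-bit RGBA pixel layout are assumptions made for the example, not a verified index.sqlite schema.

```python
import re, sqlite3, struct, zlib

# 'thumbnails' and 'file_id' come from the page; the other column names are assumptions
# made for this constructed example, not a verified index.sqlite schema.
FILE_ID_MASK = (1 << 48) - 1                    # page: low 48 bits hold the file-identifier
WIN_BAD = re.compile(r'[<>:"/\\|?*\x00-\x1f]')  # characters illegal in Windows file names

def split_file_id(file_id):
    """Return (file_identifier, flags): the low 48 bits and whatever sits above them."""
    return file_id & FILE_ID_MASK, file_id >> 48

def output_name(file_rec_id, thumb_rec_id, file_name, file_ident):
    """'<File-Record ID>.<Thumbnail-Record ID>.<File Name or File ID>.png', sanitised."""
    tail = WIN_BAD.sub('_', file_name) if file_name else str(file_ident)
    return f"{file_rec_id}.{thumb_rec_id}.{tail}.png"

def carve(data, offset, length):
    """Slice one thumbnail out of thumbnails.data, refusing records that point past its end."""
    if offset < 0 or length <= 0 or offset + length > len(data):
        raise ValueError(f"record points outside thumbnails.data ({offset}+{length})")
    return data[offset:offset + length]

def rgba_to_png(raw, width, height):
    """Wrap an unpadded 8-bit RGBA bitmap in a PNG container (no pixel conversion)."""
    stride = width * 4
    if len(raw) != stride * height:
        raise ValueError("bitmap length does not match width*height*4")
    rows = b''.join(b'\x00' + raw[y * stride:(y + 1) * stride] for y in range(height))
    def chunk(tag, body):
        return struct.pack('>I', len(body)) + tag + body + struct.pack('>I', zlib.crc32(tag + body))
    ihdr = struct.pack('>IIBBBBB', width, height, 8, 6, 0, 0, 0)  # depth 8, colour type 6 = RGBA
    return b'\x89PNG\r\n\x1a\n' + chunk(b'IHDR', ihdr) + chunk(b'IDAT', zlib.compress(rows)) + chunk(b'IEND', b'')

def parse_cache(db, data):
    """Yield (output_name, file_identifier, flags, hit_count, png_bytes) per 'thumbnails' record.
    Post-Catalina layout: no 'files' table, so the file-record ID is 0 and no file name is known."""
    sql = "SELECT rowid, file_id, offset, length, width, height, hit_count FROM thumbnails"
    for rowid, file_id, off, length, w, h, hits in db.execute(sql):
        ident, flags = split_file_id(file_id)
        png = rgba_to_png(carve(data, off, length), w, h)
        yield output_name(0, rowid, None, ident), ident, flags, hits, png

# Constructed sample cache: one 2x2 RGBA thumbnail stored at offset 8 of a thumbnails.data blob.
SAMPLE_PIXELS = bytes([255, 0, 0, 255, 0, 255, 0, 255, 0, 0, 255, 255, 255, 255, 255, 255])
SAMPLE_DATA = b'\x00' * 8 + SAMPLE_PIXELS + b'\xff' * 4
SAMPLE_FILE_ID = (0x3 << 48) | 123456  # two flag bits above a file-identifier of 123456

def build_sample_db():
    db = sqlite3.connect(':memory:')
    db.execute("CREATE TABLE thumbnails (file_id INTEGER, offset INTEGER, length INTEGER, width INTEGER, height INTEGER, hit_count INTEGER)")
    db.execute("INSERT INTO thumbnails VALUES (?, 8, 16, 2, 2, 4)", (SAMPLE_FILE_ID,))
    return db
```

Against a real cache, replace build_sample_db() with sqlite3.connect() on the index.sqlite and read thumbnails.data into bytes; the SELECT column list must be adjusted to the schema shown by '.schema thumbnails'.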
This script was developed for use in EnCase training.