Friday, November 30, 2012

Android phone Thumbdata - Part 3

In this post I wanted to look further into data storage on an Android phone, specifically the files in the DCIM\.thumbnails folder.

The first files I wanted to look at were the .thumbdata3-.... files.  The first one had a modification time equal to the time I took the last picture with the phone, and the other had a modification time equal to the time I recorded the last video.

Further examination showed that the first file contains 9 thumbnail images, starting with the first image I took, and that each record is 10000 bytes long, so just by looking at the file size we can see how many image thumbnails each of these files contains.  The second thumbdata file serves the same purpose for the thumbnails of the videos in the DCIM\Camera folder.  Each thumbnail is stored as a JPEG image that can be manually carved out by selecting the range between the signatures FFD8FF (start of image) and FFD9 (end of image).  Because an FF byte inside JPEG entropy-coded data is always stuffed as FF00 or followed by a restart marker, FFD9 cannot occur inside the compressed picture data itself; the one case where an earlier FFD9 would cut the carve short is a JPEG that embeds an EXIF preview, which a thumbnail generated by the Gallery would not normally carry.  Carving within each 10000-byte record rather than across the whole file also keeps one thumbnail from bleeding into the next.

The other files of interest for further analysis were image_last_thumb and video_last_thumb.  What was most interesting was that the modification time showed when the last image was taken, not when an image was last viewed.  The same was the case with video_last_thumb: its modification time was that of the last video recording.

11/30/2012
12:48am        storage formatted using the on-phone utility
12:58-12:59am  took pictures 1-9
1:00am         pencil video was created
1:01am         CD video was created

So I wanted to see what these files contained, since the file names and modification times were not reflecting what they suggested.

The last events that actually happened on the phone were that I viewed one image and the first video:
1:19am  image 6 viewed
1:20am  pencil video viewed

These two files began with the following text:
                 image_last_thumb
                          'content://media/external/images/media/9‰PNG

                 video_last_thumb
                           .&content://media/external/video/media/2‰PNG

Thus, these files keep the last image and last video that were added to the storage media, not the files that were last viewed.  These are the images that show up when a user enters the Gallery application.


The PNG signature (the bytes 89 50 4E 47, rendered as ‰PNG above) is clearly visible in these files, so simply cutting the leading text and splicing in the correct file header for a PNG file will allow us to see the actual images.  So, I created a PNG file and copied its 12-byte header into each one of these files.

The resulting files could be viewed in any image viewer and confirmed that the content matched the path and file name stored in these files: they contain the last multimedia file added to the storage device, not the last image viewed.  It is interesting that Google chose to save the thumbnail images in JPEG format and the last-thumb images as PNG.
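The two manual steps above (carving JPEGs out of the fixed-size .thumbdata3 records, and cutting the leading text off image_last_thumb / video_last_thumb to expose the PNG) as one added Python example. This is not the author's tooling or anything from Android; it assumes the 10000-byte record length observed above is constant, and it treats the byte(s) printed in front of each content URI as a 2-byte big-endian length prefix, which is consistent with what the post shows (0x27 = 39 = the length of the images URI, 0x26 = 38 = the length of the video URI, the layout Java's DataOutputStream.writeUTF produces), but that reading is this example's assumption. All sample input is constructed inline: the JPEG "thumbnails" are marker-only stubs (enough for the carve, not decodable images), while the PNG is a real 1x1 image so its chunks and CRCs can be checked.

```python
import struct
import zlib

JPEG_SOI = b"\xff\xd8\xff"          # start-of-image bytes the post carves from (FFD8FF)
JPEG_EOI = b"\xff\xd9"              # end-of-image marker (FFD9)
PNG_SIG = b"\x89PNG\r\n\x1a\n"      # full 8-byte PNG signature; a hex view shows its first four bytes as ‰PNG
RECORD_SIZE = 10000                 # per-thumbnail record length observed in the post (assumed constant here)


def thumbdata_record_count(data: bytes, record_size: int = RECORD_SIZE) -> int:
    """Number of thumbnails a .thumbdata3 file holds, read off its size alone."""
    return len(data) // record_size


def carve_thumbdata(data: bytes, record_size: int = RECORD_SIZE) -> list:
    """Carve one JPEG per fixed-size record: first FFD8FF to the first FFD9 after it.
    Scanning record by record keeps a thumbnail from running into its neighbour.
    Caveat: a JPEG with an EXIF-embedded preview has an earlier FFD9; these do not."""
    carved = []
    for n in range(thumbdata_record_count(data, record_size)):
        rec = data[n * record_size:(n + 1) * record_size]
        start = rec.find(JPEG_SOI)
        if start < 0:
            continue
        end = rec.find(JPEG_EOI, start + len(JPEG_SOI))
        if end < 0:
            continue
        carved.append((n, rec[start:end + len(JPEG_EOI)]))
    return carved


def parse_last_thumb(data: bytes) -> tuple:
    """Split image_last_thumb / video_last_thumb into (content URI, PNG bytes).
    Assumption: 2-byte big-endian string length, then the URI, then the PNG.
    The prefix is cross-checked against where the PNG signature actually starts."""
    (length,) = struct.unpack(">H", data[:2])
    uri = data[2:2 + length].decode("utf-8")
    png = data[2 + length:]
    if data.find(PNG_SIG[:4]) != 2 + length:
        raise ValueError("URI length prefix does not end at the PNG signature")
    if not png.startswith(PNG_SIG):
        raise ValueError("PNG signature is incomplete; splice in the 8-byte header first")
    return uri, png


def png_chunks(png: bytes) -> list:
    """Walk the chunk list and verify every CRC; returns [(type, body), ...]."""
    if not png.startswith(PNG_SIG):
        raise ValueError("bad PNG signature")
    pos, chunks = len(PNG_SIG), []
    while pos + 12 <= len(png):
        (length,) = struct.unpack(">I", png[pos:pos + 4])
        if pos + 12 + length > len(png):
            raise ValueError("truncated chunk at offset %d" % pos)
        ctype = png[pos + 4:pos + 8]
        body = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:pos + 12 + length])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError("CRC mismatch in chunk %r" % ctype)
        chunks.append((ctype.decode("ascii"), body))
        pos += 12 + length
        if ctype == b"IEND":
            break
    return chunks


def png_dimensions(png: bytes) -> tuple:
    """(width, height) from IHDR, after the chunk walk has CRC-checked the file."""
    ihdr = dict(png_chunks(png))["IHDR"]
    return struct.unpack(">II", ihdr[:8])


def _chunk(ctype: bytes, body: bytes) -> bytes:
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)


def make_sample_png(width: int = 1, height: int = 1) -> bytes:
    """Constructed stand-in for the Gallery's PNG: a valid 8-bit RGB image of black pixels."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    scanlines = (b"\x00" + b"\x00\x00\x00" * width) * height   # filter byte 0 + RGB per row
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(scanlines)) + _chunk(b"IEND", b"")


# Constructed sample files (not data from the post). JPEG stubs carry only the markers a carve needs.
SAMPLE_JPEGS = [JPEG_SOI + b"\xe0\x00\x10JFIF\x00" + bytes([i]) * 32 + JPEG_EOI for i in range(3)]
SAMPLE_THUMBDATA = b"".join(j.ljust(RECORD_SIZE, b"\x00") for j in SAMPLE_JPEGS)
SAMPLE_URI = "content://media/external/images/media/9"
SAMPLE_LAST_THUMB = struct.pack(">H", len(SAMPLE_URI)) + SAMPLE_URI.encode() + make_sample_png()

if __name__ == "__main__":
    print("records in .thumbdata3:", thumbdata_record_count(SAMPLE_THUMBDATA))
    for n, jpg in carve_thumbdata(SAMPLE_THUMBDATA):
        print("record %d: carved %d-byte JPEG" % (n, len(jpg)))
    uri, png = parse_last_thumb(SAMPLE_LAST_THUMB)
    print(uri, png_dimensions(png), [t for t, _ in png_chunks(png)])
```

On a real device image, replace the constructed samples with the bytes of the .thumbdata3-... and *_last_thumb files; carved JPEGs can be written straight to disk, and a CRC failure from png_chunks is the quickest sign that the cut before the PNG signature was made at the wrong offset.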


Conclusion

Always verify your hypothesis with manual methods instead of relying on third-party tools.  The ability to verify findings in this manner gives you more confidence and develops your analytical skills.
