Windows Photo Gallery Forensics

Posted: 09/03/2013 in Uncategorized

This article covers the program Windows Photo Gallery 2012, the analysis of its data file (typically titled pictures.pd6), and how to extract the content for review.

Windows Photo Gallery 2012 (WPG) is a multimedia management tool developed by Microsoft that comes installed as part of the Vista/Microsoft Windows 7 operating system (optional download). When installed, it is accessible from the Start menu under ‘Programs’.

WPG allows you to batch preview photo and video content as a series of thumbnails, serving as an electronic photo album. A user can add additional information or ‘tags’ to each entry, including comments, ratings and other descriptive information.

The format of the pictures.pd6 file is very similar to that of pictures.pd5, but with additional information relating to social networking, since Windows Photo Gallery 2012 allows you to share pictures online through a number of different social network sites (see: Pictures.pd5 article).

The information generated when a user has previewed files using WPG is written to disk in a single file, typically titled ‘pictures.pd6’. One file exists for each profile on the computer, in the following location:

VOLUME\Users\PROFILE\AppData\Local\Microsoft\Windows Live Photo Gallery

Information is also written to disk in the operating system thumbcache files; this is where the picture information is stored. When a user previews using WPG, the generated thumbnail pictures are stored in the thumbcache files relating to that particular profile. Each user profile on the computer has its own thumbcache repository. It is important to note that the Vista/Windows 7 operating system thumbcache is not only used by WPG; thumbnail pictures are also stored in the cache when previewing with Windows Explorer.
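As an added example (not code from the original article or from the Simple Carver Suite), the following Python sketch walks the Users folder of a mounted evidence volume, locates each profile's pictures.pd6 at the path given above, and records its size and SHA-256 together with the names of that profile's thumbcache files. The thumbcache folder path, the function names and the sample tree are assumptions introduced here; the sample files hold constructed placeholder bytes, not real pd6 data.

```python
import hashlib
import tempfile
from pathlib import Path

# Per-profile folder named in the article.
WPG_REL = Path("AppData/Local/Microsoft/Windows Live Photo Gallery")
# Assumption (not from the article): standard Vista/7 thumbcache folder.
THUMB_REL = Path("AppData/Local/Microsoft/Windows/Explorer")


def sha256_file(path, chunk=1 << 20):
    """Hash in chunks so large evidence files are not loaded into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def find_wpg_artifacts(volume_root):
    """Return one record per profile that holds a pictures.pd6 file."""
    records = []
    users = Path(volume_root) / "Users"
    if not users.is_dir():
        return records
    for profile in sorted(p for p in users.iterdir() if p.is_dir()):
        pd6 = profile / WPG_REL / "pictures.pd6"
        if not pd6.is_file():
            continue  # profile never used WPG, or the file was removed
        thumbs = sorted(t.name for t in (profile / THUMB_REL).glob("thumbcache_*.db"))
        records.append({"profile": profile.name, "path": str(pd6),
                        "size": pd6.stat().st_size, "sha256": sha256_file(pd6),
                        "thumbcaches": thumbs})
    return records


def demo():
    """Scan a constructed two-profile tree (placeholder bytes, not real pd6 data)."""
    with tempfile.TemporaryDirectory() as root:
        alice, bob = (Path(root) / "Users" / n for n in ("alice", "bob"))
        for d in (alice / WPG_REL, alice / THUMB_REL, bob / WPG_REL):
            d.mkdir(parents=True)
        (alice / WPG_REL / "pictures.pd6").write_bytes(b"abc")
        (alice / THUMB_REL / "thumbcache_256.db").write_bytes(b"")
        return find_wpg_artifacts(root)


if __name__ == "__main__":
    for record in demo():
        print(record)
```

Point `find_wpg_artifacts` at a read-only mount of the image rather than a live system; on a case-sensitive mount the folder names must match the case used on the volume.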

The WPG data file can be readily examined using WPG 2012 Viewer, a forensic software tool that is part of the Simple Carver Suite and is capable of reading the ‘pictures.pd6’ file.

The WPG data file (pictures.pd6) contains a wealth of information, including but not limited to facial recognition information, path information, file properties, source label (hard disk drive label), source serial (volume serial number), user rating information, tag information, comments and descriptions, and thumbnail moniker.
