- forensic software
- forensic software
- forensic software
- forensic software
:: Products
Case Exhibit Management System :: Training
:: Mailing List
:: Contact
Contact Us Email: info@filesig.co.uk Post: Filesig Software, PO Box 678, York, YO26 0FU Windows Live Photo Gallery Primer - Pictures.pd5 This article covers the program Windows LIVE Photo Gallery and analysis of data file typically titled pictures.pd5 file and how to extract the content for review. Windows Live Photo Gallery (WLPG) is a multimedia management tool developed by Microsoft and comes installed as part of the Microsoft Windows Vista operating system (optional download). It is accessible from the Start menu under 'Programs' when installed. WLPG allows you to batch preview photo and video content as a series of thumbnails serving as an electronic photo album. A user can add additional information or 'tags' to each entry including comments, ratings and other descriptive information. Furthermore Windows Live Photo Gallery has built in facial recognition. A user can assign text and descriptive information to faces within each photograph. The above picture shows WLPG running and previewing a picture file, built in facial recognition has identifed a face when the mouse was hovered over the persons face. New files are added from the menu option 'Add Folder to Gallery'. Files can be previewed by tag, date or by rating, views can be filtered to show only picture, video or both. The information generated when a user has previewed files using WLPG is written to disk in a single file, this is typically titled 'pictures.pd5', one file exists for each profile on the computer in the following location: VOLUME\Users\PROFILE\AppData\Local\Microsoft\Windows Live Photo Gallery Information is also written to disk in the Vista Operating system thumbcache file; this is where the picture information is stored. When a user previews using WLPG the generated thumbnail pictures are stored in the thumbcache files relating to that particular profile. Each user profile on the computer has its own thumbcache repository. It is important to note that the Vista operating system thumbcache is not only used by WLPG, it also stores thumbnail pictures in the cache when previewing using Windows explorer. VOLUME\Users\PROFILE\AppData\Local\Microsoft\Windows\Explorer The WLPG data file can be readily examined using the tool WPG Live Viewer a forensic software tool which is part of the Simple Carver Suite and is capable of reading the 'pictures.pd5' file. The WLPG data file ( picture.pd5 ) contains a wealth of information including but not limited to Facial Recognition Information, Path information, file properties, source label (hard disk drive label), source serial (volume serial number), user rating information, tag information, comments and descriptions and thumbnail moniker. |