Monday, 2 February 2009

Corel Paint Shop Pro Photo X2

Paint Shop Pro has a slightly longer title nowadays. From a forensic perspective the older version had a thumbnail cache stored within .jbf files. Tim Coakley wrote a tool for parsing the contents out. I stumbled across this new version when I saw some subfolders in my suspect's My Pictures folder entitled 2008.01.02 and a subfolder entitled Thumbs at the path C:\Documents and Settings\username\Local Settings\Application Data\Corel\Thumbs. This folder had a number of jpgs within it with filenames in the format yyyy.mm.dd.jpg.

The software can be installed as a trial. It has two components that leave good evidence - an Organizer that creates a thumbnail database of selected folders (by default the current users C:\Documents and Settings\Username\My Pictures, C:\Documents and Settings\All Users\My Pictures and My Corel Shows) and the Corel Photo Downloader.

Organizer
When the program is first run it will catalogue all supported picture types in the default folders. This allows the user to view a thumbnail gallery of the catalogued folders within the program. The thumnails are created and stored at the path:

C:\Documents and Settings\Username\Local Settings\Application Data\Corel\Thumbs

These catologued thumbnails retain the filename of the original picture. Metadata is stored in a database imagedb.db.

Corel Photo Downloader
This utility was responsible for creating some good evidence in my recent case. It is installed as part of Corel Paint Shop Pro Photo X2 and is intended to automate the download of photographs from cameras, flash media cards and CDs. The following dialogue box shows the relevant configuration settings:


Photos downloaded with this utility form the folders and files I had found.



Thumbnails of them are catalogued as part of the Organizer function - a function your suspect may be unaware of.





Thumbnail issues
When Coral Paint Shop Pro Photo X2 is running thumbnails are pruned if the underlying source folders/files are deleted. However if the program is not run after the underlying source folders/files are deleted the thumbnails remain. In my case it appears that the trial expired which allowed a considerable number of thumbnails to remain at the path C:\Documents and Settings\username\Local Settings\Application Data\Corel\Thumbs.

Imagedb.db
Both the organizer and the photo downloader utilise a SQLite3 database to store metadata in relation to the catalogued pictures. The database can be viewed using the SQLite database browser. It is possible to walk through the database to establish the original filenames of any thumbnails and the source folder. Other useful information is stored in the database including program configuration. In my case the date of download was useful.





Figure 1
Details pictures downloaded (in this case from a casio camera). The highlighted picture has been given an image ID number - 5210 and has a Download ID number 1.



Figure 2
Image ID 5210 has been allocated the filename 20090129_3.jpg and is stored in Folder 851.


Figure 3
Folder 851's entry detailing the folder name and path



Figure 4
Showing Download ID number 1's download date.

No comments: