Difference between pages "Java" and "User:Docbit"

From Forensics Wiki
{{Expand}}

== Java WebStart Cache ==
As of Java version 6 the Java WebStart Cache can be found in the following locations.

On Linux
<pre>
/home/$USER/.java/deployment/cache/
</pre>

On MacOS-X
<pre>
/Users/$USER/Library/Caches/Java/cache/
</pre>

On Windows XP
<pre>
C:\Documents and Settings\%USERNAME%\Application Data\Sun\Java\Deployment\cache\
</pre>

On Windows Vista and later
<pre>
C:\Users\%USERNAME%\AppData\LocalLow\Sun\Java\Deployment\cache\
</pre>

== IDX file format ==
Caveat: The following information is based on analysis of several dozen *.idx files from different Windows 7 systems. As such, it should not be considered exhaustively researched.

Values are in big-endian.

<pre>
00000000  01 00 00 00 02 5b 00 00  00 00 1d c7 b4 00 00 01  |.....[..........|
00000010  1f 81 29 fe b8 00 00 00  00 00 00 00 00 00 00 01  |..).............|
00000020  2b 24 4a cb dd 01 00 00  00 00 00 00 00 00 00 00  |+$J.............|
00000030  00 00 00 00 00 00 00 00  01 2b 24 4a a4 cd 00 00  |.........+$J....|
00000040  01 2e 45 83 f4 18 00 00  00 00 00 00 00 00 00 01  |..E.............|
00000050  01 00 00 00 00 00 00 00  00 00 00 00 01 2b 24 4a  |.............+$J|
00000060  a4 cd 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
</pre>

The header (or section 1) is 128 bytes in size and contains:
{| class="wikitable"
! align="left"| Offset
! Size
! Value
! Description
|-
| 0
| 1
|
| Busy (flag byte)
|-
| 1
| 1
|
| Incomplete (flag byte)
|-
| 2
| 4
| 00 00 02 5b (603)
| Format version
|-
| 6
| 1
|
| Force update (flag byte)
|-
| 7
| 1
|
| No-href (flag byte)
|-
| 8
| 1
|
| Is shortcut image (flag byte)
|-
| 9
| 4
|
| Content-Length
|-
| 13
| 8
| 00 00 01 1f 81 29 fe b8
| Last modification date (number of milliseconds since Jan 1, 1970 00:00:00)
|-
| 21
| 8
|
| Expiration date (number of milliseconds since Jan 1, 1970 00:00:00); 0 if it does not expire?
|-
| 29
| 8
| 00 00 01 2b 24 4a cb dd
| Validation timestamp (number of milliseconds since Jan 1, 1970 00:00:00)
|-
| 37
| 1
|
| Known to be signed (flag byte)
|-
| 38
| 4
|
| Size of section 2
|-
| 42
| 4
|
| Size of section 3
|-
| 46
| 4
|
| Size of section 4
|-
| 50
| 4
|
| Size of section 5
|-
| 54
| 8
| 00 00 01 2b 24 4a a4 cd
| Blacklist validation time (number of milliseconds since Jan 1, 1970 00:00:00)
|-
| 62
| 8
| 00 00 01 2e 45 83 f4 18
| Certificate expiration date (number of milliseconds since Jan 1, 1970 00:00:00)
|-
| 70
| 1
|
| Class verification status
|-
| 71
| 4
|
| Reduced manifest size
|-
| 75
| 4
|
| section4Pre15Length?
|-
| 79
| 1
|
| Has only signed entries (flag byte)
|-
| 80
| 1
|
| Has single code source (flag byte)
|-
| 81
| 4
|
| section4CertsLength?
|-
| 85
| 4
|
| section4SignersLength?
|-
| 89
| 1
|
| Has missing signed entries (flag byte)
|-
| 90
| 8
| 00 00 01 2b 24 4a a4 cd
| Trusted libraries validation time (number of milliseconds since Jan 1, 1970 00:00:00)
|-
| 98
| 4
|
| reducedManifest2Length?
|-
| 102
| 26
|
| Unknown, empty values (likely reserved for future expansion of the header)
|}

The values present in the header depend on the version. The definition above is based on version 603 and is intended as an example; check the [https://github.com/woanware/javaidx/blob/master/Documents/Java.IDX.Format.pdf Java IDX Format Specification] for more current information.

To convert a timestamp, e.g. in Python:
<pre>
import datetime
print(datetime.datetime(1970, 1, 1) + datetime.timedelta(milliseconds=0x011f8129feb8))
2009-02-16 22:17:07
</pre>

<pre>
00000080  00 00 00 39 68 74 74 70  3a 2f 2f 77 77 77 2e 74  |...9http://www.t|
00000090  6f 70 63 6f 64 65 72 2e  63 6f 6d 2f 63 6f 6e 74  |opcoder.com/cont|
000000a0  65 73 74 2f 63 6c 61 73  73 65 73 2f 43 6f 6e 74  |est/classes/Cont|
000000b0  65 73 74 41 70 70 6c 65  74 2e 6a 61 72          |estApplet.jar  |
</pre>

{| class="wikitable"
! align="left"| Offset
! Size
! Value
! Description
|-
| 128
| 2
| 00 00
| Version string size
|-
| 130
| 2
| 00 39
| Original URL string size
|-
| 132
| size
|
| Original URL string (UTF-8 without an end-of-string character?)
|}

<pre>
000000b0                                          00 00 00  |            ...|
000000c0  0c 36 36 2e 33 37 2e 32  31 30 2e 38 36 00 00 00  |.66.37.210.86  |
</pre>

{| class="wikitable"
! align="left"| Offset
! Size
! Value
! Description
|-
| ...
| 2
| 00 00
| Namespace string size
|-
| ...
| 2
| 00 0c
| IP string size
|-
| ...
| size
|
| IP string (UTF-8 without an end-of-string character?)
|}

<pre>
000000c0                                          00 00 00  |            ...|
000000d0  07 00 06 3c 6e 75 6c 6c  3e 00 0f 48 54 54 50 2f  |...<null>..HTTP/|
000000e0  31 2e 31 20 32 30 30 20  4f 4b 00 0e 63 6f 6e 74  |1.1 200 OK..cont|
000000f0  65 6e 74 2d 6c 65 6e 67  74 68 00 07 31 39 35 31  |ent-length..1951|
00000100  36 36 38 00 0d 6c 61 73  74 2d 6d 6f 64 69 66 69  |668..last-modifi|
00000110  65 64 00 1d 4d 6f 6e 2c  20 31 36 20 46 65 62 20  |ed..Mon, 16 Feb |
00000120  32 30 30 39 20 32 32 3a  31 37 3a 30 37 20 47 4d  |2009 22:17:07 GM|
00000130  54 00 0c 63 6f 6e 74 65  6e 74 2d 74 79 70 65 00  |T..content-type.|
00000140  18 61 70 70 6c 69 63 61  74 69 6f 6e 2f 6a 61 76  |.application/jav|
00000150  61 2d 61 72 63 68 69 76  65 00 04 64 61 74 65 00  |a-archive..date.|
00000160  1d 53 61 74 2c 20 31 38  20 53 65 70 20 32 30 31  |.Sat, 18 Sep 201|
00000170  30 20 31 30 3a 30 31 3a  30 36 20 47 4d 54 00 06  |0 10:01:06 GMT..|
00000180  73 65 72 76 65 72 00 06  41 70 61 63 68 65 00 1b  |server..Apache..|
00000190  64 65 70 6c 6f 79 2d 72  65 71 75 65 73 74 2d 63  |deploy-request-c|
000001a0  6f 6e 74 65 6e 74 2d 74  79 70 65 00 1a 61 70 70  |ontent-type..app|
000001b0  6c 69 63 61 74 69 6f 6e  2f 78 2d 6a 61 76 61 2d  |lication/x-java-|
000001c0  61 72 63 68 69 76 65 1f  8b 08 00 00 00 00 00 00  |archive.........|
...
</pre>

{| class="wikitable"
! align="left"| Offset
! Size
! Value
! Description
|-
| ...
| 4
|
| Number of header value pairs
|-
| ...
| ...
|
| Array of header value pairs
|}

A value pair is of variable size and consists of:
{| class="wikitable"
! align="left"| Offset
! Size
! Value
! Description
|-
| 0
| 2
|
| Header value identifier string size
|-
| 2
| size
|
| Header value identifier string
|-
| ...
| 2
|
| Header value string size
|-
| ...
| size
|
| Header value string
|}


For the example above, the size of the URL string is found at offset 130 (0x82). The first four string values in this data are each prefaced with their length (or size) as a 16-bit big-endian value. For example, to retrieve the original URL string, read the WORD at offset 0x82 and interpret it as a big-endian value (e.g. in Perl, <i>unpack("n", $data)</i>). Beginning at offset 0x84, the string is 57 (0x39) bytes long. At the end of that string, the next WORD is the length of the third string, also big-endian.

Once the initial four strings have been read, a DWORD value follows which can be interpreted as the number of header values, followed by the individual header value definitions. Each definition consists of an identifier string and a value string, each prefaced by a 16-bit (2-byte) big-endian value containing the length of the string.

In many cases, the first header value contains the HTTP response code 302. Other header values observed so far include a response of 200 as well as additional data (including timestamps), and the *.idx files themselves appear to contain certificate (and perhaps other) information.

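As an added example (not code from this wiki page, from the Java IDX Format Specification or from any of the linked tools), the following Python 3 script parses a version 603 *.idx file exactly as the tables above lay it out: the 128-byte header, the four length-prefixed strings and the array of HTTP header value pairs, converting the millisecond timestamps the same way as the snippet above. The sample bytes are the hexdumps on this page concatenated (offsets 0x000 to 0x1cf). The field names, the HEADER_FMT struct string and the functions parse_idx, java_millis_to_datetime and cross_check are this example's own naming, and the parser stops after the header value pairs because the page does not document what follows.

```python
"""Parse a Java WebStart cache *.idx file (format version 603) as laid out in the
tables above. Added example: field and function names are this example's own."""
import datetime
import email.utils
import struct

# Section 1: the 128-byte big-endian header, one struct code per table row.
HEADER_FMT = ">BBIBBBIQQQBIIIIQQBIIBBIIBQI26s"
HEADER_FIELDS = (
    "busy", "incomplete", "format_version", "force_update", "no_href", "is_shortcut_image",
    "content_length", "last_modified", "expiration", "validation_timestamp",
    "known_to_be_signed", "section2_size", "section3_size", "section4_size", "section5_size",
    "blacklist_validation_time", "certificate_expiration", "class_verification_status",
    "reduced_manifest_size", "section4_pre15_length", "has_only_signed_entries",
    "has_single_code_source", "section4_certs_length", "section4_signers_length",
    "has_missing_signed_entries", "trusted_libraries_validation_time",
    "reduced_manifest2_length", "reserved",
)
assert struct.calcsize(HEADER_FMT) == 128 and len(HEADER_FIELDS) == 28
TIMESTAMP_FIELDS = ("last_modified", "expiration", "validation_timestamp",
                    "blacklist_validation_time", "certificate_expiration",
                    "trusted_libraries_validation_time")
EPOCH = datetime.datetime(1970, 1, 1)


def java_millis_to_datetime(ms):
    """Milliseconds since 1970-01-01 00:00:00 UTC -> naive UTC datetime (0 -> None)."""
    return None if ms == 0 else EPOCH + datetime.timedelta(milliseconds=ms)


def parse_idx(data):
    """Return header fields, the four length-prefixed strings and the HTTP header pairs."""
    if len(data) < 128:
        raise ValueError("shorter than the 128-byte header")
    header = dict(zip(HEADER_FIELDS, struct.unpack_from(HEADER_FMT, data, 0)))
    if header["format_version"] != 603:
        raise ValueError("unsupported format version %d" % header["format_version"])
    pos = 128

    def read_string():
        # 16-bit big-endian size, then that many UTF-8 bytes with no terminator.
        nonlocal pos
        if pos + 2 > len(data):
            raise ValueError("size field at offset %d runs past the end of the data" % pos)
        (size,) = struct.unpack_from(">H", data, pos)
        if pos + 2 + size > len(data):
            raise ValueError("string at offset %d runs past the end of the data" % pos)
        value = data[pos + 2:pos + 2 + size].decode("utf-8")
        pos += 2 + size
        return value

    version, url, namespace, ip = (read_string() for _ in range(4))
    if pos + 4 > len(data):
        raise ValueError("header value count at offset %d runs past the end of the data" % pos)
    (count,) = struct.unpack_from(">I", data, pos)  # number of header value pairs
    pos += 4
    pairs = [(read_string(), read_string()) for _ in range(count)]
    # The page documents nothing past the header value pairs, so parsing stops here.
    return {"header": header, "version": version, "url": url, "namespace": namespace,
            "ip": ip, "http_headers": pairs, "end_offset": pos,
            "timestamps": {f: java_millis_to_datetime(header[f]) for f in TIMESTAMP_FIELDS}}


def cross_check(parsed):
    """Names of cached HTTP response headers that disagree with the binary header fields."""
    http = dict(parsed["http_headers"])
    mismatches = []
    if "content-length" in http and int(http["content-length"]) != parsed["header"]["content_length"]:
        mismatches.append("content-length")
    if "last-modified" in http:
        seen = email.utils.parsedate_to_datetime(http["last-modified"]).replace(tzinfo=None)
        if seen != parsed["timestamps"]["last_modified"]:
            mismatches.append("last-modified")
    return mismatches


# Constructed sample: the hexdumps on this page (offsets 0x000 to 0x1cf) concatenated.
SAMPLE_IDX = bytes.fromhex(
    "01000000025b000000001dc7b4000001" "1f8129feb80000000000000000000001"
    "2b244acbdd0100000000000000000000" "0000000000000000012b244aa4cd0000"
    "012e4583f41800000000000000000001" "010000000000000000000000012b244a"
    "a4cd0000000000000000000000000000" "00000000000000000000000000000000"
    "00000039687474703a2f2f7777772e74" "6f70636f6465722e636f6d2f636f6e74"
    "6573742f636c61737365732f436f6e74" "6573744170706c65742e6a6172000000"
    "0c36362e33372e3231302e3836000000" "0700063c6e756c6c3e000f485454502f"
    "312e3120323030204f4b000e636f6e74" "656e742d6c656e677468000731393531"
    "363638000d6c6173742d6d6f64696669" "6564001d4d6f6e2c2031362046656220"
    "323030392032323a31373a303720474d" "54000c636f6e74656e742d7479706500"
    "186170706c69636174696f6e2f6a6176" "612d6172636869766500046461746500"
    "1d5361742c2031382053657020323031" "302031303a30313a303620474d540006"
    "7365727665720006417061636865001b" "6465706c6f792d726571756573742d63"
    "6f6e74656e742d74797065001a617070" "6c69636174696f6e2f782d6a6176612d"
    "617263686976651f8b08000000000000"
)

if __name__ == "__main__":
    result = parse_idx(SAMPLE_IDX)
    print(result["url"], result["ip"], result["timestamps"]["last_modified"])
    print(result["http_headers"])
    print("mismatches:", cross_check(result))
```

cross_check compares the Content-Length and Last-Modified values cached from the HTTP response with the binary fields at offsets 9 and 13, a cheap consistency test when an *.idx file is used to timeline a download; on the sample both agree (1951668 bytes, 2009-02-16 22:17:07). Every length field is bounds-checked before use so a truncated or damaged file raises ValueError instead of silently yielding garbage.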
== External Links ==
* [http://sploited.blogspot.ch/2012/08/java-forensics-using-tln-timelines.html Java Forensics using TLN Timelines]
* [http://journeyintoir.blogspot.com/2011/02/almost-cooked-up-some-java.html Almost Cooked UP Some Java]
* [http://journeyintoir.blogspot.com/2011/11/finding-initial-infection-vector.html Finding Initial Infection Vector]
* [https://github.com/woanware/javaidx/blob/master/Documents/Java.IDX.Format.pdf Java IDX Format Specification], by [[Mark Woan]], January 2013
* [http://www.thebaskins.com/main/component/content/article/15-work/59-java-malware-identification-and-analysis Java Malware - Identification and Analysis], [[Brian Baskin]], January 12, 2013

=== Java source code ===
* [http://javasourcecode.org/html/open-source/jdk/jdk-6u23/com/sun/deploy/cache/Cache.java.html Cache.java]
* [http://javasourcecode.org/html/open-source/jdk/jdk-6u23/com/sun/deploy/cache/CacheEntry.java.html CacheEntry.java]

[[Category:Analysis]]

Latest revision as of 02:46, 28 November 2011

My main job is computer forensics. My other works are the same, I mean that I always work in the field of computer forensics in different firms. I like computer forensics but I hope that some day I win a lottery and do no work ever ;) I hope too that all people help me in the way of knowledge.