Difference between pages "Java" and "User:Docbit"

Latest revision as of 02:46, 28 November 2011

my main job is computer forensic my other works are the same i mean that i alwaya work in the field of forensic computer in differenst firms i like forensic computer but i hope that some day win a lottery and no work ever ;) I hope too that all people help me in the way of knowledge

Difference between pages "Java" and "User:Docbit"

Latest revision as of 02:46, 28 November 2011

Navigation menu

Personal tools

Namespaces

Variants

Views

Actions

Search

Navigation:

About forensicswiki.org:

Toolbox

@@ Line 1: / Line 1: @@
-{{Expand}}
+my main job is computer forensic
+my other works are the same i mean that i alwaya work in the field of forensic computer in differenst firms
-== Java WebStart Cache ==
+i like forensic computer but i hope that some day win a lottery and no work ever ;)
-As of Java version 6 the Java WebStart Cache can be found in the following locations.
+I hope too that all people help me in the way of knowledge
-On Linux
-<pre>
-/home/$USER/.java/deployment/cache/
-</pre>
-On MacOS-X
-<pre>
-/Users/$USER/Library/Caches/Java/cache/
-</pre>
-On Windows XP
-<pre>
-C:\Documents and Settings\%USERNAME%\Application Data\Sun\Java\Deployment\cache\
-</pre>
-On Windows Vista and later
-<pre>
-C:\Users\%USERNAME%\AppData\LocalLow\Sun\Java\Deployment\cache\
-</pre>
-== IDX file format ==
-Caveat: The following information is based on analysis of several dozen *.idx files from different Windows 7 systems.  As such, the following information should not be considered to have been exhaustively researched.
-Values are in big-endian.
-<pre>
-00000000  01 00 00 00 02 5b 00 00  00 00 1d c7 b4 00 00 01  |.....[..........|
-00000010  1f 81 29 fe b8 00 00 00  00 00 00 00 00 00 00 01  |..).............|
-00000020  2b 24 4a cb dd 01 00 00  00 00 00 00 00 00 00 00  |+$J.............|
-00000030  00 00 00 00 00 00 00 00  01 2b 24 4a a4 cd 00 00  |.........+$J....|
-00000040  01 2e 45 83 f4 18 00 00  00 00 00 00 00 00 00 01  |..E.............|
-00000050  01 00 00 00 00 00 00 00  00 00 00 00 01 2b 24 4a  |.............+$J|
-00000060  a4 cd 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
-00000070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
-</pre>
-The header (or section 1) is 128 bytes in size and contains:
-{| class="wikitable"
-! align="left"| Offset
-! Size
-! Value
-! Description
-|-
-| 0
-| 1
-|
-| Busy (flag byte)
-|-
-| 1
-| 1
-|
-| Incomplete (flag byte)
-|-
-| 2
-| 4
-| 00 00 02 5b (603)
-| Format version
-|-
-| 6
-| 1
-|
-| Force update (flag byte)
-|-
-| 7
-| 1
-|
-| No-href (flag byte)
-|-
-| 8
-| 1
-|
-| Is shortcut image (flag byte)
-|-
-| 9
-| 4
-|
-| Content-Length
-|-
-| 13
-| 8
-| 00 00 01 1f 81 29 fe b8
-| Last modification date (Number of milli seconds since Jan 1, 1970 00:00:00)
-|-
-| 21
-| 8
-|
-| expiration date (Number of milli seconds since Jan 1, 1970 00:00:00) 0 if not expires?
-|-
-| 29
-| 8
-| 00 00 01 2b 24 4a cb dd
-| Validation timestamp (Number of milli seconds since Jan 1, 1970 00:00:00)
-|-
-| 37
-| 1
-|
-| Known to be signed (flag byte)
-|-
-| 38
-| 4
-|
-| Size of section 2
-|-
-| 42
-| 4
-|
-| Size of section 3
-|-
-| 46
-| 4
-|
-| Size of section 4
-|-
-| 50
-| 4
-|
-| Size of section 5
-|-
-| 54
-| 8
-| 00 00 01 2b 24 4a a4 cd
-| Blacklist validation time (Number of milli seconds since Jan 1, 1970 00:00:00)
-|-
-| 62
-| 8
-| 00 00 01 2e 45 83 f4 18
-| Certificate expiration date (Number of milli seconds since Jan 1, 1970 00:00:00)
-|-
-| 70
-| 1
-|
-| Class verification status
-|-
-| 71
-| 4
-|
-| Reduced manifest size
-|-
-| 75
-| 4
-|
-| section4Pre15Length?
-|-
-| 79
-| 1
-|
-| Has only signed entries (flag byte)
-|-
-| 80
-| 1
-|
-| Has single code source (flag byte)
-|-
-| 81
-| 4
-|
-| section4CertsLength?
-|-
-| 85
-| 4
-|
-| section4SignersLength?
-|-
-| 89
-| 1
-|
-| Has missing signed entries (flag byte)
-|-
-| 90
-| 8
-| 00 00 01 2b 24 4a a4 cd
-| Trusted libraries validation time (Number of milli seconds since Jan 1, 1970 00:00:00)
-|-
-| 98
-| 4
-|
-| reducedManifest2Length?
-|-
-| 102
-| 26
-|
-| Unknown, empty values (likely reserved for future expansion of the header)
-|}
-The values present in the header are dependent on the version. The definition above is based on version 603 and intended as an example check the [https://github.com/woanware/javaidx/blob/master/Documents/Java.IDX.Format.pdf Java IDX Format Specification] for more current information.
-To convert a timestamp in e.g. Python
-<pre>
-print datetime.datetime(1970, 1, 1) + datetime.timedelta(milliseconds=0x011f8129feb8)
--02-16 22:17:07
-</pre>
-<pre>
-00000080  00 00 00 39 68 74 74 70  3a 2f 2f 77 77 77 2e 74  |...9http://www.t|
-00000090  6f 70 63 6f 64 65 72 2e  63 6f 6d 2f 63 6f 6e 74  |opcoder.com/cont|
-a0  65 73 74 2f 63 6c 61 73  73 65 73 2f 43 6f 6e 74  |est/classes/Cont|
-b0  65 73 74 41 70 70 6c 65  74 2e 6a 61 72           |estApplet.jar   |
-</pre>
-{| class="wikitable"
-! align="left"| Offset
-! Size
-! Value
-! Description
-|-
-| 128
-| 2
-| 00 00
-| Version string size
-|-
-| 130
-| 2
-| 00 39
-| Original URL string size
-|-
-| 132
-| size
-|
-| Original URL string (UTF-8 without an end-of-string character?)
-|}
-<pre>
-b0                                          00 00 00  |             ...|
-c0  0c 36 36 2e 33 37 2e 32  31 30 2e 38 36 00 00 00  |.66.37.210.86   |
-</pre>
-{| class="wikitable"
-! align="left"| Offset
-! Size
-! Value
-! Description
-|-
-| ...
-| 2
-| 00 00
-| Namespace string size
-|-
-| ...
-| 2
-| 00 0c
-| IP string size
-|-
-| ...
-| size
-|
-| IP string (UTF-8 without an end-of-string character?)
-|}
-<pre>
-c0                                          00 00 00  |             ...|
-d0  07 00 06 3c 6e 75 6c 6c  3e 00 0f 48 54 54 50 2f  |...<null>..HTTP/|
-e0  31 2e 31 20 32 30 30 20  4f 4b 00 0e 63 6f 6e 74  |1.1 200 OK..cont|
-f0  65 6e 74 2d 6c 65 6e 67  74 68 00 07 31 39 35 31  |ent-length..1951|
-00000100  36 36 38 00 0d 6c 61 73  74 2d 6d 6f 64 69 66 69  |668..last-modifi|
-00000110  65 64 00 1d 4d 6f 6e 2c  20 31 36 20 46 65 62 20  |ed..Mon, 16 Feb |
-00000120  32 30 30 39 20 32 32 3a  31 37 3a 30 37 20 47 4d  |2009 22:17:07 GM|
-00000130  54 00 0c 63 6f 6e 74 65  6e 74 2d 74 79 70 65 00  |T..content-type.|
-00000140  18 61 70 70 6c 69 63 61  74 69 6f 6e 2f 6a 61 76  |.application/jav|
-00000150  61 2d 61 72 63 68 69 76  65 00 04 64 61 74 65 00  |a-archive..date.|
-00000160  1d 53 61 74 2c 20 31 38  20 53 65 70 20 32 30 31  |.Sat, 18 Sep 201|
-00000170  30 20 31 30 3a 30 31 3a  30 36 20 47 4d 54 00 06  |0 10:01:06 GMT..|
-00000180  73 65 72 76 65 72 00 06  41 70 61 63 68 65 00 1b  |server..Apache..|
-00000190  64 65 70 6c 6f 79 2d 72  65 71 75 65 73 74 2d 63  |deploy-request-c|
-a0  6f 6e 74 65 6e 74 2d 74  79 70 65 00 1a 61 70 70  |ontent-type..app|
-b0  6c 69 63 61 74 69 6f 6e  2f 78 2d 6a 61 76 61 2d  |lication/x-java-|
-c0  61 72 63 68 69 76 65 1f  8b 08 00 00 00 00 00 00  |archive.........|
-...
-</pre>
-{| class="wikitable"
-! align="left"| Offset
-! Size
-! Value
-! Description
-|-
-| ...
-| 4
-|
-| Number of header value pairs
-|-
-| ...
-| ...
-|
-| Array of header value pairs
-|}
-A value pair is variable of size and consists of:
-{| class="wikitable"
-! align="left"| Offset
-! Size
-! Value
-! Description
-|-
-| 0
-| 2
-|
-| Header value identifier string size
-|-
-| 2
-| size
-|
-| Header value identifier string
-|-
-| ...
-| 2
-|
-| Header value string size
-|-
-| ...
-| size
-|
-| Header value string
-|}
-For the example above the size of the URL string can be found at offset 130 (0x82). The first 4 string values to extract from this data are prefaced with their lengths (or sizes) as 16-bit big-endian values. E.g. to retrieve the original URL string, read the WORD at offset 0x82, and translate it as a big-endian value (e.g. using Perl, <i>unpack("n",$data)</i>). Beginning at offset 0x84, the string is 57 (0x39) bytes long. At the end of that string, the next WORD is the length of the third string, also in big-endian format.
-Once you've completed reading the initial 4 strings, there is a DWORD value which can be interpreted as the number of header values, followed by the individual header value definitions. Each header value definition consists of an identifier and a value string. Both strings are prefaced by a 16-bit big-endian (2-byte) value, containing the length of the string.
-In many cases, the first header value contains the HTTP Response code of 302. Other header values (that have been observed so far) include a response of 200, as well as additional data (including time stamps), and the *.idx files themselves appear to contain certificate (and perhaps other) information.
-== External Links ==
-* [http://sploited.blogspot.ch/2012/08/java-forensics-using-tln-timelines.html Java Forensics using TLN Timelines]
-* [http://journeyintoir.blogspot.com/2011/02/almost-cooked-up-some-java.html Almost Cooked UP Some Java]
-* [http://journeyintoir.blogspot.com/2011/11/finding-initial-infection-vector.html Finding Initial Infection Vector]
-* [https://github.com/woanware/javaidx/blob/master/Documents/Java.IDX.Format.pdf Java IDX Format Specification], by [[Mark Woan]], January 2013
-* [http://www.thebaskins.com/main/component/content/article/15-work/59-java-malware-identification-and-analysis Java Malware - Identification and Analysis], [[Brian Baskin]], January 12, 2013
-=== Java source code ===
-* [http://javasourcecode.org/html/open-source/jdk/jdk-6u23/com/sun/deploy/cache/Cache.java.html Cache.java]
-* [http://javasourcecode.org/html/open-source/jdk/jdk-6u23/com/sun/deploy/cache/CacheEntry.java.html CacheEntry.java]
-[[Category:Analysis]]