Difference between pages "OLE Compound File" and "Windows SuperFetch Format"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Contents)
 
(MEMO file)
 
Line 1: Line 1:
The '''Object Linking and Embedding (OLE) Compound File (CF)''' is used in other file formats as its underlying container file.
+
{{expand}}
It allows data to be stored in multiple streams.
+
  
The OLECF is also known as:
+
== MEMO file ==
* Compound Binary File (current name used by [[Microsoft]])
+
Th MEMO file consists of:
* Compound Document File (name used by [[OpenOffice]])
+
* file header
* OLE2 file
+
* compressed blocks
  
== MIME types ==
+
=== File header ===
 +
The file header is 84 bytes of size and consists of:
 +
{| class="wikitable"
 +
|-
 +
! Offset
 +
! Size
 +
! Value
 +
! Description
 +
|-
 +
| 0
 +
| 4
 +
| 0x304D454D ("MEM0") or 0x4F4D454D ("MEMO")
 +
| Signature
 +
|-
 +
| 4
 +
| 4
 +
|
 +
| Uncompressed (total) data size
 +
|-
 +
|}
  
Because the OLECF by itself is just a container it does not use a mime type.
+
=== Compressed blocks ===
A mime type assigned to an OLECF refers to its contents.
+
The file header is followed by compressed blocks:
 +
{| class="wikitable"
 +
|-
 +
! Offset
 +
! Size
 +
! Value
 +
! Description
 +
|-
 +
| 0
 +
| 4
 +
|
 +
| Compressed data size
 +
|-
 +
| 4
 +
| ...
 +
|
 +
| Compressed data
 +
|-
 +
|}
  
== File signature ==
+
== See Also ==
 
+
* [[SuperFetch]]
The OLECF has the following file signature:
+
hexadecimal: d0 cf 11 e0 a1 b1 1a e1
+
 
+
The OLECF has no distinct footer.
+
 
+
== Contents ==
+
 
+
The OLECF uses a FAT-like file system to define blocks that are assigned to the stream using multiple allocation tables.
+
It uses a directory structure to define the name of the streams.
+
 
+
The OLECF is used to store:
+
* [[Microsoft Office]] 97-2003 documents:
+
** [[Word Document (DOC)]]
+
** [[Excel Spreadsheet (XLS)]]
+
** [[Powerpoint Presentation (PPT)]]
+
* MSN (C:\Documents and Settings\%USERNAME%\Local Settings\Application Data\Microsoft\MSNe\msninfo.dat)
+
* [[Jump Lists]]
+
* StickyNotes.snt
+
* [[Thumbs.db]]
+
* Windows Installer (.msi) and patch file (.msp)
+
  
 
== External Links ==
 
== External Links ==
* [http://download.microsoft.com/download/0/B/E/0BE8BDD7-E5E8-422A-ABFD-4342ED7AD886/WindowsCompoundBinaryFileFormatSpecification.pdf Compound Binary File Specification], by [[Microsoft]]. Be warned this file contains at least one error: the directory entry name length is a size in bytes not in characters.
+
* [http://blog.rewolf.pl/blog/?p=214 Windows SuperFetch file format – partial specification]
* [http://msdn.microsoft.com/en-us/library/dd942138.aspx MS-CFB: Compound File Binary File Format], by [[Microsoft]]
+
* [http://www.openoffice.org/sc/compdocfileformat.pdf Microsoft Compound Document File Format], by OpenOffice.org
+
* [https://googledrive.com/host/0B3fBvzttpiiSS0hEb0pjU2h6a2c/OLE%20Compound%20File%20format.pdf OLE Compound File format specification], by the [[libolecf|libolecf project]]
+
 
+
== Tools ==
+
* [[libolecf]]
+
* [http://www.mitec.cz/ssv.html MiTec Structured Storage Viewer]
+
  
 
[[Category:File Formats]]
 
[[Category:File Formats]]

Revision as of 12:37, 14 April 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

MEMO file

Th MEMO file consists of:

  • file header
  • compressed blocks

File header

The file header is 84 bytes of size and consists of:

Offset Size Value Description
0 4 0x304D454D ("MEM0") or 0x4F4D454D ("MEMO") Signature
4 4 Uncompressed (total) data size

Compressed blocks

The file header is followed by compressed blocks:

Offset Size Value Description
0 4 Compressed data size
4 ... Compressed data

See Also

External Links