Difference between pages "Talk:Prefetch" and "Windows SuperFetch Format"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Created page with "== External Links - Broken == * [http://42llc.net/?page_id=215 Yogesh Khatri's Prefetch Research]")
 
(MEMO file)
 
Line 1: Line 1:
== External Links - Broken ==
+
{{expand}}
* [http://42llc.net/?page_id=215 Yogesh Khatri's Prefetch Research]
+
 
 +
== MEMO file ==
 +
Th MEMO file consists of:
 +
* file header
 +
* compressed blocks
 +
 
 +
=== File header ===
 +
The file header is 84 bytes of size and consists of:
 +
{| class="wikitable"
 +
|-
 +
! Offset
 +
! Size
 +
! Value
 +
! Description
 +
|-
 +
| 0
 +
| 4
 +
| 0x304D454D ("MEM0") or 0x4F4D454D ("MEMO")
 +
| Signature
 +
|-
 +
| 4
 +
| 4
 +
|
 +
| Uncompressed (total) data size
 +
|-
 +
|}
 +
 
 +
=== Compressed blocks ===
 +
The file header is followed by compressed blocks:
 +
{| class="wikitable"
 +
|-
 +
! Offset
 +
! Size
 +
! Value
 +
! Description
 +
|-
 +
| 0
 +
| 4
 +
|
 +
| Compressed data size
 +
|-
 +
| 4
 +
| ...
 +
|
 +
| Compressed data
 +
|-
 +
|}
 +
 
 +
== See Also ==
 +
* [[SuperFetch]]
 +
 
 +
== External Links ==
 +
* [http://blog.rewolf.pl/blog/?p=214 Windows SuperFetch file format – partial specification]
 +
 
 +
[[Category:File Formats]]

Revision as of 13:37, 14 April 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

MEMO file

Th MEMO file consists of:

  • file header
  • compressed blocks

File header

The file header is 84 bytes of size and consists of:

Offset Size Value Description
0 4 0x304D454D ("MEM0") or 0x4F4D454D ("MEMO") Signature
4 4 Uncompressed (total) data size

Compressed blocks

The file header is followed by compressed blocks:

Offset Size Value Description
0 4 Compressed data size
4 ... Compressed data

See Also

External Links