Difference between pages "SQLite database format" and "Windows SuperFetch Format"

From Forensics Wiki
(Difference between pages)
 
(MEMO file)
 
Line 1: Line 1:
 
{{expand}}
 
{{expand}}
{{Infobox_Software |
 
  name = SQLite |
 
  maintainer = [http://sqlite.org/consortium.html SQLite Consortium] |
 
  os = {{Linux}}, {{Windows}}, {{Mac OS X}} |
 
  genre = [[Database]] |
 
  license = {{Public Domain}} |
 
  website = [http://sqlite.org/ sqlite.org] |
 
}}
 
<i>SQLite is a software library that implements a self-contained, serverless, zero-configuration, transactional SQL database engine.</i> --SQLite project definition
 
  
Details about the software and general use are available from the project web site http://sqlite.org/.
+
== MEMO file ==
SQLite databases are used by many programs including several forensics tools, eg [[Autopsy]] 3.
+
Th MEMO file consists of:
SQLite 3 is current and older SQLite packages cannot use sqlite3 databases so use sqlite3 tools.
+
* file header
 +
* compressed blocks
  
== Web Browser Data ==
+
=== File header ===
[[Mozilla Firefox]] and [[Google Chrome]] both use SQLite version 3 databases for user data such as history, downloaded files.
+
The file header is 84 bytes of size and consists of:
 +
{| class="wikitable"
 +
|-
 +
! Offset
 +
! Size
 +
! Value
 +
! Description
 +
|-
 +
| 0
 +
| 4
 +
| 0x304D454D ("MEM0") or 0x4F4D454D ("MEMO")
 +
| Signature
 +
|-
 +
| 4
 +
| 4
 +
|
 +
| Uncompressed (total) data size
 +
|-
 +
|}
  
== Tools ==
+
=== Compressed blocks ===
* [[SQLite]]
+
The file header is followed by compressed blocks:
* [[SQLite Forensic Reporter]]
+
{| class="wikitable"
 +
|-
 +
! Offset
 +
! Size
 +
! Value
 +
! Description
 +
|-
 +
| 0
 +
| 4
 +
|
 +
| Compressed data size
 +
|-
 +
| 4
 +
| ...
 +
|
 +
| Compressed data
 +
|-
 +
|}
 +
 
 +
== See Also ==
 +
* [[SuperFetch]]
 +
 
 +
== External Links ==
 +
* [http://blog.rewolf.pl/blog/?p=214 Windows SuperFetch file format – partial specification]
 +
 
 +
[[Category:File Formats]]
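
Review bot: The added "File header" section states the header is 84 bytes, but its table only describes offsets 0 and 4, so 76 bytes are unaccounted for; add rows for the remaining fields or say explicitly that they are unknown. In the same revision, "Th MEMO file consists of:" should read "The MEMO file consists of:", and the "Compressed blocks" table leaves out the byte order of the size fields, whether the compressed data size includes its own 4-byte field, and which compression is used, all of which a reader needs to carve the blocks reliably.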

Revision as of 12:37, 14 April 2014

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

MEMO file

The MEMO file consists of:

  • file header
  • compressed blocks

File header

The file header is 84 bytes in size and consists of:

Offset  Size  Value                                        Description
0       4     0x304D454D ("MEM0") or 0x4F4D454D ("MEMO")   Signature
4       4                                                  Uncompressed (total) data size

Compressed blocks

The file header is followed by compressed blocks:

Offset  Size  Value  Description
0       4            Compressed data size
4       ...          Compressed data
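
The layout in the two tables above, walked by a Python parser that is an added example and not part of the original wiki page. It assumes little-endian fields (as the signature values imply), a block size that counts only the data after the size field, and blocks that run to the end of the file; parse_memo and SAMPLE are hypothetical names, and SAMPLE is constructed.

```python
import struct

HEADER_SIZE = 84                  # header length stated on the page
SIGNATURES = (b"MEM0", b"MEMO")   # 0x304D454D / 0x4F4D454D read as little-endian


def parse_memo(data):
    """Return (signature, uncompressed_size, blocks).

    blocks is a list of (data_offset, compressed_size) pairs. Nothing is
    decompressed: the page does not name the compression algorithm.
    """
    if len(data) < HEADER_SIZE:
        raise ValueError("file is shorter than the 84-byte header")
    sig = data[:4]
    if sig not in SIGNATURES:
        raise ValueError("unexpected signature %r" % sig)
    (total_size,) = struct.unpack_from("<I", data, 4)

    blocks = []
    pos = HEADER_SIZE
    while pos < len(data):
        if len(data) - pos < 4:
            raise ValueError("truncated size field at offset %d" % pos)
        (csize,) = struct.unpack_from("<I", data, pos)
        start = pos + 4
        remaining = len(data) - start
        # Assumption: csize excludes its own 4 bytes. Reject sizes that run
        # past the end of the file (corrupt or partially carved evidence).
        if csize > remaining:
            raise ValueError("block at offset %d claims %d bytes, %d remain"
                             % (pos, csize, remaining))
        blocks.append((start, csize))
        pos = start + csize
    return sig.decode("ascii"), total_size, blocks


# Constructed sample: header with only the two documented fields set, then
# two blocks whose payloads are placeholder bytes, not real compressed data.
SAMPLE = (b"MEM0" + struct.pack("<I", 4096) + bytes(HEADER_SIZE - 8)
          + struct.pack("<I", 3) + b"abc"
          + struct.pack("<I", 5) + b"hello")

if __name__ == "__main__":
    sig, total, blocks = parse_memo(SAMPLE)
    print(sig, total, blocks)
```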

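See Also

  • SuperFetch

External Links

  • Windows SuperFetch file format – partial specification (http://blog.rewolf.pl/blog/?p=214)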