Difference between pages "Upcoming events" and "Windows SuperFetch Format"

From ForensicsWiki

Upcoming events

Here is a BY DATE listing of '''upcoming conferences and training events''' that pertain to [[digital forensics]]. Some of these duplicate the generic [[conferences]], but have specific dates/locations for the upcoming conference/training event.

<b> The Conference and Training List is provided by the American Academy of Forensic Sciences (AAFS) Digital and Multi-media Listserv</b>
<i> (Subscribe by sending an email to listserv@lists.mitre.org with message body containing SUBSCRIBE AAFS-DIGITAL-MULTIMEDIA-LIST)</i>
<b> Any requests for additions, deletions or corrections to this list should be sent by email to David Baker <i>(bakerd AT mitre.org)</i>. </b>

== Calls For Papers ==
{| border="0" cellpadding="2" cellspacing="2" align="top"
|- style="background:#bfbfbf; font-weight: bold"
! Title
! Due Date
! Website
|-
|Recent Advances in Intrusion Detection (RAID) 2007
|Mar 31, 2007
|http://www.isi.qut.edu.au/events/conferences/raid07/cfp/
|-
|Digital Forensic Research Workshop 2007
|**EXTENDED ONE WEEK TO APRIL 09, 2007**
|http://dfrws.org/2007/cfp.html
|-
|Black and White Ball
|Apr 30, 2007
|http://www.theblackandwhiteball.co.uk/cfp.php
|-
|BlackHat USA 2007
|May 01, 2007
|http://www.blackhat.com/html/bh-usa-07/bh-usa-07-cfp.html
|-
|International Conference on Incident Management and IT-Forensics
|May 14, 2007
|http://www.gi-ev.de/fachbereiche/sicherheit/fg/sidar/imf/imf2007/cfp_en.html
|-
|First Annual European DeepSec In-Depth Security Conference
|Jun 10, 2007
|http://deepsec.net/cfp/
|-
|DFRWS 2007 File Carving Challenge
|Jul 09, 2007
|http://www.dfrws.org/2007/challenge/submission.html
|}

== Conferences ==
{| border="0" cellpadding="2" cellspacing="2" align="top"
|- style="background:#bfbfbf; font-weight: bold"
! Title
! Date/Location
! Website
|-
|CyberCrime Summit 2007
|Mar 19-23, Atlanta, GA
|http://www.cybercrimesummit.com/index.htm
|-
|Security OPUS
|Mar 19-23, San Francisco, CA
|http://www.securityopus.com/
|-
|8th CERIAS Information Security Symposium
|Mar 20-21, Purdue University, IN
|http://www.cerias.purdue.edu/symposium/2007/
|-
|SHMOOCon 2007
|Mar 22-25, Washington, DC
|http://www.shmoocon.org/
|-
|2nd Workshop on Systematic Approaches to Digital Forensic Engineering
|Apr 10-12, Seattle, WA
|http://conf.ncku.edu.tw/sadfe/cfp.htm
|-
|First Workshop on Hot Topics in Understanding Botnets (HotBots '07)
|Apr 10, Cambridge, MA
|http://www.usenix.org/events/hotbots07/
|-
|CanSecWest 2007
|Apr 16-20, Vancouver, BC, Canada
|http://cansecwest.com/
|-
|Conference on Digital Forensics, Security and Law
|Apr 18-20, Washington, DC
|http://www.digitalforensics-conference.org/
|-
|IACIS Computer Forensic Training Event 2007
|Apr 23-May 04, Orlando, FL
|http://www.iacis.com/iacisv2/pages/training.php
|-
|Computer and Enterprise Investigations Conference (CEIC)
|May 06-09, Las Vegas, NV
|http://www.ceic2007.com/
|-
|CONFidence 2007
|May 13-14, Cracow, Poland
|http://2007.confidence.org.pl/
|-
|22nd IFIP International Information Security Conference
|May 14-16, Sandton, South Africa
|http://www.sbs.co.za/ifipsec2007/
|-
|Texas Regional Infrastructure Security Conference (TRISC)
|May 15-17, Austin, TX
|http://www.trisc.org/
|-
|2007 Techno-Security Conference
|Jun 03-06, Myrtle Beach, SC
|http://www.techsec.com/html/Techno2007.html
|-
|Computer Security Institute NetSec '07
|Jun 11-13, Scottsdale, AZ
|http://www.gocsi.com/netsec/
|-
|2007 USENIX Annual Technical Conference
|Jun 17-22, Santa Clara, CA
|http://www.usenix.org/events/
|-
|Third Government Forum of Incident Response and Security Teams Conference
|Jun 25-29, Orlando, FL
|http://www.us-cert.gov/GFIRST/index.html
|-
|First International Workshop on Cyber-Fraud
|Jul 01-06, San Jose, CA
|http://www.iaria.org/conferences2007/CYBERFRAUD.html
|-
|Detection of Intrusions and Malware & Vulnerability Assessment (DIMVA) 2007
|Jul 12-13, Lucerne, Switzerland
|http://www.gi-ev.de/fachbereiche/sicherheit/fg/sidar/dimva/
|-
|16th USENIX Security Symposium
|Aug 06-10, Boston, MA
|http://www.usenix.org/events/
|-
|GMU 2007 Symposium
|Aug 06-10, George Mason University, Fairfax, VA
|http://www.rcfg.org
|-
|Digital Forensic Research Workshop 2007
|Aug 13-15, Pittsburgh, PA
|http://www.dfrws.org/2007/index.html
|-
|HTCIA 2007 International Training Conference & Exposition
|Aug 27-29, San Diego, CA
|http://www.htcia-sd.org/htcia2007.html
|-
|Recent Advances in Intrusion Detection (RAID) 2007
|Sep 05-07, Gold Coast, Queensland, Australia
|http://www.isi.qut.edu.au/events/conferences/raid07
|-
|14th International Conference on Image Analysis and Processing (ICIAP 2007)
|Sep 10-14, Modena, Italy
|http://www.iciap2007.org
|-
|3rd International Conference on IT-Incident Management & IT-Forensics
|Sep 11-12, Stuttgart, Germany
|http://www.imf-conference.org/
|-
|Black and White Ball
|Sep 25-28, London, UK
|http://www.theblackandwhiteball.co.uk/
|-
|Techno-Forensics Conference
|Oct 29 - 31, Rockville, MD
|http://www.techsec.com/html/TechnoForensics2007.html
|-
|DeepSec IDSC
|Nov 22-24, Vienna, Austria
|http://deepsec.net/
|}

== On-going / Continuous Training ==
{| border="0" cellpadding="2" cellspacing="2" align="top"
|- style="background:#bfbfbf; font-weight: bold"
! Title
! Date/Location or Venue
! Website
|-
|Basic Computer Examiner Course
|Computer Forensic Training Online
|http://www.cftco.com
|-
|MaresWare Suite Training
|First full week every month, Atlanta, GA
|http://www.maresware.com/maresware/training/maresware.htm
|-
|Linux Data Forensics Training
|Distance Learning Format
|http://www.crazytrain.com/training.html
|}

== Scheduled Training Courses ==
{| border="0" cellpadding="2" cellspacing="2" align="top"
|- style="background:#bfbfbf; font-weight: bold"
! Title
! Date/Location
! Website
! Limitation
|-
|SMART for Linux
|12-15 Mar, Austin, TX
|http://asrdata.com/training/training2.html
|-
|AccessData BootCamp
|Mar 13-15, Boise, ID
|http://www.accessdata.com/training
|-
|AccessData Windows Forensics
|Mar 13-15, Chicago, IL
|http://www.accessdata.com/training
|-
|EnCase Enterprise v5-Phase I
|Mar 13-16, Washington DC
|http://www.guidancesoftware.com/training/schedule.asp
|-
|EnCase v5 Advanced Computer Forensics
|Mar 13-16, Washington DC
|http://www.guidancesoftware.com/training/schedule.asp
|-
|EnCase v5 Intermediate Analysis and Reporting
|Mar 13-16, United Kingdom
|http://www.guidancesoftware.com/training/schedule.asp
|-
|EnCase v5 Advanced Internet Examinations
|Mar 13-16, Los Angeles, CA
|http://www.guidancesoftware.com/training/schedule.asp
|-
|Computer Forensics First Responder
|Mar 14, Indianapolis, IN
|http://www.ifi-indy.org/ifi%20training/train.html
|-
|SARC Steganography Examiner Training
|Mar 17 - 18, Kennesaw, GA (Cybercrime Summit 2007)
|http://www.sarc-wv.com/training.aspx
|-
|Advanced Data Forensics Topics
|19-21 Mar, Austin, TX
|http://asrdata.com/training/training2.html
|-
|EnCase Enterprise v5-Phase II
|Mar 19-22, Washington DC
|http://www.guidancesoftware.com/training/schedule.asp
|-
|Applied Computer Forensics Boot Camp (CCE)
|Mar 19-23, Fort Lauderdale, FL and Atlanta, GA
|http://www.vigilar.com/training/cce
|-
|First Responder to Digital Evidence Program (FRDE)
|Mar 20-22, FLETC, Glynco, GA
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation/
|Limited to Law Enforcement
|-
|EnCase v5 FIM/Mobile Use of EE Live Forensics
|Mar 20-23, Washington DC
|http://www.guidancesoftware.com/training/schedule.asp
|-
|EnCase eDiscovery with v5
|Mar 20-23, Los Angeles, CA
|http://www.guidancesoftware.com/training/schedule.asp
|-
|EnCase v5 Advanced Internet Examinations
|Mar 20-23, United Kingdom
|http://www.guidancesoftware.com/training/schedule.asp
|-
|e-fense Live Forensics and Incident Response featuring Helix
|Mar 27-29, New York, NY
|https://www.e-fense.com/register.php
|-
|AccessData Internet Forensics
|Mar 27-29, London, England
|http://www.accessdata.com/training
|-
|AccessData Windows Forensics
|Mar 27-29, Albuquerque, NM
|http://www.accessdata.com/training
|-
|Live Forensics and Incident Response
|Mar 27-29, New York City, NY
|https://www.e-fense.com/register.php
|-
|EnCase v5 Network Intrusion Investigations-Phase I
|Mar 27-30, United Kingdom
|http://www.guidancesoftware.com/training/schedule.asp
|-
|EnCase v5 Intermediate Analysis and Reporting-Private Sector
|Mar 27-30, Los Angeles, CA
|http://www.guidancesoftware.com/training/schedule.asp
|-
|EnCase v5 Intermediate Analysis and Reporting
|Mar 27-30, Washington DC
|http://www.guidancesoftware.com/training/schedule.asp
|-
|Cyber Counterterrorism Investigations Training Program (CCITP)
|Apr 02-06, FLETC, Glynco, GA
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation/
|Limited to Law Enforcement
|-
|Digital Evidence Acquisition Specialist Training Program (DEASTP)
|Apr 02-13, FLETC, Glynco, GA
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation/
|Limited to Law Enforcement
|-
|AccessData BootCamp
|Apr 03-05, Dallas, TX
|http://www.accessdata.com/training
|-
|EnCase v5 Advanced Internet Examinations
|Apr 03-06, Washington DC
|http://www.guidancesoftware.com/training/schedule.asp
|-
|EnCase v5 Essentials
|Apr 03-06, Los Angeles, CA
|http://www.guidancesoftware.com/training/schedule.asp
|-
|SMART for Linux
|09-12 Apr, Austin, TX
|http://asrdata.com/training/training2.html
|-
|Applied Computer Forensics Boot Camp (CCE)
|Apr 09-13, Springfield, VA
|http://www.vigilar.com/training/cce
|-
|EnCase v5 Intermediate Analysis and Reporting
|Apr 10-13, Los Angeles, CA
|http://www.guidancesoftware.com/training/schedule.asp
|-
|EnCase v5 NTFS-Phase I
|Apr 10-13, Los Angeles, CA
|http://www.guidancesoftware.com/training/schedule.asp
|-
|EnCase v5 Network Intrusion Investigations-Phase I
|Apr 10-13, Washington DC
|http://www.guidancesoftware.com/training/schedule.asp
|-
|SMART Windows Data Forensics
|16-18 Apr, Austin, TX
|http://asrdata.com/training/training2.html
|-
|EnCase v5 Network Intrusion Investigations-Phase II
|Apr 16-19, Washington DC
|http://www.guidancesoftware.com/training/schedule.asp
|-
|EnCase v5 NTFS-Phase II
|Apr 16-19, Los Angeles, CA
|http://www.guidancesoftware.com/training/schedule.asp
|-
|AccessData Windows Forensics
|Apr 17-19, Austin, TX
|http://www.accessdata.com/training
|-
|EnCase Enterprise v5-Phase II
|Apr 17-20, United Kingdom
|http://www.guidancesoftware.com/training/schedule.asp
|-
|Seized Computer Evidence Recovery Specialist (SCERS)
|Apr 23-May 04, FLETC, Glynco, GA
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation/
|Limited to Law Enforcement
|-
|AccessData Windows Forensics
|Apr 24-26, Boise, ID and Solna, Sweden
|http://www.accessdata.com/training
|-
|Live Forensics and Incident Response
|Apr 24-26, Worcester University, UK
|https://www.e-fense.com/register.php
|-
|EnCase v5 Intermediate Analysis and Reporting-Private Sector
|Apr 24-27, United Kingdom
|http://www.guidancesoftware.com/training/schedule.asp
|-
|EnCase v5 FIM/Mobile Use of EE Live Forensics
|Apr 24-27, Los Angeles, CA
|http://www.guidancesoftware.com/training/schedule.asp
|-
|EnCase v5 Essentials
|Apr 24-27, Washington DC
|http://www.guidancesoftware.com/training/schedule.asp
|-
|Digital Forensics In The Enterprise
|Apr 25-27, New York City, NY
|http://www.securityfocus.com/archive/104/461947/30/0/threaded
|-
|EnCase v5 Intermediate Analysis and Reporting
|May 01-04, Washington DC
|http://www.guidancesoftware.com/training/schedule.asp
|-
|EnCase v5 Essentials
|May 01-04, United Kingdom
|http://www.guidancesoftware.com/training/schedule.asp
|-
|SMART for Linux
|07-10 May, Austin, TX
|http://asrdata.com/training/training2.html
|-
|AccessData Internet Forensics
|May 08-10, Albuquerque, NM
|http://www.accessdata.com/training
|-
|EnCase v5 Advanced Computer Forensics
|May 08-11, Washington DC
|http://www.guidancesoftware.com/training/schedule.asp
|-
|SMART Windows Data Forensics
|14-16 May, Austin, TX
|http://asrdata.com/training/training2.html
|-
|EnCase v5 Intermediate Analysis and Reporting
|May 15-18, United Kingdom
|http://www.guidancesoftware.com/training/schedule.asp
|-
|Computer Network Investigations Training Program (CNITP)
|May 15-25, FLETC, Glynco, GA
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation/
|Limited to Law Enforcement
|-
|AccessData Internet Forensics
|May 22-24, Solna, Sweden
|http://www.accessdata.com/training
|-
|EnCase v5 Advanced Computer Forensics
|May 22-25, United Kingdom
|http://www.guidancesoftware.com/training/schedule.asp
|-
|First Responder to Digital Evidence Program (FRDE)
|May 30-Jun 01, FLETC, Glynco, GA
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation/
|Limited to Law Enforcement
|-
|Computer Forensics First Responder
|May 31, Indianapolis, IN
|http://www.ifi-indy.org/ifi%20training/train.html
|-
|AccessData BootCamp
|May 31-Jun 02, Myrtle Beach, SC
|http://www.accessdata.com/training
|-
|AccessData Windows Forensics
|May 31-Jun 02, Myrtle Beach, SC
|http://www.accessdata.com/training
|-
|SMART for Linux
|04-07 Jun, Austin, TX
|http://asrdata.com/training/training2.html
|-
|AccessData BootCamp
|Jun 05-07, Albuquerque, NM
|http://www.accessdata.com/training
|-
|Advanced Data Forensics Topics
|11-13 Jun, Austin, TX
|http://asrdata.com/training/training2.html
|-
|Digital Evidence Acquisition Specialist Training Program (DEASTP)
|Jun 11-22, FLETC, Glynco, GA
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation/
|Limited to Law Enforcement
|-
|AccessData Internet Forensics
|Jun 12-14, Boise, ID
|http://www.accessdata.com/training
|-
|AccessData Windows Forensics
|Jun 19-21, Dallas, TX
|http://www.accessdata.com/training
|-
|SMART for Linux
|09-12 Jul, Austin, TX
|http://asrdata.com/training/training2.html
|-
|Cyber Counterterrorism Investigations Training Program (CCITP)
|Jul 09-13, FLETC, Glynco, GA
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation/
|Limited to Law Enforcement
|-
|SMART Windows Data Forensics
|16-18 Jul, Austin, TX
|http://asrdata.com/training/training2.html
|-
|Seized Computer Evidence Recovery Specialist (SCERS)
|Jul 16-27, FLETC, Glynco, GA
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation/
|Limited to Law Enforcement
|-
|AccessData BootCamp
|Jul 17-19, Boise, ID
|http://www.accessdata.com/training
|-
|AccessData Windows Forensics
|Jul 24-26, Albuquerque, NM
|http://www.accessdata.com/training
|-
|First Responder to Digital Evidence Program (FRDE)
|Jul 31-Aug 02, FLETC, Glynco, GA
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation/
|Limited to Law Enforcement
|-
|SMART for Linux
|06-09 Aug, Austin, TX
|http://asrdata.com/training/training2.html
|-
|Computer Network Investigations Training Program (CNITP)
|Aug 14-24, FLETC, Glynco, GA
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation/
|Limited to Law Enforcement
|-
|SMART Linux Data Forensics
|13-15 Aug, Austin, TX
|http://asrdata.com/training/training2.html
|-
|AccessData Internet Forensics
|Aug 14-16, Austin, TX
|http://www.accessdata.com/training
|-
|SMART for Linux
|03-06 Sep, Austin, TX
|http://asrdata.com/training/training2.html
|-
|First Responder to Digital Evidence Program (FRDE)
|Sep 11-13, FLETC, Glynco, GA
|http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation/
|Limited to Law Enforcement
|-
|AccessData Applied Decryption
|Sep 11-13, Dallas, TX
|http://www.accessdata.com/training
|-
|Enterprise Data Forensics
|17-19 Sep, Austin, TX
|http://asrdata.com/training/training2.html
|-
|AccessData Applied Decryption
|Sep 25-27, Chicago, IL
|http://www.accessdata.com/training
|-
|AccessData BootCamp
|Sep 25-27, Solna, SE
|http://www.accessdata.com/training
|-
|SMART for Linux
|01-04 Oct, Austin, TX
|http://asrdata.com/training/training2.html
|-
|SMART Windows Data Forensics
|08-10 Oct, Austin, TX
|http://asrdata.com/training/training2.html
|-
|SMART for Linux
|05-08 Nov, Austin, TX
|http://asrdata.com/training/training2.html
|-
|AccessData BootCamp
|Nov 06-08, Austin, TX
|http://www.accessdata.com/training
|-
|AccessData Windows Forensics
|Nov 06-08, Solna, Sweden
|http://www.accessdata.com/training
|-
|SMART Linux Data Forensics
|12-14 Nov, Austin, TX
|http://asrdata.com/training/training2.html
|-
|SMART for Linux
|03-06 Dec, Austin, TX
|http://asrdata.com/training/training2.html
|-
|AccessData Internet Forensics
|Dec 04-06, Solna, Sweden
|http://www.accessdata.com/training
|-
|Enterprise Data Forensics
|10-12 Dec, Austin, TX
|http://asrdata.com/training/training2.html
|}

Windows SuperFetch Format

Revision as of 00:41, 23 April 2014


SuperFetch is a memory management scheme that enhances the least-recently-accessed approach with historical information and proactive memory management. [http://technet.microsoft.com/en-us/magazine/2007.03.vistakernel.aspx]

<b>Note that the following format specifications are incomplete.</b>

== SuperFetch DB files ==

The <tt>Ag*.db</tt> files use the SuperFetch DB file format, e.g.:

<pre>
AgAppLaunch.db
AgCx_SC*.db
AgGlFaultHistory.db
AgGlFgAppHistory.db
AgGlGlobalHistory.db
AgGlUAD_%SID%.db
AgGlUAD_P_%SID%.db
AgRobust.db
</pre>

The SuperFetch DB files can be stored in uncompressed or compressed form, where different versions of Windows use different compressed forms:

* Compressed SuperFetch DB - MEMO file format; Windows Vista
* Compressed SuperFetch DB - MEM0 file format; Windows 7
* Compressed SuperFetch DB - MAM file format; Windows 8

=== Compressed SuperFetch DB - MEMO file format ===

A MEMO file consists of:

* file header
* compressed blocks

This format uses the LZNT1 compression method.

==== File header ====

The file header is 84 bytes in size and consists of:

{| class="wikitable"
! Offset
! Size
! Value
! Description
|-
| 0
| 4
| "MEMO" (0x4d, 0x45, 0x4d, 0x4f)
| Signature
|-
| 4
| 4
|
| Uncompressed (total) data size
|}

==== Compressed blocks ====

Each compressed block is one LZNT1 chunk: the block size is the chunk data size, which is stored in the LZNT1 chunk header, plus 2 bytes for the chunk header itself.

The uncompressed block size is 4096 (0x1000) bytes, or the remaining uncompressed data size for the last block.
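
The MEMO container and its LZNT1 chunks, as an added Python example that is not from this wiki page or from the tools it links: it reads the 84-byte header described above (bytes 8 to 83 are treated as undocumented), walks the chunk headers and decodes each chunk. Little-endian integers and the 0x3000 signature bits in the chunk header are assumptions; the sample file is constructed.

```python
import struct

HEADER_SIZE = 84            # header size given on this page; only bytes 0..7 are documented
LZNT1_COMPRESSED = 0x8000   # bit 15 of a chunk header: chunk is compressed, not stored


def lznt1_decompress_chunk(chunk: bytes) -> bytearray:
    """Decode the data of one compressed LZNT1 chunk (the bytes after its 2-byte header)."""
    out = bytearray()
    i = 0
    while i < len(chunk):
        flags = chunk[i]           # one flag bit per following item: 0 literal, 1 copy token
        i += 1
        for bit in range(8):
            if i >= len(chunk):
                break
            if not (flags >> bit) & 1:
                out.append(chunk[i])
                i += 1
                continue
            token = struct.unpack_from("<H", chunk, i)[0]
            i += 2
            # Split of the 16-bit token between offset and length bits depends on how
            # much of the chunk has been produced: more output means more offset bits.
            pos = len(out) - 1
            length_mask, offset_shift = 0xFFF, 12
            while pos >= 0x10:
                length_mask >>= 1
                offset_shift -= 1
                pos >>= 1
            length = (token & length_mask) + 3
            offset = (token >> offset_shift) + 1
            if offset > len(out):
                raise ValueError("LZNT1 back-reference before start of chunk")
            for _ in range(length):          # byte-wise copy so overlapping runs work
                out.append(out[-offset])
    return out


def lznt1_decompress(data: bytes) -> bytearray:
    """Walk LZNT1 chunks: 2-byte header, then (header & 0xFFF) + 1 bytes of chunk data."""
    out = bytearray()
    i = 0
    while i + 2 <= len(data):
        header = struct.unpack_from("<H", data, i)[0]
        i += 2
        if header == 0:                      # a zero header ends the stream
            break
        size = (header & 0xFFF) + 1          # chunk data size; whole block is size + 2
        chunk = data[i:i + size]
        if len(chunk) != size:
            raise ValueError("truncated LZNT1 chunk")
        i += size
        out += lznt1_decompress_chunk(chunk) if header & LZNT1_COMPRESSED else chunk
    return out


def parse_memo(data: bytes) -> tuple:
    """Parse a MEMO (Windows Vista) SuperFetch DB into (declared size, decompressed payload)."""
    if len(data) < HEADER_SIZE or data[:4] != b"MEMO":
        raise ValueError("not a MEMO SuperFetch DB")
    total = struct.unpack_from("<I", data, 4)[0]     # little-endian assumed
    payload = lznt1_decompress(data[HEADER_SIZE:])
    if len(payload) != total:
        raise ValueError(f"header declares {total} bytes, decompressed {len(payload)}")
    return total, bytes(payload)


# Constructed sample, not a real SuperFetch DB: one compressed chunk holding the literals
# "ABC" and a copy token (offset 3, length 9), which expands to "ABC" * 4 = 12 bytes.
SAMPLE_CHUNK = bytes([0x05, 0xB0,         # chunk header: compressed | signature | (6 - 1)
                      0x08,               # flag byte: items 0-2 literal, item 3 copy token
                      0x41, 0x42, 0x43,   # "A", "B", "C"
                      0x06, 0x20])        # token 0x2006: length 6 + 3, offset 2 + 1
SAMPLE_MEMO = b"MEMO" + struct.pack("<I", 12) + bytes(HEADER_SIZE - 8) + SAMPLE_CHUNK

if __name__ == "__main__":
    print(parse_memo(SAMPLE_MEMO))
```

A mismatch between the header's declared size and the decompressed length is the first sign of a truncated or carved-incorrectly file, so the parser refuses rather than returning partial data.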

=== Compressed SuperFetch DB - MEM0 file format ===

A MEM0 file consists of:

* file header
* compressed blocks

This format uses the LZXPRESS Huffman compression method.

==== File header ====

The file header is 84 bytes in size and consists of:

{| class="wikitable"
! Offset
! Size
! Value
! Description
|-
| 0
| 4
| "MEM0" (0x4d, 0x45, 0x4d, 0x30)
| Signature
|-
| 4
| 4
|
| Uncompressed (total) data size
|}

==== Compressed blocks ====

The file header is followed by compressed blocks, each of which consists of:

{| class="wikitable"
! Offset
! Size
! Value
! Description
|-
| 0
| 4
|
| Compressed data size
|-
| 4
| ...
|
| Compressed data
|}

The uncompressed block size is 65536 (0x10000) bytes, or the remaining uncompressed data size for the last block.
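
A walker for the MEM0 block layout, added here as an example rather than taken from the page or the linked sources: it uses the header's total size to derive how many bytes each block must decompress to and rejects files whose block chain does not line up with it. LZXPRESS Huffman decoding is not implemented; little-endian integers are assumed and the sample file is constructed.

```python
import struct

HEADER_SIZE = 84        # header size given on this page; bytes 8..83 are undocumented
BLOCK_SIZE = 0x10000    # every block but the last decompresses to 65536 bytes


def parse_mem0_header(data: bytes) -> int:
    """Check the "MEM0" signature and return the declared uncompressed (total) size."""
    if len(data) < HEADER_SIZE or data[:4] != b"MEM0":
        raise ValueError("not a MEM0 SuperFetch DB")
    return struct.unpack_from("<I", data, 4)[0]    # little-endian assumed


def walk_mem0_blocks(data: bytes) -> list:
    """Return (offset of block data, compressed size, expected uncompressed size) per block.

    The LZXPRESS Huffman payload is not decoded; the walker only checks that the chain
    of size-prefixed blocks covers exactly the total the header declares.
    """
    total = parse_mem0_header(data)
    blocks = []
    pos, remaining = HEADER_SIZE, total
    while remaining > 0:
        if pos + 4 > len(data):
            raise ValueError(f"block size field at {pos} runs past end of file")
        compressed_size = struct.unpack_from("<I", data, pos)[0]
        pos += 4
        if pos + compressed_size > len(data):
            raise ValueError(f"block at {pos} claims {compressed_size} bytes past end of file")
        expected = min(BLOCK_SIZE, remaining)       # 65536, or the remainder for the last block
        blocks.append((pos, compressed_size, expected))
        pos += compressed_size
        remaining -= expected
    if pos != len(data):                            # sanity check: nothing after the last block
        raise ValueError(f"{len(data) - pos} unexpected trailing bytes after last block")
    return blocks


# Constructed sample, not a real SuperFetch DB: header declaring 70000 uncompressed bytes,
# then two size-prefixed blocks whose "compressed" bytes are placeholders.
SAMPLE_MEM0 = (b"MEM0" + struct.pack("<I", 70000) + bytes(HEADER_SIZE - 8)
               + struct.pack("<I", 5) + b"\xAA" * 5      # block 1: must yield 65536 bytes
               + struct.pack("<I", 3) + b"\xBB" * 3)     # block 2: must yield 4464 bytes

if __name__ == "__main__":
    for offset, csize, usize in walk_mem0_blocks(SAMPLE_MEM0):
        print(f"block data @ {offset}: {csize} compressed -> {usize} uncompressed bytes")
```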

=== Compressed SuperFetch DB - MAM file format ===

A MAM file consists of:

* file header
* compressed blocks

This format uses the <b>TODO</b> compression method.

==== File header ====

<b>TODO</b>

{| class="wikitable"
! Offset
! Size
! Value
! Description
|-
| 0
| 4
| "MAM\x84" (0x4d, 0x41, 0x4d, 0x84)
| Signature
|}

==== Compressed blocks ====

<b>TODO</b>

=== Uncompressed SuperFetch DB format ===

<b>TODO</b>

==== File header ====

<b>TODO</b>

{| class="wikitable"
! Offset
! Size
! Value
! Description
|-
| 0
| 4
| 0x0000000e
| Unknown (Database type or signature?)
|-
| 4
| 4
|
| Uncompressed (total) data size
|}

== TRX files ==

The <tt>Ag*.db.trx</tt> files use the TRX file format, e.g.:

<pre>
AgCx_SC*.db.trx
</pre>

<b>Note that the following format specification is incomplete.</b>

=== File header ===

The file header is variable in size and consists of:

{| class="wikitable"
! Offset
! Size
! Value
! Description
|-
| 0
| 4
| 1
| Unknown (Version?)
|-
| 4
| 4
|
| Unknown
|-
| 8
| 4
|
| File size
|-
| 12
| 4
|
| Maximum number of records (of the record offsets array)
|-
| 16
| 4
|
| Number of records
|-
| 20
| ...
|
| Record offsets array, where each record offset is a 32-bit integer. Unused record offsets are set to 0.
|}
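
A parser for the TRX header specified above, added as an example and not the page's own code: it reads the fixed fields and the record offsets array and checks the invariants the table implies (file size matches, record count fits the array, unused slots are zero, used offsets point into the record area). Assumed, since the page does not state them: little-endian integers, record offsets relative to the start of the file, and that the number of records equals the count of non-zero offsets.

```python
import struct

FIXED_HEADER_SIZE = 20  # five 32-bit fields precede the record offsets array


def parse_trx_header(data: bytes) -> dict:
    """Parse a TRX header and return its fields plus the list of used record offsets."""
    if len(data) < FIXED_HEADER_SIZE:
        raise ValueError("too short for a TRX header")
    # Field order follows the table on this page; little-endian is assumed.
    version, unknown, file_size, max_records, num_records = struct.unpack_from("<5I", data, 0)
    if file_size != len(data):
        raise ValueError(f"header says {file_size} bytes, file has {len(data)}")
    if num_records > max_records:
        raise ValueError("number of records exceeds the record offsets array")
    array_end = FIXED_HEADER_SIZE + 4 * max_records
    if array_end > file_size:
        raise ValueError("record offsets array runs past end of file")
    offsets = struct.unpack_from(f"<{max_records}I", data, FIXED_HEADER_SIZE)
    used = [o for o in offsets if o != 0]       # unused slots are 0 according to the page
    if len(used) != num_records:
        raise ValueError(f"{len(used)} non-zero offsets but header counts {num_records}")
    for off in used:                            # offsets assumed relative to file start
        if not array_end <= off < file_size:
            raise ValueError(f"record offset {off} lies outside the record area")
    return {"version": version, "unknown": unknown, "file_size": file_size,
            "max_records": max_records, "num_records": num_records,
            "record_offsets": used}


def build_sample_trx() -> bytes:
    """Constructed TRX image (not a real file): 4 offset slots, 2 used, two 8-byte records."""
    max_records = 4
    records = b"\x11" * 8 + b"\x22" * 8           # record layout is TODO on this page
    array_end = FIXED_HEADER_SIZE + 4 * max_records  # 36
    offsets = [array_end, array_end + 8, 0, 0]
    file_size = array_end + len(records)             # 52
    return (struct.pack("<5I", 1, 0, file_size, max_records, 2)
            + struct.pack("<4I", *offsets) + records)


SAMPLE_TRX = build_sample_trx()

if __name__ == "__main__":
    print(parse_trx_header(SAMPLE_TRX))
```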

=== Record ===

<b>TODO describe</b>

== See Also ==

* [[SuperFetch]]

== External Links ==

* [http://technet.microsoft.com/en-us/magazine/2007.03.vistakernel.aspx Inside the Windows Vista Kernel: Part 2], by [[Mark Russinovich]], March 2007
* [http://blog.rewolf.pl/blog/?p=214 Windows SuperFetch file format – partial specification], by ReWolf, October 5, 2011

[[Category:File Formats]]