Difference between pages "Upcoming events" and "Windows SuperFetch Format"

From ForensicsWiki
Revision as of 00:41, 23 April 2014


SuperFetch is a memory management scheme that enhances the least-recently-accessed approach with historical information and proactive memory management. [1]

Note that the following format specifications are incomplete.

SuperFetch DB files

The Ag*.db files are in the SuperFetch DB file format, e.g.:

AgAppLaunch.db
AgCx_SC*.db
AgGlFaultHistory.db
AgGlFgAppHistory.db
AgGlGlobalHistory.db
AgGlUAD_%SID%.db
AgGlUAD_P_%SID%.db
AgRobust.db

The SuperFetch DB files can be stored in uncompressed or compressed form, where different versions of Windows use different compressed forms:

  • Compressed SuperFetch DB - MEMO file format; Windows Vista
  • Compressed SuperFetch DB - MEM0 file format; Windows 7
  • Compressed SuperFetch DB - MAM file format; Windows 8

Compressed SuperFetch DB - MEMO file format

A MEMO file consists of:

  • file header
  • compressed blocks

This format uses the LZNT1 compression method.

File header

The file header is 84 bytes in size and consists of:

Offset  Size  Value                            Description
0       4     "MEMO" (0x4d, 0x45, 0x4d, 0x4f)  Signature
4       4                                      Uncompressed (total) data size

Compressed blocks

The compressed block size is the chunk data size, which is stored in the LZNT1 chunk header that is part of the compressed data, plus 2 bytes for the chunk header itself.

Each block decompresses to 4096 (0x1000) bytes, except the last block, which holds the remaining uncompressed data.

Compressed SuperFetch DB - MEM0 file format

A MEM0 file consists of:

  • file header
  • compressed blocks

This format uses the LZXPRESS Huffman compression method.

File header

The file header is 84 bytes in size and consists of:

Offset  Size  Value                            Description
0       4     "MEM0" (0x4d, 0x45, 0x4d, 0x30)  Signature
4       4                                      Uncompressed (total) data size

Compressed blocks

The file header is followed by compressed blocks, each consisting of:

Offset  Size  Value  Description
0       4            Compressed data size
4       ...          Compressed data

Each block decompresses to 65536 (0x10000) bytes, except the last block, which holds the remaining uncompressed data.
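An added example (not code from the page or from any SuperFetch tool) that identifies a DB file from the signatures above and, for MEMO and MEM0 files, walks the compressed blocks without decompressing them, checking that the blocks present account for the stated uncompressed total. The offset of the first block is a parameter, because the page states an 84-byte header but documents only its first 8 bytes; the constructed samples assume blocks start at offset 8, and the LZNT1 chunk-header bit layout is taken from MS-XCA rather than from the page.

```python
import struct

# Signatures as given on the page. The 0x0000000e value of uncompressed files is marked
# "Unknown (Database type or signature?)" there, so it is only matched tentatively.
SIGNATURES = {b"MEMO": "MEMO", b"MEM0": "MEM0", b"MAM\x84": "MAM", b"\x0e\x00\x00\x00": "RAW"}
BLOCK_SIZE = {"MEMO": 0x1000, "MEM0": 0x10000}  # uncompressed size of every block but the last

def identify(data):
    """Return (kind, uncompressed_total) from the first 8 bytes of a SuperFetch DB file."""
    if len(data) < 8:
        raise ValueError("too short for a SuperFetch DB header")
    sig, total = struct.unpack_from("<4sI", data, 0)
    kind = SIGNATURES.get(sig)
    if kind is None:
        raise ValueError("unknown signature %r" % sig)
    return kind, (None if kind == "MAM" else total)  # MAM: nothing past the signature is documented

def walk_blocks(data, data_offset):
    """Walk the compressed blocks of a MEMO (LZNT1) or MEM0 (LZXPRESS Huffman) file without
    decompressing them. Returns (offset, compressed_size, uncompressed_size) per block and
    raises ValueError when the blocks present cannot account for the stated total."""
    kind, total = identify(data)
    if kind not in BLOCK_SIZE:
        raise ValueError("block layout of %s files is not documented" % kind)
    blocks, pos, remaining = [], data_offset, total
    while remaining > 0:
        hlen = 2 if kind == "MEMO" else 4
        if pos + hlen > len(data):
            raise ValueError("missing block header at offset %d (truncated file?)" % pos)
        if kind == "MEMO":
            # LZNT1 chunk header: low 12 bits hold the chunk data size minus 1 (MS-XCA), so the
            # block occupies that data size plus the 2-byte header, as the page states.
            (hdr,) = struct.unpack_from("<H", data, pos)
            csize = (hdr & 0x0FFF) + 1 + 2
        else:
            # MEM0 block: 4-byte compressed data size, then the compressed data itself.
            (csize,) = struct.unpack_from("<I", data, pos)
            csize += 4
        usize = min(BLOCK_SIZE[kind], remaining)  # 4096 / 65536, or the remainder for the last block
        if pos + csize > len(data):
            raise ValueError("block at offset %d runs past end of file (truncated file?)" % pos)
        blocks.append((pos, csize, usize))
        pos, remaining = pos + csize, remaining - usize
    return blocks

def sample(kind, data_offset=8):
    """Constructed samples with filler payloads (not real compressed streams): MEM0 with total
    70000 -> blocks of 65536 and 4464; MEMO with total 5000 -> blocks of 4096 and 904."""
    if kind == "MEM0":
        header = struct.pack("<4sI", b"MEM0", 70000)
        body = b"".join(struct.pack("<I", n) + b"\xAA" * n for n in (300, 40))
    else:  # MEMO chunk headers carry the 0x8000 'compressed' flag and 0x3000 signature bits
        header = struct.pack("<4sI", b"MEMO", 5000)
        body = b"".join(struct.pack("<H", 0xB000 | (n - 1)) + b"\xBB" * n for n in (100, 20))
    return header.ljust(data_offset, b"\0") + body
```

A mismatch between the header total and the blocks actually present is the first thing to check on a carved or partially overwritten Ag*.db before handing it to a decompressor.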

Compressed SuperFetch DB - MAM file format

A MAM file consists of:

  • file header
  • compressed blocks

This format uses the TODO compression method.

File header

TODO

Offset  Size  Value                               Description
0       4     "MAM\x84" (0x4d, 0x41, 0x4d, 0x84)  Signature

Compressed blocks

TODO

Uncompressed SuperFetch DB format

TODO

File header

TODO

Offset  Size  Value       Description
0       4     0x0000000e  Unknown (Database type or signature?)
4       4                 Uncompressed (total) data size

TRX files

The Ag*.db.trx files are in the TRX file format, e.g.:

AgCx_SC*.db.trx

Note that the following format specification is incomplete.

File header

The file header is variable in size and consists of:

Offset  Size  Value  Description
0       4     1      Unknown (Version?)
4       4            Unknown
8       4            File size
12      4            Maximum number of records (size of the record offsets array)
16      4            Number of records
20      ...          Record offsets array, where each record offset is a 32-bit integer. Unused record offsets are set to 0.
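An added example (not code from the page) that parses the TRX header above and cross-checks its fields: the file size against the actual length, the number of records against the maximum, and every non-zero record offset against the file bounds. The assumptions that records lie after the offsets array, that the count of non-zero offsets equals the number of records, and that records are stored back to back are mine, not the page's.

```python
import struct

TRX_HEADER_FMT = "<IIIII"   # version?, unknown, file size, max records, number of records
TRX_FIXED_SIZE = struct.calcsize(TRX_HEADER_FMT)   # 20 bytes; the record offsets array follows

def parse_trx_header(data):
    """Parse the fixed TRX header and the record offsets array and cross-check them.
    Returns a dict of the fields; raises ValueError on any inconsistency."""
    if len(data) < TRX_FIXED_SIZE:
        raise ValueError("too short for a TRX header")
    version, unknown, file_size, max_records, num_records = struct.unpack_from(TRX_HEADER_FMT, data, 0)
    array_end = TRX_FIXED_SIZE + 4 * max_records
    if array_end > len(data):
        raise ValueError("record offsets array (%d entries) runs past the end of the data" % max_records)
    if file_size != len(data):
        raise ValueError("header file size %d does not match actual size %d" % (file_size, len(data)))
    if num_records > max_records:
        raise ValueError("number of records %d exceeds maximum %d" % (num_records, max_records))
    offsets = list(struct.unpack_from("<%dI" % max_records, data, TRX_FIXED_SIZE))
    used = [o for o in offsets if o != 0]        # unused slots are 0, per the page
    # Assumption (not stated on the page): a record lies after the offsets array and inside the file.
    bad = [o for o in used if o < array_end or o >= file_size]
    if bad:
        raise ValueError("record offsets outside the record area: %r" % bad)
    # Assumption: the number of non-zero offsets equals the "Number of records" field.
    if len(used) != num_records:
        raise ValueError("header claims %d records but %d offsets are in use" % (num_records, len(used)))
    return {"version": version, "unknown": unknown, "file_size": file_size,
            "max_records": max_records, "num_records": num_records,
            "offsets": offsets, "record_offsets": used}

def record_sizes(data):
    """Size of each record, assuming records are stored back to back in offset order and the
    last one runs to the end of the file (assumption; the record layout is TODO on the page)."""
    hdr = parse_trx_header(data)
    bounds = sorted(hdr["record_offsets"]) + [hdr["file_size"]]
    return [end - start for start, end in zip(bounds, bounds[1:])]

def sample_trx():
    """Constructed sample: 4 offset slots, 2 records in use at offsets 36 and 48, file size 56."""
    records = b"\x11" * 12 + b"\x22" * 8
    body = struct.pack("<4I", 36, 48, 0, 0) + records
    file_size = TRX_FIXED_SIZE + len(body)
    return struct.pack(TRX_HEADER_FMT, 1, 0, file_size, 4, 2) + body
```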

Record

TODO describe

See Also

  • SuperFetch

External Links

  • Inside the Windows Vista Kernel: Part 2, by Mark Russinovich, March 2007: http://technet.microsoft.com/en-us/magazine/2007.03.vistakernel.aspx
  • Windows SuperFetch file format – partial specification, by ReWolf, October 5, 2011: http://blog.rewolf.pl/blog/?p=214