Upcoming events

From ForensicsWiki

PLEASE READ BEFORE YOU EDIT THE LISTS BELOW

Events should be posted in the correct section, and in date order. An event should NEVER be listed in more than one section (i.e. Ongoing/Continuous events should not be listed in Scheduled Training). When events begin the same day, events of a longer length should be listed first. New postings of events with the same date(s) as other events should be added after events already in the list. If a provider offers the same event at several locations simultaneously, the listing should have a single (ONE) entry in the list with the date(s) and ALL locations for the event. Please use three-letter month abbreviations (i.e. Sep, NOT Sept. or September), use two-digit dates (i.e. Jan 01 NOT Jan 1), and use date ranges rather than listing every date during an event (i.e. Jan 02-05, NOT Jan 02, 03, 04, 05).

Some conferences or training opportunities may be limited to Law Enforcement Only or to a specific audience. Such restrictions should be noted when known.

This is a BY DATE listing of upcoming conferences and training events relevant to digital forensics. It is not an all-inclusive list, but includes most well-known activities. Some events may duplicate events on the generic conferences page, but entries in this list have specific dates and locations for the upcoming event.

This listing is divided into four sections (described as follows):

  1. Calls For Papers - Calls for papers for either Journals or for Conferences, relevant to Digital Forensics (Name, Closing Date, URL)
  2. Conferences - Conferences relevant for Digital Forensics (Name, Date, Location, URL)
  3. On-Going / Continuous Training - Training opportunities that are either always available in an online/distance learning format or that are offered at the same time every month (Name, date if applicable, URL)
  4. Scheduled Training Courses - Training Classes/Courses that are scheduled for specific dates/locations. This would include online (or distance learning format) courses which begin on specific dates, instead of the "start anytime" courses listed in the previous section. (Name, Date(s), Location(s), URL) (note: this has been moved to its own page.)

The Conference and Training List is provided by the American Academy of Forensic Sciences (AAFS) Digital and Multimedia Sciences Section Listserv. (Subscribe by sending an email to listserv@lists.mitre.org with message body containing SUBSCRIBE AAFS-DIGITAL-MULTIMEDIA-LIST)

Requests for additions, deletions or corrections to this list may be sent by email to David Baker (bakerd AT mitre.org).

Calls For Papers

Title | Due Date | Website
Digital Forensics Forum Arabia 2008 | Aug 31, 2008 | http://dff-worldwide.com/index.php?page=call-for-papers&hl=en_US
IEEE ICC Communication and Information Systems Security (CISS) Symposium | Sep 8, 2008 | http://www.ieee-icc.org/2009/cfp.html
5th Annual IFIP WG 11.9 International Conference on Digital Forensics | Oct 15, 2008 | http://www.ifip119.org/Conferences/WG11-9-CFP-2009.pdf
3rd Edition of Small Scale Digital Device Forensics Journal | Jan 31, 2009 | http://www.ssddfj.org/Call.asp

Conferences

Title | Date/Location | Website
2nd French-Speaking Days on Digital Investigations - Journées Francophones de l'Investigation Numérique 2008 | Sep 03-05, Vandoeuvre-lès-Nancy, France | http://www.afsin.org/
1st Workshop on Open Source Software for Computer and Network Forensics | Sep 07-10, Milan, Italy | http://conferenze.dei.polimi.it/ossconf/index.php
11th International Symposium on Recent Advances in Intrusion Detection | Sep 15-17, Cambridge, MA | http://www.ll.mit.edu/IST/RAID2008/
4th International Conference on IT Incident Management & IT Forensics | Sep 23-25, Mannheim, Germany | http://www.imf-conference.org/
Open Web Application Security Project (OWASP) AppSec 2008 Conference | Sep 24-25, New York City, NY | http://www.owasp.org/index.php/OWASP_NYC_AppSec_2008_Conference
VB2008 anti-malware conference | Oct 01-03, Ottawa, Canada | http://www.virusbtn.com/conference/vb2008/
ENFSI Forensic IT Working Group meeting (Limited to law enforcement) | Oct 01-03, Madrid, Spain | http://www.enfsi.eu/page.php?uid=2
ANZFSS - 19th International Symposium on the Forensic Sciences | Oct 06-09, Melbourne, Australia | http://www.anzfss2008.org.au/
13th European Symposium on Research in Computer Security | Oct 06-08, Malaga, Spain | http://www.isac.uma.es/esorics08/
Economic and High Tech Crime Summit 2008 | Oct 07-08, Memphis, TN | http://summit.nw3c.org/
First Eurasian Congress of Forensic Sciences | Oct 08-11, Istanbul, Turkey | http://www.adlitip2008.com/indexen.asp
3rd International Annual Workshop on Digital Forensics & Incident Analysis | Oct 09, Malaga, Spain | http://www.icsd.aegean.gr/wdfia08/
Anti-Phishing Working Group eCrime Researchers Summit | Oct 15-16, Atlanta, GA | http://www.ecrimeresearch.org/
2008 HTCIA International Training Conference | Oct 22-28, Atlantic City, NJ | http://www.htcia.org/conference.shtml
2008 International Video Evidence Symposium and Training Conference | Oct 22-24, Orlando, FL | http://leva.org/index.php?option=com_content&task=view&id=56&Itemid=98
DeepSec 2008 | Nov 11-14, Vienna, Austria | https://deepsec.net/
Digital Forensics Forum Arabia 2008 | Dec 15-17, Manama, Bahrain | http://dff-worldwide.com/index.php?page=dff-arabia-2008-conference&hl=en_US
2009 DoD Cyber Crime Conference | Jan 24-30, St. Louis, MO | http://www.dodcybercrime.com/
5th Annual IFIP WG 11.9 International Conference on Digital Forensics | Jan 25-28, Orlando, FL | http://www.ifip119.org/Conferences/
American Academy of Forensic Sciences Annual Meeting | Feb 16-21, Denver, CO | http://www.aafs.org/default.asp?section_id=meetings&page_id=aafs_annual_meeting
24th Annual ACM Symposium on Applied Computing - Computer Forensics Track | Mar 08-12, Honolulu, HI | http://www.acm.org/conferences/sac/sac2009
2009 Techno Security Conference | May 31 - Jun 03, Myrtle Beach, SC | http://www.techsec.com/index.html
Mobile Forensics World 2009 | Jun 01 - Jun 06, Chicago, IL | http://www.mobileforensicsworld.com
IEEE ICC Communication and Information Systems Security (CISS) Symposium | Jun 14-18, Dresden, Germany | http://www.ieee-icc.org/2009/
Digital Forensic Research Workshop | Aug 17-19, Montreal, Quebec, Canada | http://www.dfrws.org

On-going / Continuous Training

Title | Date/Location or Venue | Website
Basic Computer Examiner Course - Computer Forensic Training Online | Distance Learning Format | http://www.cftco.com
Computer Forensics Training and CCE Testing for Litigation Support Professionals | Third weekend of every month (Fri-Mon), Dallas, TX | http://www.md5group.com
Evidence Recovery for Windows Vista | First full week every month, Brunswick, GA | http://www.internetcrimes.net
Evidence Recovery for Windows Server 2003 R2 | Second full week every month, Brunswick, GA | http://www.internetcrimes.net
Evidence Recovery for the Windows XP operating system | Third full week every month, Brunswick, GA | http://www.internetcrimes.net
Linux Data Forensics Training | Distance Learning Format | http://www.crazytrain.com/training.html
MaresWare Suite Training | First full week every month, Atlanta, GA | http://www.maresware.com/maresware/training/maresware.htm
SANS On-Demand Training | Distance Learning Format | http://www.sans.org/ondemand/?portal=69456f95660ade45be29c00b0c14aea1

Scheduled Training Courses

(This section has been moved to its own page.)


Windows SuperFetch Format
Revision as of 00:41, 23 April 2014

SuperFetch is a memory management scheme, introduced in Windows Vista, that enhances the least-recently-accessed approach with historical information and proactive memory management. [1] The usage history it collects is persisted in database files in the %SystemRoot%\Prefetch directory, next to the .pf prefetch files, which is why these files are of forensic interest.

Note that the following format specifications are incomplete.

SuperFetch DB files

The Ag*.db files use the SuperFetch database file format, e.g.:

AgAppLaunch.db
AgCx_SC*.db
AgGlFaultHistory.db
AgGlFgAppHistory.db
AgGlGlobalHistory.db
AgGlUAD_%SID%.db
AgGlUAD_P_%SID%.db
AgRobust.db

The SuperFetch DB files can be stored in uncompressed or compressed form, where different versions of Windows use different compressed forms. The variant can be told apart by the first 4 bytes of the file:

  • Compressed SuperFetch DB - MEMO file format; Windows Vista
  • Compressed SuperFetch DB - MEM0 file format; Windows 7
  • Compressed SuperFetch DB - MAM file format; Windows 8

Compressed SuperFetch DB - MEMO file format

The MEMO file consists of:

  • file header
  • compressed blocks

This format uses the LZNT1 compression method (the algorithm Windows exposes as COMPRESSION_FORMAT_LZNT1 through RtlCompressBuffer and RtlDecompressBuffer, and also uses for NTFS file compression).

File header

The file header is 84 bytes in size; only the first 8 bytes are described:

Offset | Size | Value | Description
0 | 4 | "MEMO" (0x4d, 0x45, 0x4d, 0x4f) | Signature
4 | 4 | | Uncompressed (total) data size

Compressed blocks

The compressed data is a sequence of LZNT1 chunks. Each chunk begins with a 2-byte little-endian chunk header that is part of the LZNT1 data itself: bits 0-11 hold the chunk data size minus 1, bits 12-14 hold the constant chunk signature value 3, and bit 15 is set when the chunk is compressed (when it is clear, the chunk data is stored as-is). The compressed block size is therefore the chunk data size + 2 bytes for the chunk header.

The uncompressed block size is 4096 (0x1000) bytes, or the remaining uncompressed data size for the last block.
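The following Python parser is an added example, not code from ForensicsWiki or from ReWolf's specification. It reads a MEMO database the way the section above describes it: it checks the signature, takes the uncompressed total size from offset 4, skips the 84-byte header the page states (only the first 8 bytes of which are documented, so the data offset is a constant to verify against a real file; a wrong offset fails the chunk-signature check instead of producing garbage), and then walks LZNT1 chunks, producing 4096 bytes per chunk. The chunk decoder follows the standard LZNT1 token scheme (a flag byte, then eight literal or two-byte back-reference tokens whose displacement/length split widens as the output grows). The sample file at the bottom is constructed by hand for this example.

```python
import struct

MEMO_SIGNATURE = b"MEMO"
MEMO_HEADER_SIZE = 84        # header size as stated on the page; only bytes 0-7 are documented
LZNT1_CHUNK_OUTPUT = 4096    # every chunk but the last decodes to this many bytes


def _decode_lznt1_chunk(chunk):
    """Decode one compressed LZNT1 chunk body (the bytes after its 2-byte header)."""
    out = bytearray()
    i = 0
    while i < len(chunk):
        flags = chunk[i]                       # one flag bit per following token
        i += 1
        for bit in range(8):
            if i >= len(chunk):
                break
            if not (flags >> bit) & 1:         # bit clear: literal byte
                out.append(chunk[i])
                i += 1
                continue
            token = struct.unpack_from("<H", chunk, i)[0]
            i += 2
            # Displacement/length split depends on how much has been output:
            # 4 displacement bits for output positions 1-16, 5 for 17-32, and so on.
            p = len(out) - 1
            length_mask, disp_shift = 0x0FFF, 12
            while p >= 0x10:
                length_mask >>= 1
                disp_shift -= 1
                p >>= 1
            length = (token & length_mask) + 3
            displacement = (token >> disp_shift) + 1
            if displacement > len(out):
                raise ValueError("LZNT1 back-reference points before the chunk start")
            for _ in range(length):            # byte-wise copy so overlapping runs work
                out.append(out[-displacement])
    return bytes(out)


def lznt1_decompress(data, expected_size):
    """Decode consecutive LZNT1 chunks until the data, a zero header or expected_size ends it."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(data) and len(out) < expected_size:
        header = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if header == 0:                        # end-of-stream marker
            break
        if (header >> 12) & 0x7 != 3:          # bits 12-14: constant chunk signature
            raise ValueError("bad LZNT1 chunk signature at offset %d" % (pos - 2))
        chunk_size = (header & 0x0FFF) + 1     # bits 0-11: chunk data size minus one
        chunk = data[pos:pos + chunk_size]
        if len(chunk) != chunk_size:
            raise ValueError("truncated LZNT1 chunk at offset %d" % pos)
        pos += chunk_size
        if header & 0x8000:                    # bit 15: chunk is compressed
            out += _decode_lznt1_chunk(chunk)
        else:                                  # otherwise the chunk is stored as-is
            out += chunk
    return bytes(out)


def parse_memo_db(blob):
    """Return (declared uncompressed size, decompressed payload) of a MEMO SuperFetch DB."""
    if blob[:4] != MEMO_SIGNATURE:
        raise ValueError("not a MEMO SuperFetch database")
    uncompressed_size = struct.unpack_from("<I", blob, 4)[0]
    payload = lznt1_decompress(blob[MEMO_HEADER_SIZE:], uncompressed_size)
    if len(payload) != uncompressed_size:
        raise ValueError("decoded %d bytes but header declares %d" % (len(payload), uncompressed_size))
    return uncompressed_size, payload


# Constructed sample, not a real SuperFetch file: an 84-byte header, one stored
# (uncompressed) 4096-byte chunk, then one hand-encoded compressed chunk that expands
# to "abc" * 10: three literals, a 21-byte back-reference (displacement 3) and a 6-byte
# back-reference that, because 24 bytes are already out, uses the 5-bit displacement form.
SAMPLE_PAYLOAD = b"X" * LZNT1_CHUNK_OUTPUT + b"abc" * 10
SAMPLE_MEMO = (
    MEMO_SIGNATURE + struct.pack("<I", len(SAMPLE_PAYLOAD)) + b"\x00" * (MEMO_HEADER_SIZE - 8)
    + struct.pack("<H", 0x3000 | (LZNT1_CHUNK_OUTPUT - 1)) + b"X" * LZNT1_CHUNK_OUTPUT
    + struct.pack("<H", 0xB000 | (8 - 1)) + b"\x18abc\x12\x20\x03\x10"
)

if __name__ == "__main__":
    size, data = parse_memo_db(SAMPLE_MEMO)
    print("declared %d bytes, decoded %d bytes, tail %r" % (size, len(data), data[-30:]))
```

The decoder stops when the declared uncompressed size has been reached, which is what a forensic tool wants: trailing slack after the last chunk is ignored rather than misread, and a size mismatch is reported instead of silently returning a short buffer.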

Compressed SuperFetch DB - MEM0 file format

The MEM0 file consists of:

  • file header
  • compressed blocks

This format uses the LZXPRESS Huffman compression method (the Xpress Huffman variant described in [MS-XCA], exposed by Windows as COMPRESSION_FORMAT_XPRESS_HUFF). Unlike the single LZNT1 stream of the MEMO format, each block is a separately framed piece of compressed data.

File header

The file header is 84 bytes in size; only the first 8 bytes are described:

Offset | Size | Value | Description
0 | 4 | "MEM0" (0x4d, 0x45, 0x4d, 0x30) | Signature
4 | 4 | | Uncompressed (total) data size

Compressed blocks

The file header is followed by compressed blocks, each framed as:

Offset | Size | Value | Description
0 | 4 | | Compressed data size
4 | ... | | Compressed data

The uncompressed block size is 65536 (0x10000) bytes, or the remaining uncompressed data size for the last block; the number of blocks therefore follows from the uncompressed total size in the file header.
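As an added example (not from the page or from ReWolf), the following Python walks the MEM0 block table described above and also classifies a file by its first four bytes for all four variants listed on this page. It does not decompress the blocks: Xpress Huffman needs a dedicated decoder (on Windows, RtlDecompressBufferEx with COMPRESSION_FORMAT_XPRESS_HUFF). What it checks is the part the framing itself makes checkable: because every block but the last expands to 64 KiB, the uncompressed total size in the header fixes how many blocks there must be, so a truncated or padded file is caught before any block is handed to a decompressor. The 84-byte header offset is the page's figure; the sample bytes are constructed for the example.

```python
import struct

HEADER_SIZE = 84             # header size as stated on the page; only bytes 0-7 are documented
MEM0_BLOCK_OUTPUT = 0x10000  # every MEM0 block but the last decompresses to 64 KiB


def identify_variant(blob):
    """Classify a SuperFetch DB by the four signature bytes listed on this page."""
    if blob[:4] == b"MEMO":
        return "MEMO"          # Windows Vista, LZNT1
    if blob[:4] == b"MEM0":
        return "MEM0"          # Windows 7, LZXPRESS Huffman
    if blob[:4] == b"MAM\x84":
        return "MAM"           # Windows 8
    if len(blob) >= 4 and struct.unpack_from("<I", blob, 0)[0] == 0x0000000E:
        return "uncompressed"  # leading 0x0e; its meaning is still unknown
    return "unknown"


def walk_mem0_blocks(blob):
    """Return (uncompressed total size, [(data offset, compressed size), ...]) for a MEM0
    file, refusing files whose block table does not match the header."""
    if identify_variant(blob) != "MEM0":
        raise ValueError("not a MEM0 SuperFetch database")
    uncompressed_size = struct.unpack_from("<I", blob, 4)[0]
    # All blocks but the last yield 64 KiB, so the header fixes the block count.
    expected_blocks = (uncompressed_size + MEM0_BLOCK_OUTPUT - 1) // MEM0_BLOCK_OUTPUT
    blocks = []
    pos = HEADER_SIZE
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated block size field at offset %d" % pos)
        compressed_size = struct.unpack_from("<I", blob, pos)[0]
        data_start = pos + 4
        if data_start + compressed_size > len(blob):
            raise ValueError("block at offset %d runs past the end of the file" % pos)
        blocks.append((data_start, compressed_size))
        pos = data_start + compressed_size
    if len(blocks) != expected_blocks:
        raise ValueError("found %d blocks, header implies %d" % (len(blocks), expected_blocks))
    return uncompressed_size, blocks


# Constructed sample, not a real file: the header claims 2 * 64 KiB + 100 bytes of
# uncompressed data, so exactly three blocks must follow. The block bodies are opaque
# placeholder bytes; a real file would hold Xpress Huffman data here.
SAMPLE_BLOCK_BODIES = [b"\x01" * 10, b"\x02" * 20, b"\x03" * 5]
SAMPLE_MEM0 = (
    b"MEM0" + struct.pack("<I", 2 * MEM0_BLOCK_OUTPUT + 100) + b"\x00" * (HEADER_SIZE - 8)
    + b"".join(struct.pack("<I", len(body)) + body for body in SAMPLE_BLOCK_BODIES)
)

if __name__ == "__main__":
    total, table = walk_mem0_blocks(SAMPLE_MEM0)
    print(identify_variant(SAMPLE_MEM0), total, table)
```

Each (offset, size) pair from the table is exactly the argument a block decompressor needs, and the expected output size of every block is known in advance (64 KiB, or the remainder for the last one), which is what a bounded decompression call should be given.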

Compressed SuperFetch DB - MAM file format

The MAM file consists of:

  • file header
  • compressed blocks

This format uses the TODO compression method.

File header

TODO

Offset | Size | Value | Description
0 | 4 | "MAM\x84" (0x4d, 0x41, 0x4d, 0x84) | Signature

Compressed blocks

TODO

Uncompressed SuperFetch DB format

TODO

File header

TODO

Offset | Size | Value | Description
0 | 4 | 0x0000000e | Unknown (Database type or signature?)
4 | 4 | | Uncompressed (total) data size

TRX files

The Ag*.db.trx files use the TRX file format, e.g.:

AgCx_SC*.db.trx

Note that the following format specification is incomplete.

File header

The file header is variable in size (20 bytes of fixed fields followed by the record offsets array) and consists of:

Offset | Size | Value | Description
0 | 4 | 1 | Unknown (Version?)
4 | 4 | | Unknown
8 | 4 | | File size
12 | 4 | | Maximum number of records (number of entries in the record offsets array)
16 | 4 | | Number of records
20 | ... | | Record offsets array, where each record offset is a 32-bit integer. Unused record offsets are set to 0.
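An added Python example (not the page's or ReWolf's code) that parses the TRX header fields listed above and the record offsets array. Since the record layout is still undocumented here, the example does not interpret records; it checks the header against the file (file size field, record count versus array capacity, non-zero offsets inside the file) and, as a labelled assumption, carves each record as the bytes from its offset up to the next higher offset or the end of the file. The builder used for the sample TRX is part of the example and produces a constructed file, not a real one.

```python
import struct

TRX_FIXED_HEADER = struct.Struct("<IIIII")  # version?, unknown, file size, max records, record count


def parse_trx(blob):
    """Parse the TRX header and the record offsets array, then carve the records."""
    if len(blob) < TRX_FIXED_HEADER.size:
        raise ValueError("file too small for a TRX header")
    version, unknown, file_size, max_records, num_records = TRX_FIXED_HEADER.unpack_from(blob, 0)
    if file_size != len(blob):
        raise ValueError("header file size %d does not match actual size %d" % (file_size, len(blob)))
    if num_records > max_records:
        raise ValueError("record count %d exceeds array capacity %d" % (num_records, max_records))
    table_end = TRX_FIXED_HEADER.size + 4 * max_records
    if table_end > len(blob):
        raise ValueError("record offsets array runs past the end of the file")
    offsets = struct.unpack_from("<%dI" % max_records, blob, TRX_FIXED_HEADER.size)
    used = [off for off in offsets if off != 0]      # unused slots are 0 per the page
    if len(used) != num_records:
        raise ValueError("%d non-zero offsets but header counts %d records" % (len(used), num_records))
    for off in used:
        if not table_end <= off < len(blob):
            raise ValueError("record offset %d lies outside the record area" % off)
    # ASSUMPTION (the record layout is undocumented here): a record extends from its
    # offset up to the next higher record offset, or to the end of the file.
    bounds = sorted(used) + [len(blob)]
    records = [blob[off:min(b for b in bounds if b > off)] for off in used]
    return {"version": version, "unknown": unknown, "file_size": file_size,
            "max_records": max_records, "offsets": used, "records": records}


def build_sample_trx(records, max_records=4):
    """Constructed sample builder (not a real file): records laid out back-to-back
    after the header, offsets array padded with zeros to max_records entries."""
    table_size = TRX_FIXED_HEADER.size + 4 * max_records
    offsets, body = [], b""
    for rec in records:
        offsets.append(table_size + len(body))
        body += rec
    offsets += [0] * (max_records - len(records))
    header = TRX_FIXED_HEADER.pack(1, 0, table_size + len(body), max_records, len(records))
    return header + struct.pack("<%dI" % max_records, *offsets) + body


SAMPLE_TRX = build_sample_trx([b"rec-one", b"record-two"])

if __name__ == "__main__":
    print(parse_trx(SAMPLE_TRX))
```

The file size field is the cheapest integrity check the format offers: a .trx copied out of a live system mid-write, or cut short by an acquisition error, fails it before any offset is trusted.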

Record

TODO describe

See Also

  • SuperFetch

External Links

  • [1] Inside the Windows Vista Kernel: Part 2, by Mark Russinovich, March 2007: http://technet.microsoft.com/en-us/magazine/2007.03.vistakernel.aspx
  • Windows SuperFetch file format – partial specification, by ReWolf, October 5, 2011: http://blog.rewolf.pl/blog/?p=214