Academic Forensics Programs - Graduate Level

From ForensicsWiki

Please help to improve this article by expanding it.

US Programs

  • California Sciences Institute
  • Dartmouth College
  • George Mason University
  • George Washington University
  • John Jay College (http://www.jjay.cuny.edu/690.php)
  • Michigan State University (http://www.forensic.msu.edu/)
  • Mississippi State
  • Naval Postgraduate School
  • Polytechnic Institute of New York University
  • Purdue University (http://cyberforensics.purdue.edu/)
  • Sam Houston State University
  • Stevenson University
  • Texas State University
  • University of Central Florida (http://ncfs.ucf.edu/)
  • University of Massachusetts, Amherst
  • University of Mississippi
  • University of New Haven
  • University of New Orleans (http://cs.uno.edu/research/ia.htm)
  • University of Rhode Island (http://forensics.cs.uri.edu/)
  • University of Texas at San Antonio
  • Utica College (Online: http://www.onlineuticacollege.com/programs/bachelor-degrees.asp)
  • Center for Information Security, University of Tulsa (http://www.cis.utulsa.edu/)
  • West Virginia University (http://forensics.wvu.edu/)

Europe

  • Cranfield University, UK (http://www.cranfield.ac.uk/cds/postgraduatestudy/forensiccomputing/index.jsp)
  • Limerick Institute of Technology (http://www.lit.ie/departments/IT/MSC_Computing.html)
  • University of Amsterdam (http://www.studeren.uva.nl/ma-forensic-science)
  • University of Bradford
  • University of East London
  • University College Dublin (http://cci.ucd.ie/fcci)
  • University of Technology, Mauritius (http://www.utm.ac.mu)
  • University of Strathclyde (http://www.strath.ac.uk/science/forensicinformatics/)
  • University of Glamorgan, Wales, UK (http://www.glam.ac.uk/coursedetails/685/549)

Africa

  • University of Cape Town (http://www.commerce.uct.ac.za/InformationSystems/Courses/inf4016w/)

See Also

  • AAFS (http://www.aafs.org/default.asp?section_id=resources&page_id=colleges_and_universities)
  • Digital Forensics Association List (http://www.digitalforensicsassociation.org/formal-education/)
  • Forensics Focus List (http://www.forensicfocus.com/computer-forensics-education-directory)

Windows SuperFetch Format

From ForensicsWiki

Revision as of 01:41, 23 April 2014


Please help to improve this article by expanding it.
Further information might be found on the discussion page.

SuperFetch is a memory management scheme that enhances the least-recently-accessed approach with historical information and proactive memory management. [1]

Note that the following format specification is incomplete.

SuperFetch DB files

The Ag*.db files are of the SuperFetch file format. E.g.

AgAppLaunch.db
AgCx_SC*.db
AgGlFaultHistory.db
AgGlFgAppHistory.db
AgGlGlobalHistory.db
AgGlUAD_%SID%.db
AgGlUAD_P_%SID%.db
AgRobust.db

The SuperFetch DB files can be stored in uncompressed or compressed form, where different versions of Windows use different compressed forms:

  • Compressed SuperFetch DB - MEMO file format; Windows Vista
  • Compressed SuperFetch DB - MEM0 file format; Windows 7
  • Compressed SuperFetch DB - MAM file format; Windows 8

Compressed SuperFetch DB - MEMO file format

The MEMO file consists of:

  • file header
  • compressed blocks

This format uses the LZNT1 compression method.

File header

The file header is 84 bytes in size. The fields documented so far are:

Offset  Size  Value                             Description
0       4     "MEMO" (0x4d, 0x45, 0x4d, 0x4f)   Signature
4       4                                       Uncompressed (total) data size

Compressed blocks

Each compressed block is an LZNT1 chunk: its size is the chunk data size stored in the LZNT1 chunk header, plus 2 bytes for the chunk header itself.

The uncompressed block size is 4096 (0x1000) or the remaining uncompressed data size for the last block.
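To make the MEMO layout concrete, the following is an added example (not code from ForensicsWiki or from any SuperFetch tool) that validates the "MEMO" signature, reads the uncompressed total size at offset 4, skips the 84-byte header the page describes, and then walks and decompresses the LZNT1 chunks, checking that no block exceeds 4096 uncompressed bytes and that the total matches the header. The LZNT1 chunk-header layout (12-bit chunk data size minus one, signature bits, compressed flag) and the copy-token split follow the MS-XCA LZNT1 description and are assumptions about the chunk encoding, not something the page spells out; the sample file is constructed for the example.

```python
"""Parse a MEMO-format (Windows Vista) compressed SuperFetch DB file.

Added example; not code from ForensicsWiki or any SuperFetch tool. Assumes,
as the page states, an 84-byte header with "MEMO" at offset 0 and the
uncompressed total size at offset 4, followed by LZNT1 chunks that expand to
at most 4096 bytes each. The LZNT1 chunk encoding below is an assumption
drawn from the MS-XCA description, not from the page.
"""
import struct

MEMO_SIGNATURE = b"MEMO"
MEMO_HEADER_SIZE = 84            # header size stated on the page
MEMO_BLOCK_SIZE = 0x1000         # uncompressed bytes per block (last block may be shorter)
LZNT1_CHUNK_HEADER_SIZE = 2      # the "+ 2 bytes" from the page


def lznt1_decompress_chunk(data):
    """Decompress the payload of one compressed LZNT1 chunk (chunk header already stripped)."""
    out = bytearray()
    pos = 0
    while pos < len(data):
        flags = data[pos]
        pos += 1
        for bit in range(8):
            if pos >= len(data):
                break
            if not flags & (1 << bit):
                out.append(data[pos])            # literal byte
                pos += 1
                continue
            # Copy token: the offset/length bit split widens as the chunk output grows.
            token = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            shift = 0
            produced = len(out) - 1
            while produced >= 0x10:
                produced >>= 1
                shift += 1
            back_offset = (token >> (12 - shift)) + 1
            length = (token & (0xFFF >> shift)) + 3
            if back_offset > len(out):
                raise ValueError("LZNT1 back-reference before start of chunk")
            for _ in range(length):              # byte-wise so overlapping copies work
                out.append(out[-back_offset])
    return bytes(out)


def iter_lznt1_chunks(data, offset):
    """Yield (chunk_offset, chunk_data_size, is_compressed, payload) for each LZNT1 chunk."""
    while offset + LZNT1_CHUNK_HEADER_SIZE <= len(data):
        header = struct.unpack_from("<H", data, offset)[0]
        if header == 0:
            break                                # terminating empty chunk header
        chunk_size = (header & 0x0FFF) + 1       # chunk data size is stored minus one
        is_compressed = bool(header & 0x8000)
        start = offset + LZNT1_CHUNK_HEADER_SIZE
        end = start + chunk_size
        if end > len(data):
            raise ValueError("truncated LZNT1 chunk at offset %d" % offset)
        yield offset, chunk_size, is_compressed, data[start:end]
        offset = end


def parse_memo_file(data):
    """Return (uncompressed_size, decompressed_bytes) for a MEMO file, validating the sizes."""
    if len(data) < MEMO_HEADER_SIZE or data[:4] != MEMO_SIGNATURE:
        raise ValueError("not a MEMO SuperFetch DB file")
    uncompressed_size = struct.unpack_from("<I", data, 4)[0]
    out = bytearray()
    for _, _, is_compressed, payload in iter_lznt1_chunks(data, MEMO_HEADER_SIZE):
        block = lznt1_decompress_chunk(payload) if is_compressed else payload
        if len(block) > MEMO_BLOCK_SIZE:
            raise ValueError("block larger than %d uncompressed bytes" % MEMO_BLOCK_SIZE)
        out += block
    if len(out) != uncompressed_size:
        raise ValueError("header says %d uncompressed bytes, got %d"
                         % (uncompressed_size, len(out)))
    return uncompressed_size, bytes(out)


def build_sample_memo_file():
    """Constructed sample (not a real SuperFetch DB): one LZNT1 chunk expanding to b'ABCABCABC'."""
    # Flag byte 0x08: tokens 0..2 are literals 'A','B','C', token 3 is a copy token.
    # Copy token 0x2003 (little-endian 03 20): back offset 2 + 1 = 3, length 3 + 3 = 6.
    payload = bytes([0x08, 0x41, 0x42, 0x43, 0x03, 0x20])
    chunk_header = 0x8000 | 0x3000 | (len(payload) - 1)   # compressed flag, signature bits, size - 1
    header = MEMO_SIGNATURE + struct.pack("<I", 9)
    header += b"\x00" * (MEMO_HEADER_SIZE - len(header))    # undocumented remainder of the header
    return header + struct.pack("<H", chunk_header) + payload + b"\x00\x00"


if __name__ == "__main__":
    size, content = parse_memo_file(build_sample_memo_file())
    print(size, content)
```

The size checks matter in a forensic parser: a chunk that claims to run past the end of the file, a block that expands beyond 4096 bytes, or a total that disagrees with the header all indicate a truncated or tampered file rather than data worth trusting.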

Compressed SuperFetch DB - MEM0 file format

The MEM0 file consists of:

  • file header
  • compressed blocks

This format uses the LZXPRESS Huffman compression method.

File header

The file header is 84 bytes in size. The fields documented so far are:

Offset  Size  Value                             Description
0       4     "MEM0" (0x4d, 0x45, 0x4d, 0x30)   Signature
4       4                                       Uncompressed (total) data size

Compressed blocks

The file header is followed by compressed blocks, each laid out as:

Offset  Size  Value  Description
0       4            Compressed data size
4       ...          Compressed data

The uncompressed block size is 65536 (0x10000) or the remaining uncompressed data size for the last block.

Compressed SuperFetch DB - MAM file format

The MAM file consists of:

  • file header
  • compressed blocks

This format uses the TODO compression method

File header

TODO

Offset  Size  Value                                Description
0       4     "MAM\x84" (0x4d, 0x41, 0x4d, 0x84)   Signature

Compressed blocks

TODO

Uncompressed SuperFetch DB format

TODO

File header

TODO

Offset  Size  Value       Description
0       4     0x0000000e  Unknown (database type or signature?)
4       4                 Uncompressed (total) data size
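The four header variants above (MEMO, MEM0, MAM\x84 and the uncompressed 0x0000000e form) and the MEM0 compressed-block layout described earlier can be tied together in one triage routine. The following is an added example, not code from ForensicsWiki or from any SuperFetch tool: it identifies the variant from the first four bytes, reads the uncompressed total size where the page documents one, and for MEM0 files walks the block table (4-byte compressed data size followed by the data) to check that it covers exactly the uncompressed size in 65536-byte blocks. It does not decompress LZXPRESS Huffman, which the Python standard library does not provide; the sample files are constructed for the example with opaque payloads.

```python
"""Identify a SuperFetch DB variant and validate a MEM0 compressed block table.

Added example; not code from ForensicsWiki or any SuperFetch tool. Signatures,
header offsets and block sizes are taken from the page; the MAM header layout
beyond the signature is not documented there, so no size is read for it.
"""
import struct

MEM0_HEADER_SIZE = 84        # header size stated on the page
MEM0_BLOCK_SIZE = 0x10000    # uncompressed bytes per block (last block may be shorter)

# First four bytes -> (variant name, whether offset 4 holds the uncompressed total size).
SIGNATURES = {
    b"MEMO": ("MEMO", True),                      # Windows Vista, LZNT1
    b"MEM0": ("MEM0", True),                      # Windows 7, LZXPRESS Huffman
    b"MAM\x84": ("MAM", False),                   # Windows 8; offset 4 undocumented on the page
    b"\x0e\x00\x00\x00": ("uncompressed", True),  # 0x0000000e little-endian, meaning unknown
}


def identify_superfetch_db(data):
    """Return (variant, uncompressed_size_or_None), or None if the signature is not recognised."""
    if len(data) < 8:
        return None
    entry = SIGNATURES.get(bytes(data[:4]))
    if entry is None:
        return None
    name, has_size = entry
    size = struct.unpack_from("<I", data, 4)[0] if has_size else None
    return name, size


def walk_mem0_blocks(data):
    """Return [(block_offset, compressed_size, expected_uncompressed_size), ...] for a MEM0 file.

    Raises ValueError when the block table is truncated or does not cover the header's size.
    """
    ident = identify_superfetch_db(data)
    if ident is None or ident[0] != "MEM0":
        raise ValueError("not a MEM0 SuperFetch DB file")
    total = ident[1]
    remaining = total
    blocks = []
    offset = MEM0_HEADER_SIZE
    while remaining > 0:
        if offset + 4 > len(data):
            raise ValueError("block table ends before all %d uncompressed bytes are covered" % total)
        compressed_size = struct.unpack_from("<I", data, offset)[0]
        if compressed_size == 0 or offset + 4 + compressed_size > len(data):
            raise ValueError("bad compressed data size %d at offset %d" % (compressed_size, offset))
        expected = min(MEM0_BLOCK_SIZE, remaining)   # last block holds the remainder
        blocks.append((offset, compressed_size, expected))
        offset += 4 + compressed_size
        remaining -= expected
    return blocks


def build_sample_mem0_file(uncompressed_size=70000, compressed_sizes=(1234, 99)):
    """Constructed sample (not a real SuperFetch DB): MEM0 header plus opaque block payloads."""
    header = b"MEM0" + struct.pack("<I", uncompressed_size)
    header += b"\x00" * (MEM0_HEADER_SIZE - len(header))   # undocumented remainder of the header
    body = b"".join(struct.pack("<I", n) + b"\xaa" * n for n in compressed_sizes)
    return header + body


if __name__ == "__main__":
    sample = build_sample_mem0_file()
    print(identify_superfetch_db(sample))
    for block in walk_mem0_blocks(sample):
        print("block at %d: %d compressed bytes -> %d uncompressed" % block)
```

With a 70000-byte uncompressed size the walker expects two blocks (65536 and 4464 bytes); a file carrying only one block is reported as truncated rather than silently accepted.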

TRX files

The Ag*.db.trx files are of the TRX file format. E.g.

AgCx_SC*.db.trx

Note that the following format specification is incomplete.

File header

The file header is variable in size and consists of:

Offset  Size  Value  Description
0       4     1      Unknown (version?)
4       4            Unknown
8       4            File size
12      4            Maximum number of records (size of the record offsets array)
16      4            Number of records
20      ...          Record offsets array; each record offset is a 32-bit integer, and unused entries are set to 0.
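The TRX header table above can be parsed and cross-checked field by field. The following is an added example, not code from ForensicsWiki or from any SuperFetch tool: it reads the five 32-bit fields, checks the stored file size against the data length, checks that the number of records does not exceed the maximum, reads the offsets array, and verifies that every non-zero offset points inside the file after the header. Splitting the raw record bytes at consecutive offsets is an assumption for illustration, since the page does not document the record format; the sample file is constructed for the example.

```python
"""Parse and validate the header of a SuperFetch TRX file (Ag*.db.trx).

Added example; not code from ForensicsWiki or any SuperFetch tool. The field
layout follows the page's (incomplete) header table. Record contents are not
documented there, so records are only sliced as opaque byte ranges, assuming
they are contiguous in offset order.
"""
import struct

TRX_FIXED_HEADER_SIZE = 20   # five 32-bit fields precede the record offsets array


def parse_trx_header(data):
    """Return a dict of header fields plus the used record offsets, validating them."""
    if len(data) < TRX_FIXED_HEADER_SIZE:
        raise ValueError("file too small for a TRX header")
    version, unknown, file_size, max_records, num_records = struct.unpack_from("<5I", data, 0)
    if file_size != len(data):
        raise ValueError("header file size %d does not match data length %d" % (file_size, len(data)))
    if num_records > max_records:
        raise ValueError("number of records %d exceeds maximum %d" % (num_records, max_records))
    array_end = TRX_FIXED_HEADER_SIZE + 4 * max_records
    if array_end > file_size:
        raise ValueError("record offsets array runs past end of file")
    offsets = list(struct.unpack_from("<%dI" % max_records, data, TRX_FIXED_HEADER_SIZE))
    used = [o for o in offsets if o != 0]          # unused entries are 0, per the page
    if len(used) != num_records:
        raise ValueError("%d non-zero offsets but header claims %d records" % (len(used), num_records))
    for o in used:
        if o < array_end or o >= file_size:
            raise ValueError("record offset %d outside the record area" % o)
    return {"version": version, "unknown": unknown, "file_size": file_size,
            "max_records": max_records, "num_records": num_records,
            "header_size": array_end, "record_offsets": used}


def split_records(data, header):
    """Slice raw record bytes, assuming records are contiguous in offset order (not documented)."""
    bounds = sorted(header["record_offsets"]) + [header["file_size"]]
    return [data[a:b] for a, b in zip(bounds, bounds[1:])]


def build_sample_trx_file(max_records=4, records=(b"rec-one", b"record-two")):
    """Constructed sample (not a real TRX file): header, offsets array, then opaque record bytes."""
    header_size = TRX_FIXED_HEADER_SIZE + 4 * max_records
    offsets, body, pos = [], b"", header_size
    for rec in records:
        offsets.append(pos)
        body += rec
        pos += len(rec)
    offsets += [0] * (max_records - len(records))   # unused slots are zero
    file_size = header_size + len(body)
    header = struct.pack("<5I", 1, 0, file_size, max_records, len(records))
    header += struct.pack("<%dI" % max_records, *offsets)
    return header + body


if __name__ == "__main__":
    sample = build_sample_trx_file()
    hdr = parse_trx_header(sample)
    print(hdr)
    print(split_records(sample, hdr))
```

The offset checks are the useful part for an examiner: an offset inside the header, past the end of the file, or a record count that disagrees with the number of non-zero slots each point to corruption or a format variant this (incomplete) specification does not cover.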

Record

TODO describe

See Also

  • SuperFetch

External Links

  • [1] Inside the Windows Vista Kernel: Part 2, by Mark Russinovich, March 2007 (http://technet.microsoft.com/en-us/magazine/2007.03.vistakernel.aspx)
  • Windows SuperFetch file format – partial specification, by ReWolf, October 5, 2011 (http://blog.rewolf.pl/blog/?p=214)

Category: File Formats