From ForensicsWiki

Training Courses and Providers

This is the list of Scheduled Training Courses, referred to by [[Upcoming_events]]. Please refer to the instructions on the [[Upcoming_events]] page if you wish to edit this page.

The Conference and Training List is provided by the American Academy of Forensic Sciences (AAFS) Digital and Multi-media Listserv.
<i>(Subscribe by sending an email to listserv@lists.mitre.org with message body containing SUBSCRIBE AAFS-DIGITAL-MULTIMEDIA-LIST)</i>

Requests for additions, deletions or corrections to this list may be sent by email to David Baker <i>(bakerd AT mitre.org)</i>.

{| border="0" cellpadding="2" cellspacing="2" align="top"
|- style="background:#bfbfbf; font-weight: bold"
! Title
! Date/Location
! Website
! Limitation
|-
| Macintosh Forensic Survival Course (MFSC) || Jun 30-Jul 04, Brisbane, Australia || http://www.forwarddiscovery.com/shop/index.php?act=viewCat&catId=3 || Limited to Law Enforcement
|-
| EnCase&reg; Enterprise v6 - Phase II || Jun 30-Jul 03, Los Angeles, CA || http://www.guidancesoftware.com/training/course_schedule.aspx
|-
| AccessData&reg; BootCamp || Jul 01-03, Manchester, United Kingdom || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| BlackBag Intermediate MacIntosh Forensics || Jul 07-11, Los Angeles, CA || http://www.blackbagtech.com/products/training.htm || Limited to Law Enforcement
|-
| Linux /Unix Security || Jul 07-10, Reston, VA || http://www.securityuniversity.net/classes_linux_sec.php
|-
| Certified Ethical Hacker/Qualified Security Hacker/Network Defender || Jul 07-10, San Francisco, CA || http://www.securityuniversity.net/classes_QSH.php
|-
| Computer Hacking Forensic Investigator CHFI Prep/QFE Qualified Forensics Expert || Jul 12-16, Reston, VA || http://www.securityuniversity.net/classes_CHFI_QFE.php
|-
| Mobile Device Investigations Program (MDIP) || Jul 14-18, Glynco, GA || http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation || Limited to Law Enforcement
|-
| AccessData&reg; Applied Decryption || Jul 15-17, St Paul, MN || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| AccessData&reg; Windows Forensics || Jul 15-17, London, United Kingdom || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| WetStone- Steganography Investigator Training || Jul 16-17, Online Training || https://www.wetstonetech.com/trainings.html
|-
| Computer Network Investigations Training Program (CNITP) || Jul 21-Aug 01, Glynco, GA || http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation || Limited to Law Enforcement
|-
| Internet Investigations Training Program (IITP) || Jul 21-25, Glynco, GA || http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation || Limited to Law Enforcement
|-
| BlackBag Intermediate MacIntosh Forensics || Jul 21-25, San Jose, CA || http://www.blackbagtech.com/products/training.htm
|-
| EC-Council Certified Security Analyst/Qualified Security Analyst/Pen Testing Methods || Jul 21-25, San Francisco, CA || http://www.securityuniversity.net/classes_anti-hacking_pentest.php
|-
| Licensed Penetration Tester/Qualified Penetration Tester || Jul 21-25, San Francisco, CA || http://www.securityuniversity.net/classes_Licensed_Penetration_Tester.php
|-
| WetStone- Live Investigator Training || Jul 22-23, Fairfax, VA || https://www.wetstonetech.com/trainings.html
|-
| AccessData&reg; Windows Forensics || Jul 22-24, St Louis, MO || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| Computer Hacking Forensic Investigator CHFI Prep/Qualified Forensics Expert || July 28-Aug 01, San Francisco, CA || http://www.securityuniversity.net/classes_CHFI_QFE.php
|-
| ILook® Automated Forensic Application (ILook) || Jul 28-Aug 01, St. Louis, MO || http://www.nw3c.org/ocr/courses_desc.cfm || Limited to Law Enforcement
|-
| Certified Wireless Network Administrator || July 28-Aug 01, San Francisco, CA || http://www.securityuniversity.net/www.classes_wireless_CWNA.php
|-
| Certified Wireless Network Admin/Wireless Security Professional Bootcamp || July 29-Aug 07, San Francisco, CA || http://www.securityuniversity.net/classes_wireless_bootcamp.php
|-
| WetStone- Steganography Investigator Training || Aug 02-03, 04-05, Black Hat USA || https://www.blackhat.com
|-
| WetStone- Live Investigator Training || Aug 02-03, 04-05, Black Hat USA || https://www.blackhat.com
|-
| WetStone- Hacking Investigator BootCamp || Aug 02-05, Black Hat USA || https://www.blackhat.com
|-
| Certified Wireless Security Professional CWSP || Aug 04-07, San Francisco, CA || http://www.securityuniversity.net/classes_wireless_CWSP.php
|-
| Linux /Unix Security || Aug 04-07, Reston, VA || http://www.securityuniversity.net/classes_linux_sec.php
|-
| Qualified Edge Protection: Firewalls, IPS, Spyware, Trojans and Viruses || Aug 04-07, Reston, VA || http://www.securityuniversity.net/classes_QEP.php
|-
| Macintosh Forensic Survival Course (MFSC) || Aug 04-08, Huntington Beach, CA || http://www.forwarddiscovery.com/shop/index.php?act=viewCat&catId=3
|-
| Certified Wireless Network Admin/Wireless Security Professional Bootcamp || Aug 05-14, Reston, VA || http://www.securityuniversity.net/classes_wireless_bootcamp.php
|-
| Certified Wireless Network Administrator || Aug 05-08, Reston, VA || http://www.securityuniversity.net/classes_wireless_CWNA.php
|-
| AccessData&reg; BootCamp || Aug 05-07, London, United Kingdom || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| AccessData&reg; Windows Forensics || Aug 05-07, Louisville, KY || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train || Limited to Law Enforcement
|-
| Certified Steganography Examiner™ || Aug 06-07, Huntington, WV || http://www.sarc-wv.com/training/training_huntington.aspx
|-
| Certified Wireless Security Professional || Aug 11-14, Reston, VA || http://www.securityuniversity.net/classes_wireless_CWSP.php
|-
| X-Ways Forensics || Aug 12-14, Wheaton, IL || http://www.x-ways.net/training/chicago.html
|-
| AccessData&reg; Windows Forensics || Aug 12-14, St Paul, MN || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| AccessData&reg; BootCamp || Aug 12-14, Albany, NY and New York City, NY || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| Digital Evidence Acquisition Specialist Training Program (DEASTP) || Aug 18-29, Glynco, GA || http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation || Limited to Law Enforcement
|-
| BlackBag Introductory MacIntosh Forensics || Aug 18-22, San Jose, CA || http://www.blackbagtech.com/products/training.htm
|-
| WetStone- Steganography Investigator Training || Aug 19-20, Fairfax, VA || https://www.wetstonetech.com/trainings.html
|-
| AccessData&reg; BootCamp || Aug 19-21, Manchester, United Kingdom || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| WetStone- Live Investigator Training || Aug 26-27, Vancouver BC || https://www.wetstonetech.com/trainings.html
|-
| AccessData&reg; BootCamp || Aug 26-28, Ft Lauderdale, FL || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| AccessData&reg; BootCamp || Sep 02-04, London, United Kingdom || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| Seized Computer Evidence Recovery Specialist (SCERS) || Sep 08-19, Glynco, GA || http://www.fletc.gov/training/programs/computer-financial-investigations/technology-investigation || Limited to Law Enforcement
|-
| Computer Hacking Forensic Investigator CHFI Prep/QFE Qualified Forensics Expert || Sep 08-12, Reston, VA || http://www.securityuniversity.net/classes_CHFI_QFE.php
|-
| BlackBag Introductory MacIntosh Forensics || Sep 08-12, Washington D.C. || http://www.blackbagtech.com/products/training.htm
|-
| Macintosh Forensic Survival Course (MFSC) || Sep 08-12, Bellingham, WA || http://www.forwarddiscovery.com/shop/index.php?act=viewCat&catId=3
|-
| Windows NT File System (NTFS) || Sep 08-11, St. Louis, MO || http://www.nw3c.org/ocr/courses_desc.cfm || Limited to Law Enforcement
|-
| Fundamentals of Computer Forensics Imaging || Sep 9-12, Falls Church, VA || http://www.mantech.com/msma/isso.asp
|-
| WetStone- Steganography Investigator Training || Sep 10-11, Online || https://www.wetstonetech.com/trainings.html
|-
| ILook® Automated Forensic Application (ILook) || Sep 15-19, Meriden, CT || http://www.nw3c.org/ocr/courses_desc.cfm || Limited to Law Enforcement
|-
| WetStone- Hacking BootCamp for Investigators || Sep 16-19, Charleston, SC || https://www.wetstonetech.com/trainings.html
|-
| EnCase&reg; v6 Computer Forensics II || Sep 16-19, Toronto, Canada || http://www.guidancesoftware.com/training/course_schedule.aspx
|-
| AccessData&reg; Windows Forensics || Sep 16-18, Columbia, SC || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| BlackBag Intermediate MacIntosh Forensics || Sep 22-26, Richmond, VA || http://www.blackbagtech.com/products/training.htm || Limited to Law Enforcement
|-
| EnCase&reg; v6 Advanced Computer Forensics || Sep 23-26, Toronto, Canada || http://www.guidancesoftware.com/training/course_schedule.aspx
|-
| AccessData&reg; Windows Forensics || Sep 23-25, London, United Kingdom || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| AccessData&reg; BootCamp || Sep 23-25, Dallas, TX || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| AccessData&reg; Applied Decryption || Sep 23-25, Ft Lauderdale, FL || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| X-Ways Forensics || Sep 24-26, Alexandria, VA || http://www.x-ways.net/training/washington_dc.html
|-
| BlackBag Introductory MacIntosh Forensics || Sep 29-Oct 3, San Jose, CA || http://www.blackbagtech.com/products/training.htm
|-
| X-Ways Forensics || Sep 29-Oct 1, New York City, NY || http://www.x-ways.net/training/new_york.html
|-
| WetStone- Live Investigator Training || Sep 30-Oct 1, Fairfax, VA || https://www.wetstonetech.com/trainings.html
|-
| EnCase&reg; v6 Computer Forensics II || Sep 30-Oct 03, Toronto, Canada || http://www.guidancesoftware.com/training/course_schedule.aspx
|-
| BlackBag Introductory MacIntosh Forensics || Oct 06-10, Los Angeles, CA || http://www.blackbagtech.com/products/training.htm
|-
| X-Ways Forensics || Oct 07-09, London, UK || http://www.x-ways.net/training/london.html
|-
| AccessData&reg; Applied Decryption || Oct 07-09, London, UK || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| AccessData&reg; Windows Forensics || Oct 07-09, Las Vegas, NV and New York City, NY || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| WetStone- Steganography Investigator Training || Oct 13-14, The Netherlands ENFSC Conference || https://www.wetstonetech.com/trainings.html
|-
| AccessData&reg; BootCamp || Oct 14-16, Louisville, KY || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train || Limited to Law Enforcement
|-
| WetStone- Live Investigator Training || Oct 18-19, Atlantic City, NJ HTCIA Conference || https://www.wetstonetech.com/trainings.html
|-
| Computer Hacking Forensic Investigator CHFI Prep/QFE Qualified Forensics Expert || Oct 20-24, Reston, VA || http://www.securityuniversity.net/classes_CHFI_QFE.php
|-
| Windows NT Operating System (NTOS) || Oct 20-23, St. Louis, MO || http://www.nw3c.org/ocr/courses_desc.cfm || Limited to Law Enforcement
|-
| EnCase&reg; v6 Computer Forensics II || Oct 21-24, Toronto, Canada || http://www.guidancesoftware.com/training/course_schedule.aspx
|-
| Certified Steganography Examiner™ || Oct 23-24, Gaithersburg, MD || http://www.sarc-wv.com/training/training_gaithersburg.aspx
|-
| WetStone- Live Investigator Training || Oct 24-25, Gaithersburg, MD Techno Forensics Conference || https://www.wetstonetech.com/trainings.html
|-
| WetStone- Steganography Investigator Training || Oct 24-25, Gaithersburg, MD Techno Forensics Conference || https://www.wetstonetech.com/trainings.html
|-
| X-Ways Forensics (3 days), File Systems Revealed (2 days) || Oct 27-31, Canberra, Australia || http://www.x-ways.net/training/ || Limited to Law Enforcement/Government
|-
| EnCase&reg; v6 EnScript&reg; Programming - Phase I || Oct 28-31, Toronto, Canada || http://www.guidancesoftware.com/training/course_schedule.aspx
|-
| AccessData&reg; Windows Forensics || Oct 28-30, Manchester, United Kingdom || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| X-Ways Forensics || Nov 03-05, Sydney, Australia || http://www.x-ways.net/training/sydney.html
|-
| Macintosh Forensic Survival Course (MFSC) || Nov 03-07, Bern, Switzerland || http://www.forwarddiscovery.com/shop/index.php?act=viewCat&catId=3
|-
| Windows NT File System (NTFS) || Nov 03-06, Meriden, CT || http://www.nw3c.org/ocr/courses_desc.cfm || Limited to Law Enforcement
|-
| EnCase&reg; v6 Computer Forensics II || Nov 04-07, Toronto, Canada || http://www.guidancesoftware.com/training/course_schedule.aspx
|-
| AccessData&reg; BootCamp || Nov 04-06, London, United Kingdom || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| AccessData&reg; Internet Forensics || Nov 04-06, St Paul, MN || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| AccessData&reg; Windows Forensics || Nov 04-06, Albany, NY || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| X-Ways Forensics || Nov 11-13, Hong Kong || http://www.x-ways.net/training/hong_kong.html
|-
| WetStone- Steganography Investigator Training || Nov 11-12, Fairfax, VA || https://www.wetstonetech.com/trainings.html
|-
| BlackBag Intermediate MacIntosh Forensics || Nov 17-21, Washington D.C. || http://www.blackbagtech.com/products/training.htm
|-
| WetStone- Hacking BootCamp for Investigators || Nov 18-21, Vancouver BC || https://www.wetstonetech.com/trainings.html
|-
| EnCase&reg; v6 Network Intrusion Investigations - Phase I || Nov 18-21, Toronto, Canada || http://www.guidancesoftware.com/training/course_schedule.aspx
|-
| EnCase&reg; v6 Computer Forensics II || Nov 25-28, Toronto, Canada || http://www.guidancesoftware.com/training/course_schedule.aspx
|-
| AccessData&reg; Internet Forensics || Nov 25-27, Manchester, United Kingdom || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| BlackBag Intermediate MacIntosh Forensics || Dec 01-05, San Diego, CA || http://www.blackbagtech.com/products/training.htm
|-
| Windows Internet Trace Evidence (INET) || Dec 01-05, St. Louis, MO || http://www.nw3c.org/ocr/courses_desc.cfm || Limited to Law Enforcement
|-
| AccessData&reg; Windows Forensics || Dec 02-04, Ft Lauderdale, FL; New York City, NY; and London, United Kingdom || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| Fundamentals of Computer Forensics Imaging || Dec 02-05, Falls Church, VA || http://www.mantech.com/msma/isso.asp
|-
| Computer Hacking Forensic Investigator CHFI Prep/QFE Qualified Forensics Expert || Dec 08-12, Reston, VA || http://www.securityuniversity.net/classes_CHFI_QFE.php
|-
| Windows NT Operating System (NTOS) || Dec 08-11, Meriden, CT || http://www.nw3c.org/ocr/courses_desc.cfm || Limited to Law Enforcement
|-
| Application Forensics Course || Dec 08-19, Hong Kong Police College || http://www.police.gov.hk/police/policecollege/english/pdl/pold.htm || Limited to Law Enforcement
|-
| EnCase&reg; v6 Computer Forensics II || Dec 09-12, Toronto, Canada || http://www.guidancesoftware.com/training/course_schedule.aspx
|-
| AccessData&reg; Internet Forensics || Dec 09-11, Dallas, TX and New York City, NY || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| AccessData&reg; Windows Forensics || Dec 09-11, Louisville, KY || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train || Limited to Law Enforcement
|-
| EnCase&reg; v6 Advanced Computer Forensics || Dec 16-19, Toronto, Canada || http://www.guidancesoftware.com/training/course_schedule.aspx
|-
| AccessData&reg; BootCamp || Dec 16-18, Manchester, United Kingdom || http://www.accessdata.com/common/pagedetail.aspx?PageCode=train
|-
| '''2009 events''' || 2009 || ||
|-
| Linux File System for Computer Forensic Examiners (Linux) || Jan 12-16, 2009, St. Louis, MO || http://www.nw3c.org/ocr/courses_desc.cfm || Limited to Law Enforcement
|-
| Windows Internet Trace Evidence (INET) || Jan 19-23, 2009, Meriden, CT || http://www.nw3c.org/ocr/courses_desc.cfm || Limited to Law Enforcement
|-
| Linux File System for Computer Forensic Examiners (Linux) || Mar 02-06, 2009, Meriden, CT || http://www.nw3c.org/ocr/courses_desc.cfm || Limited to Law Enforcement
|}

Windows SuperFetch Format
Revision as of 01:41, 23 April 2014


SuperFetch is a memory management scheme that enhances the least-recently-accessed approach with historical information and proactive memory management. [1]

Note that the following format specifications are incomplete.

SuperFetch DB files

The Ag*.db files use the SuperFetch DB file format, e.g.

AgAppLaunch.db
AgCx_SC*.db
AgGlFaultHistory.db
AgGlFgAppHistory.db
AgGlGlobalHistory.db
AgGlUAD_%SID%.db
AgGlUAD_P_%SID%.db
AgRobust.db

The SuperFetch DB files can be stored in uncompressed or compressed form, and different versions of Windows use different compressed forms:

  • Compressed SuperFetch DB - MEMO file format; Windows Vista
  • Compressed SuperFetch DB - MEM0 file format; Windows 7
  • Compressed SuperFetch DB - MAM file format; Windows 8

Compressed SuperFetch DB - MEMO file format

The MEMO file consists of:

  • file header
  • compressed blocks

This format uses the LZNT1 compression method (the chunked LZ77 variant also used for NTFS compressed files).

File header

The file header is 8 bytes in size and consists of:

Offset | Size | Value                           | Description
0      | 4    | "MEMO" (0x4d, 0x45, 0x4d, 0x4f) | Signature
4      | 4    |                                 | Uncompressed (total) data size

Compressed blocks

Each compressed block is one LZNT1 chunk. The compressed block size is the chunk data size, which is encoded in the 2-byte LZNT1 chunk header that starts the chunk, plus the 2 bytes of that header. In the chunk header the low 12 bits hold the size of the whole chunk (header included) minus 3, and bit 15 is set when the chunk data is compressed rather than stored, so a reader computes the block size as (header & 0x0fff) + 3; a chunk header of 0 ends the stream.

The uncompressed block size is 4096 (0x1000) bytes, or the remaining uncompressed data size for the last block.

Compressed SuperFetch DB - MEM0 file format

The MEM0 file consists of:

  • file header
  • compressed blocks

This format uses the LZXPRESS Huffman compression method (LZ77 + Huffman, as specified in MS-XCA).

File header

The file header is 8 bytes in size and consists of:

Offset | Size | Value                           | Description
0      | 4    | "MEM0" (0x4d, 0x45, 0x4d, 0x30) | Signature
4      | 4    |                                 | Uncompressed (total) data size

Compressed blocks

The file header is followed by compressed blocks, each of which consists of:

Offset | Size | Value | Description
0      | 4    |       | Compressed data size
4      | ...  |       | Compressed data

The uncompressed block size is 65536 (0x10000) bytes, or the remaining uncompressed data size for the last block. The number of blocks is not stored anywhere; a reader keeps consuming length-prefixed blocks until the uncompressed (total) data size from the file header has been produced.
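The following parser is an added example covering the MEMO and MEM0 containers described above; it is not code from the ForensicsWiki page or from ReWolf's specification. It implements LZNT1 (enough to inflate MEMO files), walks the length-prefixed MEM0 blocks and derives each block's expected uncompressed size from the 65536-byte block rule, and dispatches on the 4-byte signature. The LZXPRESS Huffman routine for MEM0 is taken as a caller-supplied function (libfwnt ships one), and the two sample files are constructed here, not real SuperFetch data; treating the uncompressed variant as an 8-byte header followed by the body is an assumption, as is the exact MAM layout, which the page leaves as TODO.

```python
import struct
from typing import Callable, Iterator, Optional, Tuple

# LZNT1 chunk header: low 12 bits = whole chunk size (header included) minus 3,
# bit 15 = chunk data is compressed. A header of 0 terminates the stream.
LZNT1_COMPRESSED = 0x8000
LZNT1_SIZE_MASK = 0x0FFF
MEM0_BLOCK_SIZE = 0x10000   # uncompressed bytes per MEM0 block; only the last one is shorter


def lznt1_decompress_chunk(payload: bytes) -> bytes:
    """Inflate the body of one LZNT1 chunk (the 2-byte chunk header already removed)."""
    out = bytearray()
    src = 0
    while src < len(payload):
        flags = payload[src]              # one flag byte governs the next 8 tokens
        src += 1
        for bit in range(8):
            if src >= len(payload):
                break
            if not (flags >> bit) & 1:    # clear bit: literal byte
                out.append(payload[src])
                src += 1
                continue
            # Set bit: 16-bit back-reference. The split between displacement and
            # length bits widens as more of the chunk has already been produced.
            i, lg = len(out) - 1, 0
            while i >= 0x10:
                i >>= 1
                lg += 1
            (token,) = struct.unpack_from('<H', payload, src)
            src += 2
            disp = (token >> (12 - lg)) + 1
            length = (token & (LZNT1_SIZE_MASK >> lg)) + 3
            if disp > len(out):
                raise ValueError('LZNT1 back-reference points before the chunk start')
            for _ in range(length):       # byte-wise copy so overlapping references work
                out.append(out[-disp])
    return bytes(out)


def lznt1_decompress(data: bytes, expected_size: int) -> bytes:
    """Walk LZNT1 chunks until expected_size bytes exist or a zero header ends the stream."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(data) and len(out) < expected_size:
        (header,) = struct.unpack_from('<H', data, pos)
        if header == 0:
            break
        chunk_size = (header & LZNT1_SIZE_MASK) + 3          # header + chunk data
        payload = data[pos + 2:pos + chunk_size]
        if len(payload) != chunk_size - 2:
            raise ValueError(f'truncated LZNT1 chunk at offset {pos}')
        out += lznt1_decompress_chunk(payload) if header & LZNT1_COMPRESSED else payload
        pos += chunk_size
    return bytes(out)


def iter_mem0_blocks(data: bytes, uncompressed_size: int) -> Iterator[Tuple[bytes, int]]:
    """Yield (compressed payload, expected uncompressed size) per MEM0 block after the 8-byte header."""
    pos, produced = 8, 0
    while produced < uncompressed_size:
        if pos + 4 > len(data):
            raise ValueError('MEM0 file ends inside a block size field')
        (compressed_size,) = struct.unpack_from('<I', data, pos)
        payload = data[pos + 4:pos + 4 + compressed_size]
        if len(payload) != compressed_size:
            raise ValueError(f'truncated MEM0 block at offset {pos}')
        expected = min(MEM0_BLOCK_SIZE, uncompressed_size - produced)
        yield payload, expected
        produced += expected
        pos += 4 + compressed_size


def decompress_superfetch_db(data: bytes,
                             lzxpress_huffman: Optional[Callable[[bytes, int], bytes]] = None) -> bytes:
    """Return the uncompressed body of a MEMO, MEM0 or uncompressed SuperFetch DB file."""
    if len(data) < 8:
        raise ValueError('too short for a SuperFetch DB header')
    signature = data[:4]
    (total_size,) = struct.unpack_from('<I', data, 4)
    if signature == b'MEMO':                               # Windows Vista, LZNT1
        body = lznt1_decompress(data[8:], total_size)
    elif signature == b'MEM0':                             # Windows 7, LZXPRESS Huffman
        if lzxpress_huffman is None:
            raise ValueError('MEM0 needs an LZXPRESS Huffman decompressor, e.g. from libfwnt')
        body = b''.join(lzxpress_huffman(block, size)
                        for block, size in iter_mem0_blocks(data, total_size))
    elif signature.startswith(b'MAM'):                     # Windows 8; compression not documented here
        raise NotImplementedError('MAM compression is not described on this page')
    elif signature == b'\x0e\x00\x00\x00':                 # uncompressed DB; 8-byte header is an assumption
        return data[8:]
    else:
        raise ValueError(f'unknown SuperFetch DB signature {signature!r}')
    if len(body) != total_size:
        raise ValueError(f'header claims {total_size} bytes, decompressed {len(body)}')
    return body


# Constructed sample files (not real SuperFetch data). The chunks are far smaller than
# the 4096/65536-byte blocks of real files, but the container layout is identical.
SAMPLE_MEMO = (
    b'MEMO' + struct.pack('<I', 16)
    + b'\x05\xb0' + b'\x08abc\x06\x20'   # compressed chunk: 'abc' then back-ref(disp 3, len 9)
    + b'\x03\x30' + b'WXYZ'              # stored chunk: bit 15 clear, raw bytes follow
)
SAMPLE_MEM0 = (
    b'MEM0' + struct.pack('<I', 70000)
    + struct.pack('<I', 3) + b'xyz'      # block 0 must inflate to 65536 bytes
    + struct.pack('<I', 2) + b'pq'       # block 1 must inflate to the remaining 4464
)

if __name__ == '__main__':
    print(decompress_superfetch_db(SAMPLE_MEMO))           # b'abcabcabcabcWXYZ'
    print(list(iter_mem0_blocks(SAMPLE_MEMO[:0] + SAMPLE_MEM0, 70000)))  # [(b'xyz', 65536), (b'pq', 4464)]
```

The size check at the end is the cheap integrity test worth keeping: a MEMO or MEM0 file whose decompressed length disagrees with the header is either truncated or carved from the wrong place, and silently returning a short body would corrupt everything parsed from it afterwards.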

Compressed SuperFetch DB - MAM file format

The MAM file consists of:

  • file header
  • compressed blocks

This format uses the TODO compression method

File header

TODO

Offset | Size | Value                              | Description
0      | 4    | "MAM\x84" (0x4d, 0x41, 0x4d, 0x84) | Signature

Compressed blocks

TODO

Uncompressed SuperFetch DB format

TODO

File header

TODO

Offset | Size | Value      | Description
0      | 4    | 0x0000000e | Unknown (Database type or signature?)
4      | 4    |            | Uncompressed (total) data size

TRX files

The Ag*.db.trx files use the TRX file format, e.g.

AgCx_SC*.db.trx

Note that the following format specification is incomplete.

File header

The file header is variable in size and consists of:

Offset | Size | Value | Description
0      | 4    | 1     | Unknown (Version?)
4      | 4    |       | Unknown
8      | 4    |       | File size
12     | 4    |       | Maximum number of records (number of entries in the record offsets array)
16     | 4    |       | Number of records
20     | ...  |       | Record offsets array, where each record offset is a 32-bit integer. Unused record offsets are set to 0.
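An added example of reading the TRX header above, written for this page rather than taken from the wiki or from ReWolf's specification. It unpacks the five fixed fields, reads the offsets array sized by the maximum record count, checks the stored file size against the actual length (the usual sign of a truncated or badly carved file), treats zero entries as unused, and rejects offsets that land inside the header or past the end. Because the record layout is still TODO on the page, each record is assumed, as an assumption of this example only, to extend to the next record offset or the end of the file; the sample file is constructed here, not real SuperFetch data.

```python
import struct
from dataclasses import dataclass
from typing import List, Tuple

# Fixed part of the TRX header: unknown (version?), unknown, file size,
# maximum number of records, number of records; all 32-bit little-endian.
TRX_FIXED_HEADER = struct.Struct('<IIIII')


@dataclass
class TrxHeader:
    version: int
    unknown: int
    file_size: int
    max_records: int
    record_count: int
    record_offsets: List[int]    # max_records entries; unused entries are 0


def parse_trx_header(data: bytes) -> TrxHeader:
    """Parse the variable-size TRX header and sanity-check it against the file."""
    if len(data) < TRX_FIXED_HEADER.size:
        raise ValueError('too short for a TRX header')
    version, unknown, file_size, max_records, record_count = TRX_FIXED_HEADER.unpack_from(data)
    if file_size != len(data):          # mismatch usually means a truncated or mis-carved file
        raise ValueError(f'header file size {file_size} != actual size {len(data)}')
    if record_count > max_records:
        raise ValueError(f'{record_count} records but only {max_records} offset slots')
    array_end = TRX_FIXED_HEADER.size + 4 * max_records
    if array_end > len(data):
        raise ValueError('record offsets array runs past the end of the file')
    offsets = list(struct.unpack_from(f'<{max_records}I', data, TRX_FIXED_HEADER.size))
    used = [off for off in offsets if off != 0]
    if len(used) != record_count:
        raise ValueError(f'{len(used)} non-zero offsets but header says {record_count} records')
    for off in used:
        if not array_end <= off < len(data):
            raise ValueError(f'record offset {off} points outside the record area')
    return TrxHeader(version, unknown, file_size, max_records, record_count, offsets)


def trx_record_slices(data: bytes) -> List[Tuple[int, bytes]]:
    """Return (offset, raw bytes) for each record. The record layout is not described on the
    page, so a record is assumed here to run up to the next record offset or the end of file."""
    header = parse_trx_header(data)
    starts = sorted(off for off in header.record_offsets if off != 0)
    ends = starts[1:] + [len(data)]
    return [(start, data[start:end]) for start, end in zip(starts, ends)]


def build_sample_trx(records=(b'hello', b'abc'), max_records: int = 4) -> bytes:
    """Constructed TRX file (not real SuperFetch data): two used and two unused offset slots."""
    pos = TRX_FIXED_HEADER.size + 4 * max_records   # records start right after the offsets array
    offsets = []
    for record in records:
        offsets.append(pos)
        pos += len(record)
    offsets += [0] * (max_records - len(records))
    return (TRX_FIXED_HEADER.pack(1, 0, pos, max_records, len(records))
            + struct.pack(f'<{max_records}I', *offsets)
            + b''.join(records))


if __name__ == '__main__':
    sample = build_sample_trx()
    print(parse_trx_header(sample))
    print(trx_record_slices(sample))   # [(36, b'hello'), (41, b'abc')]
```

When the record format is eventually documented, only trx_record_slices needs to change; the header checks stay the same, and they are what protects a later record parser from reading attacker- or corruption-controlled offsets.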

Record

TODO describe

See Also

  • SuperFetch

External Links

  • [1] Inside the Windows Vista Kernel: Part 2, by Mark Russinovich, March 2007, http://technet.microsoft.com/en-us/magazine/2007.03.vistakernel.aspx
  • Windows SuperFetch file format – partial specification, by ReWolf, October 5, 2011, http://blog.rewolf.pl/blog/?p=214