Difference between pages "Windows 7" and "Chrome Disk Cache Format"

From ForensicsWiki
Line 1: Line 1:
 +
{{expand}}
  
 +
== Cache files ==
 +
The cache is stored in multiple:
 +
{| class="wikitable"
 +
|-
 +
! Filename
 +
! Description
 +
|-
 +
| index
 +
| The index file
 +
|-
 +
| data_#
 +
| Data block files
 +
|-
 +
| f_######
 +
| (Separate) data stream file
 +
|}
  
== File Structure ==  
+
== Cache address ==
File systems are covered separately.
+
The cache address is 4 bytes in size and consists of:
 +
{| class="wikitable"
 +
|-
 +
! offset
 +
! size
 +
! value
 +
! description
 +
|-
 +
| <i>If file type is 0 (Separate file)</i>
 +
|
 +
|
 +
|
 +
|-
 +
| 0.0
 +
| 28 bits
 +
|
 +
| File number <br> The value represents the value of # in f_######
 +
|-
 +
| <i>Else</i>
 +
|
 +
|
 +
|
 +
|-
 +
| 0.0
 +
| 16 bits
 +
|
 +
| Block number
 +
|-
 +
| 2.0
 +
| 8 bits
 +
|
 +
| File number (or file selector) <br> The value represents the value of # in data_#
 +
|-
 +
| 3.0
 +
| 2 bits
 +
|
 +
| Block size <br> The number of contiguous blocks where 0 represents 1 block and 3 represents 4 blocks.
 +
|-
 +
| 3.2
 +
| 2 bits
 +
|
 +
| Reserved
 +
|-
 +
| <i>Common</i>
 +
|
 +
|
 +
|
 +
|-
 +
| 3.4
 +
| 3 bits
 +
|
 +
| File type
 +
|-
 +
| 3.7
 +
| 1 bit
 +
|
 +
| Initialized flag
 +
|}
  
== SSD ==
+
=== File types ===
Per MS [http://support.microsoft.com/kb/2727880 KB2727880], when Windows 7 is installed on a system with an SSD drive, automatic defragmentation and SuperFetch/prefetching are disabled.
+
{| class="wikitable"
 +
|-
 +
! Value
 +
! Description
 +
|-
 +
| 0
 +
| (Separate) data stream file
 +
|-
 +
| 1
 +
| (Rankings) block data file (36 byte block data file)
 +
|-
 +
| 2
 +
| 256 byte block data file
 +
|-
 +
| 3
 +
| 1024 byte block data file
 +
|-
 +
| 4
 +
| 4096 byte block data file
 +
|-
 +
|
 +
|
 +
|-
 +
| 6
 +
| Unknown; seen on Mac OS  X 0x6f430074
 +
|}
  
Further, [http://technet.microsoft.com/en-us/magazine/ff356869.aspx this TechNet post] states:  
+
==== Examples ====
<i>Since ReadyBoost will not provide a performance gain when the primary disk is an SSD, Windows 7 disables ReadyBoost when reading from an SSD drive.</i>
+
{| class="wikitable"
 +
|-
 +
! Value
 +
! Description
 +
|-
 +
| 0x00000000
 +
| Not initialized
 +
|-
 +
| 0x8000002a
 +
| Data stream file: f_00002a
 +
|-
 +
| 0xa0010003
 +
| Block data file: data_1, block number 3, 1 block of size
 +
|}
  
+
== Index file format (index) ==
 +
Overview:
 +
* File header
 +
* least recently used (LRU) data (or eviction control data)
 +
* index table
  
 +
=== File header ===
 +
*TODO*
  
== Jump Lists ==
+
== Data block file format (data_#) ==
[[Jump Lists]] are Task Bar artifacts first introduced on Windows 7 (and also available on Windows 8).
+
Overview:
 +
* File header
 +
* array of blocks
  
== Registry ==  
+
=== File header ===
The [[Windows_Registry]] remains a central component of the Windows 7 operating system.
+
*TODO*
  
== Known keys of forensic interest ==
+
== Data stream ==
 +
See: [[gzip]]
  
'''SAM Registry'''
+
== See Also ==
 +
* [[Google Chrome]]
 +
* [[gzip]]
  
SAM\\SAM\\Domains\\Account\\Users
+
== External Links ==
 +
* [http://www.chromium.org/developers/design-documents/network-stack/disk-cache Disk Cache], The Chromium Projects
  
SAM\\SAM\\Domains\\Account\\UsersSAM\\Domains\\Builtin\\Aliases
+
[[Category:File Formats]]
 
+
 
+
'''Security Registry'''
+
 
+
Security\\Policy\\PolAcDmSPolicy\\PolPrDmS
+
 
+
Security\\Policy\\PolAdtEv
+
 
+
Security\\Policy\\Secrets
+
 
+
'''NTUSER Registry'''
+
NTUSER\\Control Panel\\Desktop
+
NTUSER\\Control Panel\\don\
+
NTUSER\\Environment
+
NTUSER\\Network
+
NTUSER\\Printers\\Settings\\Wizard\\ConnectMRU
+
NTUSER\\Software
+
NTUSER\\Software\\Adobe\\Acrobat Reader\\Software\\Adobe\\Acrobat Reader\\
+
NTUSER\\Software\\Ahead
+
NTUSER\\Software\\America Online\\AOL Instant Messenger (TM)\\CurrentVersion\\Users
+
NTUSER\\Software\\Ares
+
NTUSER\\Software\\bindshell.net\\Odysseus
+
NTUSER\\Software\\Blizzard Entertainment\\Warcraft III\\String
+
NTUSER\\Software\\Cain\\Settings
+
NTUSER\\Software\\DECAFme
+
NTUSER\\Software\\Google\\Google Toolbar\\4.0\\whitelist
+
NTUSER\\Software\\Google\\NavClient\\1.1\\History
+
NTUSER\\Software\\JavaSoft\\Java Update\\Policy\\JavaFX
+
NTUSER\\Software\\JavaSoft\\Prefs\\haven
+
NTUSER\\Software\\Microsoft
+
NTUSER\\Software\\Microsoft\\Command Processor
+
NTUSER\\Software\\Microsoft\\Dependency Walker\\Recent File List
+
NTUSER\\Software\\Microsoft\\IntelliPoint\\AppSpecific
+
NTUSER\\Software\\Microsoft\\Internet Explorer\\Main
+
NTUSER\\Software\\Microsoft\\Internet Explorer\\MainSoftware\\Microsoft\\Windows\\CurrentVersion\\Explorer\\AutoCompleteSoftware\\Microsoft\\Internet Account Manager\\Accounts
+
NTUSER\\Software\\Microsoft\\Internet Explorer\\Settings
+
NTUSER\\Software\\Microsoft\\Internet Explorer\\TypedURLs
+
NTUSER\\Software\\Microsoft\\Internet Explorer\\TypedURLsTime
+
NTUSER\\Software\\Microsoft\\MediaPlayer\\Player\\RecentFileList
+
NTUSER\\Software\\Microsoft\\Microsoft Management Console\\Recent File List
+
NTUSER\\Software\\Microsoft\\Multimedia\\OtherSoftware\\Microsoft\\CTF\\LangBarAddIn
+
NTUSER\\Software\\Microsoft\\Office\\14.0Software\\Microsoft\\Office\\14.0
+
NTUSER\\Software\\Microsoft\\Office\\Software\\Microsoft\\Office\\
+
NTUSER\\Software\\Microsoft\\OfficeSoftware\\Microsoft\\Office\\
+
NTUSER\\Software\\Microsoft\\PIMSRV
+
NTUSER\\Software\\Microsoft\\Search Assistant\\ACMru
+
NTUSER\\Software\\Microsoft\\Snapshot Viewer\\Recent File List
+
NTUSER\\Software\\Microsoft\\Terminal Server Client\\DefaultSoftware\\Microsoft\\Terminal Server Client\\Servers
+
NTUSER\\Software\\Microsoft\\Terminal Server Client\\Servers
+
NTUSER\\Software\\Microsoft\\User Location Service\\Client
+
NTUSER\\Software\\Microsoft\\Windows Live Contacts\\Database
+
NTUSER\\Software\\Microsoft\\Windows Live Mail
+
NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Compatibility Assistant\\Persisted
+
NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\AppCompatFlags\\Layers
+
NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\PrinterPorts
+
NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows
+
NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles
+
NTUSER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook\\0a0d020000000000c000000000000046
+
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion
+
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\App Management\\ARPCache
+
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Applets
+
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer
+
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\BitBucket
+
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32
+
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComputerDescriptions
+
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ControlPanel
+
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\FileExts
+
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Map Network Drive MRU
+
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MenuOrder
+
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2
+
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\PublishingWizard\\AddNetworkPlace\\AddNetPlace\\LocationMRU
+
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RecentDocs
+
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\RunMRU
+
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders
+
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StartPage
+
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\StreamMRU
+
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\TypedPaths
+
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist
+
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Wallpaper\\MRU
+
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\WordWheelQuery
+
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Ext\\Settings\\{8AD9C840-044E-11D1-B3E9-00805F499D93}
+
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\FileHistory
+
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings
+
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap
+
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet SettingsSoftware\\Microsoft\\Internet Explorer\\Main\\WindowsSearch
+
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer
+
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\UFH\\SHC
+
NTUSER\\Software\\Microsoft\\Windows\\CurrentVersion\\UnreadMail
+
NTUSER\\Software\\Microsoft\\Windows\\Shell\\Bags\\1\\Desktop
+
NTUSER\\Software\\Nico Mak Computing\\WinZip
+
NTUSER\\Software\\ORL\\VNCHooks\\Application_Prefs
+
NTUSER\\Software\\ORL\\VNCviewer\\MRUSoftware\\RealVNC\\VNCViewer4\\MRU
+
NTUSER\\Software\\Piriform\\CCleaner
+
NTUSER\\Software\\Privoxy
+
NTUSER\\Software\\RealNetworks\\RealPlayer\\6.0\\Preferences
+
NTUSER\\Software\\RealVNC\\VNCViewer4\\MRU
+
NTUSER\\Software\\SimonTatham\\PuTTY\\SshHostKeys
+
NTUSER\\Software\\Skype
+
NTUSER\\Software\\SmartLine Vision\\aports
+
NTUSER\\Software\\SysInternals
+
NTUSER\\Software\\Sysinternals\\RootkitRevealer
+
NTUSER\\Software\\VMware
+
NTUSER\\Software\\WinRAR\\ArcHistory
+
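Review bot: "The cache is stored in multiple:" in the Cache files section is missing its noun (files). The file types table also carries an empty row between values 4 and 6 (the two bare "|" cells after "| 4096 byte block data file"), so either the value 5 entry should be filled in or the row dropped; in the examples table "1 block of size" should read "block size of 1 block", and "Mac OS  X" has a doubled space. Both "File header" subsections are bare "*TODO*" placeholders, which MediaWiki renders as a bullet item rather than italics. On the Windows 7 side, several registry paths look like two list items run together, e.g. "SAM\\SAM\\Domains\\Account\\UsersSAM\\Domains\\Builtin\\Aliases" and "NTUSER\\Software\\Microsoft\\Office\\14.0Software\\Microsoft\\Office\\14.0", and "NTUSER\\Control Panel\\don\" is cut off; those entries should be split or restored from the page history before the list is relied on.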

Revision as of 04:43, 22 June 2014


Cache files

The cache is stored in multiple files:

{| class="wikitable"
|-
! Filename
! Description
|-
| index
| The index file
|-
| data_#
| Data block files
|-
| f_######
| (Separate) data stream file
|}

Cache address

The cache address is 4 bytes in size and consists of the fields below. Offsets are given as byte.bit, so 3.4 means bit 4 of byte 3.

{| class="wikitable"
|-
! offset
! size
! value
! description
|-
| <i>If file type is 0 (Separate file)</i>
|
|
|
|-
| 0.0
| 28 bits
|
| File number <br> The value represents the value of # in f_######
|-
| <i>Else</i>
|
|
|
|-
| 0.0
| 16 bits
|
| Block number
|-
| 2.0
| 8 bits
|
| File number (or file selector) <br> The value represents the value of # in data_#
|-
| 3.0
| 2 bits
|
| Block size <br> The number of contiguous blocks, where 0 represents 1 block and 3 represents 4 blocks.
|-
| 3.2
| 2 bits
|
| Reserved
|-
| <i>Common</i>
|
|
|
|-
| 3.4
| 3 bits
|
| File type
|-
| 3.7
| 1 bit
|
| Initialized flag
|}

File types

{| class="wikitable"
|-
! Value
! Description
|-
| 0
| (Separate) data stream file
|-
| 1
| (Rankings) block data file (36 byte block data file)
|-
| 2
| 256 byte block data file
|-
| 3
| 1024 byte block data file
|-
| 4
| 4096 byte block data file
|-
| 6
| Unknown; seen on Mac OS X 0x6f430074
|}

Examples

{| class="wikitable"
|-
! Value
! Description
|-
| 0x00000000
| Not initialized
|-
| 0x8000002a
| Data stream file: f_00002a
|-
| 0xa0010003
| Block data file: data_1, block number 3, block size of 1 block
|}
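As an added example (not code from the ForensicsWiki page or from Chromium), the following Python decodes a cache address using the field layout and file types tables above and reproduces the three example values; the dictionary key names and the helper names are my own.

```python
import struct

# Block sizes in bytes per file type, from the file types table above.
# Type 0 is a separate f_###### stream file and has no block size.
BLOCK_SIZES = {1: 36, 2: 256, 3: 1024, 4: 4096}


def parse_cache_addr(addr):
    """Decode one 4-byte Chrome disk cache address given as an integer."""
    addr &= 0xFFFFFFFF
    info = {
        "raw": addr,
        "initialized": bool(addr >> 31),   # offset 3.7, 1 bit
        "file_type": (addr >> 28) & 0x7,   # offset 3.4, 3 bits
    }
    if not info["initialized"]:
        return info                        # e.g. 0x00000000
    if info["file_type"] == 0:
        # Separate data stream file: the low 28 bits are the # in f_######.
        file_number = addr & 0x0FFFFFFF
        info["file_number"] = file_number
        info["filename"] = "f_%06x" % file_number
    else:
        info["block_number"] = addr & 0xFFFF            # offset 0.0, 16 bits
        info["file_number"] = (addr >> 16) & 0xFF       # offset 2.0, 8 bits
        info["num_blocks"] = ((addr >> 24) & 0x3) + 1   # offset 3.0, 2 bits: 0 means 1 block
        info["reserved"] = (addr >> 26) & 0x3           # offset 3.2, 2 bits
        info["filename"] = "data_%d" % info["file_number"]
        block_size = BLOCK_SIZES.get(info["file_type"])  # None for unknown types (e.g. 6)
        info["block_size"] = block_size
        info["span_bytes"] = block_size * info["num_blocks"] if block_size else None
    return info


def parse_cache_addr_bytes(buf, offset=0):
    """Decode a cache address stored little-endian at `offset` in a byte buffer."""
    (addr,) = struct.unpack_from("<I", buf, offset)
    return parse_cache_addr(addr)


if __name__ == "__main__":
    # The three values from the examples table above.
    for value in (0x00000000, 0x8000002A, 0xA0010003):
        print("0x%08x -> %s" % (value, parse_cache_addr(value)))
```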

Index file format (index)

Overview:

  • File header
  • least recently used (LRU) data (or eviction control data)
  • index table

File header

TODO

Data block file format (data_#)

Overview:

  • File header
  • array of blocks

File header

TODO

Data stream

See: gzip

See Also

  • Google Chrome
  • gzip

External Links

  • Disk Cache, The Chromium Projects: http://www.chromium.org/developers/design-documents/network-stack/disk-cache