
Difference between pages "Windows 7" and "Chrome Disk Cache Format"

From ForensicsWiki
= Windows 7 =

== File Structure ==

File systems are covered separately.

== SSD ==

Per MS [http://support.microsoft.com/kb/2727880 KB2727880], when Windows 7 is installed on a system with an SSD drive, automatic defragmentation and SuperFetch/prefetching are disabled. For an examiner this means the Prefetch directory may be empty or stale on such a system, so the absence of Prefetch files is not by itself a sign of tampering.

Further, [http://technet.microsoft.com/en-us/magazine/ff356869.aspx this TechNet post] states:

<i>Since ReadyBoost will not provide a performance gain when the primary disk is an SSD, Windows 7 disables ReadyBoost when reading from an SSD drive.</i>

== Jump Lists ==

[[Jump Lists]] are Task Bar artifacts first introduced on Windows 7 (and also available on Windows 8).

== Registry ==

The [[Windows_Registry]] remains a central component of the Windows 7 operating system.

== Known keys of forensic interest ==

Paths are given relative to the hive they live in: SAM and Security are the SAM and SECURITY hives in %SystemRoot%\System32\config, NTUSER is the per-user NTUSER.DAT in the user's profile directory.

'''SAM Registry'''

* SAM\SAM\Domains\Account\Users
* SAM\SAM\Domains\Builtin\Aliases

'''Security Registry'''

* Security\Policy\PolAcDmS
* Security\Policy\PolPrDmS
* Security\Policy\PolAdtEv
* Security\Policy\Secrets

'''NTUSER Registry'''

* NTUSER\Control Panel\Desktop
* NTUSER\Control Panel\don\
* NTUSER\Environment
* NTUSER\Network
* NTUSER\Printers\Settings\Wizard\ConnectMRU
* NTUSER\Software
* NTUSER\Software\Adobe\Acrobat Reader
* NTUSER\Software\Ahead
* NTUSER\Software\America Online\AOL Instant Messenger (TM)\CurrentVersion\Users
* NTUSER\Software\Ares
* NTUSER\Software\bindshell.net\Odysseus
* NTUSER\Software\Blizzard Entertainment\Warcraft III\String
* NTUSER\Software\Cain\Settings
* NTUSER\Software\DECAFme
* NTUSER\Software\Google\Google Toolbar\4.0\whitelist
* NTUSER\Software\Google\NavClient\1.1\History
* NTUSER\Software\JavaSoft\Java Update\Policy\JavaFX
* NTUSER\Software\JavaSoft\Prefs\haven
* NTUSER\Software\Microsoft
* NTUSER\Software\Microsoft\Command Processor
* NTUSER\Software\Microsoft\Dependency Walker\Recent File List
* NTUSER\Software\Microsoft\IntelliPoint\AppSpecific
* NTUSER\Software\Microsoft\Internet Account Manager\Accounts
* NTUSER\Software\Microsoft\Internet Explorer\Main
* NTUSER\Software\Microsoft\Internet Explorer\Main\WindowsSearch
* NTUSER\Software\Microsoft\Internet Explorer\Settings
* NTUSER\Software\Microsoft\Internet Explorer\TypedURLs
* NTUSER\Software\Microsoft\Internet Explorer\TypedURLsTime
* NTUSER\Software\Microsoft\MediaPlayer\Player\RecentFileList
* NTUSER\Software\Microsoft\Microsoft Management Console\Recent File List
* NTUSER\Software\Microsoft\Multimedia\Other
* NTUSER\Software\Microsoft\CTF\LangBarAddIn
* NTUSER\Software\Microsoft\Office
* NTUSER\Software\Microsoft\Office\14.0
* NTUSER\Software\Microsoft\PIMSRV
* NTUSER\Software\Microsoft\Search Assistant\ACMru
* NTUSER\Software\Microsoft\Snapshot Viewer\Recent File List
* NTUSER\Software\Microsoft\Terminal Server Client\Default
* NTUSER\Software\Microsoft\Terminal Server Client\Servers
* NTUSER\Software\Microsoft\User Location Service\Client
* NTUSER\Software\Microsoft\Windows Live Contacts\Database
* NTUSER\Software\Microsoft\Windows Live Mail
* NTUSER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted
* NTUSER\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
* NTUSER\Software\Microsoft\Windows NT\CurrentVersion\PrinterPorts
* NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows
* NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
* NTUSER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\0a0d020000000000c000000000000046
* NTUSER\Software\Microsoft\Windows\CurrentVersion
* NTUSER\Software\Microsoft\Windows\CurrentVersion\App Management\ARPCache
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Applets
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComDlg32
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\ControlPanel
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Map Network Drive MRU
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\PublishingWizard\AddNetworkPlace\AddNetPlace\LocationMRU
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RecentDocs
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\RunMRU
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\StreamMRU
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\TypedPaths
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\Wallpaper\MRU
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Explorer\WordWheelQuery
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{8AD9C840-044E-11D1-B3E9-00805F499D93}
* NTUSER\Software\Microsoft\Windows\CurrentVersion\FileHistory
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
* NTUSER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
* NTUSER\Software\Microsoft\Windows\CurrentVersion\UFH\SHC
* NTUSER\Software\Microsoft\Windows\CurrentVersion\UnreadMail
* NTUSER\Software\Microsoft\Windows\Shell\Bags\1\Desktop
* NTUSER\Software\Nico Mak Computing\WinZip
* NTUSER\Software\ORL\VNCHooks\Application_Prefs
* NTUSER\Software\ORL\VNCviewer\MRU
* NTUSER\Software\Piriform\CCleaner
* NTUSER\Software\Privoxy
* NTUSER\Software\RealNetworks\RealPlayer\6.0\Preferences
* NTUSER\Software\RealVNC\VNCViewer4\MRU
* NTUSER\Software\SimonTatham\PuTTY\SshHostKeys
* NTUSER\Software\Skype
* NTUSER\Software\SmartLine Vision\aports
* NTUSER\Software\SysInternals
* NTUSER\Software\Sysinternals\RootkitRevealer
* NTUSER\Software\VMware
* NTUSER\Software\WinRAR\ArcHistory

= Chrome Disk Cache Format =

Revision as of 08:43, 22 June 2014

{{expand}}
== Cache files ==

The cache is stored in multiple files:

{| class="wikitable"
|-
! Filename
! Description
|-
| index
| The index file
|-
| data_#
| Data block files; # is the file selector from the cache address, written in decimal
|-
| f_######
| (Separate) data stream file; ###### is the file number from the cache address, written as six hexadecimal digits
|}

== Cache address ==

The cache address is a 32-bit value, 4 bytes in size, stored little-endian on disk; the offsets below are given as byte.bit within that value. An address whose initialized flag is clear (0x00000000 in practice) does not point at anything. The address consists of:

{| class="wikitable"
|-
! offset
! size
! value
! description
|-
| <i>If file type is 0 (Separate file)</i>
|
|
|
|-
| 0.0
| 28 bits
|
| File number <br> The value represents the value of # in f_######
|-
| <i>Else</i>
|
|
|
|-
| 0.0
| 16 bits
|
| Block number
|-
| 2.0
| 8 bits
|
| File number (or file selector) <br> The value represents the value of # in data_#
|-
| 3.0
| 2 bits
|
| Block size <br> The number of contiguous blocks, where 0 represents 1 block and 3 represents 4 blocks.
|-
| 3.2
| 2 bits
|
| Reserved
|-
| <i>Common</i>
|
|
|
|-
| 3.4
| 3 bits
|
| File type
|-
| 3.7
| 1 bit
|
| Initialized flag
|}

=== File types ===

The file type selects the file the address refers to and, for block data files, the size of the blocks that the block number counts.

{| class="wikitable"
|-
! Value
! Description
|-
| 0
| (Separate) data stream file
|-
| 1
| (Rankings) block data file (36 byte block data file)
|-
| 2
| 256 byte block data file
|-
| 3
| 1024 byte block data file
|-
| 4
| 4096 byte block data file
|-
| 6
| Unknown; seen on Mac OS X 0x6f430074
|}

==== Examples ====

{| class="wikitable"
|-
! Value
! Description
|-
| 0x00000000
| Not initialized
|-
| 0x8000002a
| Data stream file: f_00002a (initialized flag set, file type 0, file number 0x2a)
|-
| 0xa0010003
| Block data file: data_1 (file type 2, 256 byte blocks), block number 3, 1 contiguous block
|}
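As an added example (not part of this ForensicsWiki page and not Chromium's own code), the following Python decodes a cache address into the fields of the table above, names the file it points at, and reads the addressed blocks out of a data_# file. It assumes that the data_# file header is 8192 bytes long, a value this page does not give; the sample data_1 image and the marker bytes placed in its block 3 are constructed in the code.

```python
"""Decode Chrome disk cache addresses and read the blocks they point at."""
import io
import struct
from dataclasses import dataclass
from typing import BinaryIO, Optional

# Block sizes per file type, from the "File types" table. Type 0 is a separate
# f_ file, type 5 is not listed on the page and type 6 is unknown, so none of
# those has an entry here.
BLOCK_SIZES = {1: 36, 2: 256, 3: 1024, 4: 4096}

# Assumption, not stated on this page: every data_# file begins with an
# 8192-byte header before its array of blocks. Override it in block_offset()
# or read_blocks() if the header turns out to be a different size.
BLOCK_FILE_HEADER_SIZE = 8192


@dataclass
class CacheAddr:
    raw: int
    initialized: bool
    file_type: int
    file_name: Optional[str] = None       # "f_######" or "data_#"
    file_number: Optional[int] = None     # file type 0 only
    file_selector: Optional[int] = None   # block files only: the # in data_#
    block_number: Optional[int] = None
    num_blocks: Optional[int] = None      # 1..4 contiguous blocks
    reserved: Optional[int] = None
    block_size: Optional[int] = None      # None when the type has no known size

    def block_offset(self, header_size: int = BLOCK_FILE_HEADER_SIZE) -> Optional[int]:
        """Byte offset of the first block inside data_#; None for f_ files or unknown types."""
        if self.block_size is None or self.block_number is None:
            return None
        return header_size + self.block_number * self.block_size

    def describe(self) -> str:
        """Same wording as the Examples table on the page."""
        if not self.initialized:
            return "Not initialized"
        if self.file_type == 0:
            return f"Data stream file: {self.file_name}"
        size = f"{self.block_size} byte blocks" if self.block_size else f"unknown file type {self.file_type}"
        plural = "s" if self.num_blocks != 1 else ""
        return (f"Block data file: {self.file_name} ({size}), "
                f"block number {self.block_number}, {self.num_blocks} block{plural}")


def parse_cache_addr(value: int) -> CacheAddr:
    """Split a 32-bit cache address into its fields (bit layout from the Cache address table)."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("cache address must be an unsigned 32-bit value")
    addr = CacheAddr(raw=value,
                     initialized=bool(value >> 31),      # byte 3, bit 7
                     file_type=(value >> 28) & 0x7)      # byte 3, bits 4-6
    if not addr.initialized:
        return addr
    if addr.file_type == 0:
        addr.file_number = value & 0x0FFFFFFF           # low 28 bits
        addr.file_name = f"f_{addr.file_number:06x}"
    else:
        addr.block_number = value & 0xFFFF              # bytes 0-1
        addr.file_selector = (value >> 16) & 0xFF       # byte 2
        addr.num_blocks = ((value >> 24) & 0x3) + 1     # byte 3, bits 0-1: 0 means 1 block
        addr.reserved = (value >> 26) & 0x3             # byte 3, bits 2-3
        addr.file_name = f"data_{addr.file_selector}"
        addr.block_size = BLOCK_SIZES.get(addr.file_type)
    return addr


def parse_cache_addr_bytes(buf: bytes) -> CacheAddr:
    """Decode an address as stored on disk: a little-endian uint32."""
    return parse_cache_addr(struct.unpack("<I", buf[:4])[0])


def read_blocks(data_file: BinaryIO, addr: CacheAddr,
                header_size: int = BLOCK_FILE_HEADER_SIZE) -> bytes:
    """Return the contiguous blocks an address points at inside an open data_# file."""
    offset = addr.block_offset(header_size)
    if offset is None:
        raise ValueError(f"{addr.describe()}: not a block address with a known block size")
    data_file.seek(offset)
    want = addr.num_blocks * addr.block_size
    got = data_file.read(want)
    if len(got) != want:
        raise ValueError(f"short read at offset {offset}: {len(got)} of {want} bytes")
    return got


def demo_data_file() -> io.BytesIO:
    """Constructed stand-in for data_1: assumed header, then 256-byte blocks, marker in block 3."""
    image = bytearray(BLOCK_FILE_HEADER_SIZE + 8 * 256)
    marker = b"constructed block 3 payload"
    start = BLOCK_FILE_HEADER_SIZE + 3 * 256
    image[start:start + len(marker)] = marker
    return io.BytesIO(bytes(image))


if __name__ == "__main__":
    for raw in (0x00000000, 0x8000002A, 0xA0010003):
        print(f"0x{raw:08x}: {parse_cache_addr(raw).describe()}")
    addr = parse_cache_addr_bytes(b"\x03\x00\x01\xa0")   # 0xa0010003 as it sits on disk
    print(read_blocks(demo_data_file(), addr)[:27])
```

Run stand-alone it prints the three addresses from the table and the marker recovered from the constructed data_1; against a real cache, open the data_# file in binary mode and pass it together with an address taken from the index or from a rankings block. Type 6 addresses decode but refuse to be read, since the page gives no block size for them.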

== Index file format (index) ==

Overview:

* File header
* least recently used (LRU) data (or eviction control data)
* index table

=== File header ===

<i>TODO</i>

== Data block file format (data_#) ==

Overview:

* File header
* array of blocks

=== File header ===

<i>TODO</i>

== Data stream ==

The data stream holds the cached response body as it was received from the server; a body that was sent with gzip content encoding is stored still compressed, so inflate it before inspecting the content. See: [[gzip]]

== See Also ==

* [[Google Chrome]]
* [[gzip]]

== External Links ==

* [http://www.chromium.org/developers/design-documents/network-stack/disk-cache Disk Cache], The Chromium Projects

[[Category:File Formats]]