Difference between pages "Main Page" and "Chrome Disk Cache Format"

From ForensicsWiki
m (WIKI NEWS)
 
 
Line 1: Line 1:
<div style="margin-top:0.5em; padding:0.5em 0.5em 0.5em 0.5em; background-color:#faf0ff; align:right; border:1px solid #ddccff;">
+
{{expand}}
This is the '''Forensics Wiki''', a [http://creativecommons.org/licenses/by-sa/2.5/ Creative Commons]-licensed [http://en.wikipedia.org/wiki/Wiki wiki] devoted to information about [[digital forensics]] (also known as computer forensics). We currently list a total of [[Special:Allpages|{{NUMBEROFARTICLES}}]] pages.
+
 
+
Much of [[computer forensics]] is focused on the [[tools]] and [[techniques]] used by [[investigator]]s, but there are also a number of important [[papers]], [[people]], and [[organizations]] involved. Many of those organizations sponsor [[Upcoming_events|conferences]] throughout the year and around the world. You may also wish to examine the popular [[journals]] and some special [[reports]].
+
</div> 
+
  
 +
== Cache files ==
 +
The cache is stored in multiple:
 +
{| class="wikitable"
 +
|-
 +
! Filename
 +
! Description
 +
|-
 +
| index
 +
| The index file
 +
|-
 +
| data_#
 +
| Data block files
 +
|-
 +
| f_######
 +
| (Separate) data stream file
 +
|}
  
==WIKI NEWS==
+
== Cache address ==
2013-MAR-18: We have moved to a new server on hostgator. Account creation is still manual.
+
The cache address is 4 bytes in size and consists of:  
 
+
{| class="wikitable"
{| width="100%"
+
 
|-
 
|-
| width="60%" style="vertical-align:top" |
+
! offset
<!-- Selected Forensics Research -->  
+
! size
<div style="margin-top:0.5em; border:2px solid #ff0000; padding:0.5em 0.5em 0.5em 0.5em; background-color:#ffff99; align:center; border:1px solid #ddccff;">
+
! value
<h2 style="margin:0; background-color:#ffff33; font-size:120%; font-weight:bold; border:1px solid #afa3bf; text-align:left; color:#000; padding-left:0.4em; padding-top:0.2em; padding-bottom:0.2em;"> Featured Forensic Research </h2>
+
! description
 
+
|-
<small>Jan 2013</small>
+
| <i>If file type is 0 (Separate file)</i>
<bibtex>
+
|
@article{young:distinct,
+
|
title="Distinct Sector hashing for Target Detection",
+
|
author="Joel Young and Kristina Foster and Simson Garfinkel and Kevin Fairbanks",
+
|-
year=2012,
+
| 0.0
month=Dec,
+
| 28 bits
journal="IEEE Computer"
+
|
}
+
| File number <br> The value represents the value of # in f_######
</bibtex>
+
|-
Using an alternative approach to traditional file hashing, digital forensic investigators can hash individually sampled subject drives on sector boundaries and then check these hashes against a prebuilt database, making it possible to process raw media without reference to the underlying file system.
+
| <i>Else</i>
 
+
|
(See also [[Past Selected Articles]])
+
|
 
+
|
| width="40%" style="vertical-align:top" |
+
|-
 
+
| 0.0
<div style="margin-top:0.5em; border:2px solid #00ff00; padding:0.5em 0.5em 0.5em 0.5em; background-color:#ffeeff; align:center; border:1px solid #ffccff;">
+
| 16 bits
<h2 style="margin:0; background-color:#ffff33; font-size:120%; font-weight:bold; border:1px solid #afa3bf; text-align:left; color:#000; padding-left:0.4em; padding-top:0.2em; padding-bottom:0.2em;"> Featured Article </h2>
+
|
;[[Forensic Linux Live CD issues]]
+
| Block number
:Forensic Linux Live CD distributions are widely used during computer forensic investigations. Currently, many vendors of such Live CD distributions state that their Linux do not modify the contents of hard drives or employ "write protection." Testing indicates that this may not always be the case. [[Forensic Linux Live CD issues|Read More...]]
+
|-
 +
| 2.0
 +
| 8 bits
 +
|
 +
| File number (or file selector) <br> The value represents the value of # in data_#
 +
|-
 +
| 3.0
 +
| 2 bits
 +
|
 +
| Block size <br> The number of contiguous blocks where 0 represents 1 block and 3 represents 4 blocks.
 +
|-
 +
| 3.2
 +
| 2 bits
 +
|
 +
| Reserved
 +
|-
 +
| <i>Common</i>
 +
|
 +
|
 +
|
 +
|-
 +
| 3.4
 +
| 3 bits
 +
|
 +
| File type
 +
|-
 +
| 3.7
 +
| 1 bit
 +
|
 +
| Initialized flag
 +
|}
  
 +
=== File types ===
 +
{| class="wikitable"
 +
|-
 +
! Value
 +
! Description
 +
|-
 +
| 0
 +
| (Separate) data stream file
 +
|-
 +
| 1
 +
| (Rankings) block data file (36 byte block data file)
 +
|-
 +
| 2
 +
| 256 byte block data file
 +
|-
 +
| 3
 +
| 1024 byte block data file
 +
|-
 +
| 4
 +
| 4096 byte block data file
 +
|-
 +
|
 +
|
 +
|-
 +
| 6
 +
| Unknown; seen on Mac OS  X 0x6f430074
 
|}
 
|}
  
 
+
==== Examples ====
<!-- This begins the two-column section -->
+
{| class="wikitable"
 
+
{| width="100%"
+
 
|-
 
|-
| width="60%" style="vertical-align:top" |
+
! Value
 +
! Description
 +
|-
 +
| 0x00000000
 +
| Not initialized
 +
|-
 +
| 0x8000002a
 +
| Data stream file: f_00002a
 +
|-
 +
| 0xa0010003
 +
| Block data file: data_1, block number 3, 1 block of size
 +
|}
  
<div style="margin-top:0.5em; padding:0.5em 0.5em 0.5em 0.5em; background-color:#eeeeff; align:right; border:1px solid #ddccff;">
+
== Index file format (index) ==
 +
Overview:
 +
* File header
 +
* least recently used (LRU) data (or eviction control data)
 +
* index table
  
<h2 style="margin:0; background-color:#ccccff; font-size:120%; font-weight:bold; border:1px solid #afa3bf; text-align:left; color:#000; padding-left:0.4em; padding-top:0.2em; padding-bottom:0.2em;">Topics</h2>
+
=== File header ===
 +
*TODO*
  
* '''[[File Analysis]]''':
+
== Data block file format (data_#) ==
** '''[[:Category:File Formats|File Formats]]''': [[PDF]], [[DOC]], [[DOCX]], [[JPEG]], [[GIF]], [[BMP]], [[LNK]], [[MP3]], [[AAC]], [[Thumbs.db]], ...
+
Overview:
** '''[[Forensic file formats]]''': [[AFF]], [[gfzip]], [[sgzip]], ...
+
* File header
* '''[[File Systems]]''': [[FAT]], [[NTFS]], [[ext2]]/[[ext3]], [[ufs]], [[ffs]], [[reiserfs]], ...
+
* array of blocks
** '''[[File Systems#Cryptographic_File_Systems|Cryptographic File Systems]]''': [[File Vault]], [[EFS]], [[CFS]], [[NCryptfs]], [[TCFS]], [[SFS]], ...
+
* '''[[Hardware]]''':
+
** '''[[Bus]]ses''': [[IDE]], [[SCSI]], [[Firewire]], [[USB]], ...
+
** '''[[Data storage media|Media]]''': [[RAM]], [[Hard Drive]]s, [[Memory Card]]s, [[SmartCard]]s, [[RFID]] Tags...
+
** '''[[Personal Digital Devices]]''': [[PDAs]], [[Cellphones]], [[SmartPhones]], [[Audio Devices]], ...
+
** '''[[Other Devices]]''': [[Printers]], [[Scanners]], ...
+
** '''[[Write Blockers]]''': ...
+
* '''Recovering data''': [[Recovering bad data|bad data]], [[Recovering deleted data|deleted data]], [[Recovering Overwritten Data|overwritten data]], [[Sanitization Standards]]
+
* [[Encryption]]
+
* [[GPS]]
+
* [[Forensic_corpora|Forensic Corpora]]
+
* [[Network forensics]]: [[OS fingerprinting]], [[Hidden channels]], [[Proxy server|Proxy servers]]
+
* [[Steganography]], [[Steganalysis]]
+
* '''[[Metadata]]:''' [[MAC times]], [[ACLs]], [[Email Headers]], [[Exif]], [[ID3]], [[OLE-2]], ...
+
* '''[[Legal issues]]:''' [[Caselaw|Case law]]
+
* '''Further information:''' [[Books]], [[Papers]], [[Reports]], [[Journals]], [[Websites]], [[Blogs]], [[Mailing lists]], [[Organizations]], [[Vendors]], [[Conferences]]
+
</div>
+
  
 +
=== File header ===
 +
*TODO*
  
 +
== Data stream ==
 +
See: [[gzip]]
  
| width="40%" style="vertical-align:top" |
+
== See Also ==
 
+
* [[Google Chrome]]
<!-- Tools -->
+
* [[gzip]]
<div style="margin-top:0.5em; padding:0.5em 0.5em 0.5em 0.5em; background-color:#e0ffe0; align:right; border:1px solid #ddccff;">
+
 
+
<h2 style="margin:0; background-color:#ccffcc; font-size:120%; font-weight:bold; border:1px solid #afa3bf; text-align:left; color:#000000; padding-left:0.4em; padding-top:0.2em; padding-bottom:0.2em;">[[Tools]]</h2>
+
 
+
* '''[[:Category:Disk Imaging|Disk Imaging]]''': [[dd]], [[dc3dd]], [[dcfldd]], [[dd_rescue]], [[sdd]], [[aimage]], [[Blackbag]], ...
+
* '''[[Tools:Data Recovery|Data Recovery]]''': ...
+
* '''[[Tools#Disk_Analysis_Tools|Disk Analysis]]''': [[EnCase]], [[SMART]], [[Sleuthkit]], [[foremost]], [[Scalpel]], [[frag_find]]...
+
* '''[[Tools#Forensics_Live_CDs|Live CDs]]''': [[DEFT Linux]], [[Helix]] ([[Helix3 Pro|Pro]]), [[FCCU Gnu/Linux Boot CD]], [[Knoppix STD]], ...
+
* '''[[Tools:Document Metadata Extraction|Metadata Extraction]]''': [[wvWare]], [[jhead]], [[Hachoir | hachoir-metadata]], ...
+
* '''[[Tools:File Analysis|File Analysis]]''': [[file]], [[ldd]], [[ltrace]], [[strace]], [[strings]], ...
+
* '''[[Tools:Network_Forensics|Network Forensics]]''': [[Snort]],  [[Wireshark]], [[Kismet]],  [[NetworkMiner]]...
+
* '''[[:Category:Anti-forensics tools|Anti-Forensics]]''': [[Slacker]], [[Timestomp]], [[wipe]], [[shred]], ...
+
* '''[[Tools#Other_Tools|Other Tools]]''': [[biew]], [[hexdump]], ...
+
</div>
+
 
+
<div style="margin-top:0.5em; padding:0.5em 0.5em 0.5em 0.5em; background-color:#c0ffff; align:right; border:1px solid #ddccff;">
+
 
+
<h2 style="margin:0; background-color:#99ffff; font-size:120%; font-weight:bold; border:1px solid #afa3bf; text-align:left; color:#000000; padding-left:0.4em; padding-top:0.2em; padding-bottom:0.2em;">[[:Category:Top-Level|Categories]]</h2>
+
 
+
The contents of this wiki are organized into various [[:Category:Top-Level|categories]]:
+
 
+
* [[:Category:Tools|Tools]]
+
* [[:Category:Disk file systems|Disk file systems]]
+
* [[:Category:File Formats|File Formats]]
+
* [[:Category:Howtos|Howtos]]
+
* [[:Category:Licenses|Licenses]]
+
* [[:Category:Operating systems|Operating systems]]
+
* [[:Category:People|People]]
+
* [[:Category:Bibliographies|Bibliographies]]
+
 
+
</div>
+
 
+
 
+
|}
+
 
+
<div style="margin-top:0.5em; padding:0.5em 0.5em 0.5em 0.5em; background-color:#faf0ff; align:right; border:1px solid #ddccff;">
+
'''You can help!'''  We have a list of [[:Category:Articles_that_need_to_be_expanded|articles that need to be expanded]]. If you know anything about any of these topics, please feel free to chip in.
+
</div>
+
+
 
+
  
 +
== External Links ==
 +
* [http://www.chromium.org/developers/design-documents/network-stack/disk-cache Disk Cache], The Chromium Projects
  
__NOTOC__
+
[[Category:File Formats]]
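
Review bot: In the Examples table the row for 0xa0010003 ends at "1 block of size" without stating the size, so the description should be completed. The File types table also carries an empty row between values 4 and 6; either document value 5 or drop the blank row. Both "File header" sections contain only "*TODO*", and since the page keeps the {{expand}} marker it would help to say there which structures are still undocumented.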

Revision as of 03:43, 22 June 2014


Cache files

The cache is stored in multiple files:

Filename   Description
index      The index file
data_#     Data block files
f_######   (Separate) data stream file

Cache address

The cache address is 4 bytes in size and consists of:

offset  size     value  description
If file type is 0 (Separate file)
0.0     28 bits         File number; the value represents the value of # in f_######
Else
0.0     16 bits         Block number
2.0     8 bits          File number (or file selector); the value represents the value of # in data_#
3.0     2 bits          Block size; the number of contiguous blocks, where 0 represents 1 block and 3 represents 4 blocks
3.2     2 bits          Reserved
Common
3.4     3 bits          File type
3.7     1 bit           Initialized flag

File types

Value  Description
0      (Separate) data stream file
1      (Rankings) block data file (36 byte block data file)
2      256 byte block data file
3      1024 byte block data file
4      4096 byte block data file
6      Unknown; seen on Mac OS X 0x6f430074

Examples

Value       Description
0x00000000  Not initialized
0x8000002a  Data stream file: f_00002a
0xa0010003  Block data file: data_1, block number 3, 1 block of size
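
Added example (not part of the wiki page): a Python decoder for the 4-byte cache address that follows the offset and file type tables above. It assumes the value is stored little-endian, as the byte.bit offsets imply; the names `CacheAddress` and `decode_cache_address` are chosen here for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Bytes per block for each block-file type, from the "File types" table.
BLOCK_SIZES = {1: 36, 2: 256, 3: 1024, 4: 4096}


@dataclass
class CacheAddress:
    raw: int
    initialized: bool
    file_type: int
    filename: Optional[str] = None      # f_###### or data_#
    block_number: Optional[int] = None
    block_count: Optional[int] = None   # contiguous blocks, 1..4
    block_size: Optional[int] = None    # bytes per block
    reserved: int = 0                   # non-zero deserves a closer look
    note: str = ""


def decode_cache_address(data: bytes) -> CacheAddress:
    """Decode one 4-byte cache address as read from disk (little-endian)."""
    if len(data) != 4:
        raise ValueError("a cache address is exactly 4 bytes")
    (raw,) = struct.unpack("<I", data)
    addr = CacheAddress(raw=raw,
                        initialized=bool(raw >> 31),      # offset 3.7, 1 bit
                        file_type=(raw >> 28) & 0x7)      # offset 3.4, 3 bits
    if not addr.initialized:
        addr.note = "not initialized"
        return addr
    if addr.file_type == 0:
        # Separate file: the low 28 bits are the hex number in f_######.
        addr.filename = "f_%06x" % (raw & 0x0FFFFFFF)
        return addr
    if addr.file_type not in BLOCK_SIZES:
        addr.note = "file type not described on this page"
        return addr
    addr.block_number = raw & 0xFFFF                      # offset 0.0, 16 bits
    addr.filename = "data_%d" % ((raw >> 16) & 0xFF)      # offset 2.0, 8 bits
    addr.block_count = ((raw >> 24) & 0x3) + 1            # offset 3.0, 2 bits
    addr.reserved = (raw >> 26) & 0x3                     # offset 3.2, 2 bits
    addr.block_size = BLOCK_SIZES[addr.file_type]
    return addr
```
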

Index file format (index)

Overview:

  • File header
  • least recently used (LRU) data (or eviction control data)
  • index table

File header

  • TODO

Data block file format (data_#)

Overview:

  • File header
  • array of blocks

File header

  • TODO

Data stream

See: gzip

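See Also

  • Google Chrome
  • gzip

External Links

  • Disk Cache, The Chromium Projects: http://www.chromium.org/developers/design-documents/network-stack/disk-cache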