Difference between revisions of "Java"

From Forensics Wiki
(Java WebStart Cache)
(Java WebStart Cache)
Line 24: Line 24:
 
</pre>
 
</pre>
  
Analyzing several of the *.idx files (from Sun\Java\Deployment\cache\6.0\) in a hex editor indicates that information regarding the downloaded content starts at offset 0x80 in the *.idx files.  The first two string values to extract from this data are prefaced with their lengths in 4-byte DWORDs, stored in big endian order.  To get the first string, read the DWORD at offset 0x80, and translate it as a big endian value (in Perl, use unpack("N",$data)).  Beginning at offset 0x84, the string is <i>length</i> characters long.  At the end of that string, the next DWORD is the length of the second string, also in big endian format.
+
Analyzing several of the *.idx files (from Sun\Java\Deployment\cache\6.0\) in a hex editor indicates that information regarding the downloaded content starts at offset 0x80 in the *.idx files.  The first two string values to extract from this data are prefaced with their lengths in 4-byte DWORDs, stored in big endian order.  To get the first string, read the DWORD at offset 0x80, and translate it as a big endian value (in Perl, use <i>unpack("N",$data)</i>).  Beginning at offset 0x84, the string is <i>length</i> characters long.  At the end of that string, the next DWORD is the length of the second string, also in big endian format.
  
 
== External Links ==
 
== External Links ==
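
Review bot: in the added line, the Perl call unpack("N",$data) is wrapped in <i>, which italicizes a code literal; <code> or <tt> would set it apart as something to type and keep the quotes unambiguous. The paragraph also still does not say what the two length-prefixed strings contain, which would be worth documenting while this text is being touched.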

Revision as of 13:41, 16 January 2013


Java WebStart Cache

As of Java version 6, the Java WebStart Cache can be found in the following locations.

On Linux

/home/$USER/.java/deployment/cache/

On Mac OS X

/Users/$USER/Library/Caches/Java/cache/

On Windows XP

C:\Documents and Settings\%USERNAME%\Application Data\Sun\Java\Deployment\cache\

On Windows Vista and later

C:\Users\%USERNAME%\AppData\LocalLow\Sun\Java\Deployment\cache\

Analyzing several of the *.idx files (from Sun\Java\Deployment\cache\6.0\) in a hex editor indicates that the information about the downloaded content starts at offset 0x80 in each *.idx file. The first two string values to extract from this data are each prefixed with their length, stored as a 4-byte DWORD in big-endian order. To get the first string, read the DWORD at offset 0x80 and interpret it as a big-endian value (in Perl, use unpack("N",$data)); call this value length. The string begins at offset 0x84 and is length characters long. Immediately after the end of that string, the next DWORD is the length of the second string, also in big-endian format.
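
The layout described above can be read with a short parser. This is an added example, not code from the wiki; the function names, the UTF-8 decoding and the sample bytes are assumptions made for illustration.

```python
import struct
from typing import Tuple

DATA_OFFSET = 0x80  # per the text: content information starts at this offset


class IdxParseError(ValueError):
    """Raised when the file is too short or a length prefix points past its end."""


def read_prefixed_string(data: bytes, offset: int) -> Tuple[str, int]:
    """Read a big-endian DWORD length, then that many bytes.

    Returns the decoded string and the offset of the byte following it.
    """
    if offset + 4 > len(data):
        raise IdxParseError(f"no room for a length DWORD at 0x{offset:x}")
    # ">I" is the struct equivalent of Perl's unpack("N", ...)
    (length,) = struct.unpack_from(">I", data, offset)
    start = offset + 4
    end = start + length
    if end > len(data):
        raise IdxParseError(f"length {length} at 0x{offset:x} runs past end of file")
    # Assumption: decode as UTF-8 and keep undecodable bytes visible as escapes
    return data[start:end].decode("utf-8", errors="backslashreplace"), end


def parse_idx_strings(data: bytes) -> Tuple[str, str]:
    """Extract the first two length-prefixed strings starting at offset 0x80."""
    first, next_offset = read_prefixed_string(data, DATA_OFFSET)
    second, _ = read_prefixed_string(data, next_offset)
    return first, second


def build_sample(first: bytes, second: bytes) -> bytes:
    """Constructed input: 0x80 filler bytes followed by two prefixed strings."""
    return (b"\x00" * DATA_OFFSET
            + struct.pack(">I", len(first)) + first
            + struct.pack(">I", len(second)) + second)


if __name__ == "__main__":
    # Constructed sample values, not taken from a real cache file
    sample = build_sample(b"first", b"second value")
    print(parse_idx_strings(sample))
```

The bounds checks matter on real evidence: a truncated or corrupted *.idx file otherwise yields a silently shortened string instead of an error.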

External Links