From ForensicsWiki
Revision as of 14:41, 16 January 2013 by Keydet89 (Talk | contribs) (Java WebStart Cache)

Jump to: navigation, search

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Java WebStart Cache

As of Java version 6 the Java WebStart Cache can be found in the following locations.

On Linux


On MacOS-X


On Windows XP

C:\Documents and Settings\%USERNAME%\Application Data\Sun\Java\Deployment\cache\

On Windows Vista and later


Analyzing several of the *.idx files (from Sun\Java\Deployment\cache\6.0\) in a hex editor indicates that information regarding the downloaded content starts at offset 0x80 in the *.idx files. The first two string values to extract from this data are prefaced with their lengths in 4-byte DWORDs, stored in big endian order. To get the first string, read the DWORD at offset 0x80, and translate it as a big endian value (in Perl, use unpack("N",$data)). Beginning at offset 0x84, the string is length characters long. At the end of that string, the next DWORD is the length of the second string, also in big endian format.

External Links