Java

From Forensics Wiki
Revision as of 13:53, 16 January 2013 by Keydet89 (Talk | contribs)

Jump to: navigation, search

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Java WebStart Cache

As of Java version 6 the Java WebStart Cache can be found in the following locations.

On Linux

/home/$USER/.java/deployment/cache/

On MacOS-X

/Users/$USER/Library/Caches/Java/cache/

On Windows XP

C:\Documents and Settings\%USERNAME%\Application Data\Sun\Java\Deployment\cache\

On Windows Vista and later

C:\Users\%USERNAME%\AppData\LocalLow\Sun\Java\Deployment\cache\

Caveat: The following information is based on analysis of several dozen *.idx files from different Windows 7 systems. As such, the following information should not be considered to have been exhaustively researched.

Analyzing several of the *.idx files (from Sun\Java\Deployment\cache\6.0\) in a hex editor indicates that information regarding the downloaded content starts at offset 0x80 in the *.idx files. The first two string values to extract from this data are prefaced with their lengths in 4-byte DWORDs, stored in big endian order. To get the first string, read the DWORD at offset 0x80, and translate it as a big endian value (in Perl, use unpack("N",$data)). Beginning at offset 0x84, the string is length characters long. At the end of that string, the next DWORD is the length of the second string, also in big endian format.

Following the end of the second string, there is a DWORD value which can be interpreted as a type value, of sorts, as for values of 2 or 7, the remaining data appears to follow a fairly regular pattern. For a value of 2, there appear to be 4 strings, and for a value of 7, there appear to be 14 strings. Each string is prefaced by a WORD (2-byte) value, in big endian format, which tells us how long each string is...using this information, it is a fairly straightforward process to parse through the information.

In many cases, the type values of 2 include an HTTP Response code of 302; the values of 7 include a response of 200, and the *.idx files themselves appear to contain certificate (and perhaps other) information.

External Links