FAT

From ForensicsWiki

'''FAT''', or File Allocation Table, is a [[File Systems|file system]] that is designed to keep track of the allocation status of clusters on a [[hard drive]]. Developed in 1977 by [[Microsoft]] Corporation, FAT was originally intended to be a [[File Systems|file system]] for the Microsoft Disk BASIC interpreter. FAT was quickly incorporated into an early version of Tim Paterson's QDOS, a moniker for "Quick and Dirty Operating System". [[Microsoft]] later purchased the rights to QDOS and released it under Microsoft branding as PC-DOS and later MS-DOS.

== Structure ==

{| style="text-align:center;" cellpadding="3" border="1px"
| Boot sector
| More reserved<br/> sectors (optional)
| FAT #1
| FAT #2
| Root directory<br /> (FAT12/16 only)
| Data region<br /> (rest of disk)
|}

=== Boot Record ===

When a computer is powered on, a POST (power-on self test) is performed, and control is then transferred to the [[Master boot record]] ([[MBR]]). The [[MBR]] is present no matter what file system is in use, and contains information about how the storage device is logically partitioned. When using a FAT file system, the [[MBR]] hands off control of the computer to the Boot Record, which is the first sector on the partition. The Boot Record, which occupies a reserved area on the partition, contains executable code, in addition to information such as an OEM identifier, the number of FATs, the media descriptor (type of storage device), and information about the operating system to be booted. Once the Boot Record code executes, control is handed off to the operating system installed on that partition.

=== FATs ===

The primary task of the File Allocation Tables is to keep track of the allocation status of clusters, or logical groupings of sectors, on the disk drive. There are four different possible FAT entries: allocated (along with the address of the next cluster associated with the file), unallocated, end of file, and bad sector.

In order to provide redundancy in case of data corruption, two FATs, FAT1 and FAT2, are stored in the file system. FAT2 is typically a duplicate of FAT1. However, FAT mirroring can be disabled on a FAT32 drive, which allows any of the FATs to become the primary FAT. This can leave FAT1 empty, which can be deceiving.

=== Root Directory ===

The Root Directory, sometimes referred to as the Root Folder, contains an entry for each file and directory stored in the file system. This information includes the file name, starting cluster number, and file size, and it is changed whenever a file is created or subsequently modified. The root directory has a fixed size of 512 entries on a hard disk; on a floppy disk the size varies. With FAT32 it can be stored anywhere within the partition, although in previous versions it is always located immediately following the FAT region.

=== Data Area ===

The Boot Record, FATs, and Root Directory are collectively referred to as the System Area. The remaining space on the logical drive is called the Data Area, which is where files are actually stored. It should be noted that when a file is deleted by the operating system, the data stored in the Data Area remains intact until it is overwritten.

=== Clusters ===

In order for FAT to manage files with satisfactory efficiency, it groups sectors into larger blocks referred to as clusters. A cluster is the smallest unit of disk space that can be allocated to a file, which is why clusters are often called allocation units. Each cluster can be used by one and only one resident file. Only the data area is divided into clusters; the rest of the partition is simply sectors. Cluster size is determined by the size of the disk volume, and every file is allocated a whole number of clusters. Cluster sizing has a significant impact on performance and disk utilization. Larger cluster sizes result in more wasted space because files are less likely to fill their last cluster exactly.

The size of one cluster is specified in the Boot Record and can range from a single sector (512 bytes) to 128 sectors (65536 bytes). The sectors in a cluster are contiguous, therefore each cluster is a contiguous block of space on the disk. Note that only one file can be allocated to a cluster. Therefore if a 1KB file is placed within a 32KB cluster there are 31KB of wasted space. The formula for determining the number of clusters in a partition is ((# of Sectors in Partition) - (# of Sectors per FAT * 2) - (# of Reserved Sectors)) / (# of Sectors per Cluster).

=== Wasted Sectors ===

'''Wasted Sectors''' (a.k.a. '''partition [[slack]]''') are a result of the number of data sectors not being evenly divisible by the cluster size. They are made up of unused bytes left at the end of a file. Also, if the partition as declared in the partition table is larger than what is claimed in the Boot Record, the volume can be said to have wasted sectors. Small files on a hard drive are the reason for wasted space, and the bigger the hard drive the more wasted space there is.

=== FAT Entry Values ===

'''FAT12'''
* 0x000 (Free Cluster)
* 0x001 (Reserved Cluster)
* 0x002 - 0xFEF (Used cluster; value points to next cluster)
* 0xFF0 - 0xFF6 (Reserved values)
* 0xFF7 (Bad cluster)
* 0xFF8 - 0xFFF (Last cluster in file)

'''FAT16'''
* 0x0000 (Free Cluster)
* 0x0001 (Reserved Cluster)
* 0x0002 - 0xFFEF (Used cluster; value points to next cluster)
* 0xFFF0 - 0xFFF6 (Reserved values)
* 0xFFF7 (Bad cluster)
* 0xFFF8 - 0xFFFF (Last cluster in file)

'''FAT32'''
* 0x?0000000 (Free Cluster)
* 0x?0000001 (Reserved Cluster)
* 0x?0000002 - 0x?FFFFFEF (Used cluster; value points to next cluster)
* 0x?FFFFFF0 - 0x?FFFFFF6 (Reserved values)
* 0x?FFFFFF7 (Bad cluster)
* 0x?FFFFFF8 - 0x?FFFFFFF (Last cluster in file)

Note: FAT32 uses only 28 of the 32 bits in each entry; the upper 4 bits should be left alone. Typically these bits are zero, and they are represented above by a question mark (?).
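As an added example (not code from this wiki page), the following Python decodes FAT entries for all three variants using the value ranges above, follows a cluster chain while refusing loops, bad and free clusters (the failure cases a recovery tool must handle), applies the cluster-count formula from the Clusters section, and recognises the 0xE5 deletion marker discussed under Data Recovery. The FAT12 1.5-byte packing and the little-endian byte order of entries are taken from the FAT specification rather than from this page, and the sample tables are constructed.

```python
# Decode FAT12/16/32 allocation-table entries, walk a cluster chain safely,
# and apply the cluster-count formula from the Clusters section.

# Thresholds per variant, taken from the FAT Entry Values list above.
# FAT32 stores 32-bit entries but only the low 28 bits are significant.
FAT_LAYOUT = {
    12: {"mask": 0xFFF, "max_used": 0xFEF, "bad": 0xFF7, "eof": 0xFF8},
    16: {"mask": 0xFFFF, "max_used": 0xFFEF, "bad": 0xFFF7, "eof": 0xFFF8},
    32: {"mask": 0x0FFFFFFF, "max_used": 0x0FFFFFEF, "bad": 0x0FFFFFF7, "eof": 0x0FFFFFF8},
}

DELETED_MARKER = 0xE5  # first name byte of a directory entry once the file is deleted


def classify_entry(value, fat_bits):
    """Map a raw FAT entry to free/reserved/used/reserved_range/bad/eof."""
    lay = FAT_LAYOUT[fat_bits]
    v = value & lay["mask"]  # drop the 4 unused high bits on FAT32
    if v == 0:
        return "free"
    if v == 1:
        return "reserved"
    if v <= lay["max_used"]:
        return "used"  # the value is the next cluster in the chain
    if v == lay["bad"]:
        return "bad"
    if v >= lay["eof"]:
        return "eof"
    return "reserved_range"  # 0x?FFFFFF0 - 0x?FFFFFF6 and the 12/16-bit equivalents


def read_entry(fat, cluster, fat_bits):
    """Read the raw entry for `cluster` from the FAT bytes (little-endian on disk).
    FAT12 packs 1.5 bytes per entry: odd clusters use the high 12 bits of a word."""
    if fat_bits == 12:
        off = cluster + cluster // 2
        if off + 2 > len(fat):
            raise ValueError("cluster %d lies beyond the FAT" % cluster)
        word = fat[off] | (fat[off + 1] << 8)
        return (word >> 4) if cluster & 1 else (word & 0xFFF)
    width = fat_bits // 8
    off = cluster * width
    if off + width > len(fat):
        raise ValueError("cluster %d lies beyond the FAT" % cluster)
    return int.from_bytes(fat[off:off + width], "little")


def cluster_chain(fat, first_cluster, fat_bits):
    """Follow a file's chain up to its end-of-file marker. A loop, or a chain that
    runs into a free, bad or reserved entry, is reported instead of being read."""
    chain, seen, cluster = [], set(), first_cluster
    while True:
        if cluster in seen:
            raise ValueError("chain loops back to cluster %d" % cluster)
        seen.add(cluster)
        chain.append(cluster)
        value = read_entry(fat, cluster, fat_bits)
        kind = classify_entry(value, fat_bits)
        if kind == "eof":
            return chain
        if kind != "used":
            raise ValueError("cluster %d is marked %s, chain is broken" % (cluster, kind))
        cluster = value & FAT_LAYOUT[fat_bits]["mask"]


def count_clusters(total_sectors, sectors_per_fat, reserved_sectors,
                   sectors_per_cluster, root_dir_sectors=0, fat_copies=2):
    """Cluster-count formula from the Clusters section (two FATs by default).
    root_dir_sectors is an added term for FAT12/16, whose fixed-size root
    directory also sits outside the data area; leave it at 0 for FAT32."""
    data_sectors = (total_sectors - fat_copies * sectors_per_fat
                    - reserved_sectors - root_dir_sectors)
    return data_sectors // sectors_per_cluster


def is_deleted_entry(dir_entry):
    """A 32-byte directory entry whose first name byte is 0xE5 belongs to a deleted file."""
    return len(dir_entry) == 32 and dir_entry[0] == DELETED_MARKER


# Constructed sample FAT16: clusters 2->3->5->EOF, cluster 4 bad, 6 free, 7<->8 loop.
SAMPLE_FAT16 = b"".join(v.to_bytes(2, "little")
                        for v in [0xFFF8, 0xFFFF, 3, 5, 0xFFF7, 0xFFFF, 0, 8, 7])
# Constructed sample FAT12 (entries 0xFF0, 0xFFF, 0x003, 0xFFF): clusters 2->3->EOF.
SAMPLE_FAT12 = bytes([0xF0, 0xFF, 0xFF, 0x03, 0xF0, 0xFF])
# Constructed directory entry for a deleted "FILE.TXT": first name byte replaced by 0xE5.
SAMPLE_DELETED_ENTRY = bytes([DELETED_MARKER]) + b"ILE     TXT" + bytes(20)
```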
== Versions ==

There are three variants of FAT in existence: FAT12, FAT16, and FAT32.

=== FAT12 ===
* FAT12 is the oldest type of FAT and uses a 12-bit file allocation table entry.
* FAT12 can hold a maximum of 4,086 clusters (2<sup>12</sup> clusters minus a few values that are reserved for special use in the FAT).
* It is used for floppy disks and hard drive partitions that are smaller than 16 MB.
* All 1.44 MB 3.5" floppy disks are formatted using FAT12.
* The cluster size used is between 0.5 KB and 4 KB.

=== FAT16 ===
* It is called FAT16 because all entries are 16 bits wide.
* FAT16 can hold a maximum of 65,536 addressable units (2<sup>16</sup>).
* It is used for small and moderately sized hard disk volumes.
* The actual capacity is 65,525 clusters due to some reserved values.

=== FAT32 ===
FAT32 is the enhanced version of the FAT system implemented beginning with Windows 95 OSR2, Windows 98, and Windows Me.

Features include:
* Drives of up to 2 terabytes are supported ([[Windows]] 2000 only supports up to 32 gigabytes).
* Since FAT32 uses smaller clusters (of 4 kilobytes each), it uses hard drive space more efficiently. This is a 10 to 15 percent improvement over FAT or FAT16.
* The limitations of FAT or FAT16 on the number of root folder entries have been eliminated. In FAT32, the root folder is an ordinary cluster chain, and can be located anywhere on the drive.
* File allocation table mirroring can be disabled in FAT32. This allows a copy of the file allocation table other than the default to be active.

==== Limitations with [[Windows]] 2000 & [[Windows]] XP ====
* Clusters cannot be 64KB or larger.
* The cluster size cannot be decreased if that would result in the FAT being larger than 16 MB minus 64KB in size.
* Cannot contain fewer than 65,527 clusters.
* Maximum of 32KB per cluster.
* ''[[Windows]] XP'': The Windows XP installation program will not allow a user to format a drive of more than 32GB using the FAT32 file system. Using the installation program, the only way to format a disk greater than 32GB in size is to use NTFS. A disk larger than 32GB in size ''can'' be formatted with FAT32 for use with Windows XP if the system is booted from a Windows 98 or Windows ME startup disk, and formatted using the tool that will be on the disk.

=== exFAT (sometimes incorrectly called FAT64) ===
exFAT (also known as Extended File Allocation Table) is Microsoft's latest version of FAT and works with Windows Embedded CE 6.0, Windows XP/Server 2003 (with a KB patch), Vista/Server 2008 SP1 and later, and Windows 7.

Features include:
* Largest file size is 2<sup>64</sup> bytes (16 exabytes) vs. FAT32's maximum file size of 4GB.
* Has transaction support using Transaction-Safe Extended FAT File System (TexFAT). (Not released yet in Desktop/Server OS)
* Speeds up storage allocation processes by using free space bitmaps.
* Supports UTC timestamps (Vista/Server 2008 SP1 does not support UTC; UTC support came out with SP2).
* Maximum cluster size of 32MB (FAT32 is 32KB).
* Sector sizes from 512 bytes to 4096 bytes in size.
* Maximum supportable volume size of 128PB.
* Maximum subdirectory size of 256MB, which can support over 2 million files in a single subdirectory.
* Uses a bitmap for cluster allocation.
* Supports file permissions. (Not released yet in Desktop/Server OS)
* Has been selected as the exclusive file system of the SDXC memory card by the SD Association.

Although Microsoft has published some information on exFAT, there are more technical specifications available from third parties. For example, here is a [http://paradigmsolutions.files.wordpress.com/2009/12/exfat-excerpt-1-4.pdf detailed presentation on exFAT].
Another published technical paper that goes into the internals in great detail is in the SANS Reading Room: [http://www.sans.org/reading_room/whitepapers/forensics/rss/reverse_engineering_the_microsoft_exfat_file_system_33274 Reverse Engineering the Microsoft exFAT File System].

=== Comparison of FAT Versions ===

See the table at http://en.wikipedia.org/wiki/File_Allocation_Table for more detailed information about the various versions of FAT.

== Uses ==
Due to its low cost, mobility, and non-volatile nature, flash memory has quickly become the medium of choice for storing and transferring data in consumer electronic devices. The majority of flash memory storage is formatted using the FAT file system. In addition, FAT is also frequently used in electronic devices with miniature hard drives.

Examples of devices in which FAT is utilized include:

* [[USB]] thumb drives
* [[Digital camera|Digital cameras]]
* Digital camcorders
* Portable audio and video players
* Multifunction [[printers]]
* Electronic photo frames
* Electronic musical instruments
* Standard televisions
* [[PDAs]]

== Data Recovery ==
Recovering directory entries from FAT filesystems as part of [[recovering deleted data]] can be accomplished by looking for entries that begin with the byte 0xE5 (displayed as a sigma character). When a file or directory is deleted under a FAT filesystem, the first character of its name is changed to 0xE5. The remainder of the directory entry information remains intact.

The FAT pointers for each cluster used by the file are also changed to zero. Recovery tools look at the FAT to find the entry for the file. The location of the starting cluster will still be in the directory entry; it is not deleted or modified. The tool will go straight to that cluster and try to recover the file, using the file size to determine the number of clusters to recover. Some tools will go to the starting cluster and recover the next "X" number of clusters needed for the specific file size. However, this approach is not ideal. An ideal tool will locate "X" number of available clusters. Since files are most often fragmented, this is a more precise way to recover the file.

An issue arises when two files in the same run of clusters are deleted. If the clusters are not in sequential order, the tool will automatically receive "X" number of clusters. However, because the file was fragmented, it is most likely that not all of the clusters obtained will contain data for that file. If these two deleted files are in the same run of clusters, it is highly unlikely that the file can be recovered.

== File [[Slack]] ==
File [[slack]] is data that starts from the end of the file written and continues to the end of the sectors designated to the file. There are two types of file [[slack]], RAM slack and residual [[slack]]. RAM slack starts from the end of the file and goes to the end of that sector. Residual slack then starts at the next sector and goes to the end of the cluster allocated for the file. File slack is a helpful tool when analyzing a hard drive because the old data that is not overwritten by the new file is still intact. Go to http://www.pcguide.com/ref/hdd/file/partSizes-c.html for examples.

{| class="wikitable"
! Cluster !! Sample Slack Space, 50% Cluster Slack Per File !! Sample Slack Space, 67% Cluster Slack Per File
|-
| 2 kiB || 17 MB || 22 MB
|-
| 4 kiB || 33 MB || 44 MB
|-
| 8 kiB || 66 MB || 89 MB
|-
| 16 kiB || 133 MB || 177 MB
|-
| 32 kiB || 265 MB || 354 MB
|}

The table above shows that the larger the cluster size used, the more disk space is wasted due to slack. This suggests it is better to use smaller cluster sizes whenever possible.

== FAT Advantages ==
* Files are available to multiple operating systems on the same computer
* Easier to switch from FAT to [[NTFS]] than vice versa
* Performs faster on smaller volumes (< 10GB)
* Does not index files, which gives slightly higher performance
* Performs better with small cache sizes (< 96MB)
* More space-efficient on small volumes (< 4GB)
* Performs better with slow disks (< 5400RPM)

== FAT Disadvantages ==
* FAT has a fixed maximum number of clusters per partition, which means as the hard disk gets bigger the size of each cluster must increase, creating more slack space
* Doesn't natively support many abilities of [[NTFS]] such as on-the-fly compression, [[encryption]], or advanced security using access control lists
* [[NTFS]] is recommended by [[Microsoft]] for volumes larger than 32GB
* FAT slows down as the number of files on the disk increases
* FAT usually fragments files more
* FAT does not allow for indexing of files for faster searching
* FAT does not support user quotas
* FAT has minimal security features, including no access control list (ACL) capability

== See also ==
[[Media:Fatgen103.doc|Microsoft's FAT32 specification]]

== External links ==
* http://en.wikipedia.org/wiki/File_Allocation_Table
* http://www.microsoft.com
* http://www.ntfs.com
* http://www.ntfs.com/ntfs_vs_fat.htm
* http://support.microsoft.com/kb/q154997/#XSLTH3126121123120121120120
* http://www.dewassoc.com/kbase/hard_drives/boot_sector.htm
* http://home.teleport.com/~brainy/fat32.htm
* http://www2.tech.purdue.edu/cpt/courses/cpt499s/
* http://home.no.net/tkos/info/fat.html
* http://web.ukonline.co.uk/cook/fat32.htm
* http://www.ntfs.com/fat-systems.htm
* http://www.microsoft.com/whdc/system/platform/firmware/fatgen.mspx
* http://support.microsoft.com/kb/q140418

[[Category:Disk file systems]]

Java

From ForensicsWiki

Revision as of 15:18, 24 January 2013

== Java WebStart Cache ==

As of Java version 6 the Java WebStart Cache can be found in the following locations.

On Linux
<pre>
/home/$USER/.java/deployment/cache/
</pre>

On MacOS-X
<pre>
/Users/$USER/Library/Caches/Java/cache/
</pre>

On Windows XP
<pre>
C:\Documents and Settings\%USERNAME%\Application Data\Sun\Java\Deployment\cache\
</pre>

On Windows Vista and later
<pre>
C:\Users\%USERNAME%\AppData\LocalLow\Sun\Java\Deployment\cache\
</pre>

== IDX file format ==

Caveat: The following information is based on analysis of several dozen *.idx files from different Windows 7 systems. As such, it should not be considered to have been exhaustively researched.

Values are in big-endian.

<pre>
00000000  01 00 00 00 02 5b 00 00  00 00 1d c7 b4 00 00 01  |.....[..........|
00000010  1f 81 29 fe b8 00 00 00  00 00 00 00 00 00 00 01  |..).............|
00000020  2b 24 4a cb dd 01 00 00  00 00 00 00 00 00 00 00  |+$J.............|
00000030  00 00 00 00 00 00 00 00  01 2b 24 4a a4 cd 00 00  |.........+$J....|
00000040  01 2e 45 83 f4 18 00 00  00 00 00 00 00 00 00 01  |..E.............|
00000050  01 00 00 00 00 00 00 00  00 00 00 00 01 2b 24 4a  |.............+$J|
00000060  a4 cd 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
00000070  00 00 00 00 00 00 00 00  00 00 00 00 00 00 00 00  |................|
</pre>

The header (or section 1) is 128 bytes in size and contains:

{| class="wikitable"
! align="left"| Offset !! Size !! Value !! Description
|-
| 0 || 1 || || Busy (flag byte)
|-
| 1 || 1 || || Incomplete (flag byte)
|-
| 2 || 4 || 00 00 02 5b (603) || Format version
|-
| 6 || 1 || || Force update (flag byte)
|-
| 7 || 1 || || No-href (flag byte)
|-
| 8 || 1 || || Is shortcut image (flag byte)
|-
| 9 || 4 || || Content-Length
|-
| 13 || 8 || 00 00 01 1f 81 29 fe b8 || Last modification date (number of milliseconds since Jan 1, 1970 00:00:00)
|-
| 21 || 8 || || Expiration date (number of milliseconds since Jan 1, 1970 00:00:00); 0 if it does not expire?
|-
| 29 || 8 || 00 00 01 2b 24 4a cb dd || Validation timestamp (number of milliseconds since Jan 1, 1970 00:00:00)
|-
| 37 || 1 || || Known to be signed (flag byte)
|-
| 38 || 4 || || Size of section 2
|-
| 42 || 4 || || Size of section 3
|-
| 46 || 4 || || Size of section 4
|-
| 50 || 4 || || Size of section 5
|-
| 54 || 8 || 00 00 01 2b 24 4a a4 cd || Blacklist validation time (number of milliseconds since Jan 1, 1970 00:00:00)
|-
| 62 || 8 || 00 00 01 2e 45 83 f4 18 || Certificate expiration date (number of milliseconds since Jan 1, 1970 00:00:00)
|-
| 70 || 1 || || Class verification status
|-
| 71 || 4 || || Reduced manifest size
|-
| 75 || 4 || || section4Pre15Length?
|-
| 79 || 1 || || Has only signed entries (flag byte)
|-
| 80 || 1 || || Has single code source (flag byte)
|-
| 81 || 4 || || section4CertsLength?
|-
| 85 || 4 || || section4SignersLength?
|-
| 89 || 1 || || Has missing signed entries (flag byte)
|-
| 90 || 8 || 00 00 01 2b 24 4a a4 cd || Trusted libraries validation time (number of milliseconds since Jan 1, 1970 00:00:00)
|-
| 98 || 4 || || reducedManifest2Length?
|-
| 102 || 26 || || Unknown, empty values (likely reserved for future expansion of the header)
|}

The values present in the header depend on the version. The definition above is based on version 603 and is intended as an example; check the [https://github.com/woanware/javaidx/blob/master/Documents/Java.IDX.Format.pdf Java IDX Format Specification] for more complete and current information.

To convert a timestamp, e.g. in Python:

<pre>
>>> import datetime
>>> print(datetime.datetime(1970, 1, 1) + datetime.timedelta(milliseconds=0x011f8129feb8))
2009-02-16 22:17:07
</pre>

The data directly following the 128-byte header:

<pre>
00000080  00 00 00 39 68 74 74 70  3a 2f 2f 77 77 77 2e 74  |...9http://www.t|
00000090  6f 70 63 6f 64 65 72 2e  63 6f 6d 2f 63 6f 6e 74  |opcoder.com/cont|
000000a0  65 73 74 2f 63 6c 61 73  73 65 73 2f 43 6f 6e 74  |est/classes/Cont|
000000b0  65 73 74 41 70 70 6c 65  74 2e 6a 61 72           |estApplet.jar   |
</pre>

{| class="wikitable"
! align="left"| Offset !! Size !! Value !! Description
|-
| 128 || 2 || 00 00 || Version string size
|-
| 130 || 2 || 00 39 || Original URL string size
|-
| 132 || size || || Original URL string (UTF-8 without an end-of-string character?)
|}

<pre>
000000b0                                          00 00 00  |             ...|
000000c0  0c 36 36 2e 33 37 2e 32  31 30 2e 38 36 00 00 00  |.66.37.210.86   |
</pre>

{| class="wikitable"
! align="left"| Offset !! Size !! Value !! Description
|-
| ... || 2 || 00 00 || Namespace string size
|-
| ... || 2 || 00 0c || IP string size
|-
| ... || size || || IP string (UTF-8 without an end-of-string character?)
|}

<pre>
000000c0                                          00 00 00  |             ...|
000000d0  07 00 06 3c 6e 75 6c 6c  3e 00 0f 48 54 54 50 2f  |...<null>..HTTP/|
000000e0  31 2e 31 20 32 30 30 20  4f 4b 00 0e 63 6f 6e 74  |1.1 200 OK..cont|
000000f0  65 6e 74 2d 6c 65 6e 67  74 68 00 07 31 39 35 31  |ent-length..1951|
00000100  36 36 38 00 0d 6c 61 73  74 2d 6d 6f 64 69 66 69  |668..last-modifi|
00000110  65 64 00 1d 4d 6f 6e 2c  20 31 36 20 46 65 62 20  |ed..Mon, 16 Feb |
00000120  32 30 30 39 20 32 32 3a  31 37 3a 30 37 20 47 4d  |2009 22:17:07 GM|
00000130  54 00 0c 63 6f 6e 74 65  6e 74 2d 74 79 70 65 00  |T..content-type.|
00000140  18 61 70 70 6c 69 63 61  74 69 6f 6e 2f 6a 61 76  |.application/jav|
00000150  61 2d 61 72 63 68 69 76  65 00 04 64 61 74 65 00  |a-archive..date.|
00000160  1d 53 61 74 2c 20 31 38  20 53 65 70 20 32 30 31  |.Sat, 18 Sep 201|
00000170  30 20 31 30 3a 30 31 3a  30 36 20 47 4d 54 00 06  |0 10:01:06 GMT..|
00000180  73 65 72 76 65 72 00 06  41 70 61 63 68 65 00 1b  |server..Apache..|
00000190  64 65 70 6c 6f 79 2d 72  65 71 75 65 73 74 2d 63  |deploy-request-c|
000001a0  6f 6e 74 65 6e 74 2d 74  79 70 65 00 1a 61 70 70  |ontent-type..app|
000001b0  6c 69 63 61 74 69 6f 6e  2f 78 2d 6a 61 76 61 2d  |lication/x-java-|
000001c0  61 72 63 68 69 76 65 1f  8b 08 00 00 00 00 00 00  |archive.........|
...
</pre>

{| class="wikitable"
! align="left"| Offset !! Size !! Value !! Description
|-
| ... || 4 || || Number of header value pairs
|-
| ... || ... || || Array of header value pairs
|}

A value pair is variable in size and consists of:

{| class="wikitable"
! align="left"| Offset !! Size !! Value !! Description
|-
| 0 || 2 || || Header value identifier string size
|-
| 2 || size || || Header value identifier string
|-
| ... || 2 || || Header value string size
|-
| ... || size || || Header value string
|}

For the example above the size of the URL string can be found at offset 130 (0x82). The first 4 string values to extract from this data are prefaced with their lengths (or sizes) as 16-bit big-endian values. E.g. to retrieve the original URL string, read the WORD at offset 0x82 and interpret it as a big-endian value (e.g. using Perl, <i>unpack("n",$data)</i>). Beginning at offset 0x84, the string is 57 (0x39) bytes long. At the end of that string, the next WORD is the length of the third string, also in big-endian format.

Once you've completed reading the initial 4 strings, there is a DWORD value which can be interpreted as the number of header values, followed by the individual header value definitions. Each header value definition consists of an identifier and a value string. Both strings are prefaced by a 16-bit big-endian (2-byte) value containing the length of the string.

In many cases, the first header value contains the HTTP response code 302. Other header values (that have been observed so far) include a response of 200, as well as additional data (including time stamps), and the *.idx files themselves appear to contain certificate (and perhaps other) information.
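As an added example (not code from this wiki page or from the JDK's Cache.java), the following Python parses a version-603 *.idx entry exactly as laid out above: the 128-byte big-endian header, the four length-prefixed strings, and the HTTP header pairs, refusing truncated input and unknown format versions rather than misreading them. The field names are my own, and the sample input is constructed to reproduce the TopCoder entry shown in the hex dumps.

```python
# Parser for a Java cache *.idx entry in format version 603, following the
# layout on this page: 128-byte big-endian header, then four length-prefixed
# strings (version, URL, namespace, IP), then the cached HTTP header pairs.
import datetime
import struct

HEADER_SIZE = 128
JAVA_EPOCH = datetime.datetime(1970, 1, 1)

# (name, offset, size) for the version-603 header, copied from the table above.
HEADER_FIELDS = [
    ("busy", 0, 1), ("incomplete", 1, 1), ("format_version", 2, 4),
    ("force_update", 6, 1), ("no_href", 7, 1), ("is_shortcut_image", 8, 1),
    ("content_length", 9, 4), ("last_modified", 13, 8), ("expiration", 21, 8),
    ("validation", 29, 8), ("known_to_be_signed", 37, 1), ("section2_length", 38, 4),
    ("section3_length", 42, 4), ("section4_length", 46, 4), ("section5_length", 50, 4),
    ("blacklist_validation", 54, 8), ("cert_expiration", 62, 8),
    ("class_verification_status", 70, 1), ("reduced_manifest_length", 71, 4),
    ("section4_pre15_length", 75, 4), ("has_only_signed_entries", 79, 1),
    ("has_single_code_source", 80, 1), ("section4_certs_length", 81, 4),
    ("section4_signers_length", 85, 4), ("has_missing_signed_entries", 89, 1),
    ("trusted_libraries_validation", 90, 8), ("reduced_manifest2_length", 98, 4),
]
TIMESTAMP_FIELDS = ("last_modified", "expiration", "validation",
                    "blacklist_validation", "cert_expiration",
                    "trusted_libraries_validation")


def java_time(millis):
    """Milliseconds since 1970-01-01 00:00:00 -> naive UTC datetime; 0 means unset."""
    return None if millis == 0 else JAVA_EPOCH + datetime.timedelta(milliseconds=millis)


def parse_header(data):
    if len(data) < HEADER_SIZE:
        raise ValueError("file is shorter than the 128-byte header")
    header = {name: int.from_bytes(data[off:off + size], "big")
              for name, off, size in HEADER_FIELDS}
    if header["format_version"] != 603:
        # Field positions differ between versions; refuse rather than misread.
        raise ValueError("unsupported format version %d" % header["format_version"])
    return header


def read_string(data, pos):
    """16-bit big-endian length, then that many UTF-8 bytes (no terminator)."""
    if pos + 2 > len(data):
        raise ValueError("truncated length field at offset %d" % pos)
    (length,) = struct.unpack_from(">H", data, pos)
    end = pos + 2 + length
    if end > len(data):
        raise ValueError("string at offset %d runs past end of file" % pos)
    return data[pos + 2:end].decode("utf-8"), end


def parse_strings_and_headers(data, pos=HEADER_SIZE):
    """The four strings after the header, then count + (identifier, value) pairs."""
    entry = {}
    for name in ("version", "url", "namespace", "ip"):
        entry[name], pos = read_string(data, pos)
    if pos + 4 > len(data):
        raise ValueError("missing header-pair count at offset %d" % pos)
    (count,) = struct.unpack_from(">I", data, pos)
    pos += 4
    entry["headers"] = []
    for _ in range(count):
        key, pos = read_string(data, pos)
        value, pos = read_string(data, pos)
        entry["headers"].append((key, value))
    entry["end"] = pos  # the next section (gzip data in the dump above) starts here
    return entry


def parse_idx(data):
    header = parse_header(data)
    entry = parse_strings_and_headers(data)
    entry["header"] = header
    entry["times"] = {name: java_time(header[name]) for name in TIMESTAMP_FIELDS}
    return entry


def _pstr(text):
    raw = text.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw


def build_sample():
    """Constructed bytes reproducing the TopCoder applet entry in the hex dumps above."""
    values = {"busy": 1, "format_version": 603, "content_length": 1951668,
              "last_modified": 0x011F8129FEB8, "validation": 0x012B244ACBDD,
              "known_to_be_signed": 1, "blacklist_validation": 0x012B244AA4CD,
              "cert_expiration": 0x012E4583F418, "has_only_signed_entries": 1,
              "has_single_code_source": 1, "trusted_libraries_validation": 0x012B244AA4CD}
    header = bytearray(HEADER_SIZE)
    for name, off, size in HEADER_FIELDS:
        header[off:off + size] = values.get(name, 0).to_bytes(size, "big")
    pairs = [("<null>", "HTTP/1.1 200 OK"), ("content-length", "1951668"),
             ("last-modified", "Mon, 16 Feb 2009 22:17:07 GMT"),
             ("content-type", "application/java-archive"),
             ("date", "Sat, 18 Sep 2010 10:01:06 GMT"), ("server", "Apache"),
             ("deploy-request-content-type", "application/x-java-archive")]
    body = (_pstr("") + _pstr("http://www.topcoder.com/contest/classes/ContestApplet.jar")
            + _pstr("") + _pstr("66.37.210.86") + struct.pack(">I", len(pairs)))
    for key, value in pairs:
        body += _pstr(key) + _pstr(value)
    return bytes(header) + body
```

Feeding a real file is `parse_idx(open(path, "rb").read())`; the parsed `content_length` (0x1dc7b4 = 1951668) should agree with the cached `content-length` header, which is a cheap consistency check on an entry.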

== External Links ==
* [http://sploited.blogspot.ch/2012/08/java-forensics-using-tln-timelines.html Java Forensics using TLN Timelines]
* [http://journeyintoir.blogspot.com/2011/02/almost-cooked-up-some-java.html Almost Cooked UP Some Java]
* [http://journeyintoir.blogspot.com/2011/11/finding-initial-infection-vector.html Finding Initial Infection Vector]
* [https://github.com/woanware/javaidx/blob/master/Documents/Java.IDX.Format.pdf Java IDX Format Specification], by [[Mark Woan]], January 2013

=== Java source code ===
* [http://javasourcecode.org/html/open-source/jdk/jdk-6u23/com/sun/deploy/cache/Cache.java.html Cache.java]
* [http://javasourcecode.org/html/open-source/jdk/jdk-6u23/com/sun/deploy/cache/CacheEntry.java.html CacheEntry.java]

[[Category:Analysis]]