Difference between pages "SuperFetch" and "JTAG and Chip-Off Tools and Equipment"

From ForensicsWiki

'''SuperFetch'''

{{Expand}}

SuperFetch is a performance enhancement introduced in [[Microsoft]] [[Windows|Windows Vista]] to reduce the time needed to launch applications. SuperFetch works with the Windows memory manager to analyze memory usage patterns over time and determine the optimal memory contents for a given user at a given date or time of day. This differs from the [[Prefetch]] technique used in Microsoft Windows XP, which preloads data into memory without analyzing usage patterns.

From [http://msdn.microsoft.com/en-us/library/windows/hardware/dn653317(v=vs.85).aspx]: SuperFetch prioritizes the following kinds of pages to remain in memory:
* Pages of applications that are used most frequently overall.
* Pages of applications that are commonly used when resuming:
** After extensive hibernation (for example, first thing in the morning).
** After shorter periods of sleep or hibernation (for example, after lunch).

If SuperFetch detects that the system drive is a fast SSD (as measured by the Windows Experience Index disk score), it turns off [[ReadyBoot]], [[ReadyBoost]], and the SuperFetch service itself.

== Configuration ==

Because SuperFetch appears to leave a system with no available memory, some users turn it off to create the appearance of having more free memory. The feature can be configured by changing the following [[Registry]] value [http://www.codinghorror.com/blog/archives/000688.html]:

<pre>
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
Value: EnableSuperfetch
</pre>

A value of zero disables SuperFetch, one enables it for booting only, two for applications, and three for both applications and boot. The setting can also be changed using the Services console, <tt>services.msc</tt> [http://tiredblogger.wordpress.com/2007/03/27/superfetch-not-so-super-for-gaming/].

== File Formats ==

Data for SuperFetch is gathered by <tt>%SystemRoot%\System32\Sysmain.dll</tt>, which runs inside the Service Host process, <tt>%SystemRoot%\System32\Svchost.exe</tt>, and is stored in a series of files in the <tt>%SystemRoot%\Prefetch</tt> directory [http://www.microsoft.com/technet/technetmag/issues/2007/03/VistaKernel/]. These files appear to start with the prefix <tt>Ag</tt> and have a <tt>.db</tt> extension. There are likely more SuperFetch database files with different names, presumably all using the <tt>.db</tt> extension.

The format of the SuperFetch database files is not fully known; an unofficial partial specification [http://blog.rewolf.pl/blog/?p=214] and an open source (GPL) dumper for <tt>.db</tt> files [http://code.google.com/p/rewolf-superfetch-dumper/] are available. For more information see [[Windows SuperFetch Format|SuperFetch Format]].

The SuperFetch feature is seeded with some basic usage patterns when the operating system is installed [http://channel9.msdn.com/showpost.aspx?postid=242429].
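As an added example that is not part of the original wiki page, the following PowerShell script shows how an examiner can record the state described in the Configuration and File Formats sections on a live Windows host: it reads the <tt>EnableSuperfetch</tt> registry value and decodes it with the meanings given above, records the state of the <tt>SysMain</tt> service (the service that hosts <tt>Sysmain.dll</tt>; the page does not name the service, so the name is this example's assumption), and inventories the <tt>.db</tt> files under <tt>%SystemRoot%\Prefetch</tt> with size, timestamp and SHA-256 hash. The output directory is a placeholder to be adjusted; the script needs an elevated PowerShell 5.0 or later prompt.

```powershell
# Added example (not from the ForensicsWiki page): triage SuperFetch configuration and
# database files on a live Windows host. Run from an elevated PowerShell 5.0+ prompt.
# $OutDir is a placeholder; change it to the evidence/output location.

$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters'
$OutDir  = 'C:\Triage\SuperFetch'

# Meaning of each EnableSuperfetch value, as given on the page.
$Meaning = @{
    0 = 'disabled'
    1 = 'boot only'
    2 = 'applications'
    3 = 'boot and applications'
}

function Get-SuperFetchConfig {
    # Read the registry value; a missing value is reported as absent, not treated as 0.
    $props = Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue
    $value = $null
    if ($null -ne $props -and $null -ne $props.EnableSuperfetch) {
        $value = [int]$props.EnableSuperfetch
    }

    $meaning = 'value absent (default behaviour applies)'
    if ($null -ne $value) {
        if ($Meaning.ContainsKey($value)) { $meaning = $Meaning[$value] }
        else { $meaning = 'unexpected value' }
    }

    # The setting can also be changed through services.msc, so record the service state too.
    # SysMain is the service that hosts Sysmain.dll (service name assumed by this example).
    $svc = Get-Service -Name 'SysMain' -ErrorAction SilentlyContinue
    $status    = 'service not found'
    $startType = 'service not found'
    if ($svc) { $status = $svc.Status; $startType = $svc.StartType }

    [pscustomobject]@{
        EnableSuperfetch = $value
        Meaning          = $meaning
        ServiceStatus    = $status
        ServiceStartType = $startType
    }
}

function Get-SuperFetchDatabases {
    # The page places the SuperFetch databases in %SystemRoot%\Prefetch with an "Ag" prefix and
    # a .db extension, and notes that other .db files there are probably SuperFetch data as
    # well, so every .db file is inventoried and flagged by prefix.
    $prefetch = Join-Path $env:SystemRoot 'Prefetch'
    Get-ChildItem -Path $prefetch -Filter '*.db' -File -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Name         = $_.Name
                AgPrefix     = ($_.Name -like 'Ag*')
                SizeBytes    = $_.Length
                LastWriteUtc = $_.LastWriteTimeUtc
                SHA256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
            }
        }
}

# Report the configuration, then inventory the database files and save the listing as CSV.
Get-SuperFetchConfig | Format-List

$dbs = @(Get-SuperFetchDatabases)
if ($dbs.Count -eq 0) {
    Write-Warning "No .db files found under $env:SystemRoot\Prefetch (SuperFetch may be disabled, or the host may use a fast SSD)."
} else {
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $dbs | Export-Csv -Path (Join-Path $OutDir 'superfetch_db_inventory.csv') -NoTypeInformation
    $dbs | Format-Table -AutoSize
}
```

Hashing the files before any further handling gives the examiner a record to compare against after the databases are copied off the host or parsed with a dumper; the <tt>AgPrefix</tt> column separates the files the page describes from the other <tt>.db</tt> files it says probably exist.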

== See Also ==
* [[Prefetch]]
* [[ReadyBoost]]
* [[ReadyBoot]]
* [[Windows SuperFetch Format|SuperFetch Format]]
* [[Windows]]

== External Links ==
* [http://en.wikipedia.org/wiki/Windows_Vista_I/O_technologies#SuperFetch Wikipedia: Windows Vista I/O technologies - SuperFetch]
* [http://channel9.msdn.com/showpost.aspx?postid=242429 Channel 9 Interview with Michael Fortin of Microsoft on SuperFetch]
* [http://www.informationweek.com/news/showArticle.jhtml?articleID=196902178 Microsoft Predicts The Future With Vista's SuperFetch] from Information Week
* [http://jessekornblum.com/presentations/dodcc08-2.pdf DC3 Presentation: My You Look SuperFetching], by Jesse Kornblum

== Tools ==
=== Open Source ===
* [https://code.google.com/p/rewolf-superfetch-dumper/ rewolf-superfetch-dumper]

[[Category:Windows]]

Latest revision as of 12:01, 24 April 2014

'''JTAG and Chip-Off Tools and Equipment'''

The following list contains equipment used for performing JTAG and chip-off analysis. Equipment used for both procedures is listed once, in the shared list, to avoid duplication. The URLs provided are for reference only; other vendors and suppliers exist for this equipment, so search the Internet for competing offers.

''Note: This is not a definitive list, and equivalent tools and equipment can be substituted.''

'''JTAG and Chip-Off Equipment List'''

{| class="wikitable"
! align="left"| Item
! Info
! Estimated Cost (CAD)
|-
|Carton SPZT-50PG Microscope (optional: w/trinocular)
|http://valleymicroscope.com/shop/spz-50pg/
|$1200
|-
|Xytronic 988D Solder Rework Station
|http://www.howardelectronics.com/xytronic/988d.html
|$300
|-
|Weller WES51 Solder Station
|sourced locally (Electronics shop)
|$100
|-
|Xytronic LF-852D Hot Air Station
|http://www.howardelectronics.com/xytronic/LF-852D.html
|$225
|-
|HP Agilent U8002A Variable Power Supply
|http://www.home.agilent.com/agilent/product.jspx?pn=u8002a&cc=CA&lc=eng
|$400
|-
|Amprobe 35XP Multimeter
|sourced locally (Electronics shop)
|$120
|-
|Magnifying Desk Lamp
|http://www.amazon.com/Ultra-Efficient-LED-Magnifier-Lamp-Adjustable/dp/B001064VTE
|$100
|-
|Circuit board holder
|http://www.ibreakityoufixit.com/shop/mounting-kit
|$13
|-
|Chip Epoxy Glue Remover
|http://www.ebay.com/itm/BGA-IC-30ml-IC-BGA-CPU-Chip-Epoxy-Glue-Remover-Adhesive-Solution-Solvent-Liquid-/321012736931?pt=Digital_Camera_Accessories&hash=item4abdd9a3a3
|$10
|-
|0.040 gauge transformer winding wire
|sourced locally (Electronics shop)
|$15
|-
|Kester 44 rosin flux solder
|sourced locally (Electronics shop)
|$50
|-
|Xcelite Hobby Knives
|sourced locally (Electronics shop)
|$15
|-
|Terra Dexterity PVC foam gloves
|sourced locally (Costco)
|$10
|-
|Richard 13321 blades
|sourced https://www.acklandsgrainger.com/AGIPortalWeb/WebSource/ProductDisplay/globalProductDetailDisplay.do?item_code=RCH13321
|~$10
|-
|8" x 8" x 3/8" steel plate
|sourced locally (Steel fabrication shop)
|free
|}

'''JTAG Specific Equipment List'''

{| class="wikitable"
! align="left"| Item
! Info
! Estimated Cost (CAD)
|-
|RIFF Box
|http://www.multi-com.pl/index.php/en_US,details,id_pr,7883,menu_mode,categories.html
|$120
|-
|Octoplus Box
|http://gsmserver.com/shop/gsm/octoplus_box_full_set.php
|$340
|}

'''Chip-Off Specific Equipment List'''

{| class="wikitable"
! align="left"| Item
! Info
! Estimated Cost (CAD)
|-
|Wagner HT1000 Heat Gun
|http://www.wagnerspraytech.com/portal/ht1000_en_spray,362096,358970.html
|$30
|-
|Heat Gun stand
|http://www.ibreakityoufixit.com/shop/air-gun-holder
|$60
|-
|UP-828 Programmer
|http://www.up48.com/english/programmer/up828.htm
|$1300 - $1700 depending on source
|-
|UP-828 SBGA152 Adapter
|BlackBerry
|$600 - $1000 depending on source
|-
|UP-828 BGA110 Adapter
|
|$600 - $1000 depending on source
|-
|UP-828 VBGA169E Adapter
|BlackBerry and Android
|$600 - $1000 depending on source
|-
|UP-828 VBGA133 Adapter
|iPhone 4
|$600 - $1000 depending on source
|-
|Sireda eMMC Test Socket Adapters
|http://www.teeltech.com/forensic-tools/sireda-adapter-kit/
|$2200
|}

'''Notes'''

1. The UP-828 driver is not signed and therefore does not load by default on 64-bit Windows 7. The programmer is identified as a Cypress Semiconductor Corp. CY7C68013. A signed 64-bit Windows 7 driver can be obtained by downloading and installing the Cypress EZ-USB FX2LP Development Kit and then using the CyUSB.sys driver found in '<installdir>\CY3684_EZ-USB_FX2LP_DVK\1.0\Drivers\cyusbfx1_fx2lp' for the UP-828 programmer.