Difference between pages "File Carving:SmartCarving" and "Extensible Storage Engine (ESE) Database File (EDB) format"

Revision as of 05:38, 29 July 2012

Microsoft uses the Extensible Storage Engine (ESE) Database File (EDB) format for multiple purposes.

MIME types

The actual mime type of the ESDEB format is unspecified

File signature

The ESEDB has the following file signature: hexadecimal: ef cd ab 89 (at offset 4)

File types

ESEDB distinguishes between the following types:

database (.edb, .sdb, ...)
streaming file (.stm)

There are also multiple versions of the ESEDB format.

Active Directory (NTDS)
File Replication service (FRS)
Windows Internet Name service (WINS)
DHCP
Security Configuration Engine (SCE)
Certificate Server
Terminal Services Session folder
Terminal Services Licensing service
Catalog database
Help and Support Services
Directory Synchronization service (MSDSS)
Remote Storage (RSS)
Phone Book service
Single Instance Store (SIS) Groveler
Windows NT Backup/Restore
Exchange store
Microsoft Exchange folder (SRS and DXA)
Key Management service (KMS)
Instant Messaging
Windows (Vista) Mail
Content Indexing/Windows (Desktop) Search

External Links

Tools

@@ Line 1: / Line 1: @@
-'''SmartCarving''' is a [[File Carving|file carving]] technique to recover fragmented files first proposed by [[User:PashaPal|A. Pal]], T. Sencar and [[User:NasirMemon|N. Memon]] in DFRWS 2008. The term '''Smart Carving''' was already proposed in [http://sandbox.dfrws.org/2006/mora/dfrws2006.pdf]
+[[Microsoft]] uses the '''Extensible Storage Engine (ESE) Database File (EDB) format''' for multiple purposes.
-SmartCarving utilizes a combination of structure based validation along with validation of each file's unique content. Results for the SmartCarving technique
+== MIME types ==
-were demonstrated on fragmented jpegs in the DFRWS 2006 and DFRWS 2007 challenges. From these two challenges SmartCarving was able
-to recover all but one fragmented jpeg file.
-==History==
+The actual mime type of the ESDEB format is unspecified
-[[User:NasirMemon|Memon]] et al.[1] presented an efficient algorithm based on a greedy heuristic and alpha-beta pruning for reassembling fragmented images.
-Building on this work, [[User:NasirMemon|Memon]] et al.[2] researched and introduced sequential hypothesis testing as a an effective mechanism for detecting fragmentation points of file. This paper won the best paper award for DFRWS 2008. The techniques presented in the paper were the foundation for the overall SmartCarving design.
-==Details==
+== File signature ==
-After identifying a header block of a specific file type, for example, jpeg, a SmartCarver will analyze each subsequent block to determine if it
-belongs or does not belong to the starting block. If a block is determined not to belong, then the file is assumed to be fragmented and the
-SmartCarving algorithm looks for the next fragment by matching the data of other available blocks with the first fragment. This process can be
-done in parallel for many files.
-==Applications==
+The ESEDB has the following file signature:
-There are currently two applications available that utilize SmartCarving, both produced by Digital Assembly:
+hexadecimal: ef cd ab 89 (at offset 4)
-* [[Adroit Photo Forensics]]
-* Adroit Photo Recovery
-== References ==
+== File types ==
-* A. Pal and N. Memon, [http://digital-assembly.com/technology/research/pubs/ieee-trans-2006.pdf "Automated reassembly of file fragmented images using greedy algorithms"] in IEEE Transactions on Image processing, February 2006, pp 385393
+ESEDB distinguishes between the following types:
-* A. Pal, T. Sencar and N. Memon, [http://digital-assembly.com/technology/research/pubs/dfrws2008.pdf "Detecting File Fragmentation Point Using Sequential Hypothesis Testing"], Digital Investigations, Fall 2008
+* database (.edb, .sdb, ...)
+* streaming file (.stm)
-==External links==
+There are also multiple versions of the ESEDB format.
-* [http://digital-assembly.com/products/adroit-photo-recovery/ Adroit Photo Recovery]
-* [http://digital-assembly.com/products/adroit-photo-forensics/ Adroit Photo Forensics]
+== Contents ==
-* [http://digital-assembly.com/technology/ Link to SmartCarving Technology and Research]
-* [http://digital-assembly.com Digital Assembly]
+The ESEDB basically is an ISAM database file format.
+The ESEDB format is used by many Microsoft applications to store data such as:
+* Active Directory (NTDS)
+* File Replication service (FRS)
+* Windows Internet Name service (WINS)
+* DHCP
+* Security Configuration Engine (SCE)
+* Certificate Server
+* Terminal Services Session folder
+* Terminal Services Licensing service
+* Catalog database
+* Help and Support Services
+* Directory Synchronization service (MSDSS)
+* Remote Storage (RSS)
+* Phone Book service
+* Single Instance Store (SIS) Groveler
+* Windows NT Backup/Restore
+* Exchange store
+* Microsoft Exchange folder (SRS and DXA)
+* Key Management service (KMS)
+* Instant Messaging
+* Windows (Vista) Mail
+* Content Indexing/Windows (Desktop) Search
+== External Links ==
+* [http://code.google.com/p/libesedb/downloads/detail?name=Extensible%20Storage%20Engine%20%28ESE%29%20Database%20File%20%28EDB%29%20format.pdf Extensible Storage Engine (ESE) Database File (EDB) format]
+* [http://en.wikipedia.org/wiki/Extensible_Storage_Engine Wikipedia on Extensible Storage Engine]
+* [https://www.os3.nl/_media/2008-2009/students/willem_toorop/wlm2009_ese_fin.pdf Forensic examination of Windows Live Messenger 2009 Extensible Storage Engine], May 2009 by [[Wouter van Dongen]], [[Willem Toorop]], [[Joeri Blokhuis]]
+== Tools ==
+* [http://www.woanware.co.uk/?page_id=89 EsEDbViewer]
+* [[libesedb]]
+[[Category:File Formats]]

Difference between pages "File Carving:SmartCarving" and "Extensible Storage Engine (ESE) Database File (EDB) format"

Revision as of 05:38, 29 July 2012

Contents

MIME types

File signature

File types

Contents

External Links

Tools

Navigation menu

Personal tools

Namespaces

Variants

Views

Actions

Search

Navigation:

About forensicswiki.org:

Toolbox