Difference between pages "Extensible Storage Engine (ESE) Database File (EDB) format" and "Chrome Disk Cache Format"

From ForensicsWiki

= Extensible Storage Engine (ESE) Database File (EDB) format =

[[Microsoft]] uses the '''Extensible Storage Engine (ESE) Database File (EDB) format''' for multiple purposes.

== MIME types ==

The actual MIME type of the ESEDB format is unspecified.

== File signature ==

The ESEDB has the following file signature:

hexadecimal: ef cd ab 89 (at offset 4)

== File types ==

ESEDB distinguishes between the following types:

* database (.edb, .sdb, ...)
* streaming file (.stm)

There are also multiple versions of the ESEDB format.

== Contents ==

The ESEDB is essentially an ISAM (Indexed Sequential Access Method) database file format.

The ESEDB format is used by many Microsoft applications to store data such as:

* Active Directory (NTDS)
* File Replication service (FRS)
* Windows Internet Name service (WINS)
* DHCP
* Security Configuration Engine (SCE)
* Certificate Server
* Terminal Services Session folder
* Terminal Services Licensing service
* Catalog database
* Help and Support Services
* Directory Synchronization service (MSDSS)
* Remote Storage (RSS)
* Phone Book service
* Single Instance Store (SIS) Groveler
* Windows NT Backup/Restore
* Exchange store
* Microsoft Exchange folder (SRS and DXA)
* Key Management service (KMS)
* Instant Messaging
* Windows (Vista) Mail
* Content Indexing/Windows (Desktop) Search

== External Links ==

* [http://code.google.com/p/libesedb/downloads/detail?name=Extensible%20Storage%20Engine%20%28ESE%29%20Database%20File%20%28EDB%29%20format.pdf Extensible Storage Engine (ESE) Database File (EDB) format]
* [http://en.wikipedia.org/wiki/Extensible_Storage_Engine Wikipedia on Extensible Storage Engine]
* [https://www.os3.nl/_media/2008-2009/students/willem_toorop/wlm2009_ese_fin.pdf Forensic examination of Windows Live Messenger 2009 Extensible Storage Engine], May 2009 by [[Wouter van Dongen]], [[Willem Toorop]], [[Joeri Blokhuis]]

== Tools ==

* [http://www.woanware.co.uk/?page_id=89 EsEDbViewer]
* [[libesedb]]

[[Category:File Formats]]

= Chrome Disk Cache Format =

Revision as of 13:29, 21 June 2014

== Cache files ==

The cache is stored in multiple files:

{| class="wikitable"
|-
! Filename
! Description
|-
| index
| The index file
|-
| data_#
| Data block files
|-
| f_######
| (Separate) data stream file
|}

== Cache address ==

The cache address is 4 bytes in size and consists of:

{| class="wikitable"
|-
! offset (byte.bit)
! size
! value
! description
|-
| <i>If file type is 0 (separate file)</i>
|
|
|
|-
| 0.0
| 28 bits
|
| File number <br> The value represents the value of # in f_######
|-
| <i>Else</i>
|
|
|
|-
| 0.0
| 16 bits
|
| Block number
|-
| 2.0
| 8 bits
|
| File number (or file selector) <br> The value represents the value of # in data_#
|-
| 3.0
| 2 bits
|
| Block size <br> The number of contiguous blocks, where 0 represents 1 block and 3 represents 4 blocks.
|-
| 3.2
| 2 bits
|
| Reserved
|-
| <i>Common</i>
|
|
|
|-
| 3.4
| 3 bits
|
| File type
|-
| 3.7
| 1 bit
|
| Initialized flag
|}

=== File types ===

{| class="wikitable"
|-
! Value
! Description
|-
| 0
| (Separate) data stream file
|-
| 1
| (Rankings) block data file (36 byte block data file)
|-
| 2
| 256 byte block data file
|-
| 3
| 1024 byte block data file
|-
| 4
| 4096 byte block data file
|-
| 6
| Unknown; seen on Mac OS X 0x6f430074
|}

==== Examples ====

{| class="wikitable"
|-
! Value
! Description
|-
| 0x00000000
| Not initialized
|-
| 0x8000002a
| Data stream file: f_00002a
|-
| 0xa0010003
| Block data file: data_1, block number 3, block size 1 (1 contiguous block)
|}
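The cache address layout above, decoded in code. This is an added example, not part of the wiki page or of Chrome's own source; it assumes the 4 address bytes are stored little-endian (which matches the byte.bit offsets and the example values in the tables) and reproduces the three example addresses listed above.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Block sizes of the data_# files by file type ("File types" table on this
# page); type 0 is a separate f_###### stream file and has no block size.
BLOCK_SIZES = {1: 36, 2: 256, 3: 1024, 4: 4096}


@dataclass
class CacheAddress:
    raw: int
    file_type: int
    file_number: int                    # the # in f_###### or data_#
    block_number: Optional[int] = None  # block data files only
    block_count: Optional[int] = None   # contiguous blocks, 1..4
    reserved: int = 0                   # byte 3, bits 2-3 (should be 0)

    def filename(self) -> str:
        """Name of the cache file this address points into."""
        if self.file_type == 0:
            return "f_%06x" % self.file_number
        return "data_%d" % self.file_number

    def block_size(self) -> Optional[int]:
        return BLOCK_SIZES.get(self.file_type)


def parse_cache_address(raw: int) -> Optional[CacheAddress]:
    """Decode one 32-bit cache address; None when the initialized flag is clear."""
    if not 0 <= raw <= 0xFFFFFFFF:
        raise ValueError("cache address must be a 32-bit value")
    if not (raw >> 31) & 1:             # byte 3, bit 7: initialized flag
        return None
    file_type = (raw >> 28) & 0x7       # byte 3, bits 4-6
    if file_type == 0:                  # separate data stream file
        return CacheAddress(raw, 0, raw & 0x0FFFFFFF)   # low 28 bits
    return CacheAddress(
        raw, file_type,
        file_number=(raw >> 16) & 0xFF,       # byte 2
        block_number=raw & 0xFFFF,            # bytes 0-1
        block_count=((raw >> 24) & 0x3) + 1,  # byte 3, bits 0-1: 0 -> 1 block
        reserved=(raw >> 26) & 0x3,           # byte 3, bits 2-3
    )


def parse_cache_address_bytes(data: bytes) -> Optional[CacheAddress]:
    """Same, from the 4 bytes as stored on disk (assumed little-endian)."""
    (raw,) = struct.unpack("<I", data[:4])
    return parse_cache_address(raw)
```

A value with file type 5 or 6 decodes structurally but `block_size()` returns None, since the page gives no block size for those types.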

== Index file format (index) ==

Overview:

* File header
* least recently used (LRU) data (or eviction control data)
* index table

=== File header ===

''TODO''

== Data block file format (data_#) ==

Overview:

* File header
* array of blocks

=== File header ===

''TODO''

== Data stream ==

See: [[gzip]]

== See Also ==

* [[Google Chrome]]
* [[gzip]]

== External Links ==

[[Category:File Formats]]