Difference between pages "Volatility Framework" and "Chrome Disk Cache Format"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
 
(See Also)
 
Line 1: Line 1:
{{Infobox_Software |
+
{{expand}}
  name = Volatility |
+
  maintainer = [[AAron Walters]] |
+
  os = {{Cross-platform}} |
+
  genre = {{Memory analysis}} |
+
  license = {{GPL}} |
+
  website = [https://www.volatilesystems.com/default/volatility https://www.volatilesystems.com/] |
+
}}
+
  
The '''Volatility Framework''' is a completely open collection of tools, implemented in Python under the GNU General Public License, for the extraction of digital artifacts from volatile memory (RAM) samples. The extraction techniques are performed completely independent of the system being investigated but offer unprecedented visibility into the runtime state of the system. The framework is intended to introduce people to the techniques and complexities associated with extracting digital artifacts from volatile memory samples and provide a platform for further work into this exciting area of research.
+
== Cache files ==
 +
The cache is stored in multiple:
 +
{| class="wikitable"
 +
|-
 +
! Filename
 +
! Description
 +
|-
 +
| index
 +
| The index file
 +
|-
 +
| data_#
 +
| Data block files
 +
|-
 +
| f_######
 +
| (Separate) data stream file
 +
|}
  
The project was originally developed by and is now headed up by [[AAron Walters]] of [[Volatile Systems]].
+
== Cache address ==
 +
The cache address is 4 bytes in size and consists of:
 +
{| class="wikitable"
 +
|-
 +
! offset
 +
! size
 +
! value
 +
! description
 +
|-
 +
| <i>If file type is 0 (Separate file)</i>
 +
|
 +
|
 +
|
 +
|-
 +
| 0.0
 +
| 28 bits
 +
|
 +
| File number <br> The value represents the value of # in f_######
 +
|-
 +
| <i>Else</i>
 +
|
 +
|
 +
|
 +
|-
 +
| 0.0
 +
| 16 bits
 +
|
 +
| Block number
 +
|-
 +
| 2.0
 +
| 8 bits
 +
|
 +
| File number (or file selector) <br> The value represents the value of # in data_#
 +
|-
 +
| 3.0
 +
| 2 bits
 +
|
 +
| Block size <br> The number of contiguous blocks where 0 represents 1 block and 3 represents 4 blocks.
 +
|-
 +
| 3.2
 +
| 2 bits
 +
|
 +
| Reserved
 +
|-
 +
| <i>Common</i>
 +
|
 +
|
 +
|
 +
|-
 +
| 3.4
 +
| 3 bits
 +
|
 +
| File type
 +
|-
 +
| 3.7
 +
| 1 bit
 +
|
 +
| Initialized flag
 +
|}
  
== Plugins ==
+
=== File types ===
See: [[List of Volatility Plugins]]
+
{| class="wikitable"
 +
|-
 +
! Value
 +
! Description
 +
|-
 +
| 0
 +
| (Separate) data stream file
 +
|-
 +
| 1
 +
| (Rankings) block data file (36 byte block data file)
 +
|-
 +
| 2
 +
| 256 byte block data file
 +
|-
 +
| 3
 +
| 1024 byte block data file
 +
|-
 +
| 4
 +
| 4096 byte block data file
 +
|-
 +
|
 +
|
 +
|-
 +
| 6
 +
| Unknown; seen on Mac OS  X 0x6f430074
 +
|}
  
== Memory acquisition drivers ==
+
==== Examples ====
 +
{| class="wikitable"
 +
|-
 +
! Value
 +
! Description
 +
|-
 +
| 0x00000000
 +
| Not initialized
 +
|-
 +
| 0x8000002a
 +
| Data stream file: f_00002a
 +
|-
 +
| 0xa0010003
 +
| Block data file: data_1, block number 3, 1 block of size
 +
|}
  
In 2012 [[Michael Cohen]] contributed both a Linux and a Windows Open Source memory (acquisition) driver to the Volatility project as part of the Technology Preview (TP) version, aka scudette branch.
+
== Index file format (index) ==
Since the scudette branch of Volatility has moved on as a separate project, the drivers can now be found as part of the [[rekall]] project.
+
Overview:
 +
* File header
 +
* least recently used (LRU) data (or eviction control data)
 +
* index table
 +
 
 +
=== File header ===
 +
*TODO*
 +
 
 +
== Data block file format (data_#) ==
 +
Overview:
 +
* File header
 +
* array of blocks
 +
 
 +
=== File header ===
 +
*TODO*
 +
 
 +
== Data stream ==
 +
See: [[gzip]]
  
 
== See Also ==
 
== See Also ==
* [[List of Volatility Plugins]]
+
* [[Google Chrome]]
 +
* [[gzip]]
  
 
== External Links ==
 
== External Links ==
* [https://www.volatilesystems.com/default/volatility Official web site]
+
 
* [http://code.google.com/p/volatility/ Code repository], direct link to [http://code.google.com/p/volatility/source/browse/ source]
+
[[Category:File Formats]]
* [http://code.google.com/p/volatility/w/list Volatility Documentation]
+

Revision as of 14:29, 21 June 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Cache files

The cache is stored in multiple:

Filename Description
index The index file
data_# Data block files
f_###### (Separate) data stream file

Cache address

The cache address is 4 bytes in size and consists of:

offset size value description
If file type is 0 (Separate file)
0.0 28 bits File number
The value represents the value of # in f_######
Else
0.0 16 bits Block number
2.0 8 bits File number (or file selector)
The value represents the value of # in data_#
3.0 2 bits Block size
The number of contiguous blocks where 0 represents 1 block and 3 represents 4 blocks.
3.2 2 bits Reserved
Common
3.4 3 bits File type
3.7 1 bit Initialized flag

File types

Value Description
0 (Separate) data stream file
1 (Rankings) block data file (36 byte block data file)
2 256 byte block data file
3 1024 byte block data file
4 4096 byte block data file
6 Unknown; seen on Mac OS X 0x6f430074

Examples

Value Description
0x00000000 Not initialized
0x8000002a Data stream file: f_00002a
0xa0010003 Block data file: data_1, block number 3, 1 block of size

Index file format (index)

Overview:

  • File header
  • least recently used (LRU) data (or eviction control data)
  • index table

File header

  • TODO*

Data block file format (data_#)

Overview:

  • File header
  • array of blocks

File header

  • TODO*

Data stream

See: gzip

See Also

External Links