ForensicsWiki will continue to operate as it has before and will not be shutting down. Thank you for your continued support of ForensicsWiki.

Difference between pages "Cellebrite" and "Chrome Disk Cache Format"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Added info from Cellebrite website as well as link to vendor.)
 
(See Also)
 
Line 1: Line 1:
 
{{expand}}
 
{{expand}}
  
[[Category:Vendors]]
+
== Cache files ==
Founded in 1999 by a team of highly experienced telecom and mobile telephony professionals, Cellebrite is a global company known for its technological breakthroughs in the cellular industry.
+
The cache is stored in multiple:
Wireless Retailers
+
{| class="wikitable"
 +
|-
 +
! Filename
 +
! Description
 +
|-
 +
| index
 +
| The index file
 +
|-
 +
| data_#
 +
| Data block files
 +
|-
 +
| f_######
 +
| (Separate) data stream file
 +
|}
  
The pioneers in mobile phone to phone content transfer, today Cellebrite provides a complete range of solutions for the mobile retail industry, from stand-alone content transfer at the POS to OTA applications for subscriber content management.
+
== Cache address ==
 +
The cache address is 4 bytes in size and consists of:
 +
{| class="wikitable"
 +
|-
 +
! offset
 +
! size
 +
! value
 +
! description
 +
|-
 +
| <i>If file type is 0 (Separate file)</i>
 +
|
 +
|
 +
|
 +
|-
 +
| 0.0
 +
| 28 bits
 +
|
 +
| File number <br> The value represents the value of # in f_######
 +
|-
 +
| <i>Else</i>
 +
|
 +
|
 +
|
 +
|-
 +
| 0.0
 +
| 16 bits
 +
|
 +
| Block number
 +
|-
 +
| 2.0
 +
| 8 bits
 +
|
 +
| File number (or file selector) <br> The value represents the value of # in data_#
 +
|-
 +
| 3.0
 +
| 2 bits
 +
|
 +
| Block size <br> The number of contiguous blocks where 0 represents 1 block and 3 represents 4 blocks.
 +
|-
 +
| 3.2
 +
| 2 bits
 +
|
 +
| Reserved
 +
|-
 +
| <i>Common</i>
 +
|
 +
|
 +
|
 +
|-
 +
| 3.4
 +
| 3 bits
 +
|
 +
| File type
 +
|-
 +
| 3.7
 +
| 1 bit
 +
|
 +
| Initialized flag
 +
|}
  
With proven ability to impact sales of phones, upgrades, and services, Cellebrite customers include the world’s largest mobile operators and deployments by more than 140 major carriers.
+
=== File types ===
Mobile Forensics
+
{| class="wikitable"
 +
|-
 +
! Value
 +
! Description
 +
|-
 +
| 0
 +
| (Separate) data stream file
 +
|-
 +
| 1
 +
| (Rankings) block data file (36 byte block data file)
 +
|-
 +
| 2
 +
| 256 byte block data file
 +
|-
 +
| 3
 +
| 1024 byte block data file
 +
|-
 +
| 4
 +
| 4096 byte block data file
 +
|-
 +
|
 +
|
 +
|-
 +
| 6
 +
| Unknown; seen on Mac OS  X 0x6f430074
 +
|}
  
Building on its expertise in mobile data technology, in 2007, Cellebrite introduced a new line of products targeted to the mobile forensics industry.
+
==== Examples ====
 +
{| class="wikitable"
 +
|-
 +
! Value
 +
! Description
 +
|-
 +
| 0x00000000
 +
| Not initialized
 +
|-
 +
| 0x8000002a
 +
| Data stream file: f_00002a
 +
|-
 +
| 0xa0010003
 +
| Block data file: data_1, block number 3, 1 block of size
 +
|}
  
Cellebrite’s solution enables extraction and analysis of evidentiary data from more than 3,000 mobile phones and GPS devices.
+
== Index file format (index) ==
 +
Overview:
 +
* File header
 +
* least recently used (LRU) data (or eviction control data)
 +
* index table
  
The most complete mobile forensics experience available on the market today, Cellebrite technology is in use by military, law enforcement, and government agencies across the world.
+
=== File header ===
 +
*TODO*
  
Cellebrite is a fully-owned subsidiary of the Sun Corporation, a listed Japanese company (6736/JQ).
+
== Data block file format (data_#) ==
 +
Overview:
 +
* File header
 +
* array of blocks
  
--
+
=== File header ===
Universal Forensic Extraction Device
+
*TODO*
  
*    Logical and physical data extraction
+
== Data stream ==
*    Supports more than 3000 handset models
+
See: [[gzip]]
*    Standalone kit - portable and easy to use
+
  
 +
== See Also ==
 +
* [[Google Chrome]]
 +
* [[gzip]]
  
 +
== External Links ==
  
[http://www.cellebrite.com/]
+
[[Category:File Formats]]

Revision as of 18:29, 21 June 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Cache files

The cache is stored in multiple:

Filename Description
index The index file
data_# Data block files
f_###### (Separate) data stream file

Cache address

The cache address is 4 bytes in size and consists of:

offset size value description
If file type is 0 (Separate file)
0.0 28 bits File number
The value represents the value of # in f_######
Else
0.0 16 bits Block number
2.0 8 bits File number (or file selector)
The value represents the value of # in data_#
3.0 2 bits Block size
The number of contiguous blocks where 0 represents 1 block and 3 represents 4 blocks.
3.2 2 bits Reserved
Common
3.4 3 bits File type
3.7 1 bit Initialized flag

File types

Value Description
0 (Separate) data stream file
1 (Rankings) block data file (36 byte block data file)
2 256 byte block data file
3 1024 byte block data file
4 4096 byte block data file
6 Unknown; seen on Mac OS X 0x6f430074

Examples

Value Description
0x00000000 Not initialized
0x8000002a Data stream file: f_00002a
0xa0010003 Block data file: data_1, block number 3, 1 block of size

Index file format (index)

Overview:

  • File header
  • least recently used (LRU) data (or eviction control data)
  • index table

File header

  • TODO*

Data block file format (data_#)

Overview:

  • File header
  • array of blocks

File header

  • TODO*

Data stream

See: gzip

See Also

External Links