Difference between pages "Linux Repositories" and "Windows Application Compatibility"

From ForensicsWiki

'''Linux Repositories'''

There are a number of Linux distributions.

In general they have primary repositories, which are set up for every installation of the operating system, and special-purpose repositories, which require specific setup.

=Repository Setup=

==openSUSE==

For current openSUSE 11.4 and 12.1 users it is necessary to have the following repositories configured:

*security
*devel:languages:perl
*devel:languages:python

This is most easily done from the command line via (assumes openSUSE 12.1):

<pre>
sudo zypper ar -f http://download.opensuse.org/repositories/security/openSUSE_12.1 security
sudo zypper ar -f http://download.opensuse.org/repositories/devel:/languages:/perl/openSUSE_12.1 perl
sudo zypper ar -f http://download.opensuse.org/repositories/devel:/languages:/python/openSUSE_12.1 python
zypper lr    # used to verify you have the repos installed
</pre>

==fedora==

[http://www.cert.org/forensics/tools/ CERT] maintains a Fedora security repository with a large number of DFIR applications.

==debian==

==ubuntu==

=Computer Forensic Tools=

Below is a list of computer forensic tools. For each tool, the repository it can be found in and the version in that repository are shown.

As an example, aimage is in the openSUSE security repository and it is version 3.2.5.

==Imaging Tools==

{|border="1" cellpadding="2" cellspacing="0" {{repository table}}
|-
| '''Tool''' || '''openSUSE''' || '''fedora''' || '''debian''' || '''ubuntu''' || '''comment''' || '''General Remarks'''
|-
| [http://www.e-fense.com/helix/ adepto] || N/A || ? || ? || ? || || adepto is included in the Helix boot CD
|-
| [[aimage]] || security/3.2.5 || ? || ? || ? || an imaging tool to create AFF format images || aimage has been EOL'ed. guymager or ftkimager (Windows/Mac) are recommended for creating AFF images.
|-
| [[AIR]] || N/A || ? || ? || ? || Automated Image and Restore || a GUI front-end to dd and dc3dd designed for easily creating forensic bit images
|-
| [[dc3dd]] || security*/7.1.614 || ? || ? || ? || DoD Cyber Crime Center DD || This tool was formerly known as dcfldd. When released as dc3dd it was totally rewritten.
|-
| [[ddrescue]] || Base/1.14 || ? || ? || ? || Also known as GNU ddrescue || This tool is different from dd_rescue.
|-
| [[dd_rescue]] || N/A || ? || ? || ? || || This tool is different from GNU ddrescue.
|-
| [[IXimager]] || N/A || ? || ? || ? || A law enforcement only imager || used in conjunction with ILook Investigator
|-
| [[libewf|ewfacquire]] || security*/20100226 || ? || ? || ? || an imaging tool to create EWF format images || ewfacquire is part of ewftools in some distributions.
|-
| [[LinEn]] || N/A || ? || ? || ? || a proprietary imaging tool to create EWF format images || included on the Helix boot CD
|-
| [[guymager]] || N/A || ? || ? || ? || an imaging tool to create AFF format images || Guymager is an open source forensic imager. It focuses on user friendliness and high speed.
|-
| [http://sourceforge.net/projects/rdd rdd] || N/A || ? || ? || ? || a dd-like tool, with forensic imaging features || Rdd is robust with respect to read errors
|-
| [ftp://ftp.berlios.de/pub/sdd/ sdd] || Archiving:Backup/1.52 || ? || ? || ? || a dd-like tool || Designed to work well when IBS != OBS. Working with tape is an example.
|}

(*) Package will appear in the base release with the next full distribution release.

'''Windows Application Compatibility'''

Latest revision as of 00:06, 9 July 2014

{{expand}}

== sysmain.sdb ==

System compatibility database.

== RecentFileCache.bcf ==

In Windows 7 the RecentFileCache.bcf file is stored in:

<pre>
C:\Windows\AppCompat\Programs\
</pre>

== Amcache.hve ==

The Amcache.hve file is a [[Windows NT Registry File (REGF)]].

In Windows 8 the Amcache.hve file is stored in:

<pre>
C:\Windows\AppCompat\Programs\
</pre>

== AppCompatCache ==

In Windows 2000 and XP:

<pre>
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility
</pre>

In Windows 2003 and later:

<pre>
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
</pre>

== External Links ==

* [http://technet.microsoft.com/en-us/library/dd837644(v=ws.10).aspx Technet: Understanding Shims], by [[Microsoft]]
* [http://msdn.microsoft.com/en-us/library/bb432182(v=vs.85).aspx MSDN: Application Compatibility Database], by [[Microsoft]]
* [http://www.alex-ionescu.com/?p=39 Secrets of the Application Compatibility Database (SDB) – Part 1], by [[Alex Ionescu]], May 20, 2007
* [http://www.alex-ionescu.com/?p=40 Secrets of the Application Compatibility Database (SDB) – Part 2], by [[Alex Ionescu]], May 21, 2007
* [http://www.alex-ionescu.com/?p=41 Secrets of the Application Compatibility Database (SDB) – Part 3], by [[Alex Ionescu]], May 26, 2007
* [http://recxltd.blogspot.com/2012/04/windows-appcompat-research-notes-part-1.html Windows AppCompat Research Notes - Part 1], by Ollie, 28 April 2012
* [http://recxltd.blogspot.com/2012/05/windows-appcompat-research-notes-part-2.html Windows AppCompat Research Notes - Part 2], by Ollie, 4 May 2012
* [https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf Leveraging the Application Compatibility Cache in Forensic Investigations], by [[Andrew Davis]], May 4, 2012
* [http://journeyintoir.blogspot.ch/2013/12/revealing-recentfilecachebcf-file.html Revealing the RecentFileCache.bcf File], by [[Corey Harrell]], December 2, 2013
* [http://journeyintoir.blogspot.ch/2013/12/revealing-program-compatibility.html Revealing Program Compatibility Assistant HKCU AppCompatFlags Registry Keys], by [[Corey Harrell]], December 17, 2013
* [http://journeyintoir.blogspot.ch/2014/04/triaging-with-recentfilecachebcf-file.html Triaging with the RecentFileCache.bcf File], by [[Corey Harrell]], April 21, 2014
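The following PowerShell script is an added example and is not part of the ForensicsWiki page. It performs a read-only triage of the artifacts the page lists: it reports whether RecentFileCache.bcf and Amcache.hve exist under C:\Windows\AppCompat\Programs\ (with size, last-write time and SHA-256), and which of the two AppCompatCache registry keys (the Windows 2000/XP name and the Windows 2003-and-later name) is present. Assumptions not stated on the page: the cache itself is held in a REG_BINARY value named AppCompatCache under that key; $env:SystemRoot resolves to C:\Windows; Get-FileHash requires PowerShell 4.0 or later; and Amcache.hve is a loaded registry hive, so it is normally locked on a running system and cannot be hashed or copied in place.

```powershell
# Added example, not from the wiki page: read-only triage of the
# application-compatibility artifacts listed above. Run from an elevated
# PowerShell session on the system under examination; it modifies nothing.

# File artifacts the page places under C:\Windows\AppCompat\Programs\
# (assumes $env:SystemRoot is C:\Windows).
$artifactDir   = Join-Path $env:SystemRoot 'AppCompat\Programs'
$artifactFiles = @('RecentFileCache.bcf', 'Amcache.hve')

# AppCompatCache key locations from the page: Windows 2000/XP first,
# Windows 2003 and later second. Only one is expected to exist.
$cacheKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache'
)

function Get-AppCompatFileArtifacts {
    foreach ($name in $artifactFiles) {
        $path = Join-Path $artifactDir $name
        if (-not (Test-Path -LiteralPath $path)) {
            [pscustomobject]@{
                Artifact = $name; Path = $path; Present = $false
                SizeBytes = $null; LastWriteUtc = $null; SHA256 = $null
            }
            continue
        }
        $item = Get-Item -LiteralPath $path
        # Amcache.hve is a mounted hive and is usually locked while Windows
        # runs (assumption); record that instead of aborting the whole run.
        $hash = $null
        try {
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction Stop).Hash
        } catch {
            $hash = 'LOCKED (hive in use; acquire via VSS or a raw disk image)'
        }
        [pscustomobject]@{
            Artifact     = $name
            Path         = $path
            Present      = $true
            SizeBytes    = $item.Length
            LastWriteUtc = $item.LastWriteTimeUtc
            SHA256       = $hash
        }
    }
}

function Get-AppCompatCacheValue {
    foreach ($key in $cacheKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        # Assumption: the cache blob lives in a REG_BINARY value named
        # AppCompatCache under whichever key exists on this Windows version.
        $blob  = $props.PSObject.Properties['AppCompatCache']
        $bytes = 0
        if ($null -ne $blob) { $bytes = $blob.Value.Length }
        [pscustomobject]@{
            Key          = $key
            HasCacheBlob = ($null -ne $blob)
            BlobBytes    = $bytes
        }
    }
}

Get-AppCompatFileArtifacts | Format-Table -AutoSize
Get-AppCompatCacheValue    | Format-Table -AutoSize
```

The blob length alone does not tell an examiner what ran; it only confirms the cache is present and gives a size to compare against a later acquisition. Parsing the entries themselves is the job of a dedicated tool such as the ShimCacheParser described in the Mandiant whitepaper linked above. Because the cache is written back to the registry only at shutdown, an acquisition taken from a live system reflects the last clean shutdown, not the current session.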