Difference between pages "DeepSpar Disk Imager" and "Windows Application Compatibility"

From ForensicsWiki
(Difference between pages)
 
(sysmain.sdb)
 
Line 1: Line 1:
[[Image:DeepSpardiskimager.jpg|frame|DeepSpar Disk Imager Kit]]
+
{{expand}}
:The DeepSpar Disk Imager is a hardware, drive to drive, data recovery imaging device. It makes use of a fairly standard PC system but connects directly to the source drive (the drive being imaged.) Through this hardware connection, it is able to command the source drive on a low ATA register level. It thus bypasses normal BIOS calls to the hard drive. Standard BIOS / hard drive operations will not allow the retrieval of damaged or corrupted sectors as it would invariably cause a system (OS) failure. For data recovery purposes however, it is important to be able to access any available data.
+
  
:Additionally, the DeepSpar Disk Imager controls the power input of the source drive so that it can, if required, re-power the source without rebooting the system. (This is significant with highly unstable drives that will continually “hang.”)
+
== sysmain.sdb ==
 +
System compatibility database.
  
:To control and pre-configure the source drive, the DeepSpar Disk Imager makes use of specific ATA commands (see also: [http://www.t13.org Technical Committee T13]) as well as some vendor specific commands. This includes the ability to read sectors while ignoring [[Error Correction Code |ECC errors]] as well as the ability to send software and hardware reset commands to the drive which creates the ability to control “read timeout.” (Read timeout is a user defined amount of time in milliseconds that the hard drive will be given to read any particular sector. If the read timeout is reached before the sector is correctly read, it will be skipped. The imager then marks in its “map” that the sector was skipped so that it can be reprocessed on later passes.)
+
== RecentFileCache.bcf ==
 +
In Windows 7 the RecentFileCache.bcf file is stored in:
 +
<pre>
 +
C:\Windows\AppCompat\Programs\
 +
</pre>
  
:Through the tool’s software interface, the end user is able to configure all parameters and commands that they wish the imager to use over multiple imaging passes. As previously mentioned, the DeepSpar Disk Imager stores a “map” of all the sectors from the source drive. This map allows the imager to always remember which sectors have been imaged, which were skipped, and which had errors etc. This in turn allows the imager to run multiple passes without reprocessing sectors that had been previous read correctly. It also allows the imager run imaging passes to target specific sector errors.
+
== Amcache.hve ==
 +
The Amcache.hve file is a [[Windows NT Registry File (REGF)]].
  
:Unlike forensics tools, the DeepSpar Disk Imager does not create an image file. Instead, it uses commands and techniques to image all sectors on the source drive directly to the destination drive. The image drive can then be used by any data retrieval or forensics software for file recovery or forensics investigation.
+
In Windows 8 the Amcache.hve file is stored in:
 +
<pre>
 +
C:\Windows\AppCompat\Programs\
 +
</pre>
 +
 
 +
== AppCompatCache ==
 +
In Windows 2000 and XP:
 +
<pre>
 +
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility
 +
</pre>
 +
 
 +
In Windows 2003 and later:
 +
<pre>
 +
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
 +
</pre>
  
 
== External Links ==
 
== External Links ==
* [http://www.driveimager.com/ Official website]
+
* [http://technet.microsoft.com/en-us/library/dd837644(v=ws.10).aspx Technet: Understanding Shims], by [[Microsoft]]
* [http://www.deepspar.com/pdf/DeepSparDiskImager.pdf Product data sheet]
+
* [http://msdn.microsoft.com/en-us/library/bb432182(v=vs.85).aspx MSDN: Application Compatibility Database], by [[Microsoft]]
* [http://www.deepspar.com/mjm-ds-disk-imager.html Review of the DeepSpar Disk Imager] by Mike Montgomery of MJM Data Recovery in the UK.
+
* [http://www.alex-ionescu.com/?p=39 Secrets of the Application Compatilibity Database (SDB) – Part 1], by [[Alex Ionescu]], May 20, 2007
* ''[http://www.deepspar.com/pdf/DeepSparDiskImagingWhitepaper3.pdf Disk Imaging: A Vital Step in Data Recovery]'', a whitepaper on the product
+
* [http://www.alex-ionescu.com/?p=40 Secrets of the Application Compatilibity Database (SDB) – Part 2], by [[Alex Ionescu]], May 21, 2007
 +
* [http://www.alex-ionescu.com/?p=41 Secrets of the Application Compatilibity Database (SDB) – Part 3], by [[Alex Ionescu]], May 26, 2007
 +
* [http://recxltd.blogspot.com/2012/04/windows-appcompat-research-notes-part-1.html Windows AppCompat Research Notes - Part 1], by Ollie, 28 April 2012
 +
* [http://recxltd.blogspot.com/2012/05/windows-appcompat-research-notes-part-2.html Windows AppCompat Research Notes - Part 2], by Ollie, 4 May 2012
 +
* [https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf Leveraging the Application Compatibility Cache in Forensic Investigations], by [[Andrew Davis]], May 4, 2012
 +
* [http://journeyintoir.blogspot.ch/2013/12/revealing-recentfilecachebcf-file.html Revealing the RecentFileCache.bcf File], by [[Corey Harrell]], December 2, 2013
 +
* [http://journeyintoir.blogspot.ch/2013/12/revealing-program-compatibility.html Revealing Program Compatibility Assistant HKCU AppCompatFlags Registry Keys], by [[Corey Harrell]], December 17, 2013
 +
* [http://journeyintoir.blogspot.ch/2014/04/triaging-with-recentfilecachebcf-file.html Triaging with the RecentFileCache.bcf File], by [[Corey Harrell]], April 21, 2014
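Review bot: the added RecentFileCache.bcf and Amcache.hve sections each tie the file to a single Windows version ("In Windows 7", "In Windows 8") and give the same directory, C:\Windows\AppCompat\Programs\, without saying whether either file is present on other versions; state the version range for each so an examiner knows which artifact to expect on a given system. The sysmain.sdb section consists only of "System compatibility database." with no location, and the AppCompatCache section names the two keys but not the value under them that holds the cache data; adding both would bring those sections level with the rest. The left-hand side of this comparison is a different article (DeepSpar Disk Imager), so the paragraphs shown as unchanged context are unrelated to the new text.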

Latest revision as of 01:06, 9 July 2014


== sysmain.sdb ==

System compatibility database.

== RecentFileCache.bcf ==

In Windows 7 the RecentFileCache.bcf file is stored in:

<pre>
C:\Windows\AppCompat\Programs\
</pre>

== Amcache.hve ==

The Amcache.hve file is a Windows NT Registry File (REGF).

In Windows 8 the Amcache.hve file is stored in:

<pre>
C:\Windows\AppCompat\Programs\
</pre>

== AppCompatCache ==

In Windows 2000 and XP:

<pre>
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility
</pre>

In Windows 2003 and later:

<pre>
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
</pre>

== External Links ==