Difference between pages "Fiwalk" and "Windows Application Compatibility"

From ForensicsWiki
= Windows Application Compatibility =
{{expand}}

== sysmain.sdb ==
The system application compatibility (shim) database: the set of compatibility fixes Windows applies to applications it recognises.

== RecentFileCache.bcf ==
In Windows 7 the RecentFileCache.bcf file is stored in:
<pre>
C:\Windows\AppCompat\Programs\
</pre>

= Fiwalk =
fiwalk is a batch forensic analysis program, written in C on top of SleuthKit, that walks the file systems in a disk image and emits one record per file. The program can write its output as XML (the Digital Forensics XML shown below) or as ARFF.

fiwalk can be downloaded from http://afflib.org/fiwalk

==XML Example==
<pre>
<?xml version='1.0' encoding='ISO-8859-1'?>
<fiwalk xmloutputversion='0.2'>
  <metadata
  xmlns='http://example.org/myapp/'
  xmlns:xsi='http://www.w3.org/2001/XMLSchema-instance'
  xmlns:dc='http://purl.org/dc/elements/1.1/'>
    <dc:type>Disk Image</dc:type>
  </metadata>
  <creator>
    <program>fiwalk</program>
    <version>0.5.7</version>
    <os>Darwin</os>
    <library name="tsk" version="3.0.1"></library>
    <library name="afflib" version="3.5.2"></library>
    <command_line>fiwalk -x /dev/disk2</command_line>
  </creator>
  <source>
    <imagefile>/dev/disk2</imagefile>
  </source>
<!-- fs start: 512 -->
  <volume offset='512'>
    <Partition_Offset>512</Partition_Offset>
    <block_size>512</block_size>
    <ftype>2</ftype>
    <ftype_str>fat12</ftype_str>
    <block_count>5062</block_count>
    <first_block>0</first_block>
    <last_block>5061</last_block>
    <fileobject>
      <filename>README.txt</filename>
      <id>2</id>
      <filesize>43</filesize>
      <partition>1</partition>
      <alloc>1</alloc>
      <used>1</used>
      <inode>6</inode>
      <type>1</type>
      <mode>511</mode>
      <nlink>1</nlink>
      <uid>0</uid>
      <gid>0</gid>
      <mtime>1258916904</mtime>
      <atime>1258876800</atime>
      <crtime>1258916900</crtime>
      <byte_runs>
      <run file_offset='0' fs_offset='37376' img_offset='37888' len='43'/>
      </byte_runs>
      <hashdigest type='md5'>2bbe5c3b554b14ff710a0a2e77ce8c4d</hashdigest>
      <hashdigest type='sha1'>b3ccdbe2db1c568e817c25bf516e3bf976a1dea6</hashdigest>
    </fileobject>
  </volume>
<!-- end of volume -->
<!-- clock: 0 -->
  <runstats>
    <user_seconds>0</user_seconds>
    <system_seconds>0</system_seconds>
    <maxrss>1814528</maxrss>
    <reclaims>546</reclaims>
    <faults>1</faults>
    <swaps>0</swaps>
    <inputs>56</inputs>
    <outputs>0</outputs>
    <stop_time>Sun Nov 22 11:08:36 2009</stop_time>
  </runstats>
</fiwalk>
</pre>
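The record above is only useful if its byte runs and digests can be checked against the media. The following is an added example, not fiwalk's own code, that parses DFXML of this shape, carves each file's bytes back out of the image at the run's img_offset, and recomputes the recorded digests. The DFXML and the 40 KiB image are constructed inline: the fileobject is the page's README.txt record trimmed to the fields the code uses, with its md5 and sha1 replaced by the digests of a 43-byte test string placed at offset 37888, since the page's own file content is not available.

```python
"""Parse fiwalk DFXML, carve each file's bytes out of the image by its byte
runs, and check the carved data against the recorded hash digests.

Added example, not fiwalk's own code. Uses only the Python standard library.
"""
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample DFXML: the page's fiwalk example trimmed to one volume and
# one fileobject. README.txt's digests are those of the 43-byte test string
# placed into the constructed image below (same filesize as on the page).
SAMPLE_DFXML = b"""<?xml version='1.0' encoding='ISO-8859-1'?>
<fiwalk xmloutputversion='0.2'>
  <volume offset='512'>
    <block_size>512</block_size>
    <ftype_str>fat12</ftype_str>
    <fileobject>
      <filename>README.txt</filename>
      <filesize>43</filesize>
      <alloc>1</alloc>
      <inode>6</inode>
      <byte_runs>
      <run file_offset='0' fs_offset='37376' img_offset='37888' len='43'/>
      </byte_runs>
      <hashdigest type='md5'>9e107d9d372bb6826bd81d3542a419d6</hashdigest>
      <hashdigest type='sha1'>2fd4e1c67a2d28fced849ee1bb76e7391b93eb12</hashdigest>
    </fileobject>
  </volume>
</fiwalk>
"""

README_CONTENT = b"The quick brown fox jumps over the lazy dog"  # 43 bytes


def build_sample_image(size=40960):
    """Constructed stand-in for /dev/disk2: zeros, with README.txt's bytes at
    the img_offset the DFXML record points to."""
    img = bytearray(size)
    img[37888:37888 + len(README_CONTENT)] = README_CONTENT
    return bytes(img)


def parse_fileobjects(dfxml_bytes):
    """Return one dict per <fileobject>, with its byte runs and digests.

    fiwalk scopes only <metadata> to a namespace, so the forensic elements
    (volume, fileobject, run, hashdigest) are found by their bare tag names.
    """
    root = ET.fromstring(dfxml_bytes)
    records = []
    for volume in root.iter("volume"):
        vol_offset = int(volume.get("offset", "0"))
        for fo in volume.iter("fileobject"):
            runs = []
            for run in fo.iter("run"):
                r = {k: int(run.get(k))
                     for k in ("file_offset", "fs_offset", "img_offset", "len")}
                # img_offset must equal fs_offset plus the volume offset; refuse
                # a record whose offsets disagree rather than carve garbage.
                if r["img_offset"] != r["fs_offset"] + vol_offset:
                    raise ValueError("inconsistent offsets in run %r" % r)
                runs.append(r)
            records.append({
                "filename": fo.findtext("filename"),
                "filesize": int(fo.findtext("filesize", "0")),
                "alloc": fo.findtext("alloc") == "1",
                "inode": int(fo.findtext("inode", "0")),
                "runs": runs,
                "digests": {h.get("type"): h.text.strip().lower()
                            for h in fo.iter("hashdigest")},
            })
    return records


def carve(image, record):
    """Reassemble a file from its byte runs, reading the image (so img_offset,
    not fs_offset, is used). Runs land at file_offset and are clipped to
    filesize so slack at the end of the last cluster is not hashed."""
    out = bytearray(record["filesize"])
    for run in sorted(record["runs"], key=lambda r: r["file_offset"]):
        n = min(run["len"], record["filesize"] - run["file_offset"])
        if n <= 0:
            continue
        chunk = image[run["img_offset"]:run["img_offset"] + n]
        if len(chunk) != n:
            raise ValueError("run for %s extends past end of image" % record["filename"])
        out[run["file_offset"]:run["file_offset"] + n] = chunk
    return bytes(out)


def verify_digests(image, record):
    """Recompute each recorded digest over the carved bytes; {algo: matches}."""
    data = carve(image, record)
    return {algo: hashlib.new(algo, data).hexdigest() == expected
            for algo, expected in record["digests"].items()}


if __name__ == "__main__":
    image = build_sample_image()
    for rec in parse_fileobjects(SAMPLE_DFXML):
        print(rec["filename"], rec["filesize"], verify_digests(image, rec))
```

Against a real image, replace `build_sample_image()` with the mapped image file and feed the parser fiwalk's actual output; a digest mismatch then means either the image was altered after fiwalk ran or the record's byte runs no longer describe the file.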
  
==See Also==
* [[fileobject]]
* [http://domex.nps.edu/deep/Fiwalk.html fiwalk on the DEEP website]

[[Category:Digital Forensics XML]]

= Windows Application Compatibility (continued) =
== Amcache.hve ==
The Amcache.hve file is a [[Windows NT Registry File (REGF)]], so it is parsed with registry hive tools rather than as a flat file.

In Windows 8 the Amcache.hve file is stored in:
<pre>
C:\Windows\AppCompat\Programs\
</pre>

== AppCompatCache ==
In Windows 2000 and XP:
<pre>
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility
</pre>

In Windows 2003 and later:
<pre>
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
</pre>

CurrentControlSet is an alias that exists only on a running system; in a SYSTEM hive taken from a disk image, read the Current value of the Select key and look under the matching ControlSet00N key instead. The cache is written back to the registry at shutdown, so the value found in the hive reflects the state as of the last shutdown rather than the session that was running when the image was taken.
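An added collection script, not from the page, that gathers the artifacts named above from a live host: it exports the cache blob from whichever Session Manager key the OS uses and copies the two files under C:\Windows\AppCompat\Programs\. Two things are assumed beyond what the page states: that the REG_BINARY value under each key is named AppCompatCache, and the output folder, which is arbitrary. Run it elevated.

```powershell
# Added example (not the ForensicsWiki page's own code): collect the
# application-compatibility artifacts the page lists from a live Windows host.
# Assumed beyond the page: the REG_BINARY value is named AppCompatCache, and
# the output folder below is an arbitrary choice.
param([string]$OutDir = (Join-Path $env:TEMP 'appcompat-triage'))
New-Item -ItemType Directory -Force -Path $OutDir | Out-Null

$sessionManager = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
# Windows 2000/XP use the AppCompatibility key; 2003 and later use AppCompatCache.
foreach ($sub in 'AppCompatibility', 'AppCompatCache') {
    $key = Join-Path $sessionManager $sub
    if (-not (Test-Path $key)) { "${key}: not present"; continue }
    $blob = (Get-ItemProperty -Path $key -Name 'AppCompatCache' -ErrorAction SilentlyContinue).AppCompatCache
    if ($null -eq $blob) { "${key}: no AppCompatCache value"; continue }
    # The cache is written back to the registry at shutdown, so this blob
    # describes the state as of the last shutdown, not the running session.
    $dest = Join-Path $OutDir "$sub.bin"
    [System.IO.File]::WriteAllBytes($dest, [byte[]]$blob)
    "${key}: $($blob.Length) bytes -> $dest"
}

# RecentFileCache.bcf (Windows 7) and Amcache.hve (Windows 8) share one folder.
$programs = Join-Path $env:SystemRoot 'AppCompat\Programs'
foreach ($name in 'RecentFileCache.bcf', 'Amcache.hve') {
    $path = Join-Path $programs $name
    if (-not (Test-Path $path)) { "${path}: not present"; continue }
    try {
        # Amcache.hve is a loaded registry hive and is normally locked while
        # Windows runs; report the failure instead of hiding it, and take the
        # file from a volume shadow copy or the offline disk in that case.
        Copy-Item -Path $path -Destination $OutDir -ErrorAction Stop
        "${path}: copied"
    } catch {
        "${path}: present but could not be copied ($($_.Exception.Message))"
    }
}
```

The exported .bin files are the raw cache blobs; their layout differs between Windows versions, so parse them with a version-aware tool such as the Mandiant ShimCacheParser linked below rather than by hand.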
== External Links ==
* [http://technet.microsoft.com/en-us/library/dd837644(v=ws.10).aspx Technet: Understanding Shims], by [[Microsoft]]
* [http://msdn.microsoft.com/en-us/library/bb432182(v=vs.85).aspx MSDN: Application Compatibility Database], by [[Microsoft]]
* [http://www.alex-ionescu.com/?p=39 Secrets of the Application Compatilibity Database (SDB) – Part 1], by [[Alex Ionescu]], May 20, 2007
* [http://www.alex-ionescu.com/?p=40 Secrets of the Application Compatilibity Database (SDB) – Part 2], by [[Alex Ionescu]], May 21, 2007
* [http://www.alex-ionescu.com/?p=41 Secrets of the Application Compatilibity Database (SDB) – Part 3], by [[Alex Ionescu]], May 26, 2007
* [http://recxltd.blogspot.com/2012/04/windows-appcompat-research-notes-part-1.html Windows AppCompat Research Notes - Part 1], by Ollie, 28 April 2012
* [http://recxltd.blogspot.com/2012/05/windows-appcompat-research-notes-part-2.html Windows AppCompat Research Notes - Part 2], by Ollie, 4 May 2012
* [https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf Leveraging the Application Compatibility Cache in Forensic Investigations], by [[Andrew Davis]], May 4, 2012
* [http://journeyintoir.blogspot.ch/2013/12/revealing-recentfilecachebcf-file.html Revealing the RecentFileCache.bcf File], by [[Corey Harrell]], December 2, 2013
* [http://journeyintoir.blogspot.ch/2013/12/revealing-program-compatibility.html Revealing Program Compatibility Assistant HKCU AppCompatFlags Registry Keys], by [[Corey Harrell]], December 17, 2013
* [http://journeyintoir.blogspot.ch/2014/04/triaging-with-recentfilecachebcf-file.html Triaging with the RecentFileCache.bcf File], by [[Corey Harrell]], April 21, 2014

Latest revision as of 01:06, 9 July 2014
