Difference between pages "NSF DUE-0919593" and "SuperFetch"

From ForensicsWiki
= NSF DUE-0919593 =

This page includes links to digital forensics resources produced under NSF DUE-0919593, "Creating Realistic Forensic Corpora for Undergraduate Education and Research".

'''EDUCATIONAL DATA SETS'''

1. 2009-M57 "Patents" scenario

This scenario involves a small company called M57 which was engaged in prior art searches for patents. The fictional company is contacted by the local police in November 2009 after a person purchases a computer from Craigslist and discovers "kitty porn" on the computer. The police trace the computer back to the M57 company.

The scenario actually involves three separate criminal activities:

1 - Exfiltration of proprietary information by an M57 employee.

2 - Stealing of M57's property and selling it on Craigslist.

3 - The possession of "kitty porn" photos by an M57 employee.

This is an involved scenario which has the following information available to students trying to "solve" the case:

* Disk image of the computer that was sold on Craigslist.
* Disk images of the firm's five computers when the police show up.
* Disk images of the four USB drives that were found on-site belonging to M57 employees.
* The RAM image of each computer just before the disk was imaged.

There are approximately 2-4 weeks of use on each computer.

2. Nitroba University Harassment Scenario

This scenario involves a harassment case at the fictional Nitroba University.

Nitroba's IT department has received an email from Lily Tuckrige, a teacher in the Chemistry Department. Tuckrige has been receiving harassing emails and she suspects that they are being sent by a student in her class Chemistry 109, which she is teaching this summer. The email was received at Tuckrige's personal email account, lilytuckrige@yahoo.com. She took a screenshot of the web browser and sent it in.

The system administrator who received the complaint wrote back to Tuckrige that Nitroba needed the full headers of the email message. Tuckrige responded by clicking the "Full message headers" button in Yahoo Mail and sent in another screenshot, this one with the mail headers.

The mail header shows that the mail message originated from the IP address 140.247.62.34, which is a Nitroba student dorm room. Three women share the dorm room. Nitroba provides an Ethernet connection in every dorm room but not Wi-Fi access, so one of the women's friends installed a Wi-Fi router in the room. There is no password on the Wi-Fi.

Because several email messages appear to come from the IP address, Nitroba decides to place a network sniffer on the Ethernet port. All of the packets are logged. On Monday 7/21 Tuckrige received another harassing email. But this time, instead of receiving it directly, the perpetrator sent it through a web-based service called "willselfdestruct.com." The website briefly shows the message to Tuckrige, and then the website reports that the "Message Has Been Destroyed."

Students are provided with the screenshots, the packets that were collected from the Ethernet tap, and the Chem 109 roster. Their job is to determine if one of the students in the class was responsible for the harassing email and to provide clear, conclusive evidence to support their conclusion.

'''RESEARCH DATA SETS'''

We are also making available an enlarged "research data set" which contains a wealth of information that can be used by students interested in RAM, network, or disk forensics.

The research data set was created at the same time as the 2009-M57 Patents dataset but contains substantially more information:

* All of the IP packets in and out of the M57 test network.
* Daily disk images and RAM captures of each computer on the network.

This data is not needed to "solve" the scenario, but it might be interesting for students that are:

* Interested in learning about RAM analysis and need a source of RAM images.
* Interested in network forensics and want packets.
* Interested in writing software that does "disk differencing" or can detect the installation of malware.
* Looking for examples of how a Windows registry is modified over time with use.

'''OBTAINING THE DATA'''

You can obtain our data at the following addresses:

The M57 Corpus:

* http://torrent.ibiblio.org/doc/187/torrents (BitTorrent form)
* http://domex.nps.edu/corp/scenarios/2009-m57/ (individual files)

Please download from the iBiblio BitTorrent server if possible. There are a number of torrents available for your convenience. If you examine the manifests, you will notice that the files overlap (some disk images appearing in more than one torrent). Each torrent will place files into:

<tt>[YOUR_LOCAL_DIRECTORY]/torrent_name/corp/scenarios/2009_m57/</tt>

Please seed if possible! The "police materials" torrent references only those materials that would be captured in a raid (e.g. the final day of the scenario).

The 2008-Nitroba corpus:

* http://domex.nps.edu/corp/scenarios/2008-nitroba/

= SuperFetch =

{{Expand}}

SuperFetch is a performance enhancement introduced in [[Microsoft]] [[Windows|Windows Vista]] to reduce the time needed to launch applications. It works with the Windows memory manager, analyzing memory usage patterns over time to decide which pages are the best content for memory for a given user at a given date or time of day, and keeps those pages loaded in otherwise idle RAM. This differs from the [[Prefetch]] technique used in Windows XP, which preloads the files an application touched during earlier launches but does not model usage patterns over time.

From [http://msdn.microsoft.com/en-us/library/windows/hardware/dn653317(v=vs.85).aspx]: SuperFetch prioritizes the following kinds of pages to remain in memory:

* Pages of applications that are used most frequently overall.
* Pages of applications that are commonly used when resuming:
** After extensive hibernation (for example, first thing in the morning).
** After shorter periods of sleep or hibernation (for example, after lunch).

If SuperFetch detects that the system drive is a fast solid-state drive (SSD), as measured by the Windows Experience Index disk score, it turns off [[ReadyBoot]].

== Configuration ==

Because SuperFetch fills otherwise idle RAM with cached pages, the system appears to have little free memory, and some users disable the feature so that more memory shows as free. It is controlled by the <tt>EnableSuperfetch</tt> value under the <tt>HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters</tt> [[Registry]] key [http://www.codinghorror.com/blog/archives/000688.html]: 0 disables SuperFetch, 1 enables it for boot only, 2 for application launches only, and 3 for both boot and applications. The SuperFetch service (service name <tt>SysMain</tt>) can also be stopped or disabled from the Services console, <tt>services.msc</tt> [http://tiredblogger.wordpress.com/2007/03/27/superfetch-not-so-super-for-gaming/]. When reading the setting from an offline SYSTEM hive, remember that <tt>CurrentControlSet</tt> exists only on a running system: the <tt>Current</tt> value of the hive's <tt>Select</tt> key names the <tt>ControlSet00n</tt> that was in use, and the value must be read from there. For an examiner, a disabled SuperFetch also means the databases described below stop being updated.

== File Formats ==

SuperFetch's data is gathered by <tt>%SystemRoot%\System32\Sysmain.dll</tt>, which runs inside a Service Host process (<tt>%SystemRoot%\System32\Svchost.exe</tt>), and is stored in a set of files in the <tt>%SystemRoot%\Prefetch</tt> directory [http://www.microsoft.com/technet/technetmag/issues/2007/03/VistaKernel/]. The file names begin with <tt>Ag</tt> and carry the extension <tt>.db</tt> (for example <tt>AgAppLaunch.db</tt> and <tt>AgGlGlobalHistory.db</tt>). The format is not fully documented; an unofficial partial specification [http://blog.rewolf.pl/blog/?p=214] and an open source (GPL) dumper for the <tt>.db</tt> files [http://code.google.com/p/rewolf-superfetch-dumper/] are available. Some information can be gleaned from the files simply by searching them for [[Unicode]] [[strings]]: these include NT-style paths of the executables and libraries SuperFetch has observed, which can show that a program was present and used on the system even after it has been deleted. On Windows 8 and later the databases are stored compressed, so the strings are not visible until a file has been decompressed.

The SuperFetch feature is seeded with some basic usage patterns when the operating system is installed [http://channel9.msdn.com/showpost.aspx?postid=242429].

== See Also ==

* [[Prefetch]]
* [[ReadyBoost]]
* [[ReadyBoot]]
* [[Windows SuperFetch Format|SuperFetch Format]]
* [[Windows]]

== External Links ==

* [http://en.wikipedia.org/wiki/Windows_Vista_I/O_technologies#SuperFetch Wikipedia: Windows Vista I/O technologies - SuperFetch]
* [http://channel9.msdn.com/showpost.aspx?postid=242429 Channel 9 Interview with Michael Fortin of Microsoft on SuperFetch]
* [http://www.informationweek.com/news/showArticle.jhtml?articleID=196902178 Microsoft Predicts The Future With Vista's SuperFetch] from Information Week
* [http://jessekornblum.com/presentations/dodcc08-2.pdf DC3 Presentation: My You Look SuperFetching], by Jesse Kornblum

== Tools ==

=== Open Source ===

* [https://code.google.com/p/rewolf-superfetch-dumper/ rewolf-superfetch-dumper]

[[Category:Windows]]

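The following Python script is an added example of the string-search approach described in the File Formats section of the SuperFetch page above; it is not code from ForensicsWiki or from rewolf-superfetch-dumper. It walks a copy of the <tt>Prefetch</tt> directory, extracts printable UTF-16LE strings of at least six characters from each <tt>Ag*.db</tt> file, and separates NT-style paths from the remaining strings. The <tt>\VOLUME{...}\</tt> path form, and the assumption that a file beginning with the bytes <tt>MAM</tt> is a compressed Windows 8 or later database that must be decompressed before searching, are this example's assumptions, not something the page documents. The database returned by <tt>build_sample_db()</tt> is constructed for the example and does not reproduce the real record layout.

```python
"""UTF-16LE string triage for SuperFetch Ag*.db files.

Added example, not code from ForensicsWiki or from rewolf-superfetch-dumper.
Vista/7 databases are uncompressed, so the file paths SuperFetch tracked can
be read out as UTF-16LE strings without knowing the record layout.
"""
import re
import sys
from pathlib import Path

MIN_LEN = 6  # shortest run of characters worth reporting

# Paths in the databases are NT-style: \VOLUME{<creation time>-<serial>}\...
# or \DEVICE\... .  Assumption made for this example; the page does not
# document the form.
NT_PATH = re.compile(r"^\\(?:VOLUME\{[0-9A-F]+-[0-9A-F]+\}|DEVICE)\\", re.IGNORECASE)

# Assumption: Windows 8 and later store these databases compressed in a
# container whose first bytes are "MAM"; such files need decompression first.
COMPRESSED_MAGIC = b"MAM"


def extract_utf16le_strings(data, min_len=MIN_LEN):
    """Return the distinct printable UTF-16LE strings of >= min_len characters, in file order.

    A run is min_len or more printable ASCII bytes each followed by a NUL byte;
    the regex finds runs at any byte offset, so alignment does not matter."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    seen, out = set(), []
    for match in pattern.finditer(data):
        text = match.group().decode("utf-16-le")
        if text not in seen:
            seen.add(text)
            out.append(text)
    return out


def scan_db(data):
    """Triage one database: flag compressed containers, else split strings into NT paths and other."""
    if data[:len(COMPRESSED_MAGIC)] == COMPRESSED_MAGIC:
        return {"compressed": True, "paths": [], "other": []}
    strings = extract_utf16le_strings(data)
    paths = [s for s in strings if NT_PATH.match(s)]
    other = [s for s in strings if not NT_PATH.match(s)]
    return {"compressed": False, "paths": paths, "other": other}


def scan_prefetch_dir(prefetch_dir):
    """Scan every Ag*.db in a copy of the Prefetch directory, keyed by file name."""
    return {db.name: scan_db(db.read_bytes())
            for db in sorted(Path(prefetch_dir).glob("Ag*.db"))}


def build_sample_db():
    """Constructed stand-in for an uncompressed database: binary noise around UTF-16LE strings.
    It does not reproduce the real record layout, only the string-carrying behaviour."""
    def u16(text):
        return text.encode("utf-16-le") + b"\x00\x00"   # NUL-terminated UTF-16LE
    volume = r"\VOLUME{01C9FD3A1B2C3D4E-5A6B7C8D}"
    return (
        b"\x0e\x00\x00\x00\x30\x00\x00\x00" + bytes(range(1, 24))
        + u16(volume + r"\WINDOWS\SYSTEM32\NTDLL.DLL")
        + b"\x07\x00\x12\x34" + b"ascii"          # 8-bit bytes, not a UTF-16LE run
        + u16(volume + r"\PROGRAM FILES\EXAMPLE\APP.EXE")
        + b"\x00" * 5 + u16("short")              # shorter than MIN_LEN, ignored
        + u16("NOTEPAD.EXE") + b"\xff" * 9
    )


def main(argv):
    if len(argv) != 2:
        print(f"usage: {argv[0]} <copy of the Prefetch directory>", file=sys.stderr)
        return 2
    for name, result in scan_prefetch_dir(argv[1]).items():
        if result["compressed"]:
            print(f"{name}: compressed (MAM) container, decompress before searching")
            continue
        print(f"{name}: {len(result['paths'])} path strings, {len(result['other'])} other strings")
        for path in result["paths"]:
            print("   ", path)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a copy of the directory exported from an image rather than the live <tt>%SystemRoot%\Prefetch</tt>, so the evidence is not touched. The extractor only recognises ASCII characters, so a path containing non-ASCII characters is split at that character; widen the byte class if the system under examination uses such names.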
Revision as of 02:48, 24 April 2014
