Difference between pages "File Carving:SmartCarving" and "Extensible Storage Engine (ESE) Database File (EDB) format"

From Forensics Wiki
File Carving:SmartCarving

'''SmartCarving''' is a [[File Carving|file carving]] technique to recover fragmented files, first proposed by [[User:PashaPal|A. Pal]], T. Sencar and [[User:NasirMemon|N. Memon]] at DFRWS 2008. The term '''smart carving''' had already been used in a DFRWS 2006 paper [http://sandbox.dfrws.org/2006/mora/dfrws2006.pdf].

SmartCarving combines structure-based validation with validation of each file's own content. Results for the SmartCarving technique were demonstrated on fragmented JPEGs in the DFRWS 2006 and DFRWS 2007 challenges; across these two challenges SmartCarving recovered all but one fragmented JPEG file.

==History==
[[User:PashaPal|Pal]] and [[User:NasirMemon|Memon]] [1] presented an efficient algorithm based on a greedy heuristic and alpha-beta pruning for reassembling fragmented images.

Building on this work, Pal, Sencar and Memon [2] introduced sequential hypothesis testing as an effective mechanism for detecting the fragmentation points of a file. This paper won the best paper award at DFRWS 2008. The techniques presented in the paper were the foundation for the overall SmartCarving design.

==Details==
After identifying a header block of a specific file type, for example JPEG, a SmartCarver analyzes each subsequent block to determine whether or not it belongs to the file started by that header block. If a block is determined not to belong, the file is assumed to be fragmented and the SmartCarving algorithm looks for the next fragment by matching the data of the other available blocks against the first fragment. This process can be done in parallel for many files.
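The walk described above, as an added toy example in Python that is neither Digital Assembly's code nor the exact procedure of the papers cited below: it finds JPEG header blocks by their start-of-image marker, runs a sequential hypothesis test on a per-block statistic to decide when the blocks stop belonging to the file, and then searches the remaining unclaimed blocks for the next fragment. The 64-byte block size, the printable-byte statistic, the two Bernoulli models, the threshold and the disk image itself are constructed assumptions; the real carver validates with file-type-specific checks (for example JPEG decoding) rather than a byte statistic.

```python
"""Toy SmartCarver over a constructed disk image: find JPEG header blocks,
walk forward with a sequential hypothesis test to spot the fragmentation
point, then search the unclaimed blocks for the next fragment.
Added illustration, not Digital Assembly's code. The per-block statistic
(printable-byte rate), the two Bernoulli models and the threshold are
assumptions made for this toy; the real carver uses decoder-based checks."""
import math

BLOCK = 64                    # block size of the constructed image (assumption)
SOI = b"\xff\xd8\xff"         # JPEG start-of-image marker: structural header check
EOI = b"\xff\xd9"             # JPEG end-of-image marker: structural footer check
P_JPEG, P_TEXT = 0.37, 0.95   # P(byte is printable ASCII) under H0 / H1 (assumed)
THRESHOLD = 20.0              # log-likelihood ratio needed for a confident decision


def llr(block: bytes) -> float:
    """Log-likelihood ratio of H1 'block is foreign (text-like)' against
    H0 'block belongs to the JPEG': positive favours 'does not belong'."""
    k = sum(1 for b in block if 32 <= b <= 126)
    n = len(block) - k
    return k * math.log(P_TEXT / P_JPEG) + n * math.log((1 - P_TEXT) / (1 - P_JPEG))


def follow(blocks, start, claimed):
    """Walk forward from block `start`, deferring the decision on ambiguous
    blocks until the accumulated evidence crosses a threshold.
    Returns (accepted block indices, reached_footer, index to resume from)."""
    accepted, pending, score, i = [], [], 0.0, start
    while i < len(blocks) and i not in claimed:
        pending.append(i)
        score += llr(blocks[i])
        if score <= -THRESHOLD:                # confident: pending blocks belong
            accepted.extend(pending)
            if any(EOI in blocks[j] for j in pending):
                return accepted, True, i + 1   # footer reached: file complete
            pending, score = [], 0.0
        elif score >= THRESHOLD:               # confident: fragmentation point
            return accepted, False, i + 1
        i += 1
    return accepted, False, i


def smart_carve(image: bytes) -> dict:
    """Map each JPEG header block index to the ordered list of its blocks."""
    blocks = [image[o:o + BLOCK] for o in range(0, len(image), BLOCK)]
    claimed, files = set(), {}
    for h, blk in enumerate(blocks):
        if h in claimed or not blk.startswith(SOI):
            continue
        fragments, done, nxt = follow(blocks, h, claimed)
        claimed.update(fragments)
        while not done:
            # Fragmentation point hit: pick the first unclaimed, non-header
            # block that matches the file's content model as the next fragment.
            cand = next((j for j in range(nxt, len(blocks))
                         if j not in claimed and not blocks[j].startswith(SOI)
                         and llr(blocks[j]) <= -THRESHOLD), None)
            if cand is None:
                break                          # no further fragment recoverable
            more, done, nxt = follow(blocks, cand, claimed)
            fragments.extend(more)
            claimed.update(more)
        files[h] = fragments
    return files


# --- constructed sample image (not real disk data) --------------------------
def filler(n: int, seed: int) -> bytes:
    """Deterministic pseudo entropy-coded bytes; never 0xff, so no stray EOI."""
    return bytes((seed + 73 * i) % 251 for i in range(n))

TEXT = (b"The quick brown fox jumps over the lazy dog. " * 2)[:BLOCK]
AMBIGUOUS = TEXT[:44] + bytes(20)    # mixed block: its evidence alone is inconclusive
IMAGE = b"".join([
    SOI + b"\xe0" + filler(60, 1),   # block 0: JPEG #1 header
    filler(64, 7),                   # block 1: JPEG #1 data
    filler(64, 11),                  # block 2: JPEG #1 data
    AMBIGUOUS,                       # block 3: decision deferred, then rejected
    TEXT,                            # block 4: foreign text, fragmentation point
    filler(64, 100),                 # block 5: JPEG #1 resumes here
    filler(62, 200) + EOI,           # block 6: JPEG #1 footer
    TEXT,                            # block 7: more foreign text
    SOI + b"\xe1" + filler(60, 3),   # block 8: JPEG #2 header (contiguous file)
    filler(62, 5) + EOI,             # block 9: JPEG #2 footer
])

if __name__ == "__main__":
    print(smart_carve(IMAGE))        # {0: [0, 1, 2, 5, 6], 8: [8, 9]}
```

Block 3 of the constructed image is deliberately ambiguous: on its own the evidence stays between the two thresholds, so the decision is deferred until block 4 tips it, which is the reason for running the test sequentially rather than judging each block in isolation.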
  
==Applications==
There are currently two applications available that utilize SmartCarving, both produced by Digital Assembly:
* [[Adroit Photo Forensics]]
* Adroit Photo Recovery

== References ==
# A. Pal and N. Memon, [http://digital-assembly.com/technology/research/pubs/ieee-trans-2006.pdf "Automated reassembly of file fragmented images using greedy algorithms"], IEEE Transactions on Image Processing, February 2006, pp. 385-393
# A. Pal, T. Sencar and N. Memon, [http://digital-assembly.com/technology/research/pubs/dfrws2008.pdf "Detecting File Fragmentation Point Using Sequential Hypothesis Testing"], Digital Investigation, Fall 2008

==External links==
* [http://digital-assembly.com/products/adroit-photo-recovery/ Adroit Photo Recovery]
* [http://digital-assembly.com/products/adroit-photo-forensics/ Adroit Photo Forensics]
* [http://digital-assembly.com/technology/ Link to SmartCarving Technology and Research]
* [http://digital-assembly.com Digital Assembly]
Extensible Storage Engine (ESE) Database File (EDB) format

Revision as of 05:45, 29 July 2012

[[Microsoft]] uses the '''Extensible Storage Engine (ESE) Database File (EDB) format''' for multiple purposes.

== MIME types ==
The actual MIME type of the ESEDB format is unspecified.

== File signature ==
The ESEDB has the following file signature:
hexadecimal: ef cd ab 89 (at offset 4), i.e. the 32-bit value 0x89abcdef stored little-endian

== File types ==
ESEDB distinguishes between the following types:
* database (.edb, .sdb, ...)
* streaming file (.stm)

There are also multiple versions of the ESEDB format.

== Contents ==
The ESEDB is basically an ISAM (Indexed Sequential Access Method) database file format.

The ESEDB format is used by many Microsoft applications to store data such as:
* Active Directory (NTDS)
* File Replication service (FRS)
* Windows Internet Name service (WINS)
* DHCP
* Security Configuration Engine (SCE)
* Certificate Server
* Terminal Services Session folder
* Terminal Services Licensing service
* Catalog database
* Help and Support Services
* Directory Synchronization service (MSDSS)
* Remote Storage (RSS)
* Phone Book service
* Single Instance Store (SIS) Groveler
* Windows NT Backup/Restore
* Exchange store
* Microsoft Exchange folder (SRS and DXA)
* Key Management service (KMS)
* Instant Messaging
* Windows (Vista) Mail
* Content Indexing/Windows (Desktop) Search

== External Links ==
* [http://code.google.com/p/libesedb/downloads/detail?name=Extensible%20Storage%20Engine%20%28ESE%29%20Database%20File%20%28EDB%29%20format.pdf Extensible Storage Engine (ESE) Database File (EDB) format], by [[libesedb|libesedb project]]
* [http://en.wikipedia.org/wiki/Extensible_Storage_Engine Wikipedia on Extensible Storage Engine]
* [https://www.os3.nl/_media/2008-2009/students/willem_toorop/wlm2009_ese_fin.pdf Forensic examination of Windows Live Messenger 2009 Extensible Storage Engine], May 2009, by [[Wouter van Dongen]], [[Willem Toorop]] and [[Joeri Blokhuis]]

== Tools ==
* [http://www.woanware.co.uk/?page_id=89 EsEDbViewer]
* [[libesedb]]

[[Category:File Formats]]
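As an added example (not libesedb's code), the following Python checks the signature from the File signature section at offset 4 of a candidate block and scans a raw image block by block for such candidates, the way a carver would locate ESEDB headers before handing them to a full parser. Only the signature at offset 4 comes from this page; reading the 4-byte little-endian format version at offset 8 and the file type at offset 12 (0 = database, 1 = streaming file, matching the File types section) follows the libesedb format document listed under External Links and is an assumption here that should be verified against that document. The sample headers and the raw image are constructed.

```python
"""Recognise the ESEDB header signature (ef cd ab 89 at offset 4) in a file
or in a block of a raw image, and read the fields beside it.
Added example, not libesedb code. Only the signature is taken from the page;
the format-version field at offset 8 and the file-type field at offset 12
(0 = database, 1 = streaming file) follow the libesedb format document and
are assumptions to verify against it."""
import struct

ESEDB_SIGNATURE = b"\xef\xcd\xab\x89"   # 0x89abcdef stored little-endian
SIGNATURE_OFFSET = 4
FILE_TYPES = {0: "database", 1: "streaming file"}   # .edb/.sdb versus .stm


def has_esedb_signature(buf: bytes) -> bool:
    """True when the 4 bytes at offset 4 are the ESEDB magic."""
    end = SIGNATURE_OFFSET + len(ESEDB_SIGNATURE)
    return len(buf) >= end and buf[SIGNATURE_OFFSET:end] == ESEDB_SIGNATURE


def parse_header(buf: bytes) -> dict:
    """Return the header fields next to the signature, or raise ValueError."""
    if not has_esedb_signature(buf):
        raise ValueError("no ESEDB signature at offset 4")
    if len(buf) < 16:
        raise ValueError("header truncated")
    checksum, _magic, version, file_type = struct.unpack_from("<4I", buf, 0)
    return {
        "checksum": checksum,
        "format_version": version,
        "file_type": FILE_TYPES.get(file_type, "unknown (%d)" % file_type),
    }


def find_esedb_headers(image: bytes, block_size: int = 512) -> list:
    """Offsets of block-aligned ESEDB header candidates in a raw image: the
    cheap check a carver runs before handing a candidate to a full parser."""
    hits = []
    for off in range(0, len(image), block_size):
        if has_esedb_signature(image[off:off + 16]):
            hits.append(off)
    return hits


# --- constructed sample data (not real ESE files) ---------------------------
def make_header(file_type: int, version: int = 0x620) -> bytes:
    """Build a 512-byte stand-in header: checksum left 0, then the magic,
    version and file type as little-endian 32-bit values."""
    fields = struct.pack("<4I", 0, 0x89ABCDEF, version, file_type)
    return fields + bytes(512 - len(fields))

DATABASE_HEADER = make_header(0)
STREAM_HEADER = make_header(1)
# Magic bytes at offset 0 of the last block (not at offset 4) must not match.
RAW_IMAGE = (bytes(1024) + DATABASE_HEADER + bytes(512) + STREAM_HEADER
             + ESEDB_SIGNATURE + bytes(12))

if __name__ == "__main__":
    print(parse_header(DATABASE_HEADER))   # {'checksum': 0, 'format_version': 1568, 'file_type': 'database'}
    print(find_esedb_headers(RAW_IMAGE))   # [1024, 2048]
```

The signature test alone only says a block looks like an ESEDB header; a carver still has to confirm the candidate by parsing the rest of the header (page size, database state, checksum) with a full implementation such as libesedb before trusting it.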
