Difference between pages "Extensible Storage Engine (ESE) Database File (EDB) format" and "GRR"

From Forensics Wiki

Revision as of 14:36, 12 January 2014

= GRR =

{{Infobox_Software |
  name = Rekall |
  maintainer = [[Darren Bilby]] and others |
  os = {{Cross-platform}} |
  genre = {{Incident response}} |
  license = {{APL}} |
  website = [https://code.google.com/p/grr/ code.google.com/p/grr/] |
}}

GRR is an Incident Response Framework focused on Remote Live Forensics.

The disk and file system analysis capabilities of GRR are provided by the [[sleuthkit]] and [[pytsk]] projects.

The memory analysis and acquisition capabilities of GRR are provided by the [[rekall]] project.

== See also ==

* [[rekall]]

== External Links ==

* [https://code.google.com/p/grr/ Project site]
* [https://code.google.com/p/grr/wiki/ProjectFAQ Project FAQ]
* [http://grr.googlecode.com/git/docs/index.html Documentation]

== Publications ==

* [http://static.googleusercontent.com/media/research.google.com/en/us/pubs/archive/37237.pdf Distributed forensics and incident response in the enterprise], by [[Michael Cohen]], [[Darren Bilby]], G. Caronni. Digital Investigation, 2011.
* [https://googledrive.com/host/0B9hc84IflFGbN2IwMTUyYTUtMTU0Mi00ZWQ3LWFhNDktM2IyMTg5MmY3OWI0/Hunting%20in%20the%20Enterprise:%20Forensic%20Triage%20and%20Incident%20Response Hunting in the enterprise: Forensic triage and incident response], by [[Andreas Moser]], [[Michael Cohen]]. Digital Investigation, 2013.

== Presentations ==

* [https://googledrive.com/host/0B1wsLqFoT7i2N3hveC1lSEpHUnM/Docs/GRR%20Rapid%20Response%20-%20OSFC%202012.pdf OSDFC 2012 GRR Overview], by [[Darren Bilby]]

== Workshops ==

* [https://drive.google.com/?usp=chrome_app#folders/0B1wsLqFoT7i2eU1jU0JldW9JUU0 OSDFC workshop 2013], by [[Darren Bilby]]

= Extensible Storage Engine (ESE) Database File (EDB) format =

[[Microsoft]] uses the '''Extensible Storage Engine (ESE) Database File (EDB) format''' for multiple purposes.

== MIME types ==

The actual MIME type of the ESEDB format is unspecified.

== File signature ==

The ESEDB has the following file signature:

hexadecimal: ef cd ab 89 (at offset 4)

== File types ==

ESEDB distinguishes between the following types:

* database (.edb, .sdb, ...)
* streaming file (.stm)

There are also multiple versions of the ESEDB format.

== Contents ==

The ESEDB is basically an ISAM (Indexed Sequential Access Method) database file format.

The ESEDB format is used by many Microsoft applications to store data such as:

* Active Directory (NTDS)
* File Replication service (FRS)
* Windows Internet Name service (WINS)
* DHCP
* Security Configuration Engine (SCE)
* Certificate Server
* Terminal Services Session folder
* Terminal Services Licensing service
* Catalog database
* Help and Support Services
* Directory Synchronization service (MSDSS)
* Remote Storage (RSS)
* Phone Book service
* Single Instance Store (SIS) Groveler
* Windows NT Backup/Restore
* Exchange store
* Microsoft Exchange folder (SRS and DXA)
* Key Management service (KMS)
* Instant Messaging
* Windows (Vista) Mail
* Content Indexing/Windows (Desktop) Search

== External Links ==

* [http://code.google.com/p/libesedb/downloads/detail?name=Extensible%20Storage%20Engine%20%28ESE%29%20Database%20File%20%28EDB%29%20format.pdf Extensible Storage Engine (ESE) Database File (EDB) format], by [[libesedb|libesedb project]]
* [http://en.wikipedia.org/wiki/Extensible_Storage_Engine Wikipedia on Extensible Storage Engine]
* [https://www.os3.nl/_media/2008-2009/students/willem_toorop/wlm2009_ese_fin.pdf Forensic examination of Windows Live Messenger 2009 Extensible Storage Engine], May 2009, by [[Wouter van Dongen]], [[Willem Toorop]], [[Joeri Blokhuis]]

== Tools ==

* [http://www.woanware.co.uk/?page_id=89 EsEDbViewer]
* [[libesedb]]

[[Category:File Formats]]
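The header probe below is an example added to this page, not code from the wiki or from the libesedb project. It applies the one check the ESEDB section states (signature ef cd ab 89 at offset 4, not offset 0) and then, as an assumption taken from the libesedb format documentation linked under External Links rather than from this page, reads the format version at offset 8, the file type at offset 12 (0 database, 1 streaming file), the format revision at offset 232 and the page size at offset 236; the sample headers are constructed.

```python
"""ESEDB header probe (added example; not the wiki's or libesedb's own code)."""
import struct

ESEDB_SIGNATURE = b"\xef\xcd\xab\x89"  # the page's signature: 0x89abcdef little-endian, at offset 4
FILE_TYPES = {0: "database", 1: "streaming file"}  # assumption: from the libesedb documentation
HEADER_MIN_LEN = 240  # enough bytes to reach the assumed page-size field at offset 236


def is_esedb(data: bytes) -> bool:
    """Signature check exactly as the page states it: ef cd ab 89 at offset 4."""
    return len(data) >= 8 and data[4:8] == ESEDB_SIGNATURE


def parse_header(data: bytes) -> dict:
    """Decode the identifying header fields; raise ValueError on bad magic or truncation."""
    if not is_esedb(data):
        raise ValueError("not an ESEDB file: signature ef cd ab 89 missing at offset 4")
    if len(data) < HEADER_MIN_LEN:
        raise ValueError(f"truncated header: need {HEADER_MIN_LEN} bytes, got {len(data)}")
    # Assumed layout (libesedb docs): version at 8, file type at 12, revision at 232, page size at 236.
    version, file_type = struct.unpack_from("<II", data, 8)
    revision, page_size = struct.unpack_from("<II", data, 232)
    # Sanity check: ESE page sizes are powers of two between 2 KiB and 32 KiB.
    if page_size & (page_size - 1) or not 2048 <= page_size <= 32768:
        raise ValueError(f"implausible page size {page_size}; header is probably damaged")
    return {
        "format_version": version,
        "format_revision": revision,
        "file_type": FILE_TYPES.get(file_type, f"unknown ({file_type})"),
        "page_size": page_size,
    }


def make_sample(file_type=0, version=0x620, revision=0x14, page_size=8192) -> bytes:
    """Constructed sample header for testing; only the fields parse_header reads are filled in."""
    hdr = bytearray(HEADER_MIN_LEN)
    hdr[4:8] = ESEDB_SIGNATURE
    struct.pack_into("<II", hdr, 8, version, file_type)
    struct.pack_into("<II", hdr, 232, revision, page_size)
    return bytes(hdr)


if __name__ == "__main__":
    print(parse_header(make_sample()))                # constructed .edb-style header
    print(parse_header(make_sample(file_type=1)))     # constructed .stm-style header
    print(is_esedb(b"PK\x03\x04" + bytes(236)))       # a ZIP-like blob is rejected
```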