Difference between revisions of "Windows SuperFetch Format"

From ForensicsWiki

Revision as of 01:58, 15 April 2014

MEM file

Some of the Ag*.db files are MEM files.

The MEM file consists of:

  • file header
  • compressed blocks

File header

The file header is 84 bytes in size and consists of:

| Offset | Size | Value | Description |
|---|---|---|---|
| 0 | 4 | "MEMO" (0x4d, 0x45, 0x4d, 0x4f) or "MEM0" (0x4d, 0x45, 0x4d, 0x30) | Signature |
| 4 | 4 | | Uncompressed (total) data size |

Where:

  • "MEMO" (0x4d, 0x45, 0x4d, 0x4f) is used on Windows Vista
  • "MEM0" (0x4d, 0x45, 0x4d, 0x30) is used on Windows 7

Compressed blocks

The file header is followed by compressed blocks:

| Offset | Size | Value | Description |
|---|---|---|---|
| 0 | 4 | | Compressed data size |
| 4 | ... | | Compressed data |
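
As an added example (not code from the ForensicsWiki page), the following Python walker reads the MEM container described above: it checks the signature, reads the uncompressed size, and splits the remainder into compressed blocks without decompressing them, since the compression is not described here. It assumes the 84-byte header size stated above (with only the first 8 bytes documented) and little-endian size fields, and refuses any block whose size field runs past end of file.

```python
import struct

# Signatures given on the page and the Windows version each one indicates.
MEM_SIGNATURES = {b"MEMO": "Windows Vista", b"MEM0": "Windows 7"}


def parse_mem(data: bytes, header_size: int = 84):
    """Split a MEM file into (windows_version, uncompressed_size, blocks).

    Only the first 8 header bytes (signature, total uncompressed size) are
    documented; the rest of the header is skipped as opaque. Each returned
    block is the raw compressed payload, left undecompressed. Size fields
    are assumed to be little-endian 32-bit integers.
    """
    if len(data) < header_size:
        raise ValueError("file shorter than the MEM header")
    signature = data[:4]
    if signature not in MEM_SIGNATURES:
        raise ValueError(f"unknown signature {signature!r}")
    uncompressed_size = struct.unpack_from("<I", data, 4)[0]

    blocks = []
    offset = header_size
    while offset < len(data):
        if offset + 4 > len(data):
            raise ValueError(f"truncated block size field at offset {offset}")
        block_size = struct.unpack_from("<I", data, offset)[0]
        offset += 4
        # A size field that runs past end of file means a truncated or
        # corrupt file; refuse it instead of reading out of bounds, and
        # reject zero-length blocks so the loop always makes progress.
        if block_size == 0 or offset + block_size > len(data):
            raise ValueError(f"bad block size {block_size} at offset {offset - 4}")
        blocks.append(data[offset:offset + block_size])
        offset += block_size
    return MEM_SIGNATURES[signature], uncompressed_size, blocks


# Constructed sample (not a real Ag*.db file): a Windows 7 "MEM0" header
# padded to 84 bytes, followed by two blocks with placeholder payloads.
SAMPLE = (
    b"MEM0" + struct.pack("<I", 4096) + b"\x00" * 76
    + struct.pack("<I", 5) + b"\x01\x02\x03\x04\x05"
    + struct.pack("<I", 3) + b"\xaa\xbb\xcc"
)

if __name__ == "__main__":
    version, total, blocks = parse_mem(SAMPLE)
    print(version, total, [len(b) for b in blocks])
```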

Uncompressed data

TODO

MAM file

On Windows 8.1 the MEM file format seems to have been replaced by the MAM file format.

| Offset | Size | Value | Description |
|---|---|---|---|
| 0 | 4 | "MAM\x84" (0x4d, 0x41, 0x4d, 0x84) | Signature |

TRX file

The Ag*.db.trx files are TRX files.

Note that the following format specification is incomplete.

File header

The file header is variable in size and consists of:

| Offset | Size | Value | Description |
|---|---|---|---|
| 0 | 4 | 1 | Unknown (Version?) |
| 4 | 4 | | Unknown |
| 8 | 4 | | File size |
| 12 | 4 | | Maximum number of records (of the record offsets array) |
| 16 | 4 | | Number of records |
| 20 | ... | | Record offsets array, where each record offset is a 32-bit integer. Unused record offsets are set to 0. |

Record

TODO describe

See Also

External Links