Difference between pages "Windows Application Compatibility" and "Libsmraw"

Windows Application Compatibility

== sysmain.sdb ==

== RecentFileCache.bcf ==
In Windows 7:
<pre>
C:\Windows\AppCompat\Programs\RecentFileCache.bcf
</pre>

== Amcache.hve ==

== AppCompatCache ==
In Windows 2000 and XP:
<pre>
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatibility
</pre>

In Windows 2003 and later:
<pre>
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\AppCompatCache
</pre>

== External Links ==
* [http://technet.microsoft.com/en-us/library/dd837644(v=ws.10).aspx Technet: Understanding Shims], by [[Microsoft]]
* [http://msdn.microsoft.com/en-us/library/bb432182(v=vs.85).aspx MSDN: Application Compatibility Database], by [[Microsoft]]
* [http://www.alex-ionescu.com/?p=39 Secrets of the Application Compatilibity Database (SDB) – Part 1], by [[Alex Ionescu]], May 20, 2007
* [http://www.alex-ionescu.com/?p=40 Secrets of the Application Compatilibity Database (SDB) – Part 2], by [[Alex Ionescu]], May 21, 2007
* [http://www.alex-ionescu.com/?p=41 Secrets of the Application Compatilibity Database (SDB) – Part 3], by [[Alex Ionescu]], May 26, 2007
* [http://recxltd.blogspot.com/2012/04/windows-appcompat-research-notes-part-1.html Windows AppCompat Research Notes - Part 1], by Ollie, 28 April 2012
* [http://recxltd.blogspot.com/2012/05/windows-appcompat-research-notes-part-2.html Windows AppCompat Research Notes - Part 2], by Ollie, 4 May 2012
* [https://dl.mandiant.com/EE/library/Whitepaper_ShimCacheParser.pdf Leveraging the Application Compatibility Cache in Forensic Investigations], by [[Andrew Davis]], May 4, 2012
* [http://journeyintoir.blogspot.ch/2013/12/revealing-recentfilecachebcf-file.html Revealing the RecentFileCache.bcf File], by [[Corey Harrell]], December 2, 2013
* [http://journeyintoir.blogspot.ch/2013/12/revealing-program-compatibility.html Revealing Program Compatibility Assistant HKCU AppCompatFlags Registry Keys], by [[Corey Harrell]], December 17, 2013
* [http://journeyintoir.blogspot.ch/2014/04/triaging-with-recentfilecachebcf-file.html Triaging with the RecentFileCache.bcf File], by [[Corey Harrell]], April 21, 2014


Revision as of 07:46, 21 June 2014

libsmraw
Maintainer: Joachim Metz
OS: Linux, FreeBSD, NetBSD, OpenBSD, Mac OS X, Windows
Genre: Disk imaging
License: LGPL
Website: code.google.com/p/libsmraw/

The libsmraw package contains a library and applications to read and write (split) RAW storage media bitstream copies. Libsmraw supports multiple (split) RAW naming schemes.

History

Libsmraw was created by Joachim Metz in 2010, while working for Hoffmann Investigations. Libsmraw is a rewrite of earlier work for the proof-of-concept multi-threaded imager: GNOME Forensic Imager.

Tools

The libsmraw package contains the following tools:

  • smrawmount, which FUSE mounts (split) RAW image files.

The libsmraw package also contains the following bindings:

  • pysmraw, bindings for Python (libsmraw 20140621 or later).

Examples

FUSE mounting a split RAW image (libsmraw 20110916 or later)

smrawmount image.raw.000 mount_point

Or:

smrawmount image.raw.??? mount_point
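Both invocations above rely on libsmraw recognising a split RAW naming scheme (image.raw.000, image.raw.001, ...) and presenting the segments as one contiguous image. The following added example is not libsmraw or pysmraw code; it shows, on a constructed three-segment image, what that involves: globbing the sibling segments of image.raw.000 (assuming contiguous three-digit numbering starting at 000) and serving reads that cross segment boundaries.

```python
import os
import tempfile

def glob_segments(first_segment):
    """Return the sibling segments of '<base>.000' in order (<base>.000, <base>.001, ...).
    Assumes contiguous three-digit numbering starting at 000, as in the
    'image.raw.000' / 'image.raw.???' examples above (an assumption of this example)."""
    base, ext = first_segment.rsplit(".", 1)
    if ext != "000":
        raise ValueError("expected the first segment, named <base>.000")
    segments = []
    for n in range(1000):
        path = f"{base}.{n:03d}"
        if not os.path.isfile(path):
            break  # the first missing number ends the image
        segments.append(path)
    return segments

class SplitRawReader:
    """Presents the concatenation of the segments as one contiguous byte stream."""
    def __init__(self, segments):
        self.segments = segments
        self.sizes = [os.path.getsize(s) for s in segments]
        self.media_size = sum(self.sizes)

    def read(self, offset, length):
        """Read up to `length` bytes at media `offset`, crossing segment boundaries."""
        out = bytearray()
        for path, size in zip(self.segments, self.sizes):
            if offset >= size:
                offset -= size  # this segment lies entirely before the read
                continue
            with open(path, "rb") as fh:
                fh.seek(offset)
                out += fh.read(min(length - len(out), size - offset))
            offset = 0  # later segments are read from their start
            if len(out) >= length:
                break
        return bytes(out)  # shorter than `length` only at end of media

def demo():
    """Constructed sample image: three segments of 4, 4 and 2 bytes."""
    tmp = tempfile.mkdtemp()
    for n, chunk in enumerate([b"AAAA", b"BBBB", b"CC"]):
        with open(os.path.join(tmp, f"image.raw.{n:03d}"), "wb") as fh:
            fh.write(chunk)
    reader = SplitRawReader(glob_segments(os.path.join(tmp, "image.raw.000")))
    return reader.media_size, reader.read(2, 4), reader.read(7, 10)
```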

Also See

RAW Image format

External Links

  • Project site: https://code.google.com/p/libsmraw/