Difference between revisions of "Windows SuperFetch Format"

From ForensicsWiki

Revision as of 04:43, 15 April 2014


Please help to improve this article by expanding it.
Further information might be found on the discussion page.

MEM file

Some of the Ag*.db files are of the MEM file format.

E.g.

AgCx_SC*.db
AgGlFaultHistory.db
AgGlFgAppHistory.db
AgGlGlobalHistory.db
AgGlUAD_P_%SID%.db

Note that the following format specification is incomplete.

The MEM file consists of:

  • file header
  • compressed blocks

File header

The file header is 84 bytes in size and consists of:

Offset  Size  Value                                                               Description
0       4     "MEMO" (0x4d, 0x45, 0x4d, 0x4f) or "MEM0" (0x4d, 0x45, 0x4d, 0x30)  Signature
4       4                                                                         Uncompressed (total) data size

Where:

  • "MEMO" (0x4d, 0x45, 0x4d, 0x4f) is used on Windows Vista
  • "MEM0" (0x4d, 0x45, 0x4d, 0x30) is used on Windows 7

Compressed blocks

The file header is followed by compressed blocks:

Offset  Size  Value  Description
0       4            Compressed data size
4       ...          Compressed data

Uncompressed data

TODO

MAM file

On Windows 8 (seen on 8.1) the MEM file format seems to have been replaced by the MAM file format.

Note that the following format specification is incomplete.

Offset  Size  Value                               Description
0       4     "MAM\x84" (0x4d, 0x41, 0x4d, 0x84)  Signature

TRX file

The Ag*.db.trx files are of the TRX file format.

E.g.

AgCx_SC*.db.trx

Note that the following format specification is incomplete.

File header

The file header is of variable size and consists of:

Offset  Size  Value  Description
0       4     1      Unknown (Version?)
4       4            Unknown
8       4            File size
12      4            Maximum number of records (size of the record offsets array)
16      4            Number of records
20      ...          Record offsets array, where each record offset is a 32-bit integer. Unused record offsets are set to 0.
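As an added example (not code from ForensicsWiki or from any SuperFetch tooling), the following Python reads the documented MEM header fields, walks the compressed block chain using the 4-byte size prefix, and validates the TRX header counts against the record offsets array and the file size. It assumes little-endian 32-bit fields and an 84-byte MEM header, and it does not decompress anything, since the compression is not documented on this page.

```python
import struct

MEM_HEADER_SIZE = 84          # per the page; only the first 8 bytes are documented
MEM_SIGNATURES = {b"MEMO": "Windows Vista", b"MEM0": "Windows 7"}
MAM_SIGNATURE = b"MAM\x84"    # Windows 8.x successor format, layout undocumented

def parse_mem(data: bytes):
    """Return (windows_variant, uncompressed_size, [(data_offset, size), ...]) after
    walking the block chain without decompressing. Little-endian fields are assumed."""
    if len(data) < MEM_HEADER_SIZE:
        raise ValueError("file shorter than the 84-byte header")
    sig = data[:4]
    if sig == MAM_SIGNATURE:
        raise ValueError("MAM (Windows 8) format: block layout not documented")
    if sig not in MEM_SIGNATURES:
        raise ValueError(f"unknown signature {sig!r}")
    uncompressed_size = struct.unpack_from("<I", data, 4)[0]
    blocks, off = [], MEM_HEADER_SIZE
    while off < len(data):
        if off + 4 > len(data):
            raise ValueError(f"truncated block size field at offset {off}")
        size = struct.unpack_from("<I", data, off)[0]
        # A block claiming more bytes than remain is a truncated or crafted file.
        if size == 0 or off + 4 + size > len(data):
            raise ValueError(f"block at offset {off} claims {size} bytes")
        blocks.append((off + 4, size))
        off += 4 + size
    return MEM_SIGNATURES[sig], uncompressed_size, blocks

def parse_trx_offsets(data: bytes):
    """Return the used (non-zero) record offsets from a TRX header after checking the
    header counts against the file and against each other."""
    _version, _unknown, file_size, max_records, num_records = struct.unpack_from("<5I", data, 0)
    if file_size != len(data):
        raise ValueError(f"header file size {file_size} != actual {len(data)}")
    if num_records > max_records:
        raise ValueError("number of records exceeds the offsets array capacity")
    if 20 + 4 * max_records > len(data):
        raise ValueError("record offsets array runs past end of file")
    used = [o for o in struct.unpack_from(f"<{max_records}I", data, 20) if o != 0]
    if len(used) != num_records:
        raise ValueError(f"{len(used)} non-zero offsets but header says {num_records}")
    if any(o >= len(data) for o in used):
        raise ValueError("record offset points past end of file")
    return used

# Constructed samples (not real files): MEM with two blocks; TRX with 4 slots, 2 used.
SAMPLE_MEM = (b"MEM0" + struct.pack("<I", 4096) + b"\0" * (MEM_HEADER_SIZE - 8)
              + struct.pack("<I", 3) + b"abc" + struct.pack("<I", 2) + b"xy")
SAMPLE_TRX = struct.pack("<5I", 1, 0, 44, 4, 2) + struct.pack("<4I", 36, 40, 0, 0) + b"r1r2r3r4"
```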

Record

TODO describe

See Also

External Links