Difference between pages "Windows SuperFetch Format" and "ALT Linux Rescue"

From Forensics Wiki

Windows SuperFetch Format

{{expand}}

<b>Note that the following format specification is incomplete.</b>

== SuperFetch DB files ==
The <tt>Ag*.db</tt> files are of the SuperFetch file format. E.g.
<pre>
AgAppLaunch.db
AgCx_SC*.db
AgGlFaultHistory.db
AgGlFgAppHistory.db
AgGlGlobalHistory.db
AgGlUAD_P_%SID%.db
AgRobust.db
</pre>

The SuperFetch DB files can be stored in uncompressed or compressed form, where different versions of Windows use different compression methods:
* Compressed SuperFetch DB - MEM file format; Windows Vista and 7
* Compressed SuperFetch DB - MAM file format; Windows 8

=== Compressed SuperFetch DB - MEM file format ===
The MEM file consists of:
* file header
* compressed blocks

==== File header ====
The file header is 84 bytes in size and consists of:
{| class="wikitable"
|-
! Offset
! Size
! Value
! Description
|-
| 0
| 4
| "MEMO" (0x4d, 0x45, 0x4d, 0x4f) <br> "MEM0" (0x4d, 0x45, 0x4d, 0x30)
| Signature
|-
| 4
| 4
|
| Uncompressed (total) data size
|-
|}

Where:
* "MEMO" (0x4d, 0x45, 0x4d, 0x4f) is used on Windows Vista and uses the LZNT1 compression method
* "MEM0" (0x4d, 0x45, 0x4d, 0x30) is used on Windows 7 and uses the LZXPRESS Huffman compression method

==== Compressed blocks ====
The file header is followed by compressed blocks:
{| class="wikitable"
|-
! Offset
! Size
! Value
! Description
|-
| 0
| 4
|
| Compressed data size
|-
| 4
| ...
|
| Compressed data
|-
|}
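As an added illustration (not code from this wiki page or from any SuperFetch tool), the following Python walks a MEM container using only the fields documented above: it maps the signature to the compression method, reads the uncompressed total size, skips the rest of the 84-byte header (the page documents only the first 8 bytes, so the remainder is treated as opaque), and then enumerates the size-prefixed compressed blocks, reporting a block that runs past the end of the data instead of silently dropping it, which is the case that matters for carved or partially copied files. The assumption that blocks follow each other back to back until end of file, the names <tt>parse_mem</tt>, <tt>mem_compression</tt> and <tt>build_sample_mem</tt>, and the sample bytes are mine; no decompression is attempted, since LZNT1 and LZXPRESS Huffman decoders are outside the page's scope.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Header size as stated on the page; only offsets 0..7 are documented,
# the remaining bytes are skipped as opaque (assumption).
MEM_HEADER_SIZE = 84

# Signature -> compression method, as documented on the page.
MEM_SIGNATURES: Dict[bytes, str] = {
    b"MEMO": "LZNT1",             # Windows Vista
    b"MEM0": "LZXPRESS Huffman",  # Windows 7
}


@dataclass
class MemBlock:
    offset: int           # file offset of the block's 4-byte size field
    compressed_size: int  # value of that size field
    data: bytes           # the still-compressed payload


@dataclass
class MemFile:
    compression: str
    uncompressed_size: int  # "Uncompressed (total) data size" from the header
    blocks: List[MemBlock] = field(default_factory=list)
    truncated: bool = False  # a block claimed more bytes than the data holds


def mem_compression(buf: bytes) -> Optional[str]:
    """Return the compression method named by the signature, or None if not a MEM file."""
    return MEM_SIGNATURES.get(bytes(buf[:4]))


def parse_mem(buf: bytes) -> MemFile:
    """Parse the MEM header and enumerate the compressed blocks that follow it."""
    if len(buf) < MEM_HEADER_SIZE:
        raise ValueError("data shorter than the 84-byte MEM header")
    method = mem_compression(buf)
    if method is None:
        raise ValueError(f"unknown signature {bytes(buf[:4])!r}")
    uncompressed_size = struct.unpack_from("<I", buf, 4)[0]
    mem = MemFile(method, uncompressed_size)

    pos = MEM_HEADER_SIZE  # assumption: blocks start right after the header
    while pos < len(buf):
        if pos + 4 > len(buf):  # partial size field at end of data
            mem.truncated = True
            break
        size = struct.unpack_from("<I", buf, pos)[0]
        start, end = pos + 4, pos + 4 + size
        if end > len(buf):  # block runs past end of data
            mem.truncated = True
            break
        mem.blocks.append(MemBlock(pos, size, buf[start:end]))
        pos = end
    return mem


def build_sample_mem(signature: bytes, uncompressed_size: int, payloads: List[bytes]) -> bytes:
    """Construct a synthetic MEM container (constructed test data, not a real SuperFetch file)."""
    header = (signature + struct.pack("<I", uncompressed_size)).ljust(MEM_HEADER_SIZE, b"\0")
    body = b"".join(struct.pack("<I", len(p)) + p for p in payloads)
    return header + body


if __name__ == "__main__":
    # Constructed sample: a "MEM0" container holding two opaque blocks.
    sample = build_sample_mem(b"MEM0", 4096, [b"\x01\x02\x03", b"\xff" * 10])
    info = parse_mem(sample)
    print(info.compression, info.uncompressed_size,
          [(b.offset, b.compressed_size) for b in info.blocks])
    # A cut-off copy: the last block is reported as truncated rather than dropped.
    print(parse_mem(sample[:-4]).truncated)
```

The block offsets returned here are what a triage script would feed to a decompressor once one is available; the <tt>truncated</tt> flag is the check to look at first when a file was carved from unallocated space, because the size field of the last block is the only structural hint the format gives about where the data should end.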
  
=== Compressed SuperFetch DB - MAM file format ===
On Windows 8 (seen on 8.1) the MEM file format seems to have been replaced by the MAM file format.

==== File header ====
<b>TODO</b>

{| class="wikitable"
|-
! Offset
! Size
! Value
! Description
|-
| 0
| 4
| "MAM\x84" (0x4d, 0x41, 0x4d, 0x84)
| Signature
|-
|}

==== Compressed blocks ====
<b>TODO</b>

=== Uncompressed SuperFetch DB format ===
<b>TODO</b>

== TRX files ==
The <tt>Ag*.db.trx</tt> files are of the TRX file format. E.g.
<pre>
AgCx_SC*.db.trx
</pre>

<b>Note that the following format specification is incomplete.</b>

=== File header ===
The file header is variable in size and consists of:
{| class="wikitable"
|-
! Offset
! Size
! Value
! Description
|-
| 0
| 4
| 1
| Unknown (Version?)
|-
| 4
| 4
|
| Unknown
|-
| 8
| 4
|
| File size
|-
| 12
| 4
|
| Maximum number of records (of the record offsets array)
|-
| 16
| 4
|
| Number of records
|-
| 20
| ...
|
| Record offsets array, where each record offset is a 32-bit integer. Unused record offsets are set to 0.
|-
|}

=== Record ===
<b>TODO describe</b>

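As an added example (again mine, not the wiki page's or any SuperFetch tool's code), this Python reads the variable-size TRX header laid out above and cross-checks what it finds: the file size field against the actual data length, the record count against the length of the offsets array, the number of non-zero offsets against the record count, and every used offset against the data area after the header. Since the record format itself is still a TODO on the page, <tt>record_bytes</tt> only slices raw bytes between consecutive offsets, on the assumption (mine) that records are contiguous and each ends where the next begins; the names <tt>parse_trx_header</tt>, <tt>record_bytes</tt> and <tt>build_sample_trx</tt> and the sample file are constructed for this illustration.

```python
import struct
from dataclasses import dataclass, field
from typing import List

TRX_FIXED_HEADER = 20  # bytes preceding the record offsets array (offsets 0..19 above)


@dataclass
class TrxHeader:
    version: int      # offset 0, observed value 1 ("Unknown (Version?)" on the page)
    unknown: int      # offset 4
    file_size: int    # offset 8
    max_records: int  # offset 12, length of the record offsets array
    num_records: int  # offset 16
    record_offsets: List[int]  # the full array; unused slots are 0
    problems: List[str] = field(default_factory=list)

    @property
    def used_offsets(self) -> List[int]:
        return [o for o in self.record_offsets if o != 0]


def parse_trx_header(buf: bytes) -> TrxHeader:
    """Parse the TRX header and record any inconsistencies between its fields and the data."""
    if len(buf) < TRX_FIXED_HEADER:
        raise ValueError("data shorter than the fixed 20-byte TRX header")
    version, unknown, file_size, max_records, num_records = struct.unpack_from("<5I", buf, 0)
    array_end = TRX_FIXED_HEADER + 4 * max_records
    if array_end > len(buf):
        raise ValueError("record offsets array extends past end of data")
    offsets = list(struct.unpack_from(f"<{max_records}I", buf, TRX_FIXED_HEADER))
    hdr = TrxHeader(version, unknown, file_size, max_records, num_records, offsets)

    # Consistency checks a carver or triage script would want reported, not hidden.
    if version != 1:
        hdr.problems.append(f"unexpected version field {version}")
    if file_size != len(buf):
        hdr.problems.append(f"header file size {file_size} != actual {len(buf)}")
    if num_records > max_records:
        hdr.problems.append("number of records exceeds the offsets array length")
    used = hdr.used_offsets
    if len(used) != num_records:
        hdr.problems.append(f"{len(used)} non-zero offsets but header says {num_records}")
    for off in used:
        if not array_end <= off < len(buf):
            hdr.problems.append(f"record offset {off} outside the data area")
    return hdr


def record_bytes(buf: bytes, hdr: TrxHeader) -> List[bytes]:
    """Slice raw records out of the file.

    Assumption (not from the page): records are contiguous and each one ends where
    the next used offset begins, the last one at end of file.
    """
    bounds = sorted(hdr.used_offsets) + [len(buf)]
    return [buf[a:b] for a, b in zip(bounds, bounds[1:])]


def build_sample_trx(max_records: int, records: List[bytes]) -> bytes:
    """Construct a synthetic TRX file (constructed test data, not a real SuperFetch file)."""
    header_len = TRX_FIXED_HEADER + 4 * max_records
    offsets, pos = [], header_len
    for r in records:
        offsets.append(pos)
        pos += len(r)
    offsets += [0] * (max_records - len(records))  # unused slots are 0, as on the page
    head = struct.pack("<5I", 1, 0, pos, max_records, len(records))
    return head + struct.pack(f"<{max_records}I", *offsets) + b"".join(records)


if __name__ == "__main__":
    sample = build_sample_trx(4, [b"rec-one", b"rec-two!"])
    hdr = parse_trx_header(sample)
    print(hdr.num_records, hdr.record_offsets, hdr.problems)
    print(record_bytes(sample, hdr))
    print(parse_trx_header(sample[:-3]).problems)  # the size mismatch is reported
```

Keeping the checks as a <tt>problems</tt> list rather than raising on the first one lets a batch run over a directory of <tt>Ag*.db.trx</tt> files summarise which ones are intact, which are short, and which carry offsets that point outside the file, without aborting on the first damaged sample.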
== See Also ==
* [[SuperFetch]]

== External Links ==
* [http://blog.rewolf.pl/blog/?p=214 Windows SuperFetch file format – partial specification], by ReWolf, October 5, 2011

[[Category:File Formats]]

Latest revision as of 07:31, 16 April 2014

ALT Linux Rescue

{{Infobox_Software |
  name = ALT Linux Rescue |
  maintainer = Michael Shigorin |
  os = {{Linux}} |
  genre = {{Live CD}} |
  license = {{GPL}}, others |
  website = [http://en.altlinux.org/Rescue en.altlinux.org/rescue] |
}}

'''ALT Linux Rescue''' is yet another sysadmin's [[Live CD]].

== Intro ==
This weekly-updated image is intended to be a text-only recovery toolchest with some basic forensic capabilities.

It will not activate MDRAID/LVM when booted with the "forensic" keyword (available via a separate isolinux boot target) and will not try to use swaps or autodetect/mount filesystems unless requested explicitly; the <tt>mount-system</tt> script will use the <tt>ro,loop</tt> mount options when booted in this mode.

A build profile suitable for the ALT Linux <tt>mkimage</tt> tool is included as <tt>.disk/profile.tgz</tt>.

== Tools included ==
Most of the usual rescue suspects should be there; [[biew]], [[chntpw]], [[dc3dd]]/[[dcfldd]], [[foremost]], [[john]], [[md5deep]], [[nmap]], [[scalpel]], [[sleuthkit]], [[wipefreespace]], to name a few, are available as well.

== Platforms ==
i586 (BIOS) and x86_64 (BIOS/UEFI); SecureBoot might be left enabled in most cases.

== Deliverables ==
Two separate 32/64-bit hybrid ISO images suitable for direct writing onto USB Flash media (or CD-R, if need be).

== Forensic issues ==
No hardening against rootfs spoofing as of 20140416.

== Credits ==
* [[User:.FUF]] for [[Forensic Live CD issues]] page and sound advice

== External Links ==
* [http://en.altlinux.org/Rescue Project site] (also available in [http://www.altlinux.org/Rescue Russian])
* Part of [http://en.altlinux.org/Regular Regular Builds] based on ALT Linux Sisyphus