ALT Linux Rescue and Windows SuperFetch Format

From ForensicsWiki

ALT Linux Rescue

Name: ALT Linux Rescue
Maintainer: Michael Shigorin
OS: Linux
Genre: Live CD
License: GPL, others
Website: http://en.altlinux.org/Rescue

ALT Linux Rescue is yet another sysadmin's Live CD.

Intro

This weekly-updated image is intended to be a text-only recovery toolchest with some basic forensic capabilities.

When booted with the "forensic" keyword (available as a separate isolinux boot target) it will not activate MDRAID/LVM, will not use swap, and will not autodetect or mount filesystems unless explicitly requested; in this mode the mount-system script mounts with the ro,loop options.

A build profile suitable for the ALT Linux mkimage tool is included as .disk/profile.tgz.

Tools included

Most of the usual rescue suspects should be there; biew, chntpw, dc3dd/dcfldd, foremost, john, md5deep, nmap, scalpel, sleuthkit and wipefreespace are available, to name a few.

Platforms

i586 (BIOS) and x86_64 (BIOS/UEFI); Secure Boot can be left enabled in most cases.

Deliverables

Two separate 32/64-bit hybrid ISO images suitable for writing directly to USB flash media (or to CD-R, if need be).

Forensic issues

No hardening against rootfs spoofing as of 20140416.

Credits

  • User:.FUF for the Forensic Live CD issues page and sound advice

External Links

  • Project site: http://en.altlinux.org/Rescue (also available in Russian: http://www.altlinux.org/Rescue)
  • Part of Regular Builds (http://en.altlinux.org/Regular) based on ALT Linux Sisyphus

Windows SuperFetch Format

Revision as of 01:51, 17 April 2014


Note that the following format specification is incomplete.

SuperFetch DB files

The Ag*.db files, found in the Prefetch directory of the Windows installation, use the SuperFetch file format, e.g.:

AgAppLaunch.db
AgCx_SC*.db
AgGlFaultHistory.db
AgGlFgAppHistory.db
AgGlGlobalHistory.db
AgGlUAD_%SID%.db
AgGlUAD_P_%SID%.db
AgRobust.db

The SuperFetch DB files can be stored in uncompressed or compressed form, where different versions of Windows use different compression methods:

  • Compressed SuperFetch DB - MEM file format; Windows Vista and 7
  • Compressed SuperFetch DB - MAM file format; Windows 8

Compressed SuperFetch DB - MEM file format

The MEM file consists of:

  • file header
  • compressed blocks

File header

The file header is 8 bytes in size and consists of:

Offset  Size  Value                                                               Description
0       4     "MEMO" (0x4d, 0x45, 0x4d, 0x4f) or "MEM0" (0x4d, 0x45, 0x4d, 0x30)  Signature
4       4                                                                         Uncompressed (total) data size

Where:

  • "MEMO" (0x4d, 0x45, 0x4d, 0x4f) is used on Windows Vista and indicates the LZNT1 compression method
  • "MEM0" (0x4d, 0x45, 0x4d, 0x30) is used on Windows 7 and indicates the LZXPRESS Huffman compression method

The two signatures differ only in their last byte (the letter O, 0x4f, versus the digit zero, 0x30), so a tool must compare the raw bytes rather than a displayed string to pick the right decompressor.

Compressed blocks

The file header is followed by compressed blocks, each of which consists of:

Offset  Size  Value  Description
0       4            Compressed data size
4       ...          Compressed data
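The following is an added example, not code from the wiki page or from any SuperFetch tool: it walks a MEM container as laid out in the two tables above (8-byte header, then a sequence of size-prefixed blocks) and inflates the Windows Vista variant with a from-scratch LZNT1 decoder. The LZXPRESS Huffman decoder needed for "MEM0" files is omitted and reported as unsupported. The sample file at the bottom is constructed by hand, including its two LZNT1 chunks, and is not taken from a real system; the block-size and length checks show where a truncated or corrupt file should be rejected rather than silently read short.

```python
"""Walk a compressed SuperFetch DB (MEM container) and inflate its blocks.

Added example, not code from the wiki page or any SuperFetch tool.  Layout
follows the tables above: an 8-byte header (signature + total uncompressed
size) followed by blocks of <uint32 size><compressed data>.  The LZNT1
decoder implements the MS-XCA chunk format; the sample file is hand-built.
"""
import struct

MEM_SIGNATURES = {  # signature -> (Windows version, compression), per the page
    b"MEMO": ("Windows Vista", "LZNT1"),
    b"MEM0": ("Windows 7", "LZXPRESS Huffman"),
}
MEM_HEADER_SIZE = 8

def parse_mem_header(data):
    """Return (signature, uncompressed_size, compression) or raise ValueError."""
    if len(data) < MEM_HEADER_SIZE:
        raise ValueError("too short for a MEM header")
    signature = bytes(data[:4])
    if signature not in MEM_SIGNATURES:
        raise ValueError("not a MEM file: %r" % signature)
    (uncompressed_size,) = struct.unpack_from("<I", data, 4)
    return signature, uncompressed_size, MEM_SIGNATURES[signature][1]

def iter_mem_blocks(data):
    """Yield the compressed payload of each block that follows the header."""
    offset = MEM_HEADER_SIZE
    while offset + 4 <= len(data):
        (size,) = struct.unpack_from("<I", data, offset)
        offset += 4
        # Zero or oversized length = truncated/corrupt file: stop, don't read short.
        if size == 0 or offset + size > len(data):
            raise ValueError("bad block size %d at offset %d" % (size, offset - 4))
        yield data[offset:offset + size]
        offset += size

def _lznt1_chunk(src, out):
    """Decode one compressed LZNT1 chunk body, appending to bytearray out."""
    start = len(out)  # back-references may not reach before the chunk start
    pos = 0
    while pos < len(src):
        flags = src[pos]
        pos += 1
        for bit in range(8):
            if pos >= len(src):
                break
            if not flags & (1 << bit):
                out.append(src[pos])  # literal byte
                pos += 1
                continue
            if pos + 1 >= len(src):
                raise ValueError("truncated LZNT1 token")
            token = src[pos] | (src[pos + 1] << 8)
            pos += 2
            # Distance/length bit split depends on how much of the chunk exists.
            produced = len(out) - start
            shift, p = 0, produced - 1
            while p >= 0x10:
                p >>= 1
                shift += 1
            length = (token & (0xFFF >> shift)) + 3
            distance = (token >> (12 - shift)) + 1
            if distance > produced:
                raise ValueError("LZNT1 back-reference before chunk start")
            for _ in range(length):  # byte-wise copy so overlapping runs repeat
                out.append(out[-distance])

def lznt1_decompress(buf):
    """Decompress an LZNT1 stream: chunks, each with a 2-byte header."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(buf):
        (header,) = struct.unpack_from("<H", buf, pos)
        pos += 2
        if header == 0:
            break  # end-of-stream marker
        size = (header & 0x0FFF) + 1
        body = buf[pos:pos + size]
        if len(body) != size:
            raise ValueError("truncated LZNT1 chunk")
        pos += size
        if header & 0x8000:
            _lznt1_chunk(body, out)
        else:
            out += body  # stored chunk, copied verbatim
    return bytes(out)

def decompress_mem(data):
    """Inflate a whole MEM file; only the Vista/LZNT1 variant is decoded here."""
    signature, expected, method = parse_mem_header(data)
    if method != "LZNT1":
        raise NotImplementedError("%r needs %s, not implemented here" % (signature, method))
    out = b"".join(lznt1_decompress(block) for block in iter_mem_blocks(data))
    if len(out) != expected:
        raise ValueError("header promises %d bytes, got %d" % (expected, len(out)))
    return out

# Constructed sample, not a real Ag*.db: two LZNT1 blocks.
# Block 1 body is 7 bytes (chunk header 0xB006): literals A B C D, then one
# token 0x3009 = distance 4, length 12 -> "ABCDABCDABCDABCD".
_BLOCK1 = bytes([0x06, 0xB0, 0x10]) + b"ABCD" + bytes([0x09, 0x30])
# Block 2 body is 12 bytes (chunk header 0xB00B): literals only -> "SUPERFETCH".
_BLOCK2 = bytes([0x0B, 0xB0, 0x00]) + b"SUPERFET" + bytes([0x00]) + b"CH"
SAMPLE_MEM = (b"MEMO" + struct.pack("<I", 26)
              + struct.pack("<I", len(_BLOCK1)) + _BLOCK1
              + struct.pack("<I", len(_BLOCK2)) + _BLOCK2)
```

Run `decompress_mem(SAMPLE_MEM)` to get the 26 bytes promised by the header; feeding the same body with a "MEM0" signature raises NotImplementedError, which is the point at which a real tool would switch to an LZXPRESS Huffman decoder.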

Compressed SuperFetch DB - MAM file format

On Windows 8 (seen on 8.1) the MEM file format seems to have been replaced by the MAM file format.

File header

TODO

Offset Size Value Description
0 4 "MAM\x84" (0x4d, 0x41, 0x4d, 0x84) Signature

Compressed blocks

TODO

Uncompressed SuperFetch DB format

TODO

TRX files

The Ag*.db.trx files use the TRX file format, e.g.:

AgCx_SC*.db.trx

Note that the following format specification is incomplete.

File header

The file header is variable in size and consists of:

Offset  Size  Value  Description
0       4     1      Unknown (version?)
4       4            Unknown
8       4            File size
12      4            Maximum number of records (capacity of the record offsets array)
16      4            Number of records
20      ...          Record offsets array; each offset is a 32-bit integer and unused entries are set to 0
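The following is an added example, not code from the wiki page or from any SuperFetch tool: a parser for the TRX header fields in the table above that validates them before trusting the offsets (file size matches, record count does not exceed the array capacity, used offsets lie inside the file body, unused offsets are zero). The record format is not documented on this page, so records are returned as raw slices on the assumption, labelled in the code, that they are contiguous and follow the offsets array. The sample file is built by hand and is not from a real system.

```python
"""Parse the header of a SuperFetch TRX file (Ag*.db.trx).

Added example, not code from the wiki page or any SuperFetch tool.  Field
layout follows the table above; records are not described there, so they
are returned as raw slices on the assumption that they are contiguous and
follow the offsets array.  The sample file is hand-built test input.
"""
import struct

TRX_FIXED_HEADER_SIZE = 20  # five 32-bit fields before the offsets array


def parse_trx(data):
    """Return header fields, the offsets array and raw record slices.

    Rejects the file if the header does not fit, the stated file size does
    not match, the record count exceeds the array capacity, or any used
    offset points outside the file body; unused offsets must be 0.
    """
    if len(data) < TRX_FIXED_HEADER_SIZE:
        raise ValueError("too short for a TRX header")
    version, unknown, file_size, max_records, num_records = struct.unpack_from("<5I", data, 0)
    if file_size != len(data):
        raise ValueError("header file size %d != actual size %d" % (file_size, len(data)))
    if num_records > max_records:
        raise ValueError("%d records but offsets array holds %d" % (num_records, max_records))
    array_end = TRX_FIXED_HEADER_SIZE + 4 * max_records
    if array_end > len(data):
        raise ValueError("record offsets array runs past end of file")
    offsets = list(struct.unpack_from("<%dI" % max_records, data, TRX_FIXED_HEADER_SIZE))
    used, unused = offsets[:num_records], offsets[num_records:]
    for off in used:
        if off < array_end or off >= len(data):
            raise ValueError("record offset %d outside the file body" % off)
    if any(unused):
        raise ValueError("unused record offsets are not zero")
    # Assumption: each record runs from its offset to the next higher offset (or EOF).
    ends = sorted(used) + [len(data)]
    records = [data[off:min(e for e in ends if e > off)] for off in used]
    return {"version": version, "unknown": unknown, "file_size": file_size,
            "max_records": max_records, "num_records": num_records,
            "offsets": offsets, "records": records}


def check_trx(data):
    """Return None if parse_trx accepts the file, else the rejection reason."""
    try:
        parse_trx(data)
    except ValueError as exc:
        return str(exc)
    return None


def build_sample_trx(records, max_records=4):
    """Hand-build a TRX file from record payloads (constructed test input)."""
    header_size = TRX_FIXED_HEADER_SIZE + 4 * max_records
    offsets, pos = [], header_size
    for rec in records:
        offsets.append(pos)
        pos += len(rec)
    offsets += [0] * (max_records - len(records))
    # Version field set to 1, the only value the page reports for it.
    header = struct.pack("<5I", 1, 0, pos, max_records, len(records))
    return header + struct.pack("<%dI" % max_records, *offsets) + b"".join(records)


SAMPLE_TRX = build_sample_trx([b"rec-one\x00", b"rec-two\x00", b"three\x00"])
```

`parse_trx(SAMPLE_TRX)` yields offsets `[36, 44, 52, 0]` (a 36-byte header for a four-entry array, three used slots, one zero slot) and the three payloads; `check_trx` on a file with a byte appended, or with the record count patched above the array capacity, returns the reason it was rejected instead of an exception.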

Record

TODO describe

See Also

  • SuperFetch

External Links

  • Windows SuperFetch file format – partial specification, by ReWolf, October 5, 2011: http://blog.rewolf.pl/blog/?p=214