Difference between pages "Windows SuperFetch Format" and "Linux Repositories"

From ForensicsWiki

= Windows SuperFetch Format =

{{expand}}

SuperFetch is a memory management scheme that enhances the least-recently-accessed approach with historical information and proactive memory management. [http://technet.microsoft.com/en-us/magazine/2007.03.vistakernel.aspx]

<b>Note that the following format specification is incomplete.</b>

== SuperFetch DB files ==

The <tt>Ag*.db</tt> files are of the SuperFetch file format, e.g.

<pre>
AgAppLaunch.db
AgCx_SC*.db
AgGlFaultHistory.db
AgGlFgAppHistory.db
AgGlGlobalHistory.db
AgGlUAD_%SID%.db
AgGlUAD_P_%SID%.db
AgRobust.db
</pre>

The SuperFetch DB files can be stored in uncompressed or compressed form, where different versions of Windows use different compression methods:

* Compressed SuperFetch DB - MEMO file format; Windows Vista
* Compressed SuperFetch DB - MEM0 file format; Windows 7
* Compressed SuperFetch DB - MAM file format; Windows 8

=== Compressed SuperFetch DB - MEMO file format ===

The MEMO file consists of:

* file header
* compressed blocks

This format uses the LZNT1 compression method.

==== File header ====

The file header is 84 bytes in size and consists of:

{| class="wikitable"
|-
! Offset
! Size
! Value
! Description
|-
| 0
| 4
| "MEMO" (0x4d, 0x45, 0x4d, 0x4f)
| Signature
|-
| 4
| 4
|
| Uncompressed (total) data size
|}

==== Compressed blocks ====

<b>TODO</b>

=== Compressed SuperFetch DB - MEM0 file format ===

The MEM0 file consists of:

* file header
* compressed blocks

This format uses the LZXPRESS Huffman compression method.

==== File header ====

The file header is 84 bytes in size and consists of:

{| class="wikitable"
|-
! Offset
! Size
! Value
! Description
|-
| 0
| 4
| "MEM0" (0x4d, 0x45, 0x4d, 0x30)
| Signature
|-
| 4
| 4
|
| Uncompressed (total) data size
|}

==== Compressed blocks ====

The file header is followed by compressed blocks. Each block consists of:

{| class="wikitable"
|-
! Offset
! Size
! Value
! Description
|-
| 0
| 4
|
| Compressed data size
|-
| 4
| ...
|
| Compressed data
|}

The uncompressed block size is 65536 (0x10000) or the remaining uncompressed data size for the last block.
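The header and block layouts above, turned into a small Python triage parser as an added example. This is not code from ForensicsWiki, from ReWolf's partial specification or from any existing tool; it implements only what the tables document (4-byte signature, 4-byte uncompressed total size, and for MEM0 files the chain of length-prefixed compressed blocks that expand to 0x10000 bytes each, the last one to the remainder). It assumes little-endian integers, which the page does not state, does not attempt LZNT1 or LZXPRESS Huffman decompression, and builds its own constructed sample file with opaque payloads.

```python
"""Parse a compressed SuperFetch DB header and walk MEM0 compressed blocks.

Added example for this page; not code from ForensicsWiki, ReWolf's
specification or any existing tool. Assumptions: little-endian integers
(the page does not say), and the sample file below is constructed test data
with opaque, non-decompressable payloads. Nothing is decompressed.
"""
import struct

HEADER_SIZE = 84                  # header size stated on the page (only 8 bytes are described)
BLOCK_UNCOMPRESSED_SIZE = 0x10000

# signature -> (format name, compression method, Windows version) as listed on the page
SIGNATURES = {
    b"MEMO": ("MEMO", "LZNT1", "Windows Vista"),
    b"MEM0": ("MEM0", "LZXPRESS Huffman", "Windows 7"),
    b"MAM\x84": ("MAM", "TODO (not documented on the page)", "Windows 8"),
}


class SuperFetchFormatError(ValueError):
    """Raised when the data does not match the documented layout."""


def parse_header(data: bytes) -> dict:
    """Identify the container format and read the uncompressed total size."""
    if len(data) < HEADER_SIZE:
        raise SuperFetchFormatError(f"file too small for the {HEADER_SIZE}-byte header")
    signature = data[:4]
    if signature not in SIGNATURES:
        raise SuperFetchFormatError(f"unknown signature {signature!r}")
    name, method, windows = SIGNATURES[signature]
    (uncompressed_size,) = struct.unpack_from("<I", data, 4)   # little-endian assumed
    return {"format": name, "compression": method, "windows": windows,
            "uncompressed_size": uncompressed_size}


def walk_mem0_blocks(data: bytes) -> list:
    """Return (file_offset, compressed_size, expected_uncompressed_size) per block.

    Walks the chain without decompressing, so a file can be checked for
    truncation or a corrupt size field before it is handed to a decompressor.
    Stops once the declared uncompressed total has been accounted for.
    """
    header = parse_header(data)
    if header["format"] != "MEM0":
        raise SuperFetchFormatError("the page documents the block layout for MEM0 only")
    remaining = header["uncompressed_size"]
    offset = HEADER_SIZE
    blocks = []
    while remaining > 0:
        if offset + 4 > len(data):
            raise SuperFetchFormatError(f"truncated: no size field at offset {offset}")
        (compressed_size,) = struct.unpack_from("<I", data, offset)
        if compressed_size == 0 or offset + 4 + compressed_size > len(data):
            raise SuperFetchFormatError(
                f"truncated or corrupt block at offset {offset} (size {compressed_size})")
        expected = min(BLOCK_UNCOMPRESSED_SIZE, remaining)   # 0x10000, or the remainder
        blocks.append((offset, compressed_size, expected))
        offset += 4 + compressed_size
        remaining -= expected
    return blocks


def check_mem0(data: bytes) -> tuple:
    """Never-raising wrapper: (ok, summary) for use in a triage script."""
    try:
        blocks = walk_mem0_blocks(data)
    except SuperFetchFormatError as exc:
        return False, str(exc)
    end = blocks[-1][0] + 4 + blocks[-1][1] if blocks else HEADER_SIZE
    return True, f"{len(blocks)} blocks, {len(data) - end} trailing bytes"


def build_sample_mem0(uncompressed_total: int, payloads: list) -> bytes:
    """Constructed test file: MEM0 signature, total size, zero padding to 84
    bytes, then one length-prefixed opaque payload per block."""
    header = (b"MEM0" + struct.pack("<I", uncompressed_total)).ljust(HEADER_SIZE, b"\x00")
    body = b"".join(struct.pack("<I", len(p)) + p for p in payloads)
    return header + body


# constructed: two full 64 KiB blocks plus a 100-byte tail block
SAMPLE = build_sample_mem0(2 * BLOCK_UNCOMPRESSED_SIZE + 100,
                           [b"\xaa" * 300, b"\xbb" * 250, b"\xcc" * 7])

if __name__ == "__main__":
    print(parse_header(SAMPLE))
    for off, csize, usize in walk_mem0_blocks(SAMPLE):
        print(f"block @ {off}: {csize} compressed bytes -> {usize} bytes when expanded")
    print(check_mem0(SAMPLE[:-3]))   # a truncated copy is rejected
```

Running the block prints the parsed header, the three blocks of the constructed sample, and the rejection of a truncated copy. Because only the first 8 of the 84 header bytes are documented, the parser skips the rest rather than guessing at it, and the trailing-byte count in `check_mem0` flags data after the last block that the declared total does not explain.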
=== Compressed SuperFetch DB - MAM file format ===

The MAM file consists of:

* file header
* compressed blocks

This format uses the <b>TODO</b> compression method.

==== File header ====

<b>TODO</b>

{| class="wikitable"
|-
! Offset
! Size
! Value
! Description
|-
| 0
| 4
| "MAM\x84" (0x4d, 0x41, 0x4d, 0x84)
| Signature
|}

==== Compressed blocks ====

<b>TODO</b>

== Uncompressed SuperFetch DB format ==

<b>TODO</b>

== TRX files ==

The <tt>Ag*.db.trx</tt> files are of the TRX file format, e.g.

<pre>
AgCx_SC*.db.trx
</pre>

<b>Note that the following format specification is incomplete.</b>

=== File header ===

The file header is variable in size and consists of:

{| class="wikitable"
|-
! Offset
! Size
! Value
! Description
|-
| 0
| 4
| 1
| Unknown (Version?)
|-
| 4
| 4
|
| Unknown
|-
| 8
| 4
|
| File size
|-
| 12
| 4
|
| Maximum number of records (of the record offsets array)
|-
| 16
| 4
|
| Number of records
|-
| 20
| ...
|
| Record offsets array, where each record offset is a 32-bit integer. Unused record offsets are set to 0.
|}
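The TRX header table above as a Python parser that also cross-checks the fields against each other (file size, record count, offset range), as an added example; it is not code from ForensicsWiki, from ReWolf's specification or from any existing tool. It assumes little-endian integers (not stated on the page), assumes each record extends to the next record offset or the end of the file (the record layout itself is still TODO above), and uses a constructed sample file.

```python
"""Parse and validate the variable-size TRX file header.

Added example for this page; not code from ForensicsWiki, ReWolf's
specification or any existing tool. Assumptions: little-endian integers,
records are contiguous and run up to the next offset or end of file, and
the sample below is constructed test data.
"""
import struct

FIXED_HEADER_SIZE = 20    # version, unknown, file size, max records, number of records


class TrxFormatError(ValueError):
    """Raised when the header fields are inconsistent with the data."""


def parse_trx_header(data: bytes) -> dict:
    """Decode the header and check it against the file before trusting it."""
    if len(data) < FIXED_HEADER_SIZE:
        raise TrxFormatError("shorter than the 20-byte fixed part of the header")
    version, unknown, file_size, max_records, num_records = struct.unpack_from("<5I", data, 0)
    if version != 1:
        raise TrxFormatError(f"first field is {version}, the page documents 1")
    if file_size != len(data):
        raise TrxFormatError(f"header says {file_size} bytes, file has {len(data)}")
    if num_records > max_records:
        raise TrxFormatError(f"{num_records} records but only {max_records} offset slots")
    header_size = FIXED_HEADER_SIZE + 4 * max_records
    if header_size > len(data):
        raise TrxFormatError("record offsets array runs past the end of the file")
    offsets = struct.unpack_from(f"<{max_records}I", data, FIXED_HEADER_SIZE)
    used = [o for o in offsets if o != 0]          # unused slots are 0 per the page
    if len(used) != num_records:
        raise TrxFormatError(f"{len(used)} non-zero offsets, header says {num_records}")
    for o in used:
        if o < header_size or o >= file_size:
            raise TrxFormatError(f"record offset {o} points outside the record area")
    return {"version": version, "unknown": unknown, "file_size": file_size,
            "max_records": max_records, "num_records": num_records,
            "header_size": header_size, "record_offsets": used}


def record_slices(data: bytes) -> list:
    """Carve the record area into one byte string per record.

    The record layout is TODO on the page, so this assumes each record runs
    up to the next record offset (or the end of the file).
    """
    header = parse_trx_header(data)
    bounds = sorted(header["record_offsets"]) + [header["file_size"]]
    return [data[start:end] for start, end in zip(bounds, bounds[1:])]


def check_trx(data: bytes) -> tuple:
    """Never-raising wrapper: (ok, summary) for a triage script."""
    try:
        header = parse_trx_header(data)
    except TrxFormatError as exc:
        return False, str(exc)
    return True, f"{header['num_records']}/{header['max_records']} record slots used"


def build_sample_trx(records: list, max_records: int) -> bytes:
    """Constructed test file following the documented header layout."""
    header_size = FIXED_HEADER_SIZE + 4 * max_records
    offsets, position = [], header_size
    for record in records:
        offsets.append(position)
        position += len(record)
    offsets += [0] * (max_records - len(records))      # unused slots stay 0
    header = struct.pack("<5I", 1, 0, position, max_records, len(records))
    header += struct.pack(f"<{max_records}I", *offsets)
    return header + b"".join(records)


SAMPLE_TRX = build_sample_trx([b"record-one", b"rec2", b"third-record!"], max_records=8)

if __name__ == "__main__":
    print(parse_trx_header(SAMPLE_TRX))
    print(record_slices(SAMPLE_TRX))
    print(check_trx(SAMPLE_TRX + b"\x00"))   # one appended byte fails the file size check
```

The file size field is compared with the real length, the number of non-zero offsets with the record count, and every offset with the record area; a file that fails any of these is reported rather than parsed, which is the behaviour wanted from a parser fed with possibly damaged evidence.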
  
=== Record ===

<b>TODO describe</b>

== See Also ==

* [[SuperFetch]]

== External Links ==

* [http://technet.microsoft.com/en-us/magazine/2007.03.vistakernel.aspx Inside the Windows Vista Kernel: Part 2], by [[Mark Russinovich]], March 2007
* [http://blog.rewolf.pl/blog/?p=214 Windows SuperFetch file format – partial specification], by ReWolf, October 5, 2011

[[Category:File Formats]]

= Linux Repositories =

Latest revision as of 13:28, 19 April 2014

There are a number of Linux distributions.

In general they have primary repositories, which are set up for every installation of the operating system, and special-purpose repositories, which require specific setup.

== Repository Setup ==

=== openSUSE ===

For current openSUSE 11.4 and 12.1 users it is necessary to have the following repositories configured:

* security
* devel:languages:perl
* devel:languages:python

This is most easily done from the command line via (assumes openSUSE 12.1):

<pre>
sudo zypper ar -f http://download.opensuse.org/repositories/security/openSUSE_12.1 security
sudo zypper ar -f http://download.opensuse.org/repositories/devel:/languages:/perl/openSUSE_12.1 perl
sudo zypper ar -f http://download.opensuse.org/repositories/devel:/languages:/python/openSUSE_12.1 python

zypper lr               # used to verify you have the repos installed
</pre>

=== fedora ===

[https://forensics.cert.org/ CERT] maintains a fedora security repository with a large number of DFIR applications.

=== debian ===

You can search for debian packages at [http://packages.debian.org/search debian's search page].

=== ubuntu ===

=== altlinux ===

[http://packages.altlinux.org/ ALT Linux packages] (interesting things from autoimports tend to be integrated into the main repository)

== Computer Forensic Tools ==

Below is a list of computer forensic tools. For each tool the repository it can be found in and the version in that repository are shown, as <tt>repository/version</tt>.

As an example, aimage is in the openSUSE security repository and it is version 3.2.5.

A <tt>*</tt> after the repository name means the package will appear in the base release with the next full distribution release.

=== Imaging Tools ===

{| class="wikitable"
|-
! Tool !! openSUSE !! fedora !! debian !! ubuntu !! comment !! General Remarks
|-
| [http://www.e-fense.com/helix/ adepto] || N/A || ? || N/A || ? || || adepto is included in the Helix boot CD
|-
| [[aimage]] || security/3.2.5 || ? || squeeze/3.2.4 || ? || an imaging tool to create aff format images || aimage has been EOL'ed. guymager or ftkimager (windows/mac) are recommended for creating aff images.
|-
| [[AIR]] || N/A || ? || N/A || ? || Automated Image and Restore || a GUI front-end to dd and dc3dd designed for easily creating forensic bit images
|-
| [[dc3dd]] || security*/7.1.614 || ? || sid/7.1.614 || ? || DoD Cyber Crime Center DD || This tool was formerly known as dcfldd. When released as dc3dd it was totally rewritten.
|-
| [[ddrescue]] || Base/1.14 || ? || squeeze/1.14 sid/1.23 || ? || Also known as GNU ddrescue || This tool is different from dd_rescue.
|-
| [[dd_rescue]] || N/A || ? || N/A || ? || || This tool is different from GNU ddrescue.
|-
| [[libewf|ewfacquire]] || security*/20100226 || ? || squeeze/20100226 || ? || an imaging tool to create ewf format images || ewfacquire is part of ewftools in some distributions.
|-
| [[IXimager]] || N/A || ? || N/A || ? || A law enforcement only imager || used in conjunction with ILook Investigator
|-
| [[LinEn]] || N/A || ? || N/A || ? || a proprietary imaging tool to create ewf format images || included on the Helix boot CD
|-
| [[guymager]] || N/A || ? || Squeeze/0.4.2 Sid/0.5.9-3 || ? || an imaging tool to create aff format images || Guymager is an open source forensic imager. It focuses on user friendliness and high speed.
|-
| [http://sourceforge.net/projects/rdd rdd] || N/A || ? || 2.0.7-2 || ? || a dd-like tool, with forensic imaging features || Rdd is robust with respect to read errors
|-
| [ftp://ftp.berlios.de/pub/sdd/ sdd] || Archiving:Backup/1.52 || ? || lenny/1.52 deprecated || ? || a dd-like tool || Designed to work well when IBS != OBS. Working with tape is an example.
|}

=== File Inventory Tools ===

{| class="wikitable"
|-
! Tool !! openSUSE !! fedora !! debian !! ubuntu !! comment !! General Remarks
|-
| [[exiftool]] || base/v8.65 || ? || squeeze/v8.15 sid/v8.60 || ? || || exiftool has superior metadata reporting capability
|-
| [[fiwalk]] || security*/v0.6.15 || ? || N/A || ? || || fiwalk is a robust $MFT walker
|}