Difference between pages "License transition status" and "Windows SuperFetch Format"

From ForensicsWiki
 
(File header)
 
Line 1: Line 1:
This page keeps track of the '''license status''' of the wiki.
+
{{expand}}
  
All contributions after '''March 19th, 2006''' are under the [http://creativecommons.org/licenses/by-sa/2.5/ Creative Commons Attribution-ShareAlike 2.5] license. Contributions prior to that date have an unclear license. We are currently contacting the authors of the respective content, asking them whether they agree to license their contributions under the [http://creativecommons.org/licenses/by-sa/2.5/ Creative Commons Attribution-ShareAlike 2.5] license...
+
== MEMO file ==
 +
Some of the <tt>Ag*.db</tt> files are MEMO files.
  
__TOC__
+
The MEMO file consists of:
 +
* file header
 +
* compressed blocks
  
== HOWTO ==
+
=== File header ===
 
+
The file header is 84 bytes of size and consists of:
If you have contributed to this wiki '''before March 19th, 2006''', please consider (re-)licensing your contributions under this license. You can do that by adding this small paragraph to your user page:
+
{| class="wikitable"
 
+
I hereby license all my contributions to this wiki (before and after March 19th, 2006) under the [http://creativecommons.org/licenses/by-sa/2.5/ Creative Commons Attribution-ShareAlike 2.5] license.
+
 
+
Thanks in advance.
+
 
+
== Current License Status ==
+
 
+
=== Pages ===
+
 
+
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
|- style="background:#bfbfbf; font-weight: bold"
+
! Page
+
! License Status
+
! Checked for copyright infringement
+
 
|-
 
|-
| [[AFF]]
+
! Offset
| style="background:lime" | OK
+
! Size
| style="background:lime" | OK
+
! Value
 +
! Description
 
|-
 
|-
| [[AFIS]]
+
| 0
| style="background:lime" | OK
+
| 4
| style="background:lime" | OK
+
| 0x304D454D ("MEM0") or 0x4F4D454D ("MEMO")
 +
| Signature
 
|-
 
|-
| [[AFOSI]]
+
| 4
| style="background:lime" | OK
+
| 4
| style="background:lime" | OK
+
|  
 +
| Uncompressed (total) data size
 
|-
 
|-
| [[ASR]]
+
|}
| style="background:lime" | OK
+
 
| style="background:lime" | OK
+
=== Compressed blocks ===
|-" | OK
+
The file header is followed by compressed blocks:
| style="background:lime" | OK
+
{| class="wikitable"
 
|-
 
|-
| [[ILook External Imager]]
+
! Offset
| style="background:lime" | OK
+
! Size
| style="background:lime" | OK
+
! Value
 +
! Description
 
|-
 
|-
| [[ILook Imager]]
+
| 0
| style="background:lime" | OK
+
| 4
| style="background:lime" | OK
+
|  
 +
| Compressed data size
 
|-
 
|-
| [[ILook Investigator]]
+
| 4
| style="background:lime" | OK
+
| ...
| style="background:lime" | OK
+
|  
|-
+
| Compressed data
| [[ILook file format]]
+
| style="background:lime" | OK
+
| style="background:lime" | OK
+
|-
+
| [[IXimager]]
+
| style="background:lime" | OK
+
| style="background:lime" | OK
+
|-
+
| [[JPEG]]
+
| style="background:lime" | OK
+
| style="background:lime" | OK
+
|-
+
| [[Jesse Kornblum]]
+
| style="background:lime" | OK
+
| style="background:lime" | OK
+
|-
+
| [[Journals]]
+
| style="background:lime" | OK
+
| style="background:lime" | OK
+
|-
+
| [[LNK]]
+
| style="background:lime" | OK
+
| style="background:lime" | OK
+
|-
+
| [[License transition status]]
+
| style="background:lime" | OK
+
| style="background:lime" | OK
+
|-
+
| [[Linux]]
+
| ?
+
| style="background:lime" | OK
+
|-
+
| [[Mailing lists]]
+
| style="background:lime" | OK
+
| style="background:lime" | OK
+
|-
+
| [[Main Page]]
+
| style="background:lime" | OK
+
| style="background:lime" | OK
+
|-
+
| [[Md5deep]]
+
| style="background:lime" | OK
+
| style="background:lime" | OK
+
|-
+
| [[Metadata]]
+
| style="background:lime" | OK
+
| style="background:lime" | OK
+
|-
+
| [[Microsoft PocketPC]]
+
| ?
+
| ?
+
|-
+
| [[Microsoft Windows]]
+
| style="background:lime" | OK
+
| style="background:lime" | OK
+
|-
+
| [[Microsoft Windows Mobile]]
+
| ?
+
| ?
+
|-
+
| [[National Software Reference Library]]
+
| style="background:lime" | OK
+
| style="background:lime" | OK
+
|-
+
| [[Ontrack Data Eraser]]
+
| style="background:lime" | OK
+
| style="background:lime" | OK
+
|-
+
| [[Organizations]]
+
| ?
+
| style="background:lime" | OK
+
|-
+
| [[Other Websites]]
+
| style="background:lime" | OK
+
| style="background:lime" | OK
+
|-
+
| [[PDAs]]
+
| ?
+
| ?
+
|-
+
| [[Palm]]
+
| ?
+
| ?
+
|-
+
| [[Papers]]
+
| style="background:lime" | OK
+
| style="background:lime" | OK
+
|-
+
| [[Paraben]]
+
| style="background:lime" | OK
+
| style="background:lime" | OK
+
|-
+
| [[People]]
+
| style="background:lime" | OK
+
| style="background:lime" | OK
+
|-
+
| [[Personal Digital Devices]]
+
| style="background:lime" | OK
+
| style="background:lime" | OK
+
|-
+
| [[ProDiscover]]
+
| style="background:lime" | OK
+
| style="background:lime" | OK
+
|-
+
| [[ProDiscovery]]
+
| style="background:lime" | OK
+
| style="background:lime" | OK
+
|-
+
| [[PyFlag]]
+
| style="background:lime" | OK
+
| style="background:lime" | OK
+
|-
+
| [[Pyflag]]
+
| style="background:lime" | OK
+
| style="background:lime" | OK
+
|-
+
| [[RIM Blackberry]]
+
| ?
+
| style="background:lime" | OK
+
|-
+
| [[Raw image file]]
+
| style="background:lime" | OK
+
| style="background:lime" | OK
+
|-
+
| [[Raw image files]]
+
| style="background:lime" | OK
+
| style="background:lime" | OK
+
|-
+
| [[Recovering Overwritten Data]]
+
| style="background:lime" | OK
+
| style="background:lime" | OK
+
|-
+
| [[Recovering bad data]]
+
| style="background:lime" | OK
+
| style="background:lime" | OK
+
|-
+
| [[Recovering deleted data]]
+
| ?
+
| style="background:lime" | OK
+
|-
+
| [[Reports]]
+
| style="background:lime" | OK
+
| style="background:lime" | OK
+
|-
+
| [[SIM Cards]]
+
| ?
+
| ?
+
|-
+
| [[SMART]]
+
| ?
+
| style="background:lime" | OK
+
|-
+
| [[Safeback]]
+
| style="background:lime" | OK
+
| style="background:lime" | OK
+
|-
+
| [[Sanitization Standards]]
+
| style="background:lime" | OK
+
| style="background:lime" | OK
+
|-
+
| [[Scalpel]]
+
| style="background:lime" | OK
+
| style="background:lime" | OK
+
|-
+
| [[Simson Garfinkel]]
+
| style="background:lime" | OK
+
| style="background:lime" | OK
+
|-
+
| [[Sleuthkit]]
+
| style="background:lime" | OK
+
| style="background:lime" | OK
+
|-
+
| [[SmartPhones]]
+
| ?
+
| style="background:lime" | OK
+
|-
+
| [[SpinRite]]
+
| style="background:lime" | OK
+
| style="background:lime" | OK
+
|-
+
| [[Symbian]]
+
| ?
+
| ?
+
|-
+
| [[Techniques]]
+
| style="background:lime" | OK
+
| style="background:lime" | OK
+
|-
+
| [[Tools]]
+
| ?
+
| style="background:lime" | OK
+
|-
+
| [[UNIX]]
+
| style="background:lime" | OK
+
| style="background:lime" | OK
+
|-
+
| [[VMware]]
+
| style="background:lime" | OK
+
| style="background:lime" | OK
+
|-
+
| [[Vendors]]
+
| style="background:lime" | OK
+
| style="background:lime" | OK
+
|-
+
| [[Websites]]
+
| style="background:lime" | OK
+
| style="background:lime" | OK
+
|-
+
| [[Wetstone]]
+
| style="background:lime" | OK
+
| style="background:lime" | OK
+
|-
+
| [[Write Blockers]]
+
| style="background:lime" | OK
+
| style="background:lime" | OK
+
 
|-
 
|-
 
|}
 
|}
  
=== Files/Images ===
+
=== Uncompressed data ===
 +
<b>TODO</b>
  
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
== TRX file ==
|- style="background:#bfbfbf; font-weight: bold"
+
The <tt>Ag*.db.trx</tt> files are TRX files.
! File
+
 
! License Status
+
<b>Note that the following format specification is incomplete.</b>
! Comments
+
 
 +
=== File header ===
 +
The file header is 84 bytes of size and consists of:
 +
{| class="wikitable"
 
|-
 
|-
| [[:Image:Simpic.jpg]]
+
! Offset
| style="background:lime" | OK
+
! Size
| Replaced with free version.
+
! Value
 +
! Description
 
|-
 
|-
| [[:Image:Treo.jpg]]
+
| 0
| style="background:lime" | OK
+
| 4
| Deleted.
+
| 1
 +
| Unknown (Version?)
 
|-
 
|-
| [[:Image:Pocketpc.jpg]]
+
| 4
| style="background:lime" | OK
+
| 4
| Replaced with free version.
+
|  
 +
| Unknown
 
|-
 
|-
| [[:Image:Newton.jpg]]
+
| 8
| style="background:lime" | OK
+
| 4
| Deleted.
+
|  
 +
| File size
 
|-
 
|-
| [[:Image:Zaurus-front.jpg]]
+
| 12
| style="background:lime" | OK
+
| 4
| Replaced with free version.
+
|  
 +
| Unknown (Record count?)
 
|-
 
|-
| [[:Image:Sharp sl-c3100-thm.jpg]]
+
| 16
| style="background:lime" | OK
+
| 4
| Deleted.
+
|  
 +
| Unknown (Record count?)
 
|-
 
|-
| [[:Image:Yale fat16 diagram.jpg]]
+
| 20
| ?
+
| 4
 
|  
 
|  
 +
| Unknown (Records offset or file header size)
 
|-
 
|-
| [[:Image:Recover-FAT-volume-structur.jpg]]
+
|}
| style="background:lime" | OK
+
| Deleted.
+
|-
+
| [[:Image:HelixGroupPaper.pdf]]
+
| style="background:lime" | OK
+
| Deleted
+
|-
+
| [[:Image:Network Appliance DataFort.doc]]
+
| style="background:lime" | OK
+
| Deleted
+
|-
+
| [[:Image:Draft Paper.doc]]
+
| style="background:lime" | OK
+
| Deleted
+
|-
+
| [[:Image:Survey3.doc]]
+
| style="background:lime" | OK
+
| Deleted
+
|-
+
| [[:Image:Survey.doc]]
+
| style="background:lime" | OK
+
| Deleted
+
|-
+
| [[:Image:Biblio.doc]]
+
| style="background:lime" | OK
+
| Deleted
+
|-
+
| [[:Image:HelixCFS.doc]]
+
| style="background:lime" | OK
+
| Deleted
+
|-
+
| [[:Image:Init2.doc]]
+
| style="background:lime" | OK
+
| Deleted
+
|-
+
| [[:Image:Init.doc]]
+
| style="background:lime" | OK
+
| Deleted
+
|-
+
| [[:Image:Securing Storage White Paper.pdf]]
+
| style="background:lime" | OK
+
| Decru white paper. Not Creative Commons licensed, but we'll keep it here, as it might disappear from the net.
+
|-
+
  
|}
+
== See Also ==
 +
* [[SuperFetch]]
 +
 
 +
== External Links ==
 +
* [http://blog.rewolf.pl/blog/?p=214 Windows SuperFetch file format – partial specification], by ReWolf, October 5, 2011
 +
 
 +
[[Category:File Formats]]
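
Review bot: the TRX "File header" section states that the header is 84 bytes, the same sentence used for the MEMO header, yet its table documents only offsets 0 through 23 and describes offset 20 as "Records offset or file header size"; the MEMO table likewise covers only the first 8 of its 84 bytes. Suggest confirming the TRX header size instead of carrying the sentence over, and adding explicit "Unknown" rows for the undocumented byte ranges so readers can tell unmapped fields from omitted ones. The byte order of the 4-byte fields is also never stated; a one-line note next to the signature values would remove the ambiguity.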

Revision as of 00:28, 15 April 2014

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

MEMO file

Some of the Ag*.db files are MEMO files.

The MEMO file consists of:

  • file header
  • compressed blocks

File header

The file header is 84 bytes in size and consists of:

| Offset | Size | Value | Description |
|--------|------|-------|-------------|
| 0 | 4 | 0x304D454D ("MEM0") or 0x4F4D454D ("MEMO") | Signature |
| 4 | 4 | | Uncompressed (total) data size |

Compressed blocks

The file header is followed by compressed blocks:

| Offset | Size | Value | Description |
|--------|------|-------|-------------|
| 0 | 4 | | Compressed data size |
| 4 | ... | | Compressed data |
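
The MEMO layout described above can be walked with a short bounds-checked parser. This is an added example, not code from the wiki or from any SuperFetch tool; it assumes the 32-bit fields are little-endian, that the compressed data size counts only the bytes after the size field, and that blocks run to the end of the file. The sample input is constructed, and the block contents are left undecompressed.

```python
import struct

HEADER_SIZE = 84  # per the page; only the first 8 bytes are documented
SIGNATURES = {0x304D454D: "MEM0", 0x4F4D454D: "MEMO"}


class MemoFormatError(ValueError):
    """Raised when the input does not match the documented MEMO layout."""


def parse_memo(data: bytes) -> dict:
    """Walk a MEMO file: header, then size-prefixed compressed blocks."""
    if len(data) < HEADER_SIZE:
        raise MemoFormatError("file shorter than the 84-byte header")
    # Assumption: both 32-bit fields are little-endian, which is what makes
    # the value 0x304D454D read as the bytes "MEM0".
    signature, uncompressed_size = struct.unpack_from("<II", data, 0)
    if signature not in SIGNATURES:
        raise MemoFormatError(f"unexpected signature 0x{signature:08X}")

    blocks = []
    offset = HEADER_SIZE
    while offset < len(data):
        if len(data) - offset < 4:
            raise MemoFormatError(f"truncated block size at offset {offset}")
        (compressed_size,) = struct.unpack_from("<I", data, offset)
        start = offset + 4
        # Never trust the stored size: it must fit in the remaining bytes.
        if compressed_size > len(data) - start:
            raise MemoFormatError(f"block at offset {offset} overruns the file")
        blocks.append({"offset": offset, "compressed_size": compressed_size,
                       "data": data[start:start + compressed_size]})
        offset = start + compressed_size
    return {"signature": SIGNATURES[signature],
            "uncompressed_size": uncompressed_size, "blocks": blocks}


def build_sample() -> bytes:
    """Constructed sample, not real SuperFetch data."""
    header = struct.pack("<II", 0x304D454D, 4096).ljust(HEADER_SIZE, b"\x00")
    block1 = struct.pack("<I", 5) + b"AAAAA"
    block2 = struct.pack("<I", 3) + b"BBB"
    return header + block1 + block2


if __name__ == "__main__":
    info = parse_memo(build_sample())
    print(info["signature"], info["uncompressed_size"],
          [(b["offset"], b["compressed_size"]) for b in info["blocks"]])
```
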

Uncompressed data

TODO

TRX file

The Ag*.db.trx files are TRX files.

Note that the following format specification is incomplete.

File header

The file header is 84 bytes in size and consists of:

| Offset | Size | Value | Description |
|--------|------|-------|-------------|
| 0 | 4 | 1 | Unknown (Version?) |
| 4 | 4 | | Unknown |
| 8 | 4 | | File size |
| 12 | 4 | | Unknown (Record count?) |
| 16 | 4 | | Unknown (Record count?) |
| 20 | 4 | | Unknown (Records offset or file header size) |

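See Also

  • SuperFetch

External Links

  • Windows SuperFetch file format – partial specification, by ReWolf, October 5, 2011 (http://blog.rewolf.pl/blog/?p=214)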