Difference between pages "Research Topics" and "Windows SuperFetch Format"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
m
 
(File header)
 
Line 1: Line 1:
Interested in doing research in computer forensics? Looking for a master's topic, or just some ideas for a research paper? Here is my list. Please feel free to add your own ideas.
+
{{expand}}
  
==Disk Forensics==
+
== MEMO file ==
===Stream Forensics===
+
Some of the <tt>Ag*.db</tt> files are MEMO files.
Process the entire disk with one pass, or at most two, to minimize seek time.
+
  
===Evidence Falsification===
+
The MEMO file consists of:
Automatically detect falsified digital evidence.
+
* file header
 +
* compressed blocks
  
===Sanitization===
+
=== File header ===
Detect and diagnose sanitization attempts.
+
The file header is 84 bytes of size and consists of:
 +
{| class="wikitable"
 +
|-
 +
! Offset
 +
! Size
 +
! Value
 +
! Description
 +
|-
 +
| 0
 +
| 4
 +
| 0x304D454D ("MEM0") or 0x4F4D454D ("MEMO")
 +
| Signature
 +
|-
 +
| 4
 +
| 4
 +
|
 +
| Uncompressed (total) data size
 +
|-
 +
|}
  
 +
=== Compressed blocks ===
 +
The file header is followed by compressed blocks:
 +
{| class="wikitable"
 +
|-
 +
! Offset
 +
! Size
 +
! Value
 +
! Description
 +
|-
 +
| 0
 +
| 4
 +
|
 +
| Compressed data size
 +
|-
 +
| 4
 +
| ...
 +
|
 +
| Compressed data
 +
|-
 +
|}
  
===[[AFF]] Enhancement===
+
=== Uncompressed data ===
* Replace the AFF "BADFLAG" approach for indicating bad data with a bad sector bitmap.
+
<b>TODO</b>
  
* Modify aimage so that it can take a partial disk image and a disk and just image what's missing.
+
== TRX file ==
 +
The <tt>Ag*.db.trx</tt> files are TRX files.
  
* Improve the data recovery features of aimage.
+
<b>Note that the following format specification is incomplete.</b>
  
* Replace AFF's current table-of-contents system with one based on B+ Trees.
+
=== File header ===
 +
The file header is 84 bytes of size and consists of:
 +
{| class="wikitable"
 +
|-
 +
! Offset
 +
! Size
 +
! Value
 +
! Description
 +
|-
 +
| 0
 +
| 4
 +
| 1
 +
| Unknown (Version?)
 +
|-
 +
| 4
 +
| 4
 +
|
 +
| Unknown
 +
|-
 +
| 8
 +
| 4
 +
|
 +
| File size
 +
|-
 +
| 12
 +
| 4
 +
|
 +
| Unknown (Record count?)
 +
|-
 +
| 16
 +
| 4
 +
|
 +
| Unknown (Record count?)
 +
|-
 +
| 20
 +
| 4
 +
|
 +
| Unknown (Records offset or file header size)
 +
|-
 +
|}
  
==Carving==
+
== See Also ==
===JPEG Validator===
+
* [[SuperFetch]]
Create a JPEG decompresser that supports restarts and checkpointing for use in high-speed carving.
+
  
 +
== External Links ==
 +
* [http://blog.rewolf.pl/blog/?p=214 Windows SuperFetch file format – partial specification], by ReWolf, October 5, 2011
  
==Cell Phone Exploitation==
+
[[Category:File Formats]]
===Imaging===
+
Develop a tool for imaging the contents of a cell phone memory
+
===Interpretation===
+
* Develop a tool for reassembling information in a cell phone memory
+
 
+
 
+
==Corpora Development==
+
===Realistic Disk Corpora===
+
There is need for realistic corpora that can be freely redistributed but do not contain any confidential personally identifiable information (PII).
+
 
+
These disk images may be either of an external drive or of a system boot drive. The drive images should have signs of ''wear'' --- that is, they should have resident files, deleted files, partially overwritten files, contiguous files, and fragmented files.
+
 
+
===Realistic Network Traffic===
+
Generating realistic network traffic requires constructing a test network and either recording interactions within the network or with an external network.
+

Revision as of 00:28, 15 April 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Contents

MEMO file

Some of the Ag*.db files are MEMO files.

The MEMO file consists of:

  • file header
  • compressed blocks

File header

The file header is 84 bytes of size and consists of:

Offset Size Value Description
0 4 0x304D454D ("MEM0") or 0x4F4D454D ("MEMO") Signature
4 4 Uncompressed (total) data size

Compressed blocks

The file header is followed by compressed blocks:

Offset Size Value Description
0 4 Compressed data size
4 ... Compressed data

Uncompressed data

TODO

TRX file

The Ag*.db.trx files are TRX files.

Note that the following format specification is incomplete.

File header

The file header is 84 bytes of size and consists of:

Offset Size Value Description
0 4 1 Unknown (Version?)
4 4 Unknown
8 4 File size
12 4 Unknown (Record count?)
16 4 Unknown (Record count?)
20 4 Unknown (Records offset or file header size)

See Also

External Links