Windows SuperFetch Format
Note that the following format specification is incomplete.
SuperFetch DB files
The Ag*.db files are of the SuperFetch file format. E.g.
- AgAppLaunch.db
- AgCx_SC*.db
- AgGlFaultHistory.db
- AgGlFgAppHistory.db
- AgGlGlobalHistory.db
- AgGlUAD_P_%SID%.db
- AgRobust.db
The SuperFetch DB files can be stored in uncompressed or compressed form.
- Compressed SuperFetch DB - MEM file format; Windows Vista and 7
- Compressed SuperFetch DB - MAM file format; Windows 8
Compressed SuperFetch DB - MEM file format
The MEM file consists of:
- file header
- compressed blocks
The file header is 84 bytes in size and consists of:

| Offset | Size | Value | Description |
|---|---|---|---|
| 0 | 4 | "MEMO" (0x4d, 0x45, 0x4d, 0x4f) or "MEM0" (0x4d, 0x45, 0x4d, 0x30) | Signature |
| 4 | 4 | | Uncompressed (total) data size |

- "MEMO" (0x4d, 0x45, 0x4d, 0x4f) is used on Windows Vista
- "MEM0" (0x4d, 0x45, 0x4d, 0x30) is used on Windows 7
The file header is followed by compressed blocks:

| Offset | Size | Description |
|---|---|---|
| 0 | 4 | Compressed data size |

Compressed SuperFetch DB - MAM file format
On Windows 8 (seen on 8.1) the MEM file format seems to have been replaced by the MAM file format.

| Offset | Size | Value | Description |
|---|---|---|---|
| 0 | 4 | "MAM\x84" (0x4d, 0x41, 0x4d, 0x84) | Signature |

The Ag*.db.trx files are of the TRX file format. E.g.
Note that the following format specification is incomplete.
The file header is variable in size and consists of:

| Offset | Size | Description |
|---|---|---|
| 12 | 4 | Maximum number of records (of the record offsets array) |
| 16 | 4 | Number of records |
| 20 | ... | Record offsets array, where each record offset is a 32-bit integer. Unused record offsets are set to 0. |

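A reader for the fields documented above, as an added example that is not part of the original specification: it classifies an Ag*.db file by its signature and reads the TRX header's record offsets array with bounds checks. Little-endian byte order, the function names and the sample bytes are assumptions; the specification does not state them.

```python
import struct

# Signatures as listed on this page, mapped to (container, Windows version).
SIGNATURES = {
    b"MEMO": ("MEM", "Windows Vista"),
    b"MEM0": ("MEM", "Windows 7"),
    b"MAM\x84": ("MAM", "Windows 8"),
}
MEM_HEADER_SIZE = 84  # stated size of the MEM file header


def identify_db(data: bytes) -> dict:
    """Classify an Ag*.db file by its first four bytes."""
    container, version = SIGNATURES.get(data[:4], ("uncompressed or unknown", None))
    info = {"container": container, "windows": version}
    if container == "MEM":
        if len(data) < MEM_HEADER_SIZE:
            raise ValueError("truncated MEM header")
        # Assumption: little-endian, as is usual for Windows on-disk formats.
        (info["uncompressed_size"],) = struct.unpack_from("<I", data, 4)
    return info


def parse_trx_header(data: bytes) -> dict:
    """Read the documented TRX header fields (offsets 12, 16 and 20)."""
    if len(data) < 20:
        raise ValueError("truncated TRX header")
    max_records, num_records = struct.unpack_from("<II", data, 12)
    if num_records > max_records:
        raise ValueError("record count exceeds offsets array capacity")
    if 20 + 4 * max_records > len(data):
        raise ValueError("offsets array runs past end of file")
    offsets = struct.unpack_from(f"<{max_records}I", data, 20)
    return {
        "max_records": max_records,
        "num_records": num_records,
        "record_offsets": [o for o in offsets if o != 0],  # 0 marks an unused slot
    }


# Constructed sample inputs (not taken from a real system).
SAMPLE_MEM = b"MEM0" + struct.pack("<I", 0x2000) + bytes(76)
SAMPLE_TRX = bytes(12) + struct.pack("<II", 4, 2) + struct.pack("<4I", 0x40, 0x90, 0, 0)

if __name__ == "__main__":
    print(identify_db(SAMPLE_MEM))
    print(parse_trx_header(SAMPLE_TRX))
```

Bytes 0 to 11 of the TRX header are not described in the specification, so the example skips them.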
- Windows SuperFetch file format – partial specification, by ReWolf, October 5, 2011