Difference between pages "Damaged SIM Card Data Recovery" and "Windows Prefetch File Format"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(X-Rays)
 
(Characteristics)
 
Line 1: Line 1:
== Summary ==
+
A Windows Prefetch file consists of one file header and multiple file sections with different content. Not all content has an obvious forensic value.
  
A prerequisite for the use of SIMIS, is that the SIM card must be functional. A physically damaged, broken or dirty SIM may not function correctly, resulting in the recovery of corrupted data, or no data at all. In the forensic data recovery environment, SIM's will be presented in a variety of different conditions, ranging from good, but lightly soiled, through blood soaked to physically broken. Lightly soiled and blood soaked SIM's may be cleaned using appropriate methods, ensuring that the SIM is not further damaged taking care to preserve surface printing where possible.
+
As far as have been possible to ascertain, there is no public description of the format. The description below has been synthesised from examination
 +
of multiple prefetch files.
  
However, physically damaged or broken SIM's require more specialised processing to produce a viable SIM for data recovery purposes. Crownhill has extensive experience in the area of SIM data recovery through its activity in the SIM manufacturing process. Crownhill works directly with the SIM silicon manufacturers and SIM card manufacturers. Processes developed to aid fault analysis and qualitative measurements are an invaluable advantage when attempting to repair and recover data from physically damaged SIM modules.
+
== Characteristics ==
 +
Integer values are stored in little-endian.
  
Crownhill have invested in purpose-built laboratory facilities to provide professional card cleaning, data recovery and card repair service. Based in discrete, secure premises, Crownhill can provide the full compliment of services required to clean, repair and recover data from damaged SIM's. Drawing on its own expertise and relationships with Card manufacturers and silicon vendors world-wide, Crownhill have created a centre of excellence for this specialised work. An overview of the procedures can be found here
+
Strings are stored as UTF-16 little-endian without a byte-order-mark (BOM).
  
Where a SIM is thought to be functional, Crownhill can provide a SIM cleaning service. Blood, soot, general soiling and body fluids are handled in an environmentally secure fashion, relieving the client of responsibility for Bio Hazards and other Health and Safety issues. Cleaned SIM's are returned without undue delay, ready for data recovery by the client. Cleaning by Crownhill must be carried out after the SIM has been pre-processed for any physical evidence required, such as Photography and DNA sampling.
+
Timestamps are stored as Windows Filetime in UTC.
Data Recovery Process
+
  
== Data Recovery Process ==
+
== Header ==
  
If our findings suggest that data recovery is likely to be possible, the SIM may further examined by real time X-ray, to determine the extent of the damage. Specifically we will be looking for broken or damaged wire bonds, detachment of the silicon die and possible fractures of the die.
+
This format has been observed on Windows XP, ...  will need to be modified for Vista/Win7 format
  
=== Decapsulation ===
+
{| class="wikitable"
 +
|-
 +
! Field
 +
! Offset
 +
! Length
 +
! Type
 +
! Notes
 +
|-
 +
| H1
 +
| 0x0000
 +
| 4
 +
| DWORD
 +
| Format version (see format version section below)
 +
|-
 +
| H2
 +
| 0x0004
 +
| 4
 +
| DWORD
 +
| ? Probably a file magic number. Only observed value: 0x41434353 ('SCCA')
 +
|-
 +
| H3
 +
| 0x0008
 +
| 4
 +
| DWORD?
 +
| ? Observed values: 0x0F - Windows XP, 0x11 - Windows 7
 +
|-
 +
| H4
 +
| 0x000C
 +
| 4
 +
| DWORD
 +
| Prefetch file length.
 +
|-
 +
| H5
 +
|0x0010
 +
| 60
 +
| USTR
 +
| Name of executable as Unicode string, truncated after 29 code units, if necessary, and terminated by U+0000. As it appears in the prefetch file file name.
 +
|-
 +
| H6
 +
|0x004C
 +
|4
 +
|DWORD
 +
|The prefetch hash, as it appears in the pf file name.
 +
|-
 +
| H7
 +
|0x0050
 +
|4
 +
|?
 +
|? Observed values: 0 for almost all prefetch files (XP); 1 for NTOSBOOT-B00DFAAD.pf (XP)
 +
|-
 +
| H8
 +
| 0x0054
 +
| 4
 +
| DWORD
 +
| Offset to section A
 +
|-
 +
| H9
 +
| 0x0058
 +
| 4
 +
| DWORD
 +
| ? Nr of entries in section A
 +
|-
 +
| H10
 +
| 0x005C
 +
| 4
 +
| DWORD
 +
| Offset to section B
 +
|-
 +
| H11
 +
| 0x0060
 +
| 4
 +
| DWORD
 +
| Nr of entries in section B
 +
|-
 +
| H12
 +
| 0x0064
 +
| 4
 +
| DWORD
 +
| Offset to section C
 +
|-
 +
| H13
 +
| 0x0068
 +
| 4
 +
| DWORD
 +
| Length of section C
 +
|-
 +
| H14
 +
| 0x006C
 +
| 4
 +
| DWORD
 +
| Offset to section D
 +
|-
 +
| H15
 +
| 0x0070
 +
| 4
 +
| DWORD
 +
| ? Probably the number of entries in the D section header
 +
|-
 +
| H16
 +
| 0x0074
 +
| 4
 +
| DWORD
 +
| Length of section D
 +
|-
 +
| H17
 +
| 0x0078
 +
| 8
 +
| FTIME
 +
| Latest execution time of executable (FILETIME)
 +
|-
 +
| H18
 +
| 0x0080
 +
| 16
 +
| ?
 +
| ? Possibly structured as 4 DWORD. Observed values: /0x00000000 0x00000000 0x00000000 0x00000000/, /0x47868c00 0x00000000 0x47860c00 0x00000000/
 +
|-
 +
| H19
 +
| 0x0090
 +
| 4
 +
| DWORD
 +
| Execution counter
 +
|-
 +
| H20
 +
| 0x0094
 +
| 4
 +
| DWORD?
 +
| ? Observed values: 1, 2, 3, 4, 5, 6 (XP)
 +
|-
 +
|}
  
Where a damaged bond wire(s) is clearly identified and if there is no obvious damage to the silicon die, the die encapsulation can be removed. The de-capsulation process requires a great deal of skill and the use of proprietary mixes of aggressive solvents and/or acids. The exact process used depends upon the.
+
It's worth noting that the name of a carved prefetch file can be restored using the information in field H5 and H6, and its size can be determined by field H4.
  
=== Testing ===
+
=== Format version ===
  
After de-capsulation, further electrical tests are carried out to confirm the viability of the recovered silicon die. The die bonding pads are then probed and once electrical connection is established, the silicon is accessed and the sim data recovered using proprietary software.
+
{| class="wikitable"
 +
|-
 +
! Value
 +
! Windows version
 +
|-
 +
| 0x11
 +
| Windows XP, Windows 2003
 +
|-
 +
| 0x17
 +
| Windows Vista, Windows 7
 +
|-
 +
| 0x1a
 +
| Windows 8.1
 +
|-
 +
|}
  
=== X-Rays ===
+
== Section A and B ==
  
Real time X-ray examination is used to confirm the conclusions drawn from the preceding Physical, Optical and Electrical tests. X-ray examination is only undertaken where the integrity of the silicon die is thought to be uncompromised.
+
The content of these two sections is unknown.
  
Source: [http://www.3gforensics.co.uk/sim-card-data-recovery.htm]
+
== Section C ==
 +
 
 +
== Section D ==
 +
 
 +
Section D contains one or more subsections. The number is (most likely) determined by the DWORD at file offset 0x0070. Each subsection refers to directories on an identified volume.
 +
 
 +
In this section, all offsets are assumed to be counted from the start of the D section.
 +
 
 +
{| class="wikitable"
 +
|-
 +
! Field
 +
! Offset
 +
! Length
 +
! Type
 +
! Notes
 +
|-
 +
| DH1
 +
| +0x0000
 +
| 4
 +
| DWORD
 +
| Offset to volume string (Unicode, terminated by U+0000)
 +
|-
 +
| DH2
 +
| +0x0004
 +
| 4
 +
| DWORD
 +
| Length of volume string (nr of characters, including terminating U+0000)
 +
|-
 +
| DH3
 +
| +0x0008
 +
| 8
 +
| FTIME
 +
| (File time)
 +
|-
 +
| DH4
 +
| +0x0010
 +
| 4
 +
| DWORD
 +
| Volume serial number of volume indicated by volume string
 +
|-
 +
| DH5
 +
| +0x0014
 +
| 4
 +
| DWORD
 +
| ? Offset to section DHS1
 +
|-
 +
| DH6
 +
| +0x0018
 +
| 4
 +
| DWORD
 +
| ? Length of section DHS1 (in bytes)
 +
|-
 +
| DH7
 +
| +0x001C
 +
| 4
 +
| DWORD
 +
| ? Offset to section DHS2
 +
|-
 +
| DH8
 +
| +0x0020
 +
| 4
 +
| DWORD
 +
| ? Nr of strings in section DHS2
 +
|-
 +
| ?
 +
| +0x0024
 +
| ?
 +
| ?
 +
| ? additional 28 bytes (includes one timestamp?)
 +
|}
 +
 
 +
 
 +
 
 +
If all the executables and libraries referenced in the C section are from one single disk volume, there will be only one section in the D section. If multiple volumes are referenced by section C, section D will contain multiple sections.  (A simple way to force this situation is to copy, say, NOTEPAD.EXE to a USB drive, and start it from that volume. The corresponding prefetch file will have one D header referring to, e.g. \DEVICE\HARDDISK1\DP(1)0-0+4 (the USB drive), and one to, e.g. \DEVICE\HARDDISKVOLUME1\ (where the .DLLs and other support files were found).

Revision as of 05:50, 20 October 2013

A Windows Prefetch file consists of one file header and multiple file sections with different content. Not all content has an obvious forensic value.

As far as have been possible to ascertain, there is no public description of the format. The description below has been synthesised from examination of multiple prefetch files.

Characteristics

Integer values are stored in little-endian.

Strings are stored as UTF-16 little-endian without a byte-order-mark (BOM).

Timestamps are stored as Windows Filetime in UTC.

Header

This format has been observed on Windows XP, ... will need to be modified for Vista/Win7 format

Field Offset Length Type Notes
H1 0x0000 4 DWORD Format version (see format version section below)
H2 0x0004 4 DWORD  ? Probably a file magic number. Only observed value: 0x41434353 ('SCCA')
H3 0x0008 4 DWORD?  ? Observed values: 0x0F - Windows XP, 0x11 - Windows 7
H4 0x000C 4 DWORD Prefetch file length.
H5 0x0010 60 USTR Name of executable as Unicode string, truncated after 29 code units, if necessary, and terminated by U+0000. As it appears in the prefetch file file name.
H6 0x004C 4 DWORD The prefetch hash, as it appears in the pf file name.
H7 0x0050 4 ? ? Observed values: 0 for almost all prefetch files (XP); 1 for NTOSBOOT-B00DFAAD.pf (XP)
H8 0x0054 4 DWORD Offset to section A
H9 0x0058 4 DWORD  ? Nr of entries in section A
H10 0x005C 4 DWORD Offset to section B
H11 0x0060 4 DWORD Nr of entries in section B
H12 0x0064 4 DWORD Offset to section C
H13 0x0068 4 DWORD Length of section C
H14 0x006C 4 DWORD Offset to section D
H15 0x0070 4 DWORD  ? Probably the number of entries in the D section header
H16 0x0074 4 DWORD Length of section D
H17 0x0078 8 FTIME Latest execution time of executable (FILETIME)
H18 0x0080 16  ?  ? Possibly structured as 4 DWORD. Observed values: /0x00000000 0x00000000 0x00000000 0x00000000/, /0x47868c00 0x00000000 0x47860c00 0x00000000/
H19 0x0090 4 DWORD Execution counter
H20 0x0094 4 DWORD?  ? Observed values: 1, 2, 3, 4, 5, 6 (XP)

It's worth noting that the name of a carved prefetch file can be restored using the information in field H5 and H6, and its size can be determined by field H4.

Format version

Value Windows version
0x11 Windows XP, Windows 2003
0x17 Windows Vista, Windows 7
0x1a Windows 8.1

Section A and B

The content of these two sections is unknown.

Section C

Section D

Section D contains one or more subsections. The number is (most likely) determined by the DWORD at file offset 0x0070. Each subsection refers to directories on an identified volume.

In this section, all offsets are assumed to be counted from the start of the D section.

Field Offset Length Type Notes
DH1 +0x0000 4 DWORD Offset to volume string (Unicode, terminated by U+0000)
DH2 +0x0004 4 DWORD Length of volume string (nr of characters, including terminating U+0000)
DH3 +0x0008 8 FTIME (File time)
DH4 +0x0010 4 DWORD Volume serial number of volume indicated by volume string
DH5 +0x0014 4 DWORD  ? Offset to section DHS1
DH6 +0x0018 4 DWORD  ? Length of section DHS1 (in bytes)
DH7 +0x001C 4 DWORD  ? Offset to section DHS2
DH8 +0x0020 4 DWORD  ? Nr of strings in section DHS2
 ? +0x0024  ?  ?  ? additional 28 bytes (includes one timestamp?)


If all the executables and libraries referenced in the C section are from one single disk volume, there will be only one section in the D section. If multiple volumes are referenced by section C, section D will contain multiple sections. (A simple way to force this situation is to copy, say, NOTEPAD.EXE to a USB drive, and start it from that volume. The corresponding prefetch file will have one D header referring to, e.g. \DEVICE\HARDDISK1\DP(1)0-0+4 (the USB drive), and one to, e.g. \DEVICE\HARDDISKVOLUME1\ (where the .DLLs and other support files were found).