BGINFO - A Posh Recreation
Recently I have been building a lot of Windows Servers in different environments - one
In Part 1 of this blog I mentioned the metadata regarding one of the separate files contained within the deleted cache. I stated that I would further explain what is contained within that metadata, here is my interpretation and explanation.
f_00056 is a picture of the character Hermionie Granger from the film Harry Potter.
I carried out an analysis of the metadata for this picture contained within the deleted Google chrome cache I was presented with. I first needed to locate the metadata for the file and to do so I took the name of the cache file – f_000056 and this is part of the following binary breakdown which was explained in Part 1:
1 000 0000 0000 0000 0000 0000 0101 0110
- Entry initialised
- File Type 0 = Separate File which we see from a visual check of the cache folder.
- File name = f_000056
Now When we convert the above binary number to hex we get 80000056h which we will convert to little endian 56000080h which we will use to search the Data Block files within the deleted cache folder. I then opened each of those files using winhex and performed a hex search for 56000080h and received a hit within Data_1.
I extracted the following entry.
Below is a colour coded breakdown of the metadata which I created in Word:
Details of interest gleaned from the metadata for – f_000056:
- Hash of Key (URL) – A2F0BAD9
- Cache Address of Rankings –9000036A – This is the location where details are stored concerning the rankings of the object. As I mentioned in part 1 the ranking dictates when the object will be evicted from the cache.
- State –Normal – I am unsure at this time what this refers to as it is not explained further within my books. (If anyone reading this blog is aware please drop a comment below and I will amend with credit)
- creation Time-2013-11-14 18:26:10 GMT
- data size of http headers-316 bytes
- Data size of payload-109943 bytes
- Cache address of http headers- A10108C8
- Cache address of payload-08000056
- Key (URL)- http://images4.fanpop.com/image/photos/18000000/Hermione-Granger-harry-potter-18062503-959-1280.jpg
I hope you are enjoying this series of blogs as much as I am learning about the Chrome cache and the sheer amount of information it can contain. I am very sure I have only scratched the surface and of course there is only so much I can do within the confines of a blog post.
As always I appreciate the feedback and comments from my peers in the DFIR community as that is the only way we can learn and advance.