Thursday, August 30, 2007

Offline Folders

Offline folders used to go by the name Client Side Cache. This is evident from the directory the information is stored in, C:\Windows\CSC; the directory is there even if you do not use offline folders. You will find offline folders mostly in corporate environments, and mainly on laptops. The idea is that you want to store your data on a network drive but also have access to it when you are not on the network. A synchronization process runs between your computer and the network drive where your data is stored, and when the sync happens depends on your settings.

One of the interesting things about this is that if you log in to a laptop at your company that is not yours, your files on the network drive will start to sync to that laptop. After the sync, your files should be on that laptop. Now let's say you are looking at leaving the company and decide to remove all your files from the network drive and then resync on your laptop: all the data is removed from the offline folder on your laptop and is gone. But what about that other laptop you logged in to? Your files are still on that one, and they can potentially be harvested. All you E-Discovery folks should be drooling at the mouth right about now, since files that were deleted may be found somewhere else (especially if the backup tapes of the network drive are no good, lost, etc.). You just have to find out where the user logged in besides their own laptop.

One downside to this: your cube mate is an idiot and stores his porn on the network drive. He decides to log in to your laptop, and his files are now on your laptop. There is an investigation and they take both your laptop and his. Without an understanding of offline folders, you may get accused of having porn on your laptop when you never put it there; your idiot cube mate did.

Now let's take a high-level look at the offline folders (I am still gathering information, so there may be some holes in it). Under the C:\Windows\CSC directory you will find the following:

Directories named d1 to d8 - these hold all the files used for offline folders; the file names are system generated.

file 00000001 - this points to the network drive that you will sync to.

file 00000002 - this file holds all the references to what directories your files are stored in and what their names are.

file 00000003 - Don't know; I have not figured this out yet (I did say this was a work in progress, and any help would be appreciated).

file csc1.tmp - this appears to be a copy of file 00000002.

In each directory (d1..d8) you will find 2 types of files: ones whose name starts with 0 and ones whose name starts with 8. The ones with a first character of 8 are the actual files that you stored there. The files that start with 0 hold the information/cross reference between the generated name and the actual name, as well as the size of the file and the date that the file was created (this is another place where I am still figuring it out, but I do have some of the information).
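The layout described above can be turned into a quick triage inventory of a CSC directory copied out of an image. This is an added example, not the author's Perl tooling; the function names, the sample file names and their contents are constructed, and it classifies files only by the rules stated in this post without parsing their internal format.

```python
import os
import tempfile

# Roles of the top-level files, as this post describes them.
TOP_LEVEL = {
    "00000001": "points to the network drive",
    "00000002": "directory and file name references",
    "00000003": "not yet identified in the post",
    "csc1.tmp": "apparent copy of 00000002",
}
D_DIRS = {f"d{i}" for i in range(1, 9)}

def inventory_csc(root):
    """Classify the contents of a copied CSC directory (reads metadata only)."""
    report = {"top_level": {}, "dirs": {}}
    for name in sorted(os.listdir(root)):
        path = os.path.join(root, name)
        if os.path.isfile(path):
            role = TOP_LEVEL.get(name.lower(), "not described in the post")
            report["top_level"][name] = (role, os.path.getsize(path))
        elif name.lower() in D_DIRS:
            buckets = {"data": [], "xref": [], "other": []}
            for entry in sorted(os.listdir(path)):
                full = os.path.join(path, entry)
                if os.path.isfile(full):
                    # First character 8 = cached file, 0 = cross reference.
                    kind = {"8": "data", "0": "xref"}.get(entry[0], "other")
                    buckets[kind].append((entry, os.path.getsize(full)))
            report["dirs"][name] = buckets
    return report

def build_sample(root):
    """Create a constructed CSC-like tree; all names and contents are made up."""
    for name in ("00000001", "00000002", "00000003", "csc1.tmp"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"\x00" * 16)
    sample = {"d1": ["80000010", "00000010"], "d2": ["80000011", "x.tmp"]}
    for d, entries in sample.items():
        os.mkdir(os.path.join(root, d))
        for entry in entries:
            with open(os.path.join(root, d, entry), "wb") as fh:
                fh.write(b"constructed sample")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        rep = inventory_csc(tmp)
        for name, (role, size) in rep["top_level"].items():
            print(f"{name:10} {size:6} bytes  {role}")
        for d, b in rep["dirs"].items():
            print(d, {k: len(v) for k, v in b.items()})
```

Run it against a working copy of the CSC directory rather than the original evidence; entries that land in the "other" bucket are worth a manual look since the post does not account for them.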

In the next post I will dive deeper into the format of the files that start with 0 and provide some Perl programs that will be able to read those files and provide some useful information.

Hopefully I was clear in what I just stated; if not, hopefully you will let me know.

Questions/Thoughts/Comments????

9 comments:

Unknown said...

Hi, I was just wondering if you had made any progress with your scripts to extract files from the CSC folder. I have a user who managed to reset his offline cache, and although we were able to use Undelete to recover the CSC folder, we can't make the offline files tool "see" them in their usable format. Any help would be a lifesaver!

Mark McKinnon said...

Graeme

I am just about ready to release them but have to tweak them a little. Shoot me an email at Mark dot McKinnon at sbcglobal dot net and I can see what I can do to help you out.

Mark

Anonymous said...

I have the same problem as well

But, the CSC is 3GB

Do you have the tool to extract the files?

Anonymous said...

Hi Mark

I just tried with CSCOffline file parsercopoier with allocation file, and it works

http://cfed-ttf.blogspot.com/2007/09/cscoffline-file-parsercopoier.html

You are a star
