Depot
Truxton stores file contents in large files called depots.
When you store a stream of bytes in a depot, the offset of the beginning of the stream in the depot and the stream length are recorded in the [Content]
table in the database.
Contents
File Format
The depot file format is very simple. The header of the file is 64KB. The remainder of the file is streams of bytes aligned on a page boundary, 4KB by default.
Header
The depot file header is a 32-byte signature followed by XML padded with enough spaces to fill out the first 64KB of the file. Data stored in a depot file begins at offset 65536. The signature is:
This is a Truxton Depot File!!<CR><LF>
Sample
This is a Truxton Depot File!!
<?xml version="1.0" standalone="yes"?>
<truxton>
<depot_id>5D72324E-A079-1A6A-0E80-D81600000010</depot_id>
<page_size>4096</page_size>
<createdby>C:\Program Files\Truxton\Loader\Expand.exe</createdby>
<created>2019-09-06T10:17:50.744432Z</created>
<ipaddress>172.18.92.241</ipaddress>
<version>3.1.0.902</version>
<command_line>"Expand.exe" -controlledby 9622956017505175439</command_line>
<process_id>4244</process_id>
<bios_id>4C4C4544-0046-5310-804D-B2C04F515132</bios_id>
<machine_sid_hash>F7CD1C0A-F558-41EB-8994-8DC9F83F5896</machine_sid_hash>
<bios_serial_number>2FSMCC2</bios_serial_number>
<user_name>SYSTEM</user_name>
<computer_name>DESKTOP-5NRI5PO</computer_name>
<filename>5D72324E-A079-1A6A-0E80-D81600000010_expand.file.depot</filename>
<type>1</type>
<customer>D0814FE2-7794-5E33-DDD4-B6BB588CB6D4</customer>
</truxton>
XML Fields
We store a lot of information in the XML to aid anyone who has the unenviable task of recovering a depot file.
Name | Meaning |
---|---|
depot_id
|
The identifier for this depot file. This should correspond to the [ID] column of the [Depot] table in the database.
|
page_size
|
The boundary on which entries in the depot will be aligned. It can be altered via the depotpagesize setting.
|
createdby
|
The full path to the executable that created this file. |
created
|
The time the depot file was created. |
ipaddress
|
The TCP/IP v4 address of the machine where the executable that created this file was running. |
version
|
The version number of the process that created this file. |
command_line
|
The contents of the command line of the process that created this file. |
process_id
|
The integer identifier of the process that created this file. |
bios_id
|
The unique id retrieved from the BIOS firmware. |
machine_sid_hash
|
This is the MachineGuid value retrieved from the registry key HKLM/SOFTWARE/Microsoft/Cryptography
|
bios_serial_number
|
The serial number of the machine running the process that created this file as reported by the BIOS. |
user_name
|
The name of the account the process was running under. |
computer_name
|
The name of the computer the process that created this file was running on. |
filename
|
The original name of the depot file. |
type
|
The type of depot file. |
customer
|
The identifier (license) of the customer that created this depot file. |
BIOS Fields
Here's where Truxton gets the BIOS fields.
bios_id
This uuid is retrieved from the BIOS using an Windows API call.
Specifically, the 'RSMB' firmware table is retrieved and the UUID
field of the System Information (Type 1) structure is used.
It can also be retrieved via:
wmic path Win32_ComputerSystemProduct get UUID
bios_serial_number
This string is retrieved from the BIOS using an API call.
Specifically, the 'RSMB' firmware table is retrieved and the SerialNumber
field of the System Information (Type 1) structure is used.
Dell will store their service tags in this field.
Data Alignment
While data is normally aligned on a 4KB boundary, it can be modified by the depotpagesize
setting which can be put into TruxtonSettings.xml
A special case of alignment is free space depots. They are aligned on a 512 byte boundary as this most closely matches hard drive sectors. If we were to align on 4KB or 8KB boundaries, carving would be nearly impossible.
When a file is added to a depot, it begins on the page boundary. Any space left after the end of a file but before the next page boundary is filled with zeroes.
Depot Deletion
When Truxton deletes media, it will not delete the depot files by default. There are two settings that govern depot deletion:
enabledeletedepots
- A boolean value that must be set to true to enable the deletion of depot filessoftdeletedepots
- Instead of deleting the depot file, rename it giving it an extension of.ToBeDeleted
Retrieving a File
To retrieve a file from a depot, you must first know where the file's contents exist in the depot. When anything in Truxton needs a file's contents it will follow these steps:
- Retrieve the file's GUID. This comes from the
[ID]
column of the[File]
table. - Retrieve the MD5. This comes from the
[HashID]
column of the[File]
table. - Retrieve the
[DepotID]
,[Offset]
and[Length]
values from the[Content]
table when the[Hash]
column matches the MD5. - Retrieve the
[Filename]
and[URI]
columns from the[Depot]
table when the[ID]
column matches the depot identifier. - Open the file, seek to the offset and read bytes for the given length. If the file cannot be opened, open the URI and read the byte range.
When using the truxton_message_get_file
API, it performs the steps above.