@port139 Blog

基本的にはデジタル・フォレンジックの技術について取り扱っていますが、記載内容には高確率で誤りが含まれる可能性があります。

ESENTUTLコマンド

OS 標準コマンドとして ESENTUTL なんていうコマンドがあるんですねぇ知りませんでした。ダンプも可能なようなので少し触ってみているところなのですが、とりあえず EDB ファイルのヘッダ情報を取得してみたところ↓です。わざわざバイト列を見て確認しなくても簡単に確認できますね...orz

C:\Windows\system32>esentutl /mh c:\Case\Windows.edb

Extensible Storage Engine Utilities for Microsoft(R) Windows(R)
Version 6.1
Copyright (C) Microsoft Corporation. All Rights Reserved.

Initiating FILE DUMP mode...
         Database: c:\Case\Windows.edb

DATABASE HEADER:
Checksum Information:
Expected Checksum: 0x0d08c6fa
  Actual Checksum: 0x0d08c6fa

Fields:
        File Type: Database
         Checksum: 0xd08c6fa
   Format ulMagic: 0x89abcdef
   Engine ulMagic: 0x89abcdef
 Format ulVersion: 0x620,17
 Engine ulVersion: 0x620,17
Created ulVersion: 0x620,17
     DB Signature: Create time:12/06/2009 10:05:54 Rand:1128377892 Computer:
         cbDbPage: 32768
           dbtime: 78264 (0x131b8)
            State: Dirty Shutdown
     Log Required: 16-18 (0x10-0x12)
    Log Committed: 0-18 (0x0-0x12)
  GenMax Creation: 12/13/2009 07:46:16
         Shadowed: Yes
       Last Objid: 60
     Scrub Dbtime: 0 (0x0)
       Scrub Date: 00/00/1900 00:00:00
     Repair Count: 0
      Repair Date: 00/00/1900 00:00:00
 Old Repair Count: 0
  Last Consistent: (0xD,6EE,1F4)  12/12/2009 11:13:26
      Last Attach: (0xD,6F0,7B)  12/12/2009 11:13:26
      Last Detach: (0x0,0,0)  00/00/1900 00:00:00
             Dbid: 1
    Log Signature: Create time:12/06/2009 10:05:54 Rand:1128367725 Computer:
       OS Version: (6.1.7600 SP 0 NLS 60101.60101)

Previous Full Backup:
        Log Gen: 0-0 (0x0-0x0)
           Mark: (0x0,0,0)
           Mark: 00/00/1900 00:00:00

Previous Incremental Backup:
        Log Gen: 0-0 (0x0-0x0)
           Mark: (0x0,0,0)
           Mark: 00/00/1900 00:00:00

Previous Copy Backup:
        Log Gen: 0-0 (0x0-0x0)
           Mark: (0x0,0,0)
           Mark: 00/00/1900 00:00:00

Previous Differential Backup:
        Log Gen: 0-0 (0x0-0x0)
           Mark: (0x0,0,0)
           Mark: 00/00/1900 00:00:00

Current Full Backup:
        Log Gen: 0-0 (0x0-0x0)
           Mark: (0x0,0,0)
           Mark: 00/00/1900 00:00:00

Current Shadow copy backup:
        Log Gen: 0-0 (0x0-0x0)
           Mark: (0x0,0,0)
           Mark: 00/00/1900 00:00:00

     cpgUpgrade55Format: 0
    cpgUpgradeFreePages: 0
cpgUpgradeSpaceMapPages: 0

       ECC Fix Success Count: none
   Old ECC Fix Success Count: none
         ECC Fix Error Count: none
     Old ECC Fix Error Count: none
    Bad Checksum Error Count: none
Old bad Checksum Error Count: none

  Last checksum finish Date: 00/00/1900 00:00:00
Current checksum start Date: 00/00/1900 00:00:00
      Current checksum page: 0

Operation completed successfully in 0.140 seconds.