Motivation
During the forensic analysis of a Windows machine, you may find the name of a deleted prefetch file. While its content may not be recoverable, the filename itself is often enough to find the full path of the executable for which the prefetch file was created.
Using the tool
The following fields must be provided:
- Executable name: including the extension. It is embedded in the prefetch filename, unless the name is longer than 29 characters (see "The 29-character limit" below).
- Prefetch hash: the 8 hexadecimal digits at the end of the prefetch filename, right before the .pf extension.
- Hash function
- Bodyfile
- Mount point
Hash function
There are 3 known prefetch hash functions:
- SCCA XP: used in Windows XP
- SCCA Vista: used in Windows Vista and Windows 10
- SCCA 2008: used in Windows 7, Windows 8 and Windows 8.1
Pick the function that matches the version of Windows the prefetch file came from; a candidate path hashed with the wrong function will never match.
Bodyfile
A bodyfile of the volume the executable was executed from.
The bodyfile format is not very restrictive, so there are many variations of it, some of which aren't supported. Body files created with fls and MFTECmd should work fine.
Mount point
The mount point of the bodyfile, i.e. the prefix of the path field (C:/ in the line below):
0|C:/Users/Peter/Desktop ($FILE_NAME)|62694-48-2|d/d-wx-wx-wx|...
How does it work?
The provided bodyfile is used to get the path of every folder on the volume. The tool appends the provided executable name to each of those paths to create a list of possible full paths for the executable. Each possible full path is then hashed using the provided hash function. If there is a possible full path for which the result matches the provided hash, that path is output. Since only folders present in the bodyfile are tried, the tool cannot find an executable whose parent folder has been lost entirely.
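The search described above, written out as an added example (this is not the project's own code). It parses the prefetch filename into executable name and hash (flagging the 29-character case), collects every directory from a TSK-style bodyfile, builds one candidate path per directory and hashes each one. Assumptions not taken from the page: the hashed string is the executable's upper-case NT device path, so the mount point is replaced by a \DEVICE\HARDDISKVOLUME<n> prefix and, because the volume number is not recorded in a bodyfile, a small range of numbers is tried; only the SCCA Vista hash (as publicly documented for the prefetch format) is implemented, and other hash functions can be passed in as callables. The bodyfile lines are constructed sample data.

```python
"""
Recover the full path of a prefetch file's executable from a bodyfile.

Added example, not the project's own code. Assumptions are marked below.
"""
import re
from typing import Callable, Iterable, List, Optional, Tuple

PREFETCH_NAME_RE = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-Fa-f]{8})\.pf$")
MAX_EXE_NAME_LEN = 29  # longer executable names are cut in the prefetch filename

# Constructed sample bodyfile (TSK 3.x body format: MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime)
SAMPLE_BODYFILE = """\
0|C:/Windows|1234-144-1|d/drwxrwxrwx|0|0|0|1600000000|1600000000|1600000000|1600000000
0|C:/Windows/System32|1235-144-2|d/drwxrwxrwx|0|0|0|1600000000|1600000000|1600000000|1600000000
0|C:/Users|1300-144-1|d/drwxrwxrwx|0|0|0|1600000000|1600000000|1600000000|1600000000
0|C:/Users/Peter|1301-144-1|d/drwxrwxrwx|0|0|0|1600000000|1600000000|1600000000|1600000000
0|C:/Users/Peter/Desktop ($FILE_NAME)|62694-48-2|d/d-wx-wx-wx|0|0|0|1600000000|1600000000|1600000000|1600000000
0|C:/Users/Peter/Desktop/notes.txt|62700-128-1|r/rrwxrwxrwx|0|0|12|1600000000|1600000000|1600000000|1600000000
0|C:/Temp (deleted)|62800-144-1|d/drwxrwxrwx|0|0|0|1600000000|1600000000|1600000000|1600000000
"""


def scca_vista_hash(path: str) -> int:
    """SCCA Vista hash: start at 314159, then h = h*37 + ord(c) mod 2**32 per character."""
    h = 314159
    for ch in path:
        h = (h * 37 + ord(ch)) & 0xFFFFFFFF
    return h


def parse_prefetch_name(filename: str) -> Tuple[str, int, bool]:
    """Split NAME-HASH.pf into (executable name, hash, possibly truncated)."""
    m = PREFETCH_NAME_RE.match(filename)
    if not m:
        raise ValueError(f"not a prefetch filename: {filename!r}")
    exe = m.group("exe")
    # A name of exactly 29 characters may be the whole name or a cut-off one.
    return exe, int(m.group("hash"), 16), len(exe) >= MAX_EXE_NAME_LEN


def directories_from_bodyfile(lines: Iterable[str], mount_point: str) -> List[str]:
    """Return every directory in the bodyfile as a backslash path relative to mount_point."""
    mount_point = mount_point.replace("\\", "/")
    dirs = {""}  # the mount point itself is a possible parent directory
    for line in lines:
        fields = line.rstrip("\n").split("|")
        if len(fields) < 4:
            continue  # blank or malformed line
        name, mode = fields[1].replace("\\", "/"), fields[3]
        if "d" not in mode[:3]:  # "d/d...", "-/d...": only directories matter
            continue
        # Drop fls decorations such as " ($FILE_NAME)" and " (deleted)".
        name = re.sub(r"( \((?:\$FILE_NAME|deleted[^)]*)\))+$", "", name)
        if not name.startswith(mount_point):
            continue
        dirs.add(name[len(mount_point):].replace("/", "\\").strip("\\"))
    return sorted(dirs)


def find_executable_path(lines: Iterable[str], exe_name: str, target_hash: int,
                         hash_fn: Callable[[str], int] = scca_vista_hash,
                         mount_point: str = "C:/",
                         volume_numbers: Iterable[int] = range(1, 11)) -> Optional[str]:
    """Return the candidate device path whose hash equals target_hash, or None."""
    volumes = list(volume_numbers)
    for rel_dir in directories_from_bodyfile(lines, mount_point):
        tail = (rel_dir + "\\" if rel_dir else "") + exe_name
        for n in volumes:
            # Assumption: the hash covers the upper-case NT device path.
            candidate = f"\\DEVICE\\HARDDISKVOLUME{n}\\{tail}".upper()
            if hash_fn(candidate) == target_hash:
                return candidate
    return None


if __name__ == "__main__":
    # No real prefetch file is embedded, so derive a target hash from a chosen
    # path and check that the search recovers it from the sample bodyfile.
    wanted = r"\DEVICE\HARDDISKVOLUME2\USERS\PETER\DESKTOP\NOTEPAD.EXE"
    pf_name = f"NOTEPAD.EXE-{scca_vista_hash(wanted):08X}.pf"
    exe, target, truncated = parse_prefetch_name(pf_name)
    print(pf_name, "truncated name:", truncated)
    print(find_executable_path(SAMPLE_BODYFILE.splitlines(), exe, target))
```

The candidate count is (directories in the bodyfile) x (volume numbers tried), so even a large volume is searched in seconds; the real cost is making sure the bodyfile was taken from the right volume and that the hash function matches the Windows version.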
Limitations
The following cases aren't supported:
- Hosting applications, such as svchost.exe and mmc.exe
- Applications executed with the /prefetch:# flag
- Applications executed from a UNC (network) path
In these cases the prefetch hash does not depend on the executable's path alone, so enumerating folders from a bodyfile cannot reproduce it.
The 29-character limit
If the executable name is longer than 29 characters (including the extension), it will be truncated in the prefetch filename. For example, executing this file:
This is a very long file nameSo this part will be truncated.exe
from the C:\Temp directory on a Windows 10 machine will result in the creation of this prefetch file:
THIS IS A VERY LONG FILE NAME-D0B882CC.pf
In this case, the executable name can't be derived from the prefetch filename, so you won't be able to provide it to the tool.
License