FS_Forensic_Prefetch
The directory forensic/prefetch exists as a sub-directory to the file system root.
The directory is hidden by default. It will appear once forensic mode has been started and processing is completed.
The directory contains data recovered from Windows prefetch files as follows:
File | Description |
---|---|
00-prefetch-summary.txt | Summary file containing prefetch information. |
`<N>-<name>.pf` | Recovered prefetch file. |
`<N>-<name>.pf.txt` | List of files referenced by the prefetched application. |
Recovered prefetch data includes:
- Executable name.
- Number of executions (runs).
- Last 8 execution times.
- List of files referenced by the application.
The MemProcFS prefetch implementation parses prefetch files on Windows 8 and upwards.
Files in the forensic/prefetch directory are read-only.
The file 00-prefetch-summary.txt contains summary information for the recovered prefetch files: the process name, the number of runs and the last eight execution times.
The file 00-prefetch-summary.txt has the following format:
```
# Process RunCount #Files PrefetchFile RunTime1 RunTime2 RunTime3 RunTime4 RunTime5 RunTime6 RunTime7 RunTime8
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0000 GOOGLECRASHHANDLER64.EXE 4 34 GOOGLECRASHHANDLER64.EXE-00550B3D.pf 2019-08-12 22:00:30 UTC 2019-07-22 01:24:04 UTC 2019-06-06 17:56:14 UTC 2019-05-31 00:26:25 UTC *** *** *** ***
0001 SYSTEMSETTINGS.EXE 4 265 SYSTEMSETTINGS.EXE-45A5EC0B.pf 2019-08-12 22:51:41 UTC 2019-01-12 19:15:59 UTC 2019-01-12 19:07:26 UTC 2019-01-07 02:52:48 UTC *** *** *** ***
0002 SECURITYHEALTHSERVICE.EXE 7 83 SECURITYHEALTHSERVICE.EXE-4AC18DFE.pf 2019-08-12 22:37:20 UTC 2019-08-12 22:22:04 UTC 2019-08-12 21:59:14 UTC 2019-06-02 21:56:12 UTC 2019-05-31 00:19:46 UTC 2019-01-11 19:45:47 UTC 2019-01-07 03:00:56 UTC ***
```
The example shows the prefetch file summary as well as a prefetch file listing.
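As an added example (not code from the MemProcFS project), the following Python script parses the 00-prefetch-summary.txt format shown above into structured records and answers two questions an analyst typically asks of it: which executables ran inside a given time window, and which entries have a RunCount larger than the number of stored timestamps, so that older executions are no longer recoverable from the prefetch file itself (the format only keeps the last eight). The sample text is constructed inline from the three lines shown above plus one extra constructed line (EXAMPLEAPP.EXE) added to exercise the truncation check; the `parse_utc`, `parse_summary`, `executions_between` and `truncated_history` names are this example's own.

```python
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Tuple

# Constructed sample in the 00-prefetch-summary.txt layout. The first three data
# lines are the ones shown on this page; the fourth (EXAMPLEAPP.EXE) is made up
# to show an entry whose run count exceeds the eight stored timestamps.
SAMPLE_SUMMARY = """\
# Process RunCount #Files PrefetchFile RunTime1 RunTime2 RunTime3 RunTime4 RunTime5 RunTime6 RunTime7 RunTime8
----------------------------------------------------------------------------------------------------------------
0000 GOOGLECRASHHANDLER64.EXE 4 34 GOOGLECRASHHANDLER64.EXE-00550B3D.pf 2019-08-12 22:00:30 UTC 2019-07-22 01:24:04 UTC 2019-06-06 17:56:14 UTC 2019-05-31 00:26:25 UTC *** *** *** ***
0001 SYSTEMSETTINGS.EXE 4 265 SYSTEMSETTINGS.EXE-45A5EC0B.pf 2019-08-12 22:51:41 UTC 2019-01-12 19:15:59 UTC 2019-01-12 19:07:26 UTC 2019-01-07 02:52:48 UTC *** *** *** ***
0002 SECURITYHEALTHSERVICE.EXE 7 83 SECURITYHEALTHSERVICE.EXE-4AC18DFE.pf 2019-08-12 22:37:20 UTC 2019-08-12 22:22:04 UTC 2019-08-12 21:59:14 UTC 2019-06-02 21:56:12 UTC 2019-05-31 00:19:46 UTC 2019-01-11 19:45:47 UTC 2019-01-07 03:00:56 UTC ***
0003 EXAMPLEAPP.EXE 12 50 EXAMPLEAPP.EXE-12345678.pf 2019-08-11 10:00:00 UTC 2019-08-11 09:00:00 UTC 2019-08-11 08:00:00 UTC 2019-08-10 10:00:00 UTC 2019-08-10 09:00:00 UTC 2019-08-10 08:00:00 UTC 2019-08-09 10:00:00 UTC 2019-08-09 09:00:00 UTC
"""

# A run time column is either "YYYY-MM-DD HH:MM:SS UTC" or "***" (empty slot).
TIMESTAMP_RE = re.compile(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC")


def parse_utc(text: str) -> datetime:
    """Parse 'YYYY-MM-DD HH:MM:SS' as a timezone-aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


@dataclass
class PrefetchEntry:
    index: int
    process: str
    run_count: int
    file_count: int
    prefetch_file: str
    run_times: List[datetime] = field(default_factory=list)  # newest first, max 8


def parse_summary(text: str) -> List[PrefetchEntry]:
    """Parse the summary file; header ('#') and separator ('---') lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("-"):
            continue
        # Five fixed columns, then the eight run time slots as free text.
        parts = line.split(None, 5)
        if len(parts) < 5:
            continue
        rest = parts[5] if len(parts) == 6 else ""
        run_times = [parse_utc(m) for m in TIMESTAMP_RE.findall(rest)]
        entries.append(PrefetchEntry(int(parts[0]), parts[1], int(parts[2]),
                                     int(parts[3]), parts[4], run_times))
    return entries


def executions_between(entries: List[PrefetchEntry], start: datetime,
                       end: datetime) -> List[Tuple[datetime, str]]:
    """Execution timeline (time, process) for runs inside [start, end], newest first."""
    hits = [(t, e.process) for e in entries for t in e.run_times if start <= t <= end]
    return sorted(hits, reverse=True)


def truncated_history(entries: List[PrefetchEntry]) -> List[str]:
    """Processes that ran more often than the prefetch file has timestamps for:
    their earlier executions cannot be dated from prefetch alone."""
    return [e.process for e in entries if e.run_count > len(e.run_times)]


if __name__ == "__main__":
    entries = parse_summary(SAMPLE_SUMMARY)
    window = (parse_utc("2019-08-12 21:00:00"), parse_utc("2019-08-12 23:59:59"))
    for when, proc in executions_between(entries, *window):
        print(when.isoformat(), proc)
    print("history truncated for:", truncated_history(entries))
```

On a live MemProcFS mount, replacing SAMPLE_SUMMARY with the contents of forensic/prefetch/00-prefetch-summary.txt gives the same timeline; the per-file `.pf.txt` listings are not needed for this step.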
The forensic/prefetch sub-directory is implemented as a built-in native C-code plugin. The plugin source is located in the file modules/m_fc_prefetch.c in the vmm project.
Sponsor PCILeech and MemProcFS:
PCILeech and MemProcFS are free and open source!
I put a lot of time and energy into PCILeech and MemProcFS and related research to make this happen. Some aspects of the projects relate to hardware and I put quite some money into my projects and related research. If you think PCILeech and/or MemProcFS are awesome tools and/or if you had a use for them it's now possible to contribute by becoming a sponsor!
If you like what I've created with PCILeech and MemProcFS with regards to DMA, Memory Analysis and Memory Forensics and would like to give something back to support future development, please consider becoming a sponsor at: https://github.com/sponsors/ufrisk
Thank You 💖