Wednesday, February 27, 2008

Prefetch Information

Here is a quick and dirty program to parse a prefetch file and output some important information. It is currently only a command line program and does not use a database or scan the prefetch directory (I know I am slacking; those would be good improvements to make and fairly easy). What it does is parse the prefetch file and give you the standard information that other programs have provided, i.e. the embedded date, the number of times run and the executable name, plus a list of the directories and files that are/have been loaded. The program can be found here.
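To make the fields the post describes concrete, here is an added example of a small version-aware prefetch parser. It is not the prefetch_info.exe tool from the post; it reads the documented SCCA header layouts (XP/2003 is format version 17; Vista/7 moved the last-run and run-count fields in version 23, and 8.1 moved the run count again in version 26, which is why a parser hard-coded to the XP offsets reports nonsense run counts on newer files) and refuses Windows 10 files, which are stored compressed behind a "MAM" header. The sample .pf image it builds for AID4MAIL.EXE is constructed here for the demonstration and does not come from a real system.

```python
"""Version-aware parser for Windows prefetch (.pf) files.

Added example, not the post's prefetch_info.exe. Offsets follow the SCCA
header layouts for format versions 17, 23 and 26; build_sample() creates
a constructed test image rather than reading a real prefetch file.
"""
import struct
import sys
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Where the "embedded date" (last-run FILETIME) and the run count live, keyed
# by format version. Reading the version 17 offsets from a version 23 file
# returns an unrelated dword, which shows up as an absurd run count.
LAYOUTS = {
    17: {"last_run": 0x78, "run_count": 0x90, "header": 0x98},   # XP / 2003
    23: {"last_run": 0x80, "run_count": 0x98, "header": 0xF0},   # Vista / 7
    26: {"last_run": 0x80, "run_count": 0xD0, "header": 0x130},  # 8.1
}


def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01) to UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_prefetch(data):
    """Return exe name, hash, last-run time, run count and loaded-file list."""
    if data[:3] == b"MAM":
        # Windows 10+ stores .pf files LZXPRESS-Huffman compressed; the SCCA
        # header is only visible after decompression, which is out of scope.
        raise ValueError("compressed (MAM) prefetch file: decompress first")
    if len(data) < 0x98 or data[4:8] != b"SCCA":
        raise ValueError("missing SCCA signature: not a prefetch file")
    version = struct.unpack_from("<I", data, 0)[0]
    if version not in LAYOUTS:
        raise ValueError(f"unsupported prefetch format version {version}")
    layout = LAYOUTS[version]
    if len(data) < layout["header"]:
        raise ValueError("file truncated before end of header")

    # 0x10: executable name, 29 UTF-16LE characters plus terminator (60 bytes)
    exe_name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    prefetch_hash = struct.unpack_from("<I", data, 0x4C)[0]
    # 0x64/0x68: offset and byte length of the filename-strings section; the
    # bounds check keeps a crafted or corrupted file from reading past EOF.
    strings_off, strings_len = struct.unpack_from("<II", data, 0x64)
    if strings_off + strings_len > len(data):
        raise ValueError("filename string section runs past end of file")
    blob = data[strings_off:strings_off + strings_len]
    files = [s for s in blob.decode("utf-16-le", errors="replace").split("\x00") if s]

    last_run = struct.unpack_from("<Q", data, layout["last_run"])[0]
    run_count = struct.unpack_from("<I", data, layout["run_count"])[0]
    return {
        "version": version,
        "exe_name": exe_name,
        "hash": f"{prefetch_hash:08X}",
        "last_run": filetime_to_datetime(last_run),
        "run_count": run_count,
        "files": files,
    }


def build_sample(version=17):
    """Construct a synthetic .pf image for AID4MAIL.EXE in the given layout."""
    layout = LAYOUTS[version]
    names = [  # constructed entries echoing the post's output
        "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
        "\\DEVICE\\HARDDISK3\\DP(1)0-0+8\\AID4MAIL\\AID4MAIL.EXE",
    ]
    strings = b"".join(n.encode("utf-16-le") + b"\x00\x00" for n in names)
    hdr = bytearray(layout["header"])
    struct.pack_into("<I4sII", hdr, 0, version, b"SCCA", 0x0F, len(hdr) + len(strings))
    hdr[0x10:0x10 + 60] = "AID4MAIL.EXE".encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", hdr, 0x4C, 0x1EE932F2)  # hash from the post's file name
    struct.pack_into("<II", hdr, 0x64, len(hdr), len(strings))
    run_time = datetime(2008, 2, 28, 2, 16, 11, tzinfo=timezone.utc)
    struct.pack_into("<Q", hdr, layout["last_run"], datetime_to_filetime(run_time))
    struct.pack_into("<I", hdr, layout["run_count"], 1)
    return bytes(hdr) + strings


def report(info):
    """Render the parsed fields in the same shape as the post's output."""
    lines = [
        f"File Name that was run {info['exe_name']}",
        f"File {info['exe_name']} was run {info['run_count']} times",
        f"{info['exe_name']} Embedded date/time is {info['last_run']:%a %b %d %H:%M:%S %Y} (UTC)",
        "List of files and Directories whose pages are to be loaded",
    ]
    return "\n".join(lines + info["files"])


if __name__ == "__main__":
    # With a path argument parse that file; otherwise parse the constructed sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    print(report(parse_prefetch(data)))
```

Run it with no arguments to see the constructed sample rendered in the post's format, or pass a copied .pf file. Timestamps are reported in UTC, whereas the tool in the post prints them in the machine's local time, so expect an offset of your time zone when comparing.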

To run the program, just type:

prefetch_info.exe <directory/prefetch file name>

Here is an example of the output for the prefetch file AID4MAIL.EXE-1EE932F2.pf. One thing to note is where the AID4MAIL.EXE program was run from: kind of cool to see that it did not run from the hard drive of my laptop but from a USB thumb drive.
You can also see what song I was listening to when I ran the AID4MAIL program (you can search for that one).

As always, questions/comments/thoughts?

File Name that was run AID4MAIL.EXE

Date/Time prefetch file was created Thu Feb 28 02:16:21 2008
Date/Time prefetch file was modified Thu Feb 28 02:16:21 2008
Date/Time prefetch file was last accessed Thu Feb 28 02:16:21 2008

File AID4MAIL.EXE was run 1 times

AID4MAIL.EXE Embeded date/time is Thu Feb 28 02:16:11 2008

List of files and Directories whose pages are to be loaded

\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NTDLL.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\KERNEL32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\UNICODE.NLS
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\LOCALE.NLS
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SORTTBLS.NLS
\DEVICE\HARDDISK3\DP(1)0-0+8\AID4MAIL\AID4MAIL.EXE
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\USER32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\GDI32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\IMM32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\ADVAPI32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RPCRT4.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\LPK.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\USP10.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSVCRT.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\CTYPE.NLS
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\AMINIT.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SORTKEY.NLS
\DEVICE\HARDDISKVOLUME2\WINDOWS\TEMP\AEXAM\AEXFD.TMP
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\OLEAUT32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\OLE32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MPR.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\VERSION.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.2600.2982_X-WW_AC3F9C03\COMCTL32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SHLWAPI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\WINDOWSSHELL.MANIFEST
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WINSPOOL.DRV
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SHELL32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\COMDLG32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WINMM.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\ENTAPI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\PSAPI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NETAPI32.DLL
\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NETWORK ASSOCIATES\BOPDATA\_DATE-20080227_TIME-171047859_ENTERCEPTEXCEPTIONS.DAT
\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\NETWORK ASSOCIATES\BOPDATA\_DATE-20080227_TIME-171047859_ENTERCEPTRULES.DAT
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\UXTHEME.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSCTFIME.IME
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RPCSS.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WDMAUD.DRV
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SETUPAPI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WINTRUST.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\CRYPT32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSASN1.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\IMAGEHLP.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSACM32.DRV
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSACM32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MIDIMAP.DLL
\DEVICE\HARDDISKVOLUME2\$MFT
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\APPHELP.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\CLBCATQ.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\COMRES.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\REGISTRATION\R000000000013.CLB
\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\TORTOISESVN\BIN\TORTOISESVN.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WININET.DLL
\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\TORTOISESVN\BIN\LIBAPR_TSVN.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WS2_32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WS2HELP.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSWSOCK.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.762_X-WW_6B128700\MSVCR80.DLL
\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\TORTOISESVN\BIN\LIBAPRUTIL_TSVN.DLL
\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\TORTOISESVN\BIN\LIBAPRICONV_TSVN.DLL
\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\TORTOISESVN\BIN\INTL3_SVN.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.762_X-WW_6B128700\MSVCP80.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SHFOLDER.DLL
\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\TORTOISESVN\ICONV\WINDOWS-1252.SO
\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\TORTOISESVN\ICONV\_TBL_SIMPLE.SO
\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\TORTOISESVN\ICONV\UTF-8.SO
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\CSCUI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\CSCDLL.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RICHED32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RICHED20.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\WIN.INI
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\USERENV.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\DRPROV.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NTLANMAN.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NETUI0.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NETUI1.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NETRAP.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SAMLIB.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\DAVCLNT.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NTSHRUI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\ATL.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WPDSHEXT.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.GDIPLUS_6595B64144CCF1DF_1.0.2600.2180_X-WW_522F9F82\GDIPLUS.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\PORTABLEDEVICEAPI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\AUDIODEV.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WMVCORE.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WMASF.DLL
\DEVICE\HARDDISKVOLUME2\MARK\ITUNES\EMINEM\CURTAIN CALL - THE HITS (EDITED VERSION)\SHAKE THAT (EDITED VERSION).M4A
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSIMTF.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SECUR32.DLL
\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\Mark\LOCAL SETTINGS\TEMPORARY INTERNET FILES\CONTENT.IE5\INDEX.DAT
\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\Mark\COOKIES\INDEX.DAT
\DEVICE\HARDDISKVOLUME2\DOCUMENTS AND SETTINGS\Mark\LOCAL SETTINGS\HISTORY\HISTORY.IE5\INDEX.DAT
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RASAPI32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RASMAN.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\TAPI32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RTUTILS.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSV1_0.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\IPHLPAPI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SENSAPI.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MSCTF.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\URLMON.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\MLANG.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WSOCK32.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\HNETCFG.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\WSHTCPIP.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\DNSAPI.DLL
\DEVICE\HARDDISKVOLUME2\PROGRAM FILES\BONJOUR\MDNSNSP.DLL
\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RASADHLP.DLL

16 comments:

Mark said...

Hi, I have tried this cli tool but my only result was a long list of


┌kÞ■`

┌kÞ■a
ð
┌kÞ■b
Ó
┌kÞ■c
­
┌kÞ■d

☺┌kÞ■e
►☺┌kÞ■f
☺┌kÞ■g

etc.

What did I do wrong?

Mark

Mark McKinnon said...

I have only seen this when a file has been corrupted. Would it be possible for you to send me the file?

Mark

Mark said...

I'm sorry, I used the tool on a file I copied with FTK Imager. Now I understand your tool is for live investigation of original .pf files (and not copied ones). It would be great, though, if the tool could also work with copied files (but I understand that a lot of information about other processes is not available then :-)

Anonymous said...

I tried with a simple copy of a file done with windows explorer and it worked fine.

Mark McKinnon said...

Actually, when I was testing it out I just sourced the files right from the prefetch folder. It should not matter whether the system is live or not. Like I said before, I have only run into junk being displayed when the file had somehow become corrupted.

Mark

Mark said...

I have tried it again with a (forensic) copy of a .pf file I have copied with Encase. Now the output is:

C:\temp>prefetch_info.exe WORDPAD.EXE-10E0129A.pf
File Name that was run WORDPAD.EXE

Date/Time prefetch file was created Sun Mar 11 10:02:26 2007
Date/Time prefetch file was modified Sat Apr 14 18:32:15 2007
Date/Time prefetch file was last accessed Sat Apr 14 18:32:15 2007

File WORDPAD.EXE was run 5 times

WORDPAD.EXE Embeded (*** note: please change this to embedded :-) ***) date/time is Sat Apr 14 19:32:05 2007

List of files and Directories whose pages are to be loaded

\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\KERNEL32.DLL

etc.

Thanks for your work!

Anonymous said...

Cool tool. Quick question: are all the locations (loaded files) that are listed a listing of what is currently running, or are they a list of what the application, say calc.exe, has to load to run?

thanks

Anonymous said...

Thank you for creating prefetch_info.exe. I tried running it on a .PF file from a Windows 7 machine. Everything seemed to parse OK except the number of times run. According to the utility, the program in question was run 35,840 times in 3 days. Did the format of the PF file change so that your program is misreading the execution count field?

Roshan said...

Did anyone test this for Windows 10?