Comments on "Prefetch Information" (Computer Forensics/E-Discovery Tips/Tricks and Information, by Mark McKinnon)

16 comments, oldest first.

Mark (2008-03-12 02:22):
Hi, I have tried this CLI tool but my only result was a long list of

    ░
    ┌kÞ■`
    └
    ┌kÞ■a
    ð
    ┌kÞ■b
    Ó
    ┌kÞ■c

    ┌kÞ■d

    ☺┌kÞ■e
    ►☺┌kÞ■f
     ☺┌kÞ■g

    etc.

What did I do wrong?

Mark

Mark McKinnon (2008-03-12 08:38):
I have only seen this when a file has been corrupted. Would it be possible for you to send me the file?

Mark

Mark (2008-03-13 04:57):
I'm sorry, I have used the tool on a file I did copy with FTK Imager. Now I understand your tool is for live investigation of original .pf files (and not copied ones).
It would be great though when the tool could also work with copied files (but I understand that a lot of information about other processes is not available then :-)

Anonymous (2008-03-13 05:34):
I tried with a simple copy of a file done with Windows Explorer and it worked fine.

Mark McKinnon (2008-03-13 10:57):
Actually, when I was testing it out I just sourced the files right from the prefetch folder. It should not matter whether the system is live or not. Like I said before, I have only run into junk being displayed when the file had somehow become corrupted.

Mark

Mark (2008-03-14 03:08):
I have tried it again with a (forensic) copy of a .pf file I have copied with EnCase.
Now the output is:

    C:\temp>prefetch_info.exe WORDPAD.EXE-10E0129A.pf
    File Name that was run WORDPAD.EXE

    Date/Time prefetch file was created Sun Mar 11 10:02:26 2007
    Date/Time prefetch file was modified Sat Apr 14 18:32:15 2007
    Date/Time prefetch file was last accessed Sat Apr 14 18:32:15 2007

    File WORDPAD.EXE was run 5 times

    WORDPAD.EXE Embeded (*** note: please change this to embedded :-) ***) date/time is Sat Apr 14 19:32:05 2007

    List of files and Directories whose pages are to be loaded

    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\KERNEL32.DLL

    etc.

Thanks for your work!

NetCerto (2008-04-18 16:13):
This comment has been removed by the author.

Anonymous (2008-07-10 06:40):
Cool tool. Quick question: are all the locations (loaded files) that are listed a listing of what is currently running, or are they a list of what the application, say calc.exe, has to load to run?

Thanks

Anonymous (2010-07-06 20:12):
There's no denying the appeal of a classic replica handbag. Whatever style you choose, a Louis Vuitton handbag emanates timeless style and sophistication.
Since the fashion house started operations in 1854, thousands of chic women around the globe have indulged in these classic styles. In addition to the world's most distinctive handbags, the designer also offers coordinating LV accessories.

michaelvk (2011-07-28 00:28):
This comment has been removed by the author.

Anonymous (2011-08-31 13:05):
Cool blog you got here. It would be great to read more about that theme. Thanks for sharing that material. Margo

puertas metalicas (2012-02-25 17:53):
It won't truly have success, I believe so.

sports handicapping software (2012-04-27 20:20):
Great information, you have a wonderful blog and an excellent article!!

ipad app development (2012-12-11 02:09):
Nice explanation... thanks for discussing it in detail...

Anonymous (2014-08-27 16:10):
Thank you for creating prefetch-info.exe. I tried running it on a .PF file from a Windows 7 machine. Everything seemed to parse OK except the number of times run. According to the utility, the program in question was run 35,840 times in 3 days. Did the format of the PF file change so that your program is misreading the execution count field?

Roshan (2015-09-17 00:49):
Did anyone test this for Windows 10?