Difference between pages "Palm" and "Prefetch"

From Forensics Wiki

Palm

=Overview=

A "Palm" is the common name for a small-scale (hand-held) computer that runs Palm's Palm OS software.

The Palm OS platform is an open architecture that provides a basis for third-party developers and original equipment manufacturers (OEMs) to create mobile computing solutions. The platform consists of five components:

* The reference hardware design
* The device operating system, the Palm OS software
* The HotSync conduit data synchronization technology
* The platform component tools, including an application programming interface (API) that enables developers to write applications
* The software interface capabilities to support hardware add-ons

(http://www.palm.com/us/company/pr/2000/092000.html, 2000)

== History ==

Palm Computing was founded by Jeff Hawkins, Donna Dubinsky and Ed Colligan. The company's original purpose was to create handwriting recognition software (Graffiti) for other manufacturers' devices. The initial idea for Palm's own device came from Hawkins' habit of carrying a block of wood in his pocket.

The first Palm device, released in 1996, was called the Pilot. Because Pilot Pen Corporation brought a trademark infringement case, the second-generation device released in 1997 was named the PalmPilot.

The Palm was not the first PDA released, but it benefited from the failure of Apple's Newton.

The Palm OS initially featured personal information management (PIM) tools such as Calendar, Contacts, Memo Pad, Expense and Tasks. Later releases added more features. Notable Palm OS releases:

* Versions 3.1, 3.3 and 3.5: added support for color displays, multiple expansion ports, new processors, etc.
* Version 4.0: added a standard interface for external file system access.
* Version 5.0: first version to support Acorn RISC Machine (ARM) devices. Later versions, including OS 5.2, featured Graffiti 2. This release marked the separation of Palm OS (PalmSource) from the hardware business (palmOne).

Version 6 of the Palm OS (Cobalt) has been announced, but no devices running Palm OS 6 have been released.

=Features=

* '''Address Book''': keeps track of the user's contacts. Synchronized via HotSync Manager.
* '''Calculator''': basic four-function calculator.
* '''Datebook''': tracks appointments, birthdays and other important dates during the year. Synchronized via HotSync Manager.
* '''Expenses''': keeps track of spending.
* '''HotSync''': application that runs on a desktop or portable PC or Mac and synchronizes calendars and contacts with the Palm device.
* '''Memo Pad''': write short notes.
* '''Note Pad''': scribble notes in your own handwriting.
* '''To Do List''': create a checklist of items to accomplish. Synchronized via HotSync Manager.
* '''Palm Photos''': photo manager that allows sharing of photos between multiple Palm devices.

==Palm Pilot==

The original creators of the PalmPilot were Jeff Hawkins, Donna Dubinsky, and Ed Colligan. Hawkins established the idea of the PalmPilot with a block of wood with writing on it.

<table border="1">
<tr>
  <td> </td>
  <th>Palm Pilot 1000</th>
  <th>Palm Pilot 5000</th>
  <th>Palm Pilot Personal</th>
  <th>Palm Pilot Professional</th>
</tr>
<tr>
  <th>Features</th>
  <td>
    <ul>
      <li>Motorola 68328 processor</li>
      <li>128 KB memory</li>
      <li>Palm OS 1.0</li>
    </ul>
  </td>
  <td>
    <ul>
      <li>Dragonball processor</li>
      <li>512 KB memory</li>
      <li>Palm OS 1.0</li>
    </ul>
  </td>
  <td>
    <ul>
      <li>Dragonball processor</li>
      <li>512 KB memory</li>
      <li>Palm OS 2.0</li>
    </ul>
  </td>
  <td>
    <ul>
      <li>Dragonball processor</li>
      <li>1 MB memory</li>
      <li>Palm OS 2.0</li>
    </ul>
  </td>
</tr>
</table>

==3Com Audrey==

The 3Com Audrey was created as a kitchen computer in 2000-2001 and was used mainly to access the Internet. It runs QNX with Palm OS extensions. One notable aspect of the Audrey is how easily it can be hacked: owners have turned it into anything from a web server to a chat client.

It runs on the Intel-compatible Cyrix MediaGX processor and uses Palm's HotSync technology to update its address book and date book with up to two Palms simultaneously. It connects to the Internet through a USB Ethernet controller and has built-in stereo speakers for digital and streaming music. Input is through the clear stylus or the pull-out wireless keyboard; Graffiti is not used.

The Audrey was discontinued on March 21, 2001, but it still has an active hobbyist community.

==Fossil==

This is a very neat model: a digital wristwatch with Palm OS version 4.1 installed. It was sold under two brands, Abacus and Fossil.

<table border="1">
<tr>
  <th colspan="4">Features</th>
</tr>
<tr>
  <th>Operating System</th>
  <th>Memory</th>
  <th>LCD Dimensions</th>
  <th>Other Notable Features</th>
</tr>
<tr>
  <td>Palm OS version 4.1</td>
  <td>8 MB</td>
  <td>160 x 160 with backlight</td>
  <td>
    <ul>
      <li>Touch screen</li>
      <li>3-way rocker and back button</li>
      <li>USB for Windows and Macintosh</li>
      <li>Infrared port</li>
      <li>3 hours between charges</li>
    </ul>
  </td>
</tr>
</table>

==Garmin==

==Kyocera==

Kyocera acquired QUALCOMM Incorporated's Code Division Multiple Access (CDMA) wireless phone business in February 2000 and incorporates QUALCOMM's CDMA technology in the development and manufacture of wireless phones. After the acquisition, Kyocera and Palm Inc. reached an agreement to license the Palm OS platform as the foundation for a suite of smartphones.

==QualComm==

In September 1998, QUALCOMM introduced the pdQ smartphone, the first CDMA digital wireless phone to integrate the Palm OS software. QUALCOMM's CDMA handset business was bought by Kyocera in February 2000.

==Samsung==

==Sony Clié==

==Symbol==

==TapWave==

==TRG==

==Handspring Visor==

The original creators of the PalmPilot, Jeff Hawkins, Donna Dubinsky, and Ed Colligan, left Palm Computing after disputes with the parent company 3Com. The trio founded Handspring in 1998. Its first product, released in 1999, was the Handspring Visor, a clone of the original PalmPilot with minor additions that ran a licensed Palm OS. Its most prominent features were USB support and an expansion slot (Springboard) for add-on modules, neither of which was yet common at the time.

The Visor line includes:

* Visor and Visor Deluxe
* Visor Prism
* Visor Platinum
* Visor Edge
* Visor Neo
* Visor Pro

==Treo==

Palm (branded palmOne at the time) manufactures a variety of devices, including the LifeDrive, the Treo 650 and 700w, the Palm Z22 and TX, and the Tungsten E2, each marketed at a different segment. The LifeDrive contains a 4 GB integrated hard drive and is advertised as a portable multimedia device that plays videos and MP3s; it also includes integrated Wi-Fi and Bluetooth. The Treo 650 and 700w are the company's smartphones: the Treo 650 runs Palm OS, while the 700w runs Windows Mobile. The Z22, TX and Tungsten E2 are primarily personal organizers.

=Forensics=

Forensics for Palm devices is a nascent field. Several tools are available for image acquisition and analysis of Palm devices.

==EnCase==

EnCase, published by Guidance Software, is a complete forensics software package that handles all steps of the investigative process, from acquisition to report creation. The software includes built-in capabilities for MD5 hashing, data carving, deleted file recovery, and many other functions.

Although traditionally used for desktop computer forensics, EnCase does support the acquisition and analysis of a limited number of Palm devices.

==Paraben==

Paraben publishes a software application designed specifically for PDA forensics, PDA Seizure. This tool allows PDA data to be acquired, viewed, and reported on, all within a Windows environment. Key features include the ability to encrypt saved case files, BlackBerry OS support, built-in recovery of Palm passwords, enhanced viewing of file data, and complete physical and logical acquisition for Palm PDA devices. One drawback is that some of the material acquired from a PDA is hard to interpret for a person who is not computer savvy. On the other hand, its search feature lets the investigator enter a term and brings up every file containing it, so case-specific information can be found easily and quickly.

=References=

* http://www.answers.com/topic/palm-os
* http://www.palm.com/us/
* http://www.encase.com
* http://www.paraben.com
* http://en.wikipedia.org/wiki/Palm_(PDA)
* http://www.etech4sale.com/products/partinfo-id-116929.html
* http://www.noodlebug.demon.co.uk/goingmob/orpilot.htm

Prefetch

Revision as of 17:52, 2 July 2011

Windows Prefetch files, introduced in Windows XP, are designed to speed up the application startup process. Prefetch files contain the name of the executable, a Unicode list of DLLs used by that executable, a count of how many times the executable has been run, and a timestamp indicating the last time the program was run. Although Prefetch is present in Windows 2003, by default it is only enabled for boot prefetching. The feature is also found in Windows Vista, where it has been augmented with SuperFetch, ReadyBoot, and ReadyBoost.

Up to 128 Prefetch files are stored in the %SystemRoot%\Prefetch directory (http://blogs.msdn.com/ryanmy/archive/2005/05/25/421882.aspx). Each file name consists of the name of the executable (the same name that is embedded in the file's header), a dash, an eight-character hexadecimal hash of the path from which the executable was run, and a .pf extension. The file name is all uppercase except for the extension. The hash algorithm is not documented by Microsoft. A sample file name for md5deep would look like MD5DEEP.EXE-4F89AB0C.pf. If an application is run from two different locations on the drive (e.g. the user runs C:\md5deep.exe and then C:\Apps\Hashing\md5deep.exe), there will be two different Prefetch files in the Prefetch folder, distinguished only by the hash.
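The naming convention above turned into a triage check over a directory listing. This is an added example, not code from the Forensics Wiki or from any Prefetch tool; the listing it runs on is constructed and the hash values in it are made up.

```python
"""Check %SystemRoot%\\Prefetch file names against the NAME-HASH.pf
convention and flag executables run from more than one location.
Added example; SAMPLE_LISTING is a constructed directory listing."""
import re
from collections import defaultdict

# <NAME>-<8 uppercase hex digits>.pf; NAME itself may contain '-' (hence
# the non-greedy match) but, like the hash, never lowercase letters.
PF_NAME = re.compile(r"^(?P<exe>[^a-z]+?)-(?P<hash>[0-9A-F]{8})\.pf$")


def parse_pf_name(filename):
    """Return (executable name, path hash), or None if the name is not
    one Windows would have written."""
    m = PF_NAME.match(filename)
    if m is None:
        return None
    return m.group("exe"), m.group("hash")


def triage_listing(filenames):
    """Group .pf names by executable. An executable with several distinct
    hashes was run from several distinct paths (the hash covers the device
    path, so the same path on another volume also differs). Names that do
    not fit the convention are returned separately for manual review."""
    by_exe = defaultdict(set)
    unexpected = []
    for name in filenames:
        parsed = parse_pf_name(name)
        if parsed is None:
            unexpected.append(name)
            continue
        exe, path_hash = parsed
        by_exe[exe].add(path_hash)
    multi_path = {exe: sorted(h) for exe, h in by_exe.items() if len(h) > 1}
    return dict(by_exe), multi_path, unexpected


SAMPLE_LISTING = [  # constructed; hash values are made up
    "MD5DEEP.EXE-4F89AB0C.pf",
    "MD5DEEP.EXE-9B3E2D71.pf",  # same executable, run from a second path
    "NOTEPAD.EXE-D8414F97.pf",
    "NTOSBOOT-B00DFAAD.pf",     # boot prefetch file, no .EXE in the name
    "Layout.ini",               # lives in the same directory, not a Prefetch file
    "svchost.exe-1234abcd.pf",  # lowercase: not what Windows writes
]

if __name__ == "__main__":
    by_exe, multi_path, unexpected = triage_listing(SAMPLE_LISTING)
    for exe, hashes in multi_path.items():
        print("%s was run from %d locations: %s" % (exe, len(hashes), ", ".join(hashes)))
    print("not Prefetch names:", unexpected)
```

A name that fails the check is not necessarily malicious (Layout.ini is always present), but a lowercase or otherwise malformed .pf name was not written by the Prefetcher and deserves a look.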



Signature

Each Prefetch file begins with an 8-byte signature. The first four bytes are a little-endian DWORD holding the format version, and the next four are the ASCII magic "SCCA". Windows XP and Windows Server 2003 write version 0x11, so the file starts with \x11\x00\x00\x00\x53\x43\x43\x41 (read as two DWORDs: 0x00000011 0x41434353); Windows Vista and Windows 7 write version 0x17, so the file starts with \x17\x00\x00\x00\x53\x43\x43\x41 (0x00000017 0x41434353). In an ASCII dump these bytes display as "....SCCA".

Timestamps

Both the NTFS timestamps of a Prefetch file and the timestamps embedded in it contain valuable information. The embedded timestamps are 64-bit (QWORD) FILETIME values (http://msdn2.microsoft.com/en-us/library/ms724284.aspx): the number of 100-nanosecond intervals since the Windows epoch of 1 January 1601 UTC (http://msdn.microsoft.com/en-us/library/ms724290%28VS.85%29.aspx). The NTFS creation date of the .pf file indicates the first time the application was executed; both the NTFS modification date and the embedded last run time indicate the last time it was executed.

The two are maintained independently, so an NTFS modification date that disagrees with the embedded last run time is itself worth noting.

Creation Time

The creation time stored in a Prefetch file is the creation time of the volume the executable was run from, not of the Prefetch file itself. It has no static offset on any Windows platform because it sits inside the volume information block: its location is the volume information offset (the DWORD read from header offset 0x6C, see Volume below) plus 0x8.

Last Run Time

A FILETIME recording when the application was last run is embedded in the Prefetch file. On Windows XP the "Last Run Time" is at offset 0x78 from the beginning of the file; on Windows Vista and Windows 7 it is at offset 0x80.

MetaData

Header

In each Prefetch file the DWORD at offset 0x54 holds the offset of the file metrics array, which immediately follows the header, so it also gives the header size: 0x98 (152) on Windows XP and 0xF0 (240) on Windows Vista and Windows 7. Offset 0x54 is the same on all three.

The Prefetch file embeds the executable's name in the header at offset 0x10 as a NUL-terminated UTF-16 (Unicode) string, and the total size of the file as a DWORD at offset 0xC.

Run Count

The run count, the number of times the application has been run, is a 4-byte (DWORD) value at offset 0x90 from the beginning of the file on Windows XP, and at offset 0x98 on Windows Vista and Windows 7.

Volume

Volume-related information, the volume device path and the volume serial number, is embedded in the Prefetch file. Its exact position varies from file to file, so it is reached indirectly: the DWORD at header offset 0x6C holds the offset of the volume information block from the beginning of the file, and the DWORD at 0x70 holds the number of volumes. Offset 0x6C is the same on Windows XP, Vista and 7.

At the volume information offset, the first DWORD is the number of bytes from the start of that block to the beginning of the volume path, so the path is located at volume information offset + that value. The path is stored as a NUL-terminated UTF-16 (Unicode) string such as \DEVICE\HARDDISKVOLUME1. The length of the volume path, in characters, is the DWORD at volume information offset + 0x4.

The volume serial number is a 4-byte value that identifies the volume (the same value that dir or vol prints as XXXX-XXXX). It has no fixed offset in the file across Windows versions, but it is always eight bytes after the volume creation time, i.e. at volume information offset + 0x10.
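The fixed offsets described in the Signature, Timestamps, MetaData and Volume sections, combined into one parser. This is an added example, not the Forensics Wiki's code or that of any tool; it handles only the two format versions described here (0x11 and 0x17). The .pf images it runs on are built by build_sample(), a constructed layout in which the metrics, trace-chain and filename-string regions are zero-filled and the single volume record is placed at 0x200; they are not captures from a real system.

```python
"""Parse the fixed-offset fields of a Windows XP/2003 (version 0x11) or
Vista/7 (version 0x17) Prefetch file: signature, executable name, header
size, last run time, run count and the first volume record.
Added example; SAMPLE_XP and SAMPLE_VISTA are constructed images."""
import struct
from datetime import datetime, timedelta, timezone

MAGIC = b"SCCA"
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# format version -> (last run time offset, run count offset, header size)
LAYOUT = {
    0x11: (0x78, 0x90, 0x98),  # Windows XP / Server 2003
    0x17: (0x80, 0x98, 0xF0),  # Windows Vista / 7
}


def filetime_to_datetime(ft):
    """FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00 UTC."""
    return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - WINDOWS_EPOCH) // timedelta(microseconds=1)) * 10


def parse_prefetch(data):
    version, magic = struct.unpack_from("<I4s", data, 0)
    if magic != MAGIC or version not in LAYOUT:
        raise ValueError("unsupported Prefetch file: version=%#x magic=%r" % (version, magic))
    last_run_off, run_count_off, header_size = LAYOUT[version]
    # There is no end-of-file marker; the size recorded at 0xC is the only
    # way to tell a truncated (or appended-to) file from a complete one.
    file_size = struct.unpack_from("<I", data, 0xC)[0]
    if file_size != len(data):
        raise ValueError("header says %d bytes, file has %d" % (file_size, len(data)))
    # executable name: 60-byte UTF-16LE field at 0x10, NUL terminated
    exe_name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    # 0x54 is the offset of the file metrics array, i.e. the header size
    metrics_off = struct.unpack_from("<I", data, 0x54)[0]
    if metrics_off != header_size:
        raise ValueError("header size %#x does not match version %#x" % (metrics_off, version))
    last_run = struct.unpack_from("<Q", data, last_run_off)[0]
    run_count = struct.unpack_from("<I", data, run_count_off)[0]
    # volume information block: offset at 0x6C, count at 0x70; the record
    # holds the path offset (relative to the record), the path length in
    # characters, the volume creation FILETIME (+0x8) and the serial (+0x10)
    vol_off, n_volumes = struct.unpack_from("<II", data, 0x6C)
    path_rel, path_chars, vol_created, serial = struct.unpack_from("<IIQI", data, vol_off)
    path_start = vol_off + path_rel
    vol_path = data[path_start:path_start + 2 * path_chars].decode("utf-16-le")
    return {
        "version": version,
        "exe_name": exe_name,
        "last_run": filetime_to_datetime(last_run),
        "run_count": run_count,
        "volume_count": n_volumes,
        "volume_path": vol_path,
        "volume_created": filetime_to_datetime(vol_created),
        "volume_serial": "%04X-%04X" % (serial >> 16, serial & 0xFFFF),
    }


def build_sample(version, exe, last_run, run_count, vol_path, vol_created, serial):
    """Constructed .pf image. Real files carry metrics, trace chains and
    filename strings between the header and the volume block; here that
    region is zero-filled and the single volume record sits at 0x200."""
    last_run_off, run_count_off, header_size = LAYOUT[version]
    vol_off, record_size = 0x200, 40
    path = vol_path.encode("utf-16-le") + b"\x00\x00"
    buf = bytearray(vol_off + record_size + len(path))
    struct.pack_into("<I4s", buf, 0, version, MAGIC)
    struct.pack_into("<I", buf, 0xC, len(buf))
    name = exe.encode("utf-16-le")
    buf[0x10:0x10 + len(name)] = name
    struct.pack_into("<I", buf, 0x54, header_size)
    struct.pack_into("<II", buf, 0x6C, vol_off, 1)
    struct.pack_into("<Q", buf, last_run_off, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, run_count_off, run_count)
    struct.pack_into("<IIQI", buf, vol_off, record_size, len(vol_path),
                     datetime_to_filetime(vol_created), serial)
    buf[vol_off + record_size:] = path
    return bytes(buf)


# Constructed inputs: the same program record in both header layouts.
SAMPLE_LAST_RUN = datetime(2011, 7, 2, 17, 52, tzinfo=timezone.utc)
SAMPLE_VOL_CREATED = datetime(2010, 1, 15, 9, 30, tzinfo=timezone.utc)
SAMPLE_VISTA = build_sample(0x17, "MD5DEEP.EXE", SAMPLE_LAST_RUN, 3,
                            "\\DEVICE\\HARDDISKVOLUME1", SAMPLE_VOL_CREATED, 0x1234ABCD)
SAMPLE_XP = build_sample(0x11, "MD5DEEP.EXE", SAMPLE_LAST_RUN, 3,
                         "\\DEVICE\\HARDDISKVOLUME1", SAMPLE_VOL_CREATED, 0x1234ABCD)

if __name__ == "__main__":
    for label, image in (("XP", SAMPLE_XP), ("Vista/7", SAMPLE_VISTA)):
        print(label, parse_prefetch(image))
```

The two images differ only in the version DWORD, the header size at 0x54 and the positions of the last run time and run count, which is exactly the set of differences the sections above describe; everything reached through 0x6C is laid out the same way on both.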

Issues

End of File

Prefetch files generated by Windows have no trailer signature or byte sequence marking the end of the file. The only completeness check is the file size recorded as a DWORD at offset 0xC in the header: a file on disk that is shorter has been truncated, and one that is longer has had data appended.

See Also

* SuperFetch
* Prefetch XML

External Links

* Prefetch-Tool Script (http://milo2012.wordpress.com/2009/10/19/windows-prefetch-folder-tool/) - Python script that looks Prefetch files up on a web server.
* Windows File Analyzer (http://www.mitec.cz/wfa.html) - Parses Prefetch files, thumbnail databases, shortcuts, index.dat files, and the recycle bin.
* Microsoft's description of Prefetch when Windows XP was introduced (http://www.microsoft.com/whdc/driver/kernel/XP_kernel.mspx#ECLAC)
* More detail from Microsoft (http://msdn.microsoft.com/msdnmag/issues/01/12/XPKernel/default.aspx)
* Windows Prefetch parser (http://www.tzworks.net/prototype_page.php?proto_id=1) - Free tool that runs on Windows, Linux or Mac OS X.