Difference between pages "Upcoming events" and "Prefetch"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
(Conferences)
 
(Volume)
 
Line 1: Line 1:
<b>PLEASE READ BEFORE YOU EDIT THE LISTS BELOW</b><br>
+
{{Expand}}
Events should be posted in the correct section, and in date order. An event should NEVER be listed in more than one section (i.e. Ongoing/Continuous events should not be listed in Scheduled Training).  When events begin the same day, events of a longer length should be listed first.  New postings of events with the same date(s) as other events should be added after events already in the list. If a provider offers the same event at several locations simultaneously, the listing should have a single (ONE) entry in the list with the date(s) and ALL locations for the event. Please use three-letter month abbreviations (i.e. Sep, NOT Sept. or September), use two digit dates (i.e. Jan 01 NOT Jan 1), and use date ranges rather than listing every date during an event(i.e. Jan 02-05, NOT Jan 02, 03, 04, 05).<br>
+
Windows Prefetch files, introduced in [[Windows|Windows XP]], are designed to speed up the application startup process. Prefetch files contain the name of the executable, a Unicode list of DLLs used by that executable, a count of how many times the executable has been run, and a timestamp indicating the last time the program was run. Although Prefetch is present in Windows 2003, by default it is only enabled for boot prefetching. The feature is also found in [[Windows Vista]], where it has been augmented with [[SuperFetch]], [[ReadyBoot]], and [[ReadyBoost]].
<i>Some events may be <u>limited</u> to <b>Law Enforcement Only</b> or to a specific audience.  Such restrictions should be noted when known.</i>
+
  
This is a BY DATE listing of upcoming events relevant to [[digital forensics]]. It is not an all inclusive list, but includes most well-known activities. Some events may duplicate events on the generic [[conferences]] page, but entries in this list have specific dates and locations for the upcoming event.
+
Up to 128 Prefetch files are stored in the <tt>%SystemRoot%\Prefetch</tt> directory [http://blogs.msdn.com/ryanmy/archive/2005/05/25/421882.aspx]. Each file in that directory should contain the name of the application (up to eight (?) characters), a dash, and then an eight character hash of the location from which that application was run, and a <tt>.pf</tt> extension. The filenames should be all uppercase except for the extension. The format of hashes is not known. A sample filename for [[md5deep]] would look like: <tt>MD5DEEP.EXE-4F89AB0C.pf</tt>. If an application is run from two different locations on the drive (i.e. the user runs <tt>C:\md5deep.exe</tt> and then <tt>C:\Apps\Hashing\md5deep.exe</tt>), there will be two different prefetch files in the Prefetch folder.
  
This listing is divided into four sections (described as follows):<br>
 
<ol><li><b><u>Calls For Papers</u></b> - Calls for papers for either Journals or for Conferences, relevant to Digital Forensics (Name, Closing Date, URL)</li><br>
 
<li><b><u>Conferences</u></b> - Conferences relevant for Digital Forensics (Name, Date, Location, URL)</li><br>
 
<li><b><u>On-Going / Continuous Training</u></b> - Training opportunities that are either always available online/distance learning format (start anytime) or that are offered the same time every month (Name, date-if applicable, URL)</li><br>
 
<li><b><u>[[Scheduled Training Courses]]</u></b> - Training Classes/Courses that are scheduled for specific dates/locations.  This would include online (or distance learning format) courses which begin on specific dates, instead of the "start anytime" courses listed in the previous section. (Provider, URL) (''note: this has been moved to its own page.'')<br></li></ol>
 
  
The Conference and Training List is provided by the American Academy of Forensic Sciences (AAFS) Digital and Multimedia Sciences Section Listserv.
+
== Signature ==
<i> (Subscribe by sending an email to listserv@lists.mitre.org with message body containing SUBSCRIBE AAFS-DIGITAL-MULTIMEDIA-LIST)</i>
+
Each Prefetch file has a signature in the first 8 bytes of the file. Windows XP and Windows Vista will generate Prefetch files with the signature \x11\x00\x00\x00\x53\x43\x43\x41 (0x41434353 0x00000011). Windows 7 Prefetch file's signature is \x17\x00\x00\x00\x53\x43\x43\x41 (0x41434353 0x00000017). The [http://en.wikipedia.org/wiki/ASCII ASCII] representation of these bytes will display "....SCCA".
Requests for additions, deletions or corrections to this list may be sent by email to David Baker <i>(bakerd AT mitre.org)</i>.
+
  
== Calls For Papers ==
+
== Timestamps ==
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
|- style="background:#bfbfbf; font-weight: bold"
+
! width="30%|Title
+
! width="15%"|Due Date
+
! width="15%"|Notification Date
+
! width="40%"|Website
+
|-
+
|Blackhat Briefings - Washington DC
+
|Jan 01, 2009
+
|Jan 16, 1009
+
|https://www.blackhat.com/html/bh-dc-09/bh-dc-09-cfp.html
+
|-
+
|USENIX '09
+
|Jan 09, 2009
+
|Mar 13, 2009
+
|http://www.usenix.org/events/usenix09/cfp/
+
|-
+
|Hacker Halted USA 2009
+
|Jan 15, 2009
+
|Feb 15, 2009
+
|http://www.eccouncil.org/hhusa/papers/page6.html
+
|-
+
|3rd Edition of Small Scale Digital Device Forensics Journal
+
|Jan 31, 2009
+
|
+
|http://www.ssddfj.org/Call.asp
+
|-
+
|4rd International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE-2009)
+
|Feb 01, 2009
+
|
+
|http://conf.ncku.edu.tw/sadfe/sadfe09/
+
|-
+
|Blackhat Briefings - Europe
+
|Feb 01, 2009
+
|Feb 15, 2009
+
|https://www.blackhat.com/html/bh-europe-09/bh-eu-09-cfp.html.
+
|-
+
|Usenix Security 2009
+
|Feb 04, 2009
+
|Apr 13, 2009
+
|http://www.usenix.org/events/sec09/cfp
+
|-
+
|1st Workshop on Internet Multimedia Search and Mining
+
|Feb 08, 2009
+
|Mar 15, 2009
+
|http://research.microsoft.com/en-us/um/people/xshua/imsm/cfp.html
+
|-
+
|2009 ADFSL Conference on Digital Forensics, Security and Law
+
|Feb 20, 2009
+
|
+
|http://www.digitalforensics-conference.org/callforpapers.htm
+
|-
+
|KDDD 2009
+
|Feb 02, 2009
+
|Apr 10, 2009
+
|http://www.sigkdd.org/kdd2009/
+
|-
+
|DFRWS 2009
+
|Mar 16, 2009
+
|Apr 28, 2009
+
|http://www.dfrws.org/2009/cfp.shtml
+
|-
+
|Layer One - 2009
+
|Apr 01, 2009
+
|Apr 15, 2009
+
|http://layerone.info/
+
|-
+
|ACM CCS 2009
+
|Apr ?? 2009
+
|
+
|http://www.sigsac.org/ccs
+
|-
+
|Usenix Lisa 2009
+
|Apr 30, 2009
+
|Jul 07, 2009
+
|http://www.usenix.org/events/lisa09/cfp/
+
|-
+
|New Security Paradigms Conference 2009
+
|Apr ?? 2009
+
|
+
|http://www.nspw.org/current/
+
|-
+
|IEEE Symposium on Security and Privacy 2010
+
|Nov ?? 2009
+
|
+
|-
+
|ShmooCon 2010
+
|Dec ??, 2008
+
|Jan ??, 2009
+
|http://www.shmoocon.org/cfp.html
+
|-
+
|AusCERT Conference 2010
+
|Dec ??, 2008
+
|Jan ??, 2009
+
|http://conference.auscert.org.au/conf2010/cfp2010.html
+
|-
+
|}
+
  
== Conferences ==
+
Both the [[NTFS]] timestamps for a Prefetch file and the timestamp embedded in each Prefetch file contain valuable information. The timestamp embedded within the Prefetch file is a 64-bit (QWORD) [http://msdn2.microsoft.com/en-us/library/ms724284.aspx FILETIME] object The creation date of the file indicates the first time the application was executed. Both the modification date of the file and the embedded timestamp indicate the last time the application was executed.
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
|- style="background:#bfbfbf; font-weight: bold"
+
! width="40%"|Title
+
! width="20%"|Date/Location
+
! width="40%"|Website
+
|-
+
|2009 DoD Cyber Crime Conference
+
|Jan 24-30<br>St. Louis, MO
+
|http://www.dodcybercrime.com/
+
|-
+
|5th Annual IFIP WG 11.9 International Conference on Digital Forensics
+
|Jan 25-28<br>Orlando, FL
+
|http://www.ifip119.org/Conferences/
+
|-
+
|ShmooCon 2009
+
|Feb 06-08<br>Washington, DC
+
|http://www.shmoocon.org/
+
|-
+
|American Academy of Forensic Sciences Annual Meeting
+
|Feb 16-21<br>Denver, CO
+
|http://www.aafs.org/default.asp?section_id=meetings&page_id=aafs_annual_meeting
+
|-
+
|Blackhat DC
+
|Feb 16-19<br>Washington, DC
+
|https://www.blackhat.com/html/bh-dc-09/bh-dc-09-main.html
+
|-
+
|24th Annual ACM Symposium on Applied Computing - Computer Forensics Track
+
|Mar 08-12<br>Honolulu, HI
+
|http://www.acm.org/conferences/sac/sac2009
+
|-
+
|ARES 2009 Conference
+
|Mar 16-19<br>Fukuoka, Japan
+
|http://www.ares-conference.eu/conf/
+
|-
+
|Security Opus
+
|Mar 17-18<br>San Francisco, CA
+
|http://www.securityopus.com
+
|-
+
|e-Crime Congress 2009
+
|Mar 24-25<br>London, United Kingdom
+
|http://www.e-crimecongress.org/ecrime2009/
+
|-
+
|Blackhat Europe
+
|Apr 14-17<br>Amsterdam, The Netherlands
+
|https://www.blackhat.com/html/bh-europe-09/bh-eu-09-main.html
+
|-
+
|AusCERT2009
+
|May 17-22<br>Gold Coast, Australia
+
|http://conference.auscert.org.au/conf2009/
+
|-
+
|Computer Security Institute: Security Exchange
+
|May 17-22<br>Las Vegas, NV
+
|http://www.csisx.com/
+
|-
+
|ADFSL 2009 Conference on Digital Forensics, Security and Law
+
|May 20-22<br>Burlington, VT
+
|http://www.digitalforensics-conference.org
+
|-
+
|Fourth International Workshop on Systematic Approaches to Digital Forensic Engineering
+
|May 22<br>Oakland, CA
+
|http://conf.ncku.edu.tw/sadfe/sadfe09/
+
|-
+
|LayerOne 2009 Security Conference
+
|May 23-24<br>Anaheim, CA
+
|http://layerone.info/
+
|-
+
|Mobile Forensics World 2009
+
|May 26-30<br>Chicago, IL
+
|http://www.mobileforensicsworld.com
+
|-
+
|2009 Techno Security Conference
+
|May 31-Jun 03<br>Myrtle Beach, SC
+
|http://www.techsec.com/index.html
+
|-
+
|USENIX 2009
+
|Jun 14-19<br>San Diego, CA
+
|http://www.usenix.org/events/usenix09/
+
|-
+
|IEEE ICC Communication and Information Systems Security (CISS) Symposium
+
|Jun 14-18<br>Dresden, Germany
+
|http://www.ieee-icc.org/2009/
+
|-
+
|1st Workshop on Internet Multimedia Search and Mining (IMSM'09)
+
|Jul 03<br>Cancun, Mexico
+
|http://research.microsoft.com/en-us/um/people/xshua/imsm/index.html
+
|-
+
|Blackhat USA 2009
+
|Jul 25-30<br>Las Vegas, NV
+
|https://www.blackhat.com/
+
|-
+
|DefCon 17
+
|Jul 31-Aug 02<br>Las Vegas, NV
+
|http://www.defcon.org/
+
|-
+
|Usenix Security Sypmosium
+
|Aug 10-14<br>Montreal, Quebec, Canada
+
|http://www.usenix.org/events/sec09/
+
|-
+
|Digital Forensic Research Workshop
+
|Aug 17-19<br>Montreal, Quebec, Canada
+
|http://www.dfrws.org
+
|-
+
|Triennial Meeting of the European Academy of Forensic Science
+
|Sep 08-11<br>Glasgow, Scotland, UK
+
|http://www.eafs2009.com/
+
|-
+
|Hacker Halted USA 2009
+
|Sep 20-24<br>Miami, FL
+
|http://www.hackerhalted.com/usa
+
|-
+
|}
+
  
== On-going / Continuous Training ==
+
Windows will store timestamps according to Windows [http://msdn.microsoft.com/en-us/library/ms724290%28VS.85%29.aspx epoch].
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
|- style="background:#bfbfbf; font-weight: bold"
+
! width="40%"|Title
+
! width="20%"|Date/Location
+
! width="40%"|Website
+
|-
+
|- style="background:pink;align:left"
+
! DISTANCE LEARNING
+
|-
+
|Basic Computer Examiner Course - Computer Forensic Training Online
+
|Distance Learning Format
+
|http://www.cftco.com
+
|-
+
|Linux Data Forensics Training
+
|Distance Learning Format
+
|http://www.crazytrain.com/training.html
+
|-
+
|SANS On-Demand Training
+
|Distance Learning Format
+
|http://www.sans.org/ondemand/?portal=69456f95660ade45be29c00b0c14aea1
+
|-
+
|- style="background:pink;align:left"
+
!RECURRING TRAINING
+
|-
+
|MaresWare Suite Training
+
|First full week every month<br>Atlanta, GA
+
|http://www.maresware.com/maresware/training/maresware.htm
+
|-
+
|Evidence Recovery for Windows Vista&trade;
+
|First full week every month<br>Brunswick, GA
+
|http://www.internetcrimes.net
+
|-
+
|Evidence Recovery for Windows Server&reg; 2003 R2
+
|Second full week every month<br>Brunswick, GA
+
|http://www.internetcrimes.net
+
|-
+
|Evidence Recovery for the Windows XP&trade; operating system
+
|Third full week every month<br>Brunswick, GA
+
|http://www.internetcrimes.net
+
|-
+
|Computer Forensics Training and CCE&trade; Testing for Litigation Support Professionals
+
|Third weekend of every month(Fri-Mon)<br>Dallas, TX
+
|http://www.md5group.com
+
|-
+
|}
+
  
==See Also==
+
==== Creation Time ====
* [[Scheduled Training Courses]]
+
The creation time does not have a static offset on any Windows platform. The location of the creation time can be found using the offset 0x8 + length of Volume path offset.
==References==
+
 
* [http://faculty.cs.tamu.edu/guofei/sec_conf_stat.htm Computer Security Conference Ranking and Statistic]
+
==== Last Run Time ====
* [http://www.kdnuggets.com/meetings/ Meetings and Conferences in Data Mining and Discovery]
+
A timestamp of when the application was last ran is embedded into the Prefetch file. The offset to the "Last Run Time" is located at offset 0x78 from the beginning of the file on [[Windows]] XP. The offset for Windows Vista and Windows 7 is at 0x80.
* http://www.conferencealerts.com/data.htm Data Mining Conferences World-Wide]
+
 
 +
== MetaData ==
 +
==== Header ====
 +
In each Prefetch file, the size of the header is stored and can be found at offset 0x54 on Windows XP, Windows Vista, and Windows 7. The header size for Windows XP is 0x98 (152) and 0xf0 (240) on Windows Vista and Windows 7.
 +
 
 +
The Prefetch file will embed the application's name into the header at offset 0x10.
 +
 
 +
==== Run Count ====
 +
The run count, or number of times the application has been run, is a 4-byte (DWORD) value located at offset 0x90 from the beginning of the file on [[Windows]] XP. On Windows Vista and Windows 7, the run time can be found at 0x98.
 +
 
 +
==== Volume ====
 +
Volume related information, volume path and volume serial number, are embedded into the Prefetch file. The precise offset for this information varies for each application ran. In the header at offset 0x6c, the location of the volume path is stored. The location is a 4-bytes (DWORD) value. The offset 0x6c is consistent for Windows XP and Windows 7.
 +
 
 +
At the location given from 0ffst 0x6c, a 4 byte value is stored which is the number of bytes from current offset (location from offset 0x6c) to the beginning of the volume path. The location from offset 0x6c, for ease, will be called the "volume path offset." The volume path is embedded as a NULL-terminating string.
 +
 
 +
The length of the volume path is a 4-byte value is located at volume path offset + 0x4.
 +
 
 +
The volume [http://en.wikipedia.org/wiki/Volume_serial_number serial number] is a 4-byte value that identifies a media storage. A serial number does not have a consistent offset within a Prefetch between Windows operating systems. The 4-byte value can be found eight (8) bytes from the creation time location.
 +
 
 +
== Issues ==
 +
==== End of File ====
 +
Prefetch files generated by the Windows operating system does not have any signature or sequences of bytes to indicate when the end of the Prefetch file has been reached.
 +
 
 +
== See Also ==
 +
* [[SuperFetch]]
 +
* [[Prefetch XML]]
 +
 
 +
== External Links ==
 +
* [http://milo2012.wordpress.com/2009/10/19/windows-prefetch-folder-tool/ Prefetch-Tool Script] - Python looks Prefetch files up on a web server.
 +
* [http://www.mitec.cz/wfa.html Windows File Analyzer] - Parses Prefetch files, thumbnail databases, shortcuts, index.dat files, and the recycle bin
 +
* [http://www.microsoft.com/whdc/driver/kernel/XP_kernel.mspx#ECLAC Microsoft's description of Prefetch when Windows XP was introduced]
 +
* [http://msdn.microsoft.com/msdnmag/issues/01/12/XPKernel/default.aspx More detail from Microsoft]
 +
* [http://www.tzworks.net/prototype_page.php?proto_id=1 Windows Prefetch parser] Free tool that can be run on Windows, Linux or Mac OS-X.

Revision as of 17:52, 2 July 2011

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Windows Prefetch files, introduced in Windows XP, are designed to speed up the application startup process. Prefetch files contain the name of the executable, a Unicode list of DLLs used by that executable, a count of how many times the executable has been run, and a timestamp indicating the last time the program was run. Although Prefetch is present in Windows 2003, by default it is only enabled for boot prefetching. The feature is also found in Windows Vista, where it has been augmented with SuperFetch, ReadyBoot, and ReadyBoost.

Up to 128 Prefetch files are stored in the %SystemRoot%\Prefetch directory [1]. Each file in that directory should contain the name of the application (up to eight (?) characters), a dash, and then an eight character hash of the location from which that application was run, and a .pf extension. The filenames should be all uppercase except for the extension. The format of hashes is not known. A sample filename for md5deep would look like: MD5DEEP.EXE-4F89AB0C.pf. If an application is run from two different locations on the drive (i.e. the user runs C:\md5deep.exe and then C:\Apps\Hashing\md5deep.exe), there will be two different prefetch files in the Prefetch folder.


Contents

Signature

Each Prefetch file has a signature in the first 8 bytes of the file. Windows XP and Windows Vista will generate Prefetch files with the signature \x11\x00\x00\x00\x53\x43\x43\x41 (0x41434353 0x00000011). Windows 7 Prefetch file's signature is \x17\x00\x00\x00\x53\x43\x43\x41 (0x41434353 0x00000017). The ASCII representation of these bytes will display "....SCCA".

Timestamps

Both the NTFS timestamps for a Prefetch file and the timestamp embedded in each Prefetch file contain valuable information. The timestamp embedded within the Prefetch file is a 64-bit (QWORD) FILETIME object The creation date of the file indicates the first time the application was executed. Both the modification date of the file and the embedded timestamp indicate the last time the application was executed.

Windows will store timestamps according to Windows epoch.

Creation Time

The creation time does not have a static offset on any Windows platform. The location of the creation time can be found using the offset 0x8 + length of Volume path offset.

Last Run Time

A timestamp of when the application was last ran is embedded into the Prefetch file. The offset to the "Last Run Time" is located at offset 0x78 from the beginning of the file on Windows XP. The offset for Windows Vista and Windows 7 is at 0x80.

MetaData

Header

In each Prefetch file, the size of the header is stored and can be found at offset 0x54 on Windows XP, Windows Vista, and Windows 7. The header size for Windows XP is 0x98 (152) and 0xf0 (240) on Windows Vista and Windows 7.

The Prefetch file will embed the application's name into the header at offset 0x10.

Run Count

The run count, or number of times the application has been run, is a 4-byte (DWORD) value located at offset 0x90 from the beginning of the file on Windows XP. On Windows Vista and Windows 7, the run time can be found at 0x98.

Volume

Volume related information, volume path and volume serial number, are embedded into the Prefetch file. The precise offset for this information varies for each application ran. In the header at offset 0x6c, the location of the volume path is stored. The location is a 4-bytes (DWORD) value. The offset 0x6c is consistent for Windows XP and Windows 7.

At the location given from 0ffst 0x6c, a 4 byte value is stored which is the number of bytes from current offset (location from offset 0x6c) to the beginning of the volume path. The location from offset 0x6c, for ease, will be called the "volume path offset." The volume path is embedded as a NULL-terminating string.

The length of the volume path is a 4-byte value is located at volume path offset + 0x4.

The volume serial number is a 4-byte value that identifies a media storage. A serial number does not have a consistent offset within a Prefetch between Windows operating systems. The 4-byte value can be found eight (8) bytes from the creation time location.

Issues

End of File

Prefetch files generated by the Windows operating system does not have any signature or sequences of bytes to indicate when the end of the Prefetch file has been reached.

See Also

External Links