Difference between revisions of "Prefetch XML"

From Forensics Wiki
Jump to: navigation, search
(Created page with "A Prefetch file is used by Windows NT to improve the startup process of an application. Each prefetch file provides information about each ran application. ==XML Example== <pre...")
 
m (XML Example)
Line 18: Line 18:
 
   <creation>2010-08-18T06:13:10</creation>
 
   <creation>2010-08-18T06:13:10</creation>
 
   <associated_files>
 
   <associated_files>
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL
+
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/NTDLL.DLL</filename>
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\KERNEL32.DLL
+
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/KERNEL32.DLL</filename>
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\APISETSCHEMA.DLL
+
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/APISETSCHEMA.DLL</filename>
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\KERNELBASE.DLL
+
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/KERNELBASE.DLL</filename>
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\LOCALE.NLS
+
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/LOCALE.NLS</filename>
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\ADVAPI32.DLL
+
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/ADVAPI32.DLL</filename>
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\MSVCRT.DLL
+
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/MSVCRT.DLL</filename>
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SECHOST.DLL
+
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/SECHOST.DLL</filename>
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\RPCRT4.DLL
+
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/RPCRT4.DLL</filename>
    \DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4927_NONE_D08A205E442DB5B5\MSVCR80.DLL
+
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/WINSXS/X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4927_NONE_D08A205E442DB5B5/MSVCR80.DLL</filename>
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\ACRORD32INFO.EXE
+
    <filename>/DEVICE/HARDDISKVOLUME1/PROGRAM FILES/ADOBE/READER 9.0/READER/ACRORD32INFO.EXE</filename>
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\ACRORD32.DLL
+
    <filename>/DEVICE/HARDDISKVOLUME1/PROGRAM FILES/ADOBE/READER 9.0/READER/ACRORD32.DLL</filename>
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WININET.DLL
+
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/WININET.DLL</filename>
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SHLWAPI.DLL
+
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/SHLWAPI.DLL</filename>
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\GDI32.DLL
+
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/GDI32.DLL</filename>
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\USER32.DLL
+
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/USER32.DLL</filename>
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\LPK.DLL
+
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/LPK.DLL</filename>
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\USP10.DLL
+
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/USP10.DLL</filename>
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NORMALIZ.DLL
+
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/NORMALIZ.DLL</filename>
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\URLMON.DLL
+
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/URLMON.DLL</filename>
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\OLE32.DLL
+
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/OLE32.DLL</filename>
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\OLEAUT32.DLL
+
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/OLEAUT32.DLL</filename>
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CRYPT32.DLL
+
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/CRYPT32.DLL</filename>
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\MSASN1.DLL
+
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/MSASN1.DLL</filename>
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\IERTUTIL.DLL
+
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/IERTUTIL.DLL</filename>
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\VERSION.DLL
+
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\AGM.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4927_NONE_D08A205E442DB5B5\MSVCP80.DLL
+
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\COOLTYPE.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SHELL32.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7600.16661_NONE_420FE3FA2B8113BD\COMCTL32.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\USERENV.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\PROFAPI.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WINMM.DLL
+
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\BIB.DLL
+
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\ACE.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\IMM32.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\MSCTF.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\WINDOWSSHELL.MANIFEST
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\RPCSS.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CRYPTBASE.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\IEFRAME.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\PSAPI.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\OLEACC.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\OLEACCRC.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
+
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\ROAMING\ADOBE\ACROBAT\9.0\USERCACHE.BIN
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CRYPTSP.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\RSAENH.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\RPCRTREMOTE.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\TZRES.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\UXTHEME.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\FONTS\STATICCACHE.DAT
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\MPR.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\VMHGFS.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\DRPROV.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WINSTA.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTLANMAN.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\DAVCLNT.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\DAVHLPR.DLL
+
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\VMWARE\HGFS.DAT
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CLBCATQ.DLL
+
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\VIEWERPS.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SETUPAPI.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CFGMGR32.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\DEVOBJ.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\PROPSYS.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTMARTA.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WLDAP32.DLL
+
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\CVERSIONS.1.DB
+
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000039.DB
+
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\DESKTOP.INI
+
    \DEVICE\HARDDISKVOLUME1\USERS\DESKTOP.INI
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\APPHELP.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NETWORKEXPLORER.DLL
+
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MICROSOFT VISUAL STUDIO 10.0\COMMON7\TOOLS\ATLTRACETOOL8.EXE
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CATROOT\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\PRNLX00Y.CAT
+
    \DEVICE\HARDDISKVOLUME1\$MFT
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CATROOT\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\PRNLX005.CAT
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\DRIVERS\SRTSP.CAT
+
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\WINDOWS LIVE\MAIL\WLMAIL.EXE
+
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000038.DB
+
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES
+
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE
+
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0
+
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER
+
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MICROSOFT VISUAL STUDIO 10.0
+
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MICROSOFT VISUAL STUDIO 10.0\COMMON7
+
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MICROSOFT VISUAL STUDIO 10.0\COMMON7\TOOLS
+
    \DEVICE\HARDDISKVOLUME1\USERS
+
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL
+
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA
+
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL
+
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\MICROSOFT
+
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\MICROSOFT\WINDOWS
+
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES
+
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\VMWARE
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\FONTS
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\GLOBALIZATION
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\GLOBALIZATION\SORTING
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CATROOT
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CATROOT\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\DRIVERS
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4927_NONE_D08A205E442DB5B5
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7600.16661_NONE_420FE3FA2B8113BD
+
 
   </associated_files>
 
   </associated_files>
 
</prefetch>
 
</prefetch>

Revision as of 15:59, 29 June 2011

A Prefetch file is used by Windows NT to improve the startup process of an application. Each prefetch file provides information about each ran application.

XML Example

<?xml version='1.0' encoding='ISO-8859-1'?>
<prefetch>
   <header>
     <os>Windows 7</os>
     <header_size>240</header_size>
     <filename>ACRORD32INFO.EXE</filename>
     <runs>3</runs>
     <atime>2011-02-07T12:24:52</atime>
   </header>
   <volume>
     <path>\DEVICE\HARDDISKVOLUME1</path>
     <serial_number>b46f6927</serial_number>
   </volume>
   <creation>2010-08-18T06:13:10</creation>
   <associated_files>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/NTDLL.DLL</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/KERNEL32.DLL</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/APISETSCHEMA.DLL</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/KERNELBASE.DLL</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/LOCALE.NLS</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/ADVAPI32.DLL</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/MSVCRT.DLL</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/SECHOST.DLL</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/RPCRT4.DLL</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/WINSXS/X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4927_NONE_D08A205E442DB5B5/MSVCR80.DLL</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/PROGRAM FILES/ADOBE/READER 9.0/READER/ACRORD32INFO.EXE</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/PROGRAM FILES/ADOBE/READER 9.0/READER/ACRORD32.DLL</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/WININET.DLL</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/SHLWAPI.DLL</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/GDI32.DLL</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/USER32.DLL</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/LPK.DLL</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/USP10.DLL</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/NORMALIZ.DLL</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/URLMON.DLL</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/OLE32.DLL</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/OLEAUT32.DLL</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/CRYPT32.DLL</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/MSASN1.DLL</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/IERTUTIL.DLL</filename>
   </associated_files>
</prefetch>

See Also

Retrieved from "http://www.forensicswiki.org/w/index.php?title=Prefetch_XML&oldid=10938"
Personal tools
Namespaces

Variants
Actions
Navigation:
About forensicswiki.org:
Toolbox