Difference between pages "Prefetch XML" and "File:2-BB9780-ScrewRemoval.jpg"

(Created page with "A Prefetch file is used by Windows NT to improve the startup process of an application. Each prefetch file provides information about each ran application. ==XML Example== <pre...")
A Prefetch file is used by Windows NT to improve the startup process of an application. Each prefetch file provides information about each ran application.
 
  
==XML Example==
 
<pre>
 
<?xml version='1.0' encoding='ISO-8859-1'?>
 
<prefetch>
 
  <header>
 
    <os>Windows 7</os>
 
    <header_size>240</header_size>
 
    <filename>ACRORD32INFO.EXE</filename>
 
    <runs>3</runs>
 
    <atime>2011-02-07T12:24:52</atime>
 
  </header>
 
  <volume>
 
    <path>\DEVICE\HARDDISKVOLUME1</path>
 
    <serial_number>b46f6927</serial_number>
 
  </volume>
 
  <creation>2010-08-18T06:13:10</creation>
 
  <associated_files>
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\KERNEL32.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\APISETSCHEMA.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\KERNELBASE.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\LOCALE.NLS
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\ADVAPI32.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\MSVCRT.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SECHOST.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\RPCRT4.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4927_NONE_D08A205E442DB5B5\MSVCR80.DLL
 
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\ACRORD32INFO.EXE
 
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\ACRORD32.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WININET.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SHLWAPI.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\GDI32.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\USER32.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\LPK.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\USP10.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NORMALIZ.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\URLMON.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\OLE32.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\OLEAUT32.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CRYPT32.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\MSASN1.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\IERTUTIL.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\VERSION.DLL
 
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\AGM.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4927_NONE_D08A205E442DB5B5\MSVCP80.DLL
 
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\COOLTYPE.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SHELL32.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7600.16661_NONE_420FE3FA2B8113BD\COMCTL32.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\USERENV.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\PROFAPI.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WINMM.DLL
 
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\BIB.DLL
 
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\ACE.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\IMM32.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\MSCTF.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\WINDOWSSHELL.MANIFEST
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\RPCSS.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CRYPTBASE.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\IEFRAME.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\PSAPI.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\OLEACC.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\OLEACCRC.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
 
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\ROAMING\ADOBE\ACROBAT\9.0\USERCACHE.BIN
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CRYPTSP.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\RSAENH.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\RPCRTREMOTE.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\TZRES.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\UXTHEME.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\FONTS\STATICCACHE.DAT
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\MPR.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\VMHGFS.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\DRPROV.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WINSTA.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTLANMAN.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\DAVCLNT.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\DAVHLPR.DLL
 
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\VMWARE\HGFS.DAT
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CLBCATQ.DLL
 
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\VIEWERPS.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SETUPAPI.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CFGMGR32.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\DEVOBJ.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\PROPSYS.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTMARTA.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WLDAP32.DLL
 
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\CVERSIONS.1.DB
 
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000039.DB
 
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\DESKTOP.INI
 
    \DEVICE\HARDDISKVOLUME1\USERS\DESKTOP.INI
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\APPHELP.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NETWORKEXPLORER.DLL
 
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MICROSOFT VISUAL STUDIO 10.0\COMMON7\TOOLS\ATLTRACETOOL8.EXE
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CATROOT\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\PRNLX00Y.CAT
 
    \DEVICE\HARDDISKVOLUME1\$MFT
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CATROOT\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\PRNLX005.CAT
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\DRIVERS\SRTSP.CAT
 
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\WINDOWS LIVE\MAIL\WLMAIL.EXE
 
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000038.DB
 
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES
 
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE
 
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0
 
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER
 
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MICROSOFT VISUAL STUDIO 10.0
 
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MICROSOFT VISUAL STUDIO 10.0\COMMON7
 
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MICROSOFT VISUAL STUDIO 10.0\COMMON7\TOOLS
 
    \DEVICE\HARDDISKVOLUME1\USERS
 
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL
 
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA
 
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL
 
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\MICROSOFT
 
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\MICROSOFT\WINDOWS
 
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES
 
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\VMWARE
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\FONTS
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\GLOBALIZATION
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\GLOBALIZATION\SORTING
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CATROOT
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CATROOT\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\DRIVERS
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4927_NONE_D08A205E442DB5B5
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7600.16661_NONE_420FE3FA2B8113BD
 
  </associated_files>
 
</prefetch>
 
</pre>
 
 
==See Also==
 
* [[Prefetch]]
 
 
[[Category:Digital Forensics XML]]
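Review bot: The timestamps in the `<header>` and `<creation>` elements carry no time-zone designator (`<atime>2011-02-07T12:24:52</atime>`, `<creation>2010-08-18T06:13:10</creation>`), so a reader cannot tell whether the XML reports the prefetch FILETIME values as UTC or as local time — this matters to anyone correlating prefetch evidence with other timeline sources, and the page should state which it is, ideally by emitting an explicit designator such as `2011-02-07T12:24:52Z` when the values are UTC. The `<associated_files>` element also packs dozens of paths into a single text node separated only by line breaks, which forces consumers to split on whitespace and leaves nothing to validate against a schema; one child element per path (e.g. `<file>\DEVICE\HARDDISKVOLUME1\$MFT</file>`) is the conventional XML form for a repeating list. The declaration's `encoding='ISO-8859-1'` cannot represent characters outside Latin-1, while Windows paths are Unicode on disk, so the generating tool presumably has to transliterate or drop such characters — the page should either note that limitation or emit UTF-8. The sample embeds a real user profile path (`\USERS\SIMSON GARFINKEL\...`) and a volume serial number; if it was taken from a research image that is fine, but the page should say so rather than leave readers to wonder whether it is sanitized. Finally, the intro's "Windows NT" is looser than the example itself, whose header says `<os>Windows 7</os>`; naming the NT-family versions that actually produce prefetch files (not every NT release does, as far as I recall) would make the first sentence more useful.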
 

Latest revision as of 01:31, 8 August 2013