Difference between pages "Prefetch XML" and "File:2-BB9780-ScrewRemoval.jpg"

(Created page with "A Prefetch file is used by Windows NT to improve the startup process of an application. Each prefetch file provides information about each application that was run. ==XML Example== <pre...")
 
 
Line 1: Line 1:
A Prefetch file is used by Windows NT to improve the startup process of an application. Each prefetch file provides information about each ran application.
 
  
==XML Example==
 
<pre>
 
<?xml version='1.0' encoding='ISO-8859-1'?>
 
<prefetch>
 
  <header>
 
    <os>Windows 7</os>
 
    <header_size>240</header_size>
 
    <filename>ACRORD32INFO.EXE</filename>
 
    <runs>3</runs>
 
    <atime>2011-02-07T12:24:52</atime>
 
  </header>
 
  <volume>
 
    <path>\DEVICE\HARDDISKVOLUME1</path>
 
    <serial_number>b46f6927</serial_number>
 
  </volume>
 
  <creation>2010-08-18T06:13:10</creation>
 
  <associated_files>
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\KERNEL32.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\APISETSCHEMA.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\KERNELBASE.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\LOCALE.NLS
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\ADVAPI32.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\MSVCRT.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SECHOST.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\RPCRT4.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4927_NONE_D08A205E442DB5B5\MSVCR80.DLL
 
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\ACRORD32INFO.EXE
 
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\ACRORD32.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WININET.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SHLWAPI.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\GDI32.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\USER32.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\LPK.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\USP10.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NORMALIZ.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\URLMON.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\OLE32.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\OLEAUT32.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CRYPT32.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\MSASN1.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\IERTUTIL.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\VERSION.DLL
 
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\AGM.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4927_NONE_D08A205E442DB5B5\MSVCP80.DLL
 
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\COOLTYPE.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SHELL32.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7600.16661_NONE_420FE3FA2B8113BD\COMCTL32.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\USERENV.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\PROFAPI.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WINMM.DLL
 
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\BIB.DLL
 
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\ACE.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\IMM32.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\MSCTF.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\WINDOWSSHELL.MANIFEST
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\RPCSS.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CRYPTBASE.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\IEFRAME.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\PSAPI.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\OLEACC.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\OLEACCRC.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
 
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\ROAMING\ADOBE\ACROBAT\9.0\USERCACHE.BIN
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CRYPTSP.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\RSAENH.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\RPCRTREMOTE.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\TZRES.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\UXTHEME.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\FONTS\STATICCACHE.DAT
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\MPR.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\VMHGFS.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\DRPROV.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WINSTA.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTLANMAN.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\DAVCLNT.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\DAVHLPR.DLL
 
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\VMWARE\HGFS.DAT
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CLBCATQ.DLL
 
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\VIEWERPS.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SETUPAPI.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CFGMGR32.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\DEVOBJ.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\PROPSYS.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTMARTA.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WLDAP32.DLL
 
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\CVERSIONS.1.DB
 
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000039.DB
 
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\DESKTOP.INI
 
    \DEVICE\HARDDISKVOLUME1\USERS\DESKTOP.INI
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\APPHELP.DLL
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NETWORKEXPLORER.DLL
 
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MICROSOFT VISUAL STUDIO 10.0\COMMON7\TOOLS\ATLTRACETOOL8.EXE
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CATROOT\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\PRNLX00Y.CAT
 
    \DEVICE\HARDDISKVOLUME1\$MFT
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CATROOT\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\PRNLX005.CAT
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\DRIVERS\SRTSP.CAT
 
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\WINDOWS LIVE\MAIL\WLMAIL.EXE
 
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000038.DB
 
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES
 
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE
 
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0
 
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER
 
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MICROSOFT VISUAL STUDIO 10.0
 
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MICROSOFT VISUAL STUDIO 10.0\COMMON7
 
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MICROSOFT VISUAL STUDIO 10.0\COMMON7\TOOLS
 
    \DEVICE\HARDDISKVOLUME1\USERS
 
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL
 
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA
 
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL
 
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\MICROSOFT
 
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\MICROSOFT\WINDOWS
 
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES
 
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\VMWARE
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\FONTS
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\GLOBALIZATION
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\GLOBALIZATION\SORTING
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CATROOT
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CATROOT\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\DRIVERS
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4927_NONE_D08A205E442DB5B5
 
    \DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7600.16661_NONE_420FE3FA2B8113BD
 
  </associated_files>
 
</prefetch>
 
</pre>
 
 
==See Also==
 
* [[Prefetch]]
 
 
[[Category:Digital Forensics XML]]
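Review bot: The `<associated_files>` element at the end of the XML example carries its list as newline-separated text rather than one child element per path, so a consumer must split on whitespace and any data binding that trims or collapses text will silently merge or drop entries; wrapping each entry, e.g. `<file>\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL</file>`, makes the list addressable by XPath and keeps paths containing spaces unambiguous. The `<atime>` and `<creation>` values (`2011-02-07T12:24:52`, `2010-08-18T06:13:10`) carry no timezone designator, and prefetch timestamps are normally stored as UTC FILETIME values, so a `Z` suffix or a stated convention would stop an analyst from reading them as local time; `<creation>` also sits outside both `<header>` and `<volume>`, leaving it unclear whose creation time it records. The declaration's `encoding='ISO-8859-1'` cannot represent non-Latin characters that NTFS file names may contain, so UTF-8 would be the safer choice for an interchange format. A short sentence above the example stating that `<runs>`, `<atime>` and the file list are read from the prefetch file itself would help readers understand why the artifact is useful as evidence of execution.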
 

Latest revision as of 02:31, 8 August 2013