Difference between pages "Prefetch" and "Executable"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
 
(DBG, PDB)
 
Line 1: Line 1:
{{Expand}}
+
{{expand}}
Windows Prefetch files, introduced in [[Windows|Windows XP]], are designed to speed up the application startup process. Prefetch files contain the name of the executable, a Unicode list of DLLs used by that executable, a count of how many times the executable has been run, and a timestamp indicating the last time the program was run. Although Prefetch is present in Windows 2003, by default it is only enabled for boot prefetching. The feature is also found in [[Windows|Windows Vista]], where it has been augmented with [[SuperFetch]], [[ReadyBoot]], and [[ReadyBoost]]. For SSD drives Prefetch is disabled by default [http://blogs.msdn.com/b/e7/archive/2009/05/05/support-and-q-a-for-solid-state-drives-and.aspx].
+
  
Up to 128 Prefetch files are stored in the <tt>%SystemRoot%\Prefetch</tt> directory [http://blogs.msdn.com/ryanmy/archive/2005/05/25/421882.aspx]. Each file in that directory should contain the name of the application, a dash, and then an eight character hash of the location from which that application was run, and a <tt>.pf</tt> extension. The filenames should be all uppercase except for the extension. The format of hashes is not known. A sample filename for [[md5deep]] would look like: <tt>MD5DEEP.EXE-4F89AB0C.pf</tt>. If an application is run from two different locations on the drive (i.e. the user runs <tt>C:\md5deep.exe</tt> and then <tt>C:\Apps\Hashing\md5deep.exe</tt>), there will be two different prefetch files in the Prefetch folder.
+
An executable file is used to perform tasks according to encoded instructions. Executable files are sometimes also referred to as binaries which technically can be considered a sub class of executable files.
  
== File format ==
+
There are multiple families of executable files:
Each Prefetch file has a 4-byte signature (at offset 4) "SCCA" (or in hexadecimal notation 0x53 0x43 0x43 0x41). The signature is assumed to be preceded by a 4-byte format version indicator:
+
* Scripts; e.g. shell scripts, batch scripts (.bat)
* 17 (0x00000011) for [[Windows XP]] and [[Windows 2003]]
+
* DOS, Windows executable files (.exe) which can be of various formats like: MZ, PE/COFF, NE
* 23 (0x00000017) for [[Windows Vista]], [[Windows 2008]], [[Windows 7]] and [[Windows 2012]] (note Windows 2012 has not been confirmed)
+
* ELF
* 26 (0x0000001a) for [[Windows 8|Windows 8.1]] (note this could be Windows 8 as well but has not been confirmed)
+
* Mach-O
  
For more information about the file format see: [[Windows Prefetch File Format]]
+
== External Links ==
 +
* [http://en.wikipedia.org/wiki/Executable Wikipedia: Executable]
  
== Metadata ==
+
=== MZ, PE/COFF ===
The Prefetch file contains various metadata.
+
* [http://en.wikipedia.org/wiki/Portable_Executable Wikipedia: Portable Executable]
* The executable's name, up to 29 characters.
+
* [http://msdn.microsoft.com/en-us/windows/hardware/gg463119.aspx Microsoft PE and COFF Specification]
* The run count, or number of times the application has been run.
+
* [https://googledrive.com/host/0B3fBvzttpiiSd1dKQVU0WGVESlU/Executable%20(EXE)%20file%20format.pdf MZ, PE-COFF executable file format (EXE)], by the [[libexe|libexe project]], October 2011
* Volume related information, like volume path and volume serial number.
+
* [http://seclists.org/fulldisclosure/2013/Oct/157 The Internal of Reloc .text], Full Disclosure Mailing list, October 21, 2013
* The size of the Prefetch file (sometimes referred to as end of file (EOF)).
+
* The files and directories that were used doing the application's start-up.
+
  
=== Timestamps ===
+
=== DBG, PDB ===
The Prefetch file contains 2 types of timestamps
+
* [http://en.wikipedia.org/wiki/Program_database Wikipedia: Program database]
* The time when the application was last ran (executed). Version 26 of the Prefetch format maintains 7 previous last run times.
+
* [http://support.microsoft.com/kb/121366 Description of the .PDB files and of the .DBG files], by [[Microsoft]]
* The volume creation time (part of the volume information).
+
* [http://msdn.microsoft.com/en-us/library/ff553493(v=vs.85).aspx Public and Private Symbols], by [[Microsoft]]
 +
* [http://msdn.microsoft.com/en-us/library/windows/desktop/ms679293(v=vs.85).aspx DbgHelp Structures], by [[Microsoft]]
 +
* [https://code.google.com/p/pdbparse/wiki/StreamDescriptions Stream Descriptions], [https://code.google.com/p/pdbparse/ pdbparse project]
 +
* [http://moyix.blogspot.ch/2007/10/types-stream.html The Types Stream], by [[Brendan Dolan-Gavitt]], October 4, 2007
 +
* [https://code.google.com/p/google-breakpad/source/browse/trunk/src/google_breakpad/common/minidump_format.h minidump_format.h]
  
The creation date of the Prefetch file indicates the first time the application was executed. Both the modification date of the Prefetch file and the embedded Last Run timestamp indicate the last time the application was executed.
+
=== Mach-O ===
 
+
* [http://en.wikipedia.org/wiki/Mach-O Wikipedia: Mach-O]
== Prefetch hash ==
+
There are multiple known hashing functions to be used for prefetch file filename hashing, namely:
+
* SCCA XP hash function; used on Windows XP and Windows 2003
+
* SCCA Vista hash function; used on Windows Vista
+
* SCCA 2008 hash function; used on Windows 2008, Windows 7, (possibly: Windows 2012) and Windows 8 (including 8.1)
+
 
+
=== SCCA XP hash function ===
+
A Python implementation of the SCCA XP hash function:
+
 
+
<pre>
+
def ssca_xp_hash_function(filename):
+
    hash_value = 0
+
    for character in filename:
+
        hash_value = ((hash_value * 37) + ord(character)) % 0x100000000
+
        hash_value = (hash_value * 314159269) % 0x100000000
+
        if hash_value > 0x80000000:
+
            hash_value = 0x100000000 - hash_value
+
 
+
    return (abs(hash_value) % 1000000007) % 0x100000000
+
</pre>
+
 
+
=== SCCA Vista hash function ===
+
A Python implementation of the SCCA Vista hash function:
+
 
+
<pre>
+
def ssca_vista_hash_function(filename):
+
    hash_value = 314159
+
    for character in filename:
+
        hash_value = ((hash_value * 37) + ord(character)) % 0x100000000
+
    return hash_value
+
</pre>
+
 
+
=== SCCA 2008 hash function ===
+
A Python implementation of the SCCA 2008 hash function:
+
 
+
<pre>
+
def ssca_2008_hash_function(filename):
+
    hash_value = 314159
+
    filename_index = 0
+
    filename_length = len(filename)
+
    while filename_index + 8 < filename_length:
+
        character_value = ord(filename[filename_index + 1]) * 37
+
        character_value += ord(filename[filename_index + 2])
+
        character_value *= 37
+
        character_value += ord(filename[filename_index + 3])
+
        character_value *= 37
+
        character_value += ord(filename[filename_index + 4])
+
        character_value *= 37
+
        character_value += ord(filename[filename_index + 5])
+
        character_value *= 37
+
        character_value += ord(filename[filename_index + 6])
+
        character_value *= 37
+
        character_value += ord(filename[filename_index]) * 442596621
+
        character_value += ord(filename[filename_index + 7])
+
        hash_value = ((character_value - (hash_value * 803794207)) % 0x100000000)
+
        filename_index += 8
+
 
+
    while filename_index < filename_length:
+
      hash_value = (((37 * hash_value) + ord(filename[filename_index])) % 0x100000000)
+
      filename_index += 1
+
 
+
    return hash_value
+
</pre>
+
 
+
== Registry Keys ==
+
<pre>
+
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
+
</pre>
+
 
+
The EnablePrefetcher Registry value can be used to disable prefetch.
+
 
+
== See Also ==
+
* [[Windows Prefetch File Format]]
+
* [[SuperFetch]]
+
* [[Prefetch XML]]
+
* [[Windows]]
+
 
+
== External Links ==
+
* [http://msdn.microsoft.com/msdnmag/issues/01/12/XPKernel/default.aspx More detail from Microsoft]
+
* [http://en.wikipedia.org/wiki/Prefetcher Wikipedia Prefetcher]
+
* [http://msdn.microsoft.com/en-us/library/ms940847(v=winembedded.5).aspx MSDN: Disabling Prefetch]
+
* [http://www.microsoft.com/whdc/driver/kernel/XP_kernel.mspx Kernel Enhancements for Windows XP], by [[Microsoft]], January 13, 2003 (Microsoft's description of Prefetch when Windows XP was introduced)
+
* [http://blogs.msdn.com/b/ryanmy/archive/2005/05/25/421882.aspx Misinformation and the The Prefetch Flag], MSDN Blogs, May 25, 2005
+
* [http://windowsir.blogspot.ch/2005/07/prefetch-file-metadata.html Prefetch file metadata], by [[Harlan Carvey]], July 13, 2005
+
* [http://windowsir.blogspot.ch/2006/04/prefetch-files-revisited.html Prefetch files, revisited], by [[Harlan Carvey]], April 13, 2006
+
* [http://blogs.msdn.com/b/e7/archive/2009/05/05/support-and-q-a-for-solid-state-drives-and.aspx Support and Q&A for Solid-State Drives], by Steven Sinofsky, May 5, 2009
+
* [http://computer-forensics.sans.org/blog/2009/08/05/de-mystifying-defrag-identifying-when-defrag-has-been-used-for-anti-forensics-part-1-windows-xp/ De-mystifying Defrag: Identifying When Defrag Has Been Used for Anti-Forensics (Part 1 - Windows XP)], by [[Chad Tilbury]], August 5, 2009
+
* [http://www.swiftforensics.com/2010/04/the-windows-prefetchfile.html Windows Prefetch File (old blog entry from 42 LLC)], by [[Yogesh Khatri]], April 14, 2010
+
* [http://www.dfinews.com/articles/2010/12/decoding-prefetch-files-forensic-purposes-part-1 Decoding Prefetch Files for Forensic Purposes: Part 1], by [[Mark Wade]], December 8, 2010
+
* [http://crucialsecurityblog.harris.com/2011/04/11/prefetch-files-at-face-value/ Prefetch Files at Face Value], by [[Mark Wade]], April 11, 2011
+
* [http://kitrap08.blogspot.hk/2011/07/windows-logical-prefetcher.html Windows Logical Prefetcher], TTS blog, July 30, 2011 (article is in Russian)
+
* [http://labit.in/pliki-prefetch-w-windows/ Prefetch i niedokładny licznik] by Paweł Hałdrzyński, August 20, 2011 (article in Polish; uncertain about the year of publication)
+
* [http://windowsir.blogspot.ch/2012/03/prefetch-analysis-revisited.html Prefetch Analysis, Revisited], by [[Harlan Carvey]], March 8, 2012
+
* [http://windowsir.blogspot.ch/2012/03/prefetch-analysis-revisitedagain.html Prefetch Analysis, Revisited...Again...], by [[Harlan Carvey]], March 15, 2012
+
* [http://www.hexacorn.com/blog/2012/06/13/prefetch-hash-calculator-a-hash-lookup-table-xpvistaw7w2k3w2k8/ Prefetch Hash Calculator + a hash lookup table xp/vista/w7/w2k3/w2k8], Hexacorn blog, June 13, 2012
+
* [http://www.hexacorn.com/blog/2012/10/29/prefetch-file-names-and-unc-paths/ Prefetch file names and UNC paths], Hexacorn blog, October 29, 2012
+
* [http://journeyintoir.blogspot.ch/2012/12/ntosboot-prefetch-file.html NTOSBOOT Prefetch File], by [[Corey Harrell]], December 5, 2012
+
* [http://www.invoke-ir.com/2013/09/whats-new-in-prefetch-for-windows-8.html What's New in the Prefetch for Windows 8??], by Jared Atkinson, September 21, 2013
+
* [http://www.swiftforensics.com/2013/10/windows-prefetch-pf-files.html?m=1 Windows Prefetch (.PF) files], by [[Yogesh Khatri]], October 21, 2013
+
  
 
== Tools ==
 
== Tools ==
  
=== Commercial ===
+
=== MZ, PE/COFF ===
 
+
* [https://code.google.com/p/pefile/ pefile], multi-platform Python module to read and work with Portable Executable (aka PE) files
=== Free - Non Open Source ===
+
* [http://www.woanware.co.uk/forensics/prefetchforensics.html PrefetchForensics], PrefetchForensics is an application to extract information from Windows Prefetch files
+
* [http://redwolfcomputerforensics.com/index.php?option=com_content&task=view&id=42&Itemid=55 Prefetch-Parser], Parse the prefetch files and display information
+
* [http://www.mitec.cz/wfa.html Windows File Analyzer] - Parses Prefetch files, thumbnail databases, shortcuts, index.dat files, and the recycle bin
+
* [http://www.tzworks.net/prototype_page.php?proto_id=1 Windows Prefetch Parser (pf)], Free tool that can be run on Windows, Linux or Mac OS-X
+
  
=== Open Source ===
+
=== PDB ===
* [https://code.google.com/p/prefetch-tool/ prefetch-tool], Script to extract information from windows prefetch folder
+
* [https://code.google.com/p/pdbparse/ pdbparse], Open-source parser for Microsoft debug symbols (PDB files)

Revision as of 05:18, 2 November 2013

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

An executable file is used to perform tasks according to encoded instructions. Executable files are sometimes also referred to as binaries which technically can be considered a sub class of executable files.

There are multiple families of executable files:

  • Scripts; e.g. shell scripts, batch scripts (.bat)
  • DOS, Windows executable files (.exe) which can be of various formats like: MZ, PE/COFF, NE
  • ELF
  • Mach-O

External Links

MZ, PE/COFF

DBG, PDB

Mach-O

Tools

MZ, PE/COFF

  • pefile, multi-platform Python module to read and work with Portable Executable (aka PE) files

PDB

  • pdbparse, Open-source parser for Microsoft debug symbols (PDB files)