Difference between pages "Windows Prefetch File Format" and "Gzip"

From ForensicsWiki

A Windows Prefetch file consists of one file header and multiple file sections with different content. Not all content has an obvious forensic value.

== File format ==

As far as it has been possible to ascertain, there is no public description of the format. The description below has been synthesised from examination of multiple prefetch files.

== Characteristics ==

Integer values are stored in little-endian.

Strings are stored as [http://en.wikipedia.org/wiki/UTF-16/UCS-2 UTF-16 little-endian] without a byte-order-mark (BOM).

Timestamps are stored as [http://msdn2.microsoft.com/en-us/library/ms724284.aspx Windows FILETIME] in UTC.

=== File header ===

{| class="wikitable"
|-
! Field
! Offset
! Length
! Type
! Notes
|-
| H1
| 0x0000
| 4
| DWORD
| Format version (see format version section below)
|-
| H2
| 0x0004
| 4
| DWORD
| Signature 'SCCA' (or in hexadecimal representation 0x53 0x43 0x43 0x41)
|-
| H3
| 0x0008
| 4
| DWORD?
| Unknown - Values observed: 0x0F - Windows XP, 0x11 - Windows 7, Windows 8.1
|-
| H4
| 0x000C
| 4
| DWORD
| Prefetch file size (or length) (sometimes referred to as End of File (EOF)).
|-
| H5
| 0x0010
| 60
| USTR
| The name of the (original) executable as a Unicode (UTF-16 little-endian) string, up to 29 characters and terminated by an end-of-string character (U+0000). This name should correspond with the one in the prefetch file filename.
|-
| H6
| 0x004C
| 4
| DWORD
| The prefetch hash. This hash value should correspond with the one in the prefetch file filename.
|-
| H7
| 0x0050
| 4
| ?
| Unknown (flags)? Values observed: 0 for almost all prefetch files (XP); 1 for NTOSBOOT-B00DFAAD.pf (XP)
|}

=== Format version ===

{| class="wikitable"
|-
! Value
! Windows version
|-
| 17 (0x11)
| Windows XP, Windows 2003
|-
| 23 (0x17)
| Windows Vista, Windows 7
|-
| 26 (0x1a)
| Windows 8.1 (note this could be Windows 8 as well but has not been confirmed)
|}

=== File information - version 17 ===

The following part of the file header is version dependent. It is sometimes considered part of the file header. Below is the structure for format version 17.

{| class="wikitable"
|-
! Field
! Offset
! Length
! Type
! Notes
|-
| H8
| 0x0054
| 4
| DWORD
| The offset to section A. The offset is relative from the start of the file.
|-
| H9
| 0x0058
| 4
| DWORD
| The number of entries in section A.
|-
| H10
| 0x005C
| 4
| DWORD
| The offset to section B. The offset is relative from the start of the file.
|-
| H11
| 0x0060
| 4
| DWORD
| The number of entries in section B.
|-
| H12
| 0x0064
| 4
| DWORD
| The offset to section C. The offset is relative from the start of the file.
|-
| H13
| 0x0068
| 4
| DWORD
| Length of section C.
|-
| H14
| 0x006C
| 4
| DWORD
| Offset to section D. The offset is relative from the start of the file.
|-
| H15
| 0x0070
| 4
| DWORD
| Unknown ? (Previously opted: Probably the number of entries in the D section header.)
|-
| H16
| 0x0074
| 4
| DWORD
| Unknown ? (Previously opted: Length of section D)
|-
| H17
| 0x0078
| 8
| FTIME
| Latest execution time (or run time) of executable (FILETIME)
|-
| H18
| 0x0080
| 16
| ?
| Unknown ? Possibly structured as 4 DWORD. Observed values: /0x00000000 0x00000000 0x00000000 0x00000000/, /0x47868c00 0x00000000 0x47860c00 0x00000000/ (don't exclude the possibility here that this is remnant data)
|-
| H19
| 0x0090
| 4
| DWORD
| Execution counter (or run count)
|-
| H20
| 0x0094
| 4
| DWORD?
| Unknown ? Observed values: 1, 2, 3, 4, 5, 6 (XP)
|}

It's worth noting that the name of a carved prefetch file can be restored using the information in fields H5 and H6, and its size can be determined by field H4.
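The header layout above, turned into a parser as an added example (this is not code from the wiki page or from the libssca project). It reads H1-H7 from the common header, rebuilds the expected NAME-HASH.pf file name from H5 and H6, and for format version 17 reads the section offsets, the run time (H17, a FILETIME) and the run count (H19). The sample header bytes, the hash and the section offsets are constructed for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

SIGNATURE = b"SCCA"
VERSIONS = {17: "Windows XP, Windows 2003", 23: "Windows Vista, Windows 7", 26: "Windows 8.1"}
EPOCH_DIFF = 116444736000000000  # FILETIME ticks (100 ns) from 1601-01-01 to 1970-01-01

def filetime_to_datetime(ft):
    # FILETIME counts 100-nanosecond intervals since 1601-01-01 00:00:00 UTC.
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_prefetch_header(data):
    """Return the common header fields H1-H7 and, for format version 17, H8-H20."""
    if len(data) < 0x54:
        raise ValueError("too short for a prefetch file header")
    version, sig, unknown, size, raw_name, exe_hash, flags = struct.unpack_from("<I4sII60sII", data, 0)
    if sig != SIGNATURE:
        raise ValueError("no SCCA signature at offset 0x0004")
    name = raw_name.decode("utf-16-le").split("\x00", 1)[0]
    hdr = {
        "version": version, "windows": VERSIONS.get(version, "unknown"),
        "h3_unknown": unknown, "file_size": size, "exe_name": name, "hash": exe_hash,
        "h7_flags": flags,
        # H5 and H6 are enough to rebuild the file name of a carved prefetch file.
        "expected_filename": "%s-%08X.pf" % (name, exe_hash),
    }
    if version == 17 and len(data) >= 0x98:
        (hdr["section_a_offset"], hdr["section_a_entries"],
         hdr["section_b_offset"], hdr["section_b_entries"],
         hdr["section_c_offset"], hdr["section_c_length"],
         hdr["section_d_offset"], hdr["h15_unknown"], hdr["h16_unknown"],
         run_ft, hdr["h18_unknown"], hdr["run_count"], hdr["h20_unknown"],
         ) = struct.unpack_from("<9IQ16sII", data, 0x54)
        hdr["last_run"] = filetime_to_datetime(run_ft)
    return hdr

# Constructed sample (not from a real system): version 17, NOTEPAD.EXE with a made-up hash,
# last run 2013-11-28 02:05:00 UTC, run count 3; the section offsets are placeholders.
SAMPLE = struct.pack(
    "<I4sII60sII", 17, SIGNATURE, 0x0F, 0x1000, "NOTEPAD.EXE".encode("utf-16-le"), 0x1234ABCD, 0,
) + struct.pack(
    "<9IQ16sII", 0x98, 12, 0x188, 40, 0x368, 0x600, 0x968, 1, 0x100,
    EPOCH_DIFF + 1385604300 * 10_000_000, b"\0" * 16, 3, 1,
)

if __name__ == "__main__":
    for key, value in parse_prefetch_header(SAMPLE).items():
        print("%-20s %s" % (key, value))
```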

== Section A ==

This section contains an array with 20 byte (version 17) or 32 byte (version 23 and 26) entry records.

The actual format and usage of these entry records is currently not known.

== Section B ==

This section contains an array with 12 byte (version 17, 23 and 26) entry records.

The actual format and usage of these entry records is currently not known.

== Section C ==

This section contains an array of UTF-16 little-endian formatted strings with end-of-string characters (U+0000).

At the end of the section there seems to be alignment padding that can contain remnant values.

== Section D - Volume information (block) ==

Section D contains one or more subsections. The number is (most likely) determined by the DWORD at file offset 0x0070. Each subsection refers to directories on an identified volume.

In this section, all offsets are assumed to be counted from the start of the D section.

=== Volume information - version 17 ===

The following values are version dependent. Below is the structure for format version 17.

{| class="wikitable"
|-
! Field
! Offset
! Length
! Type
! Notes
|-
| DH1
| +0x0000
| 4
| DWORD
| Offset to volume string (Unicode, terminated by U+0000)
|-
| DH2
| +0x0004
| 4
| DWORD
| Length of volume string (number of characters, including terminating U+0000)
|-
| DH3
| +0x0008
| 8
| FTIME
| (File time)
|-
| DH4
| +0x0010
| 4
| DWORD
| Volume serial number of volume indicated by volume string
|-
| DH5
| +0x0014
| 4
| DWORD
| ? Offset to section DHS1
|-
| DH6
| +0x0018
| 4
| DWORD
| ? Length of section DHS1 (in bytes)
|-
| DH7
| +0x001C
| 4
| DWORD
| ? Offset to section DHS2
|-
| DH8
| +0x0020
| 4
| DWORD
| ? Number of strings in section DHS2
|-
| ?
| +0x0024
| ?
| ?
| ? additional 28 bytes (includes one timestamp?)
|}

If all the executables and libraries referenced in the C section are from one single disk volume, there will be only one section in the D section. If multiple volumes are referenced by section C, section D will contain multiple sections. A simple way to force this situation is to copy, say, NOTEPAD.EXE to a USB drive, and start it from that volume. The corresponding prefetch file will have one D header referring to, e.g. \DEVICE\HARDDISK1\DP(1)0-0+4 (the USB drive), and one to, e.g. \DEVICE\HARDDISKVOLUME1\ (where the .DLLs and other support files were found).

== See Also ==

* [[Prefetch]]

== External Links ==

* [https://googledrive.com/host/0B3fBvzttpiiSbl9XZGZzQ05hZkU/Windows%20Prefetch%20File%20(PF)%20format.pdf Windows Prefetch File (PF) format], by the [[libssca|libssca project]]

Revision as of 02:05, 28 November 2013

== File format ==

The gzip file (.gz) format consists of:

* a file header
* optional headers
** extra fields
** original file name
** comment
** header checksum
* a body, containing a DEFLATE-compressed payload
* a file footer

=== File header ===

The file header is 10 bytes in size and contains:

{| class="wikitable"
! align="left"| Offset
! Size
! Value
! Description
|-
| 0
| 2
| 0x1f 0x8b
| Signature (or identification byte 1 and 2)
|-
| 2
| 1
|
| Compression method
|-
| 3
| 1
|
| Flags
|-
| 4
| 4
|
| Last modification time <br> Contains a POSIX timestamp.
|-
| 8
| 1
|
| Extra flags
|-
| 9
| 1
|
| Operating system <br> Value that indicates on which operating system the gzip file was created.
|}

==== Compression method ====

{| class="wikitable"
! align="left"| Value
! Identifier
! Description
|-
| 0 - 7
|
| Reserved
|-
| 8
| "deflate"
| zlib compressed data
|}

==== Flags ====

{| class="wikitable"
! align="left"| Value
! Identifier
! Description
|-
| 0x01
| FTEXT
| If set the uncompressed data needs to be treated as text instead of binary data. <br> This flag hints end-of-line conversion for cross-platform text files but does not enforce it.
|-
| 0x02
| FHCRC
| The file contains a header checksum (CRC-16)
|-
| 0x04
| FEXTRA
| The file contains extra fields
|-
| 0x08
| FNAME
| The file contains an original file name string
|-
| 0x10
| FCOMMENT
| The file contains a comment
|-
| 0x20
|
| Reserved
|-
| 0x40
|
| Reserved
|-
| 0x80
|
| Reserved
|}

<b>Note:</b> The FHCRC bit was never set by versions of gzip up to 1.2.4, even though it was documented with a different meaning in gzip 1.2.4.

==== Extra flags ====

If the compression method is 8 the following extra flags can be defined:

{| class="wikitable"
! align="left"| Value
! Identifier
! Description
|-
| 0x02
|
| compressor used maximum compression, slowest algorithm
|-
| 0x04
|
| compressor used fastest algorithm
|}

==== Operating system ====

{| class="wikitable"
! align="left"| Value
! Identifier
! Description
|-
| 0
|
| FAT filesystem (MS-DOS, OS/2, NT/Win32)
|-
| 1
|
| Amiga
|-
| 2
|
| VMS (or OpenVMS)
|-
| 3
|
| Unix
|-
| 4
|
| VM/CMS
|-
| 5
|
| Atari TOS
|-
| 6
|
| HPFS filesystem (OS/2, NT)
|-
| 7
|
| Macintosh
|-
| 8
|
| Z-System
|-
| 9
|
| CP/M
|-
| 10
|
| TOPS-20
|-
| 11
|
| NTFS filesystem (NT)
|-
| 12
|
| QDOS
|-
| 13
|
| Acorn RISCOS
|-
| 255
|
| unknown
|}

=== Optional headers ===

==== Extra fields ====

<b>TODO: add description</b>

The extra field is of variable size and contains:

{| class="wikitable"
! align="left"| Offset
! Size
! Value
! Description
|-
| 0
| 2
|
| Extra field data size <br> Value in bytes.
|-
| 2
| ...
|
| Extra field data
|}

==== Original file name ====

This is the original name of the file being compressed, with any directory components removed, and, if the file being compressed is on a file system with case insensitive names, forced to lower case.

Contains an ISO 8859-1 (LATIN-1) string with end-of-string character.

==== Comment ====

Contains an ISO 8859-1 (LATIN-1) string with end-of-string character. Line breaks should be denoted by a single line feed character.

==== Header checksum ====

The header checksum contains a CRC-16 that consists of the two least significant bytes of the CRC-32 for all bytes of the gzip header up to and not including the CRC-16.

=== File footer ===

The file footer is 8 bytes in size and contains:

{| class="wikitable"
! align="left"| Offset
! Size
! Value
! Description
|-
| 0
| 4
|
| Checksum (CRC-32)
|-
| 4
| 4
|
| Uncompressed data size <br> Value in bytes.
|}
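The header, optional headers and footer described above, walked by a parser as an added example (not code from the wiki page or the gzip project). It checks the signature and compression method, follows the FEXTRA, FNAME, FCOMMENT and FHCRC flags in the order the format lays them out, verifies the CRC-16 as the low 16 bits of the CRC-32 over the header bytes before it, inflates the raw DEFLATE body and checks the footer CRC-32 and size against the inflated payload. The small writer at the end only exists to construct the sample file and sets FHCRC, which (as noted above) real gzip rarely does.

```python
import struct
import zlib

# Flag bits from the Flags table above.
FTEXT, FHCRC, FEXTRA, FNAME, FCOMMENT = 0x01, 0x02, 0x04, 0x08, 0x10
OS_NAMES = {0: "FAT", 3: "Unix", 7: "Macintosh", 11: "NTFS", 255: "unknown"}

def _cstring(data, pos):
    # ISO 8859-1 string terminated by a NUL byte; returns (text, offset after the NUL).
    end = data.index(b"\0", pos)
    return data[pos:end].decode("latin-1"), end + 1

def parse_gzip(data):
    """Parse the header, optional headers and footer of a single-member .gz and inflate the body."""
    if data[:2] != b"\x1f\x8b":
        raise ValueError("missing gzip signature 0x1f 0x8b")
    cm, flags, mtime, xfl, os_id = struct.unpack_from("<BBIBB", data, 2)
    if cm != 8:
        raise ValueError("compression method %d is reserved, only 8 (deflate) is defined" % cm)
    info = {"flags": flags, "mtime": mtime, "xfl": xfl, "os": OS_NAMES.get(os_id, str(os_id))}
    pos = 10
    if flags & FEXTRA:                       # 2-byte size, then the extra field data
        (xlen,) = struct.unpack_from("<H", data, pos)
        info["extra"], pos = data[pos + 2:pos + 2 + xlen], pos + 2 + xlen
    if flags & FNAME:
        info["name"], pos = _cstring(data, pos)
    if flags & FCOMMENT:
        info["comment"], pos = _cstring(data, pos)
    if flags & FHCRC:                        # CRC-16 = low 16 bits of CRC-32 over the header so far
        (hcrc,) = struct.unpack_from("<H", data, pos)
        if hcrc != zlib.crc32(data[:pos]) & 0xFFFF:
            raise ValueError("header CRC-16 mismatch")
        pos += 2
    inflater = zlib.decompressobj(-15)       # -15: raw DEFLATE without a zlib wrapper
    payload = inflater.decompress(data[pos:]) + inflater.flush()
    if not inflater.eof or len(inflater.unused_data) < 8:
        raise ValueError("body or footer truncated")
    crc32, isize = struct.unpack_from("<II", inflater.unused_data, 0)
    if crc32 != zlib.crc32(payload) or isize != len(payload) & 0xFFFFFFFF:
        raise ValueError("footer CRC-32 / ISIZE mismatch: payload corrupted")
    info["payload"] = payload
    return info

def build_gzip(payload, name, comment=None, mtime=0, os_id=3):
    """Writer used only to construct the sample: FNAME, FHCRC and optionally FCOMMENT set."""
    flags = FNAME | FHCRC | (FCOMMENT if comment else 0)
    hdr = b"\x1f\x8b" + struct.pack("<BBIBB", 8, flags, mtime, 0, os_id) + name.encode("latin-1") + b"\0"
    if comment:
        hdr += comment.encode("latin-1") + b"\0"
    hdr += struct.pack("<H", zlib.crc32(hdr) & 0xFFFF)
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    body = deflater.compress(payload) + deflater.flush()
    return hdr + body + struct.pack("<II", zlib.crc32(payload), len(payload) & 0xFFFFFFFF)
```

A single flipped byte in the file name or in the footer is reported by the CRC-16 or CRC-32 check respectively, which is the distinction a carver needs between a damaged header and a damaged body.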

== External Links ==

* [http://www.gzip.org/format.txt The gzip file format], by the [http://www.gzip.org/ gzip project]
* [http://www.gzip.org/algorithm.txt The gzip compression algorithm], by the [http://www.gzip.org/ gzip project]
* [http://tools.ietf.org/html/rfc1952 RFC1952: GZIP file format specification version 4.3], by [[IETF]]
* [http://en.wikipedia.org/wiki/Gzip Wikipedia: gzip]

[[Category:File Formats]]