Difference between pages "Prefetch" and "Windows Prefetch File Format"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(External Links)
 
 
Line 1: Line 1:
{{Expand}}
+
{{expand}}
Windows Prefetch files, introduced in [[Windows|Windows XP]], are designed to speed up the application startup process. Prefetch files contain the name of the executable, a Unicode list of DLLs used by that executable, a count of how many times the executable has been run, and a timestamp indicating the last time the program was run. Although Prefetch is present in Windows 2003, by default it is only enabled for boot prefetching. The feature is also found in [[Windows|Windows Vista]], where it has been augmented with [[SuperFetch]], [[ReadyBoot]], and [[ReadyBoost]]. For SSD drives Prefetch is disabled by default [http://blogs.msdn.com/b/e7/archive/2009/05/05/support-and-q-a-for-solid-state-drives-and.aspx].
+
  
Up to 128 Prefetch files are stored in the <tt>%SystemRoot%\Prefetch</tt> directory [http://blogs.msdn.com/ryanmy/archive/2005/05/25/421882.aspx]. Each file in that directory should contain the name of the application, a dash, and then an eight character hash of the location from which that application was run, and a <tt>.pf</tt> extension. The filenames should be all uppercase except for the extension. The format of hashes is not known. A sample filename for [[md5deep]] would look like: <tt>MD5DEEP.EXE-4F89AB0C.pf</tt>. If an application is run from two different locations on the drive (i.e. the user runs <tt>C:\md5deep.exe</tt> and then <tt>C:\Apps\Hashing\md5deep.exe</tt>), there will be two different prefetch files in the Prefetch folder.
+
A Windows Prefetch file consists of one file header and multiple file sections with different content. Not all content has an obvious forensic value.
  
 +
As far as have been possible to ascertain, there is no public description of the format. The description below has been synthesised from examination
 +
of multiple prefetch files.
  
== File format ==
+
== Characteristics ==
Each Prefetch file has a 4-byte signature (at offset 4) "SCCA" (or in hexadecimal notation 0x53 0x43 0x43 0x41). The signature is assumed to be preceded by a 4-byte format version indicator:
+
Integer values are stored in little-endian.
* 0x00000011 for [[Windows XP]] and [[Windows 2003]]
+
* 0x00000017 for [[Windows Vista]] and [[Windows 7]]
+
* 0x0000001a for [[Windows 8|Windows 8.1]]
+
  
For more information about the file format see: [[Windows Prefetch File Format]]
+
Strings are stored as UTF-16 little-endian without a byte-order-mark (BOM).
  
== Timestamps ==
+
Timestamps are stored as Windows Filetime in UTC.
  
Both the [[NTFS]] timestamps for a Prefetch file and the timestamp embedded in each Prefetch file contain valuable information. The timestamp embedded within the Prefetch file is a 64-bit (QWORD) [http://msdn2.microsoft.com/en-us/library/ms724284.aspx FILETIME] object The creation date of the file indicates the first time the application was executed. Both the modification date of the file and the embedded timestamp indicate the last time the application was executed.
+
== Header ==
  
Windows will store timestamps according to Windows [http://msdn.microsoft.com/en-us/library/ms724290%28VS.85%29.aspx epoch].
+
This format has been observed on Windows XP, ...  will need to be modified for Vista/Win7 format
  
==== Creation Time ====
+
{| class="wikitable"
The creation time does not have a static offset on any Windows platform. The location of the creation time can be found using the offset 0x8 + length of Volume path offset. See section Volume for more information.
+
|-
 +
! Field
 +
! Offset
 +
! Length
 +
! Type
 +
! Notes
 +
|-
 +
| H1
 +
| 0x0000
 +
| 4
 +
| DWORD
 +
| Format version (see format version section below)
 +
|-
 +
| H2
 +
| 0x0004
 +
| 4
 +
| DWORD
 +
| Signature 'SCCA' (or in hexadecimal representation 0x53 0x43 0x43 0x4)
 +
|-
 +
| H3
 +
| 0x0008
 +
| 4
 +
| DWORD?
 +
| Unknown - Values observed: 0x0F - Windows XP, 0x11 - Windows 7, Windows 8.1
 +
|-
 +
| H4
 +
| 0x000C
 +
| 4
 +
| DWORD
 +
| Prefetch file length.
 +
|-
 +
| H5
 +
|0x0010
 +
| 60
 +
| USTR
 +
| Name of executable as Unicode string, truncated after 29 characters, if necessary, and terminated by an end-of-string character (U+0000). As it appears in the prefetch file file name.
 +
|-
 +
| H6
 +
|0x004C
 +
|4
 +
|DWORD
 +
|The prefetch hash, as it appears in the prefetch file name.
 +
|-
 +
| H7
 +
|0x0050
 +
|4
 +
|?
 +
| Unknown (flags)? Values observed: 0 for almost all prefetch files (XP); 1 for NTOSBOOT-B00DFAAD.pf (XP)
 +
|-
 +
|}
  
==== Last Run Time ====
+
The following part of the header is likely to be format version dependent structure for format version 0x11.
A timestamp of when the application was last ran is embedded into the Prefetch file.
+
The offset from the beginning of the file to the "Last Run Time" is located:
+
* at offset 0x78 on Windows XP and Windows 2003.
+
* at offset 0x80 on Windows Vista and Windows 7.
+
  
== MetaData ==
+
{| class="wikitable"
==== Header ====
+
|-
In each Prefetch file, the size of the header is stored and can be found at offset 0x54 on [[Windows|Windows XP]], [[Windows|Windows Vista]], and [[Windows|Windows 7]]. The header size for [[Windows|Windows XP]] is 0x98 (152) and 0xf0 (240) on Windows Vista and Windows 7.
+
! Field
 +
! Offset
 +
! Length
 +
! Type
 +
! Notes
 +
|-
 +
| H8
 +
| 0x0054
 +
| 4
 +
| DWORD
 +
| Offset to section A
 +
|-
 +
| H9
 +
| 0x0058
 +
| 4
 +
| DWORD
 +
| ? Nr of entries in section A
 +
|-
 +
| H10
 +
| 0x005C
 +
| 4
 +
| DWORD
 +
| Offset to section B
 +
|-
 +
| H11
 +
| 0x0060
 +
| 4
 +
| DWORD
 +
| Nr of entries in section B
 +
|-
 +
| H12
 +
| 0x0064
 +
| 4
 +
| DWORD
 +
| Offset to section C
 +
|-
 +
| H13
 +
| 0x0068
 +
| 4
 +
| DWORD
 +
| Length of section C
 +
|-
 +
| H14
 +
| 0x006C
 +
| 4
 +
| DWORD
 +
| Offset to section D
 +
|-
 +
| H15
 +
| 0x0070
 +
| 4
 +
| DWORD
 +
| ? Probably the number of entries in the D section header
 +
|-
 +
| H16
 +
| 0x0074
 +
| 4
 +
| DWORD
 +
| Length of section D
 +
|-
 +
| H17
 +
| 0x0078
 +
| 8
 +
| FTIME
 +
| Latest execution time of executable (FILETIME)
 +
|-
 +
| H18
 +
| 0x0080
 +
| 16
 +
| ?
 +
| ? Possibly structured as 4 DWORD. Observed values: /0x00000000 0x00000000 0x00000000 0x00000000/, /0x47868c00 0x00000000 0x47860c00 0x00000000/
 +
|-
 +
| H19
 +
| 0x0090
 +
| 4
 +
| DWORD
 +
| Execution counter
 +
|-
 +
| H20
 +
| 0x0094
 +
| 4
 +
| DWORD?
 +
| ? Observed values: 1, 2, 3, 4, 5, 6 (XP)
 +
|-
 +
|}
  
The Prefetch file will embed the application's name into the header at offset 0x10.
+
It's worth noting that the name of a carved prefetch file can be restored using the information in field H5 and H6, and its size can be determined by field H4.
  
==== Run Count ====
+
=== Format version ===
The run count, or number of times the application has been run, is a 4-byte (DWORD) value located at offset 0x90 from the beginning of the file on [[Windows|Windows XP]]. On [[Windows|Windows Vista]] and [[Windows|Windows 7]], the run time can be found at 0x98.
+
  
==== Volume ====
+
{| class="wikitable"
Volume related information, volume path and volume serial number, are embedded into the Prefetch file. The precise offset for this information is the same for each Prefetch file and Windows operating system. In the header at offset 0x6c, the location of the volume path is stored. The location is a 4-bytes (DWORD) value.
+
|-
 +
! Value
 +
! Windows version
 +
|-
 +
| 0x11
 +
| Windows XP, Windows 2003
 +
|-
 +
| 0x17
 +
| Windows Vista, Windows 7
 +
|-
 +
| 0x1a
 +
| Windows 8.1
 +
|-
 +
|}
  
At the location given from offset 0x6c, a 4-byte value is stored which is the number of bytes from current offset (location from offset 0x6c) to the beginning of the volume path string. The location from the offset 0x6c, for ease of reading, will be called the "volume path offset." The volume path is embedded as an [http://en.wikipedia.org/wiki/UTF-16/UCS-2 UTF-16] encoded string.
+
== Section A and B ==
  
The length of the volume path string is a 4-byte value is located at volume path offset + 0x4.
+
The content of these two sections is unknown.
  
The volume [http://en.wikipedia.org/wiki/Volume_serial_number serial number] is a 4-byte value that identifies a media storage. A serial number does not have a consistent offset within a Prefetch between Windows operating systems. The 4-byte value can be found eight (8) bytes from the creation time location. The [http://en.wikipedia.org/wiki/Vol_%28command%29 vol] command on Windows can verify the volume serial number.
+
== Section C ==
  
==== End of File ====
+
== Section D ==
The end of file (EOF) for each Prefetch file is located at offset 0xc. The location of EOF also denotes the size of the Prefetch file.
+
  
==== Files ====
+
Section D contains one or more subsections. The number is (most likely) determined by the DWORD at file offset 0x0070. Each subsection refers to directories on an identified volume.
  
Embedded within each Prefetch file are files and directories that were used doing the application's startup. The Prefetch file separates both filenames and directories into two different location in the file. Each string is encoded as a [http://en.wikipedia.org/wiki/UTF-16/UCS-2 UTF-16] string. Windows operating system uses UTF-16 encoding.
+
In this section, all offsets are assumed to be counted from the start of the D section.
  
The offset to the first set of filenames are at 0x64. The size of the first set of filenames can be found at offset 0x68. Both offsets are consistent between Windows XP, Windows Vista and Windows 7.
+
{| class="wikitable"
 +
|-
 +
! Field
 +
! Offset
 +
! Length
 +
! Type
 +
! Notes
 +
|-
 +
| DH1
 +
| +0x0000
 +
| 4
 +
| DWORD
 +
| Offset to volume string (Unicode, terminated by U+0000)
 +
|-
 +
| DH2
 +
| +0x0004
 +
| 4
 +
| DWORD
 +
| Length of volume string (nr of characters, including terminating U+0000)
 +
|-
 +
| DH3
 +
| +0x0008
 +
| 8
 +
| FTIME
 +
| (File time)
 +
|-
 +
| DH4
 +
| +0x0010
 +
| 4
 +
| DWORD
 +
| Volume serial number of volume indicated by volume string
 +
|-
 +
| DH5
 +
| +0x0014
 +
| 4
 +
| DWORD
 +
| ? Offset to section DHS1
 +
|-
 +
| DH6
 +
| +0x0018
 +
| 4
 +
| DWORD
 +
| ? Length of section DHS1 (in bytes)
 +
|-
 +
| DH7
 +
| +0x001C
 +
| 4
 +
| DWORD
 +
| ? Offset to section DHS2
 +
|-
 +
| DH8
 +
| +0x0020
 +
| 4
 +
| DWORD
 +
| ? Nr of strings in section DHS2
 +
|-
 +
| ?
 +
| +0x0024
 +
| ?
 +
| ?
 +
| ? additional 28 bytes (includes one timestamp?)
 +
|}
  
In the bottom section of the Prefetch file are UTF-16 strings of directories. At the time of this writing (7/2011), the precise offset and size of the directory listing is unknown. The distance between the end of the Volume Path string and the beginning of the directory strings is given. An approach to finding the offset to the beginning of the directories listing is to obtain the distance value and the offset when the Volume Path string ends (after the NULL bytes). The distance value is at volume path offset + 0x18 (24). The distance is a 4-byte (DWORD) value. The end of second set of strings will complete the Prefetch file. The size of the directory listing is calculated by subtracting the start position of the directory listing from the end of file position.
+
If all the executables and libraries referenced in the C section are from one single disk volume, there will be only one section in the D section. If multiple volumes are referenced by section C, section D will contain multiple sections. (A simple way to force this situation is to copy, say, NOTEPAD.EXE to a USB drive, and start it from that volume. The corresponding prefetch file will have one D header referring to, e.g. \DEVICE\HARDDISK1\DP(1)0-0+4 (the USB drive), and one to, e.g. \DEVICE\HARDDISKVOLUME1\ (where the .DLLs and other support files were found).
 
+
== Registry Keys ==
+
<pre>
+
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
+
</pre>
+
 
+
The EnablePrefetcher Registry value can be used to disable prefetch.
+
  
 
== See Also ==
 
== See Also ==
* [[Windows Prefetch File Format]]
+
* [[Prefetch]]
* [[SuperFetch]]
+
* [[Prefetch XML]]
+
* [[Windows]]
+
  
 
== External Links ==
 
== External Links ==
* [http://msdn.microsoft.com/msdnmag/issues/01/12/XPKernel/default.aspx More detail from Microsoft]
 
* [http://en.wikipedia.org/wiki/Prefetcher Wikipedia Prefetcher]
 
* [http://msdn.microsoft.com/en-us/library/ms940847(v=winembedded.5).aspx MSDN: Disabling Prefetch]
 
* [http://www.microsoft.com/whdc/driver/kernel/XP_kernel.mspx Kernel Enhancements for Windows XP], by [[Microsoft]], January 13, 2003 (Microsoft's description of Prefetch when Windows XP was introduced)
 
* [http://blogs.msdn.com/b/ryanmy/archive/2005/05/25/421882.aspx Misinformation and the The Prefetch Flag], MSDN Blogs, May 25, 2005
 
* [http://windowsir.blogspot.ch/2005/07/prefetch-file-metadata.html Prefetch file metadata], by [[Harlan Carvey]], July 13, 2005
 
* [http://windowsir.blogspot.ch/2006/04/prefetch-files-revisited.html Prefetch files, revisited], by [[Harlan Carvey]], April 13, 2006
 
* [http://blogs.msdn.com/b/e7/archive/2009/05/05/support-and-q-a-for-solid-state-drives-and.aspx Support and Q&A for Solid-State Drives], by Steven Sinofsky, May 5, 2009
 
* [http://computer-forensics.sans.org/blog/2009/08/05/de-mystifying-defrag-identifying-when-defrag-has-been-used-for-anti-forensics-part-1-windows-xp/ De-mystifying Defrag: Identifying When Defrag Has Been Used for Anti-Forensics (Part 1 - Windows XP)], by [[Chad Tilbury]], August 5, 2009
 
* [http://www.dfinews.com/articles/2010/12/decoding-prefetch-files-forensic-purposes-part-1 Decoding Prefetch Files for Forensic Purposes: Part 1], by [[Mark Wade]], December 8, 2010
 
* [http://crucialsecurityblog.harris.com/2011/04/11/prefetch-files-at-face-value/ Prefetch Files at Face Value], by [[Mark Wade]], April 11, 2011
 
* [http://windowsir.blogspot.ch/2012/03/prefetch-analysis-revisited.html Prefetch Analysis, Revisited], by [[Harlan Carvey]], March 8, 2012
 
* [http://windowsir.blogspot.ch/2012/03/prefetch-analysis-revisitedagain.html Prefetch Analysis, Revisited...Again...], by [[Harlan Carvey]], March 15, 2012
 
* [http://journeyintoir.blogspot.ch/2012/12/ntosboot-prefetch-file.html NTOSBOOT Prefetch File], by [[Corey Harrell]], December 5, 2012
 
* [http://www.invoke-ir.com/2013/09/whats-new-in-prefetch-for-windows-8.html What's New in the Prefetch for Windows 8??], by Jared Atkinson, September 21, 2013
 
 
== Tools ==
 
 
=== Commercial ===
 
 
=== Free - Non Open Source ===
 
* [http://www.woanware.co.uk/forensics/prefetchforensics.html PrefetchForensics], PrefetchForensics is an application to extract information from Windows Prefetch files
 
* [http://redwolfcomputerforensics.com/index.php?option=com_content&task=view&id=42&Itemid=55 Prefetch-Parser], Parse the prefetch files and display information
 
* [http://www.mitec.cz/wfa.html Windows File Analyzer] - Parses Prefetch files, thumbnail databases, shortcuts, index.dat files, and the recycle bin
 
* [http://www.tzworks.net/prototype_page.php?proto_id=1 Windows Prefetch Parser (pf)], Free tool that can be run on Windows, Linux or Mac OS-X
 
 
=== Open Source ===
 
* [https://code.google.com/p/prefetch-tool/ prefetch-tool], Script to extract information from windows prefetch folder
 

Revision as of 07:04, 20 October 2013

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

A Windows Prefetch file consists of one file header and multiple file sections with different content. Not all content has an obvious forensic value.

As far as have been possible to ascertain, there is no public description of the format. The description below has been synthesised from examination of multiple prefetch files.

Characteristics

Integer values are stored in little-endian.

Strings are stored as UTF-16 little-endian without a byte-order-mark (BOM).

Timestamps are stored as Windows Filetime in UTC.

Header

This format has been observed on Windows XP, ... will need to be modified for Vista/Win7 format

Field Offset Length Type Notes
H1 0x0000 4 DWORD Format version (see format version section below)
H2 0x0004 4 DWORD Signature 'SCCA' (or in hexadecimal representation 0x53 0x43 0x43 0x4)
H3 0x0008 4 DWORD? Unknown - Values observed: 0x0F - Windows XP, 0x11 - Windows 7, Windows 8.1
H4 0x000C 4 DWORD Prefetch file length.
H5 0x0010 60 USTR Name of executable as Unicode string, truncated after 29 characters, if necessary, and terminated by an end-of-string character (U+0000). As it appears in the prefetch file file name.
H6 0x004C 4 DWORD The prefetch hash, as it appears in the prefetch file name.
H7 0x0050 4 ? Unknown (flags)? Values observed: 0 for almost all prefetch files (XP); 1 for NTOSBOOT-B00DFAAD.pf (XP)

The following part of the header is likely to be format version dependent structure for format version 0x11.

Field Offset Length Type Notes
H8 0x0054 4 DWORD Offset to section A
H9 0x0058 4 DWORD  ? Nr of entries in section A
H10 0x005C 4 DWORD Offset to section B
H11 0x0060 4 DWORD Nr of entries in section B
H12 0x0064 4 DWORD Offset to section C
H13 0x0068 4 DWORD Length of section C
H14 0x006C 4 DWORD Offset to section D
H15 0x0070 4 DWORD  ? Probably the number of entries in the D section header
H16 0x0074 4 DWORD Length of section D
H17 0x0078 8 FTIME Latest execution time of executable (FILETIME)
H18 0x0080 16  ?  ? Possibly structured as 4 DWORD. Observed values: /0x00000000 0x00000000 0x00000000 0x00000000/, /0x47868c00 0x00000000 0x47860c00 0x00000000/
H19 0x0090 4 DWORD Execution counter
H20 0x0094 4 DWORD?  ? Observed values: 1, 2, 3, 4, 5, 6 (XP)

It's worth noting that the name of a carved prefetch file can be restored using the information in field H5 and H6, and its size can be determined by field H4.

Format version

Value Windows version
0x11 Windows XP, Windows 2003
0x17 Windows Vista, Windows 7
0x1a Windows 8.1

Section A and B

The content of these two sections is unknown.

Section C

Section D

Section D contains one or more subsections. The number is (most likely) determined by the DWORD at file offset 0x0070. Each subsection refers to directories on an identified volume.

In this section, all offsets are assumed to be counted from the start of the D section.

Field Offset Length Type Notes
DH1 +0x0000 4 DWORD Offset to volume string (Unicode, terminated by U+0000)
DH2 +0x0004 4 DWORD Length of volume string (nr of characters, including terminating U+0000)
DH3 +0x0008 8 FTIME (File time)
DH4 +0x0010 4 DWORD Volume serial number of volume indicated by volume string
DH5 +0x0014 4 DWORD  ? Offset to section DHS1
DH6 +0x0018 4 DWORD  ? Length of section DHS1 (in bytes)
DH7 +0x001C 4 DWORD  ? Offset to section DHS2
DH8 +0x0020 4 DWORD  ? Nr of strings in section DHS2
 ? +0x0024  ?  ?  ? additional 28 bytes (includes one timestamp?)

If all the executables and libraries referenced in the C section are from one single disk volume, there will be only one section in the D section. If multiple volumes are referenced by section C, section D will contain multiple sections. (A simple way to force this situation is to copy, say, NOTEPAD.EXE to a USB drive, and start it from that volume. The corresponding prefetch file will have one D header referring to, e.g. \DEVICE\HARDDISK1\DP(1)0-0+4 (the USB drive), and one to, e.g. \DEVICE\HARDDISKVOLUME1\ (where the .DLLs and other support files were found).

See Also

External Links