Difference between pages "Windows Prefetch File Format" and "Windows SuperFetch Format"

From ForensicsWiki
A Windows Prefetch file consists of one file header and multiple file sections with different content. Not all content has an obvious forensic value.
+
{{expand}}
  
As far as have been possible to ascertain, there is no public description of the format. The description below has been synthesised from examination
+
== MEMO file ==
of multiple prefetch files.
+
Th MEMO file consists of:
 
+
* file header
== Characteristics ==
+
* compressed blocks
Integer values are stored in little-endian.
+
 
+
Strings are stored as UTF-16 little-endian without a byte-order-mark (BOM).
+
 
+
Timestamps are stored as Windows Filetime in UTC.
+
 
+
== Header ==
+
 
+
This format has been observed on Windows XP, ...  will need to be modified for Vista/Win7 format
+
  
 +
=== File header ===
 +
The file header is 84 bytes of size and consists of:
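Review bot: "Th MEMO file consists of:" is missing a letter and should read "The MEMO file consists of:". The left-hand remark "This format has been observed on Windows XP, ... will need to be modified for Vista/Win7 format" is an editing to-do rather than format documentation; either fold the Vista/7 differences into the format version table below or take the remark out of the body so readers do not mistake it for a statement about the format.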
 
{| class="wikitable"
 
{| class="wikitable"
 
|-
 
|-
! Field
 
 
! Offset
 
! Offset
! Length
+
! Size
! Type
+
! Value
! Notes
+
! Description
 
|-
 
|-
| H1
+
| 0
| 0x0000
+
 
| 4
 
| 4
| DWORD
+
| 0x304D454D ("MEM0") or 0x4F4D454D ("MEMO")
| Format version (see format version section below)
+
| Signature
 
|-
 
|-
| H2
 
| 0x0004
 
 
| 4
 
| 4
| DWORD
 
| Signature 'SCCA' (or in hexadecimal representation 0x53 0x43 0x43 0x4)
 
|-
 
| H3
 
| 0x0008
 
 
| 4
 
| 4
| DWORD?
+
|  
| Unknown - Values observed: 0x0F - Windows XP, 0x11 - Windows 7, Windows 8.1
+
| Uncompressed (total) data size
|-
+
| H4
+
| 0x000C
+
| 4
+
| DWORD
+
| Prefetch file length.
+
|-
+
| H5
+
|0x0010
+
| 60
+
| USTR
+
| Name of executable as Unicode string, truncated after 29 characters, if necessary, and terminated by an end-of-string character (U+0000). As it appears in the prefetch file file name.
+
|-
+
| H6
+
|0x004C
+
|4
+
|DWORD
+
|The prefetch hash, as it appears in the prefetch file name.
+
|-
+
| H7
+
|0x0050
+
|4
+
|?
+
| Unknown (flags)? Values observed: 0 for almost all prefetch files (XP); 1 for NTOSBOOT-B00DFAAD.pf (XP)
+
 
|-
 
|-
 
|}
 
|}
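Review bot: in the H2 row the hexadecimal form of the 'SCCA' signature is truncated: "0x53 0x43 0x43 0x4" should be "0x53 0x43 0x43 0x41", since 'A' is 0x41. The H3 row is typed "DWORD?" while its description only lists observed values (0x0F on Windows XP, 0x11 on Windows 7 and 8.1) and calls the field unknown; keep the question mark on the type until the meaning is confirmed, and word the row the same way as the other unknown fields (H7, H18, H20) so the uncertainty is consistent across the table.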
  
The following part of the header is likely to be format version dependent structure for format version 0x11.
+
=== Compressed blocks ===
 
+
The file header is followed by compressed blocks:
 
{| class="wikitable"
 
{| class="wikitable"
 
|-
 
|-
! Field
 
 
! Offset
 
! Offset
! Length
+
! Size
! Type
+
! Notes
+
|-
+
| H8
+
| 0x0054
+
| 4
+
| DWORD
+
| Offset to section A
+
|-
+
| H9
+
| 0x0058
+
| 4
+
| DWORD
+
| ? Nr of entries in section A
+
|-
+
| H10
+
| 0x005C
+
| 4
+
| DWORD
+
| Offset to section B
+
|-
+
| H11
+
| 0x0060
+
| 4
+
| DWORD
+
| Nr of entries in section B
+
|-
+
| H12
+
| 0x0064
+
| 4
+
| DWORD
+
| Offset to section C
+
|-
+
| H13
+
| 0x0068
+
| 4
+
| DWORD
+
| Length of section C
+
|-
+
| H14
+
| 0x006C
+
| 4
+
| DWORD
+
| Offset to section D
+
|-
+
| H15
+
| 0x0070
+
| 4
+
| DWORD
+
| ? Probably the number of entries in the D section header
+
|-
+
| H16
+
| 0x0074
+
| 4
+
| DWORD
+
| Length of section D
+
|-
+
| H17
+
| 0x0078
+
| 8
+
| FTIME
+
| Latest execution time of executable (FILETIME)
+
|-
+
| H18
+
| 0x0080
+
| 16
+
| ?
+
| ? Possibly structured as 4 DWORD. Observed values: /0x00000000 0x00000000 0x00000000 0x00000000/, /0x47868c00 0x00000000 0x47860c00 0x00000000/
+
|-
+
| H19
+
| 0x0090
+
| 4
+
| DWORD
+
| Execution counter
+
|-
+
| H20
+
| 0x0094
+
| 4
+
| DWORD?
+
| ? Observed values: 1, 2, 3, 4, 5, 6 (XP)
+
|-
+
|}
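Review bot: the lead-in says this second part of the header is "likely to be format version dependent structure for format version 0x11", but rows H8 to H20 give absolute offsets 0x0054 to 0x0094 with no per-version column, and the only observed values cited are marked "(XP)". State explicitly which Windows versions these offsets were verified on, so that readers do not apply the 0x11 layout to 0x17 (Vista/7) or 0x1a (8.1) files without checking.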
+
 
+
It's worth noting that the name of a carved prefetch file can be restored using the information in field H5 and H6, and its size can be determined by field H4.
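Review bot: the carving remark should spell out how H5 and H6 combine into the file name: the executable name from H5, a hyphen, the H6 hash as eight uppercase hexadecimal digits, and the ".pf" extension, matching the NTOSBOOT-B00DFAAD.pf example given under H7. It should also say that a carver has to sanity-check H4 against the bounds of the carved region rather than trust it outright, because H4 is read from the same, possibly damaged, data.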
+
 
+
=== Format version ===
+
 
+
{| class="wikitable"
+
|-
+
 
! Value
 
! Value
! Windows version
+
! Description
 
|-
 
|-
| 0x11
+
| 0
| Windows XP, Windows 2003
+
|-
+
| 0x17
+
| Windows Vista, Windows 7
+
|-
+
| 0x1a
+
| Windows 8.1
+
|-
+
|}
+
 
+
== Section A and B ==
+
 
+
The content of these two sections is unknown.
+
 
+
== Section C ==
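Review bot: "== Section C ==" has no body, yet the Section D text below already refers to "the executables and libraries referenced in the C section" and the header table gives its offset (H12) and length (H13). Add at least that one-line description here, referencing H12 and H13, so the section is not an empty heading.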
+
 
+
== Section D ==
+
 
+
Section D contains one or more subsections. The number is (most likely) determined by the DWORD at file offset 0x0070. Each subsection refers to directories on an identified volume.
+
 
+
In this section, all offsets are assumed to be counted from the start of the D section.
+
 
+
{| class="wikitable"
+
|-
+
! Field
+
! Offset
+
! Length
+
! Type
+
! Notes
+
|-
+
| DH1
+
| +0x0000
+
 
| 4
 
| 4
| DWORD
+
|  
| Offset to volume string (Unicode, terminated by U+0000)
+
| Compressed data size
 
|-
 
|-
| DH2
 
| +0x0004
 
 
| 4
 
| 4
| DWORD
+
| ...
| Length of volume string (nr of characters, including terminating U+0000)
+
|  
 +
| Compressed data
 
|-
 
|-
| DH3
 
| +0x0008
 
| 8
 
| FTIME
 
| (File time)
 
|-
 
| DH4
 
| +0x0010
 
| 4
 
| DWORD
 
| Volume serial number of volume indicated by volume string
 
|-
 
| DH5
 
| +0x0014
 
| 4
 
| DWORD
 
| ? Offset to section DHS1
 
|-
 
| DH6
 
| +0x0018
 
| 4
 
| DWORD
 
| ? Length of section DHS1 (in bytes)
 
|-
 
| DH7
 
| +0x001C
 
| 4
 
| DWORD
 
| ? Offset to section DHS2
 
|-
 
| DH8
 
| +0x0020
 
| 4
 
| DWORD
 
| ? Nr of strings in section DHS2
 
|-
 
| ?
 
| +0x0024
 
| ?
 
| ?
 
| ? additional 28 bytes (includes one timestamp?)
 
 
|}
 
|}
 
If all the executables and libraries referenced in the C section are from one single disk volume, there will be only one section in the D section. If multiple volumes are referenced by section C, section D will contain multiple sections.  (A simple way to force this situation is to copy, say, NOTEPAD.EXE to a USB drive, and start it from that volume. The corresponding prefetch file will have one D header referring to, e.g. \DEVICE\HARDDISK1\DP(1)0-0+4 (the USB drive), and one to, e.g. \DEVICE\HARDDISKVOLUME1\ (where the .DLLs and other support files were found).
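Review bot: the parenthetical beginning "(A simple way to force this situation" is never closed; add the closing parenthesis after "were found". In the table above, the last row says "additional 28 bytes" follow offset +0x0024, which makes each D subsection header 0x40 (64) bytes long; state that total explicitly, since H15 gives only the number of subsections and readers need the stride to walk from one subsection header to the next.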
 
  
 
== See Also ==
 
== See Also ==
* [[Prefetch]]
+
* [[SuperFetch]]
  
 
== External Links ==
 
== External Links ==
 +
* [http://blog.rewolf.pl/blog/?p=214 Windows SuperFetch file format – partial specification]
 +
 +
[[Category:File Formats]]

Revision as of 13:37, 14 April 2014


MEMO file

The MEMO file consists of:

  • file header
  • compressed blocks

File header

The file header is 84 bytes of size and consists of:

Offset  Size  Value                                        Description
0       4     0x304D454D ("MEM0") or 0x4F4D454D ("MEMO")   Signature
4       4                                                  Uncompressed (total) data size

Compressed blocks

The file header is followed by compressed blocks:

Offset  Size  Value  Description
0       4            Compressed data size
4       ...          Compressed data
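To make the header and block layout above concrete, here is an added Python example (not code from the ForensicsWiki page or from any SuperFetch tool) that parses a MEMO file into its signature, its declared uncompressed size and the list of compressed blocks. It assumes only what the page states: an 84-byte header whose first two little-endian DWORDs are the signature (0x304D454D "MEM0" or 0x4F4D454D "MEMO") and the total uncompressed size, followed by size-prefixed blocks. The compression algorithm is not given on the page, so the block payloads are returned as opaque bytes. The sample input is constructed for the example and is not a real SuperFetch file.

```python
import struct
from typing import List, Tuple

# Layout taken from the page: an 84-byte header whose first DWORD is the
# signature ("MEM0" or "MEMO" when read as a little-endian DWORD, i.e.
# 0x304D454D / 0x4F4D454D) and whose second DWORD is the total uncompressed
# size. The remaining 76 header bytes are not described on the page.
HEADER_SIZE = 84
SIGNATURES = {0x304D454D: "MEM0", 0x4F4D454D: "MEMO"}


def parse_header(data: bytes) -> Tuple[str, int]:
    """Return (signature string, uncompressed total size) or raise ValueError."""
    if len(data) < HEADER_SIZE:
        raise ValueError(f"need {HEADER_SIZE} header bytes, got {len(data)}")
    signature, uncompressed_size = struct.unpack_from("<II", data, 0)
    if signature not in SIGNATURES:
        raise ValueError(f"unknown signature 0x{signature:08X}")
    return SIGNATURES[signature], uncompressed_size


def split_blocks(data: bytes) -> List[bytes]:
    """Walk the compressed blocks that follow the header.

    Each block is a DWORD size followed by that many bytes of compressed data.
    The page does not name the compression algorithm, so payloads are returned
    as opaque byte strings. Every size field is bounds-checked against the
    buffer so that a truncated or corrupted file raises instead of reading
    past the end (important when the input is a carved, partial file).
    """
    blocks: List[bytes] = []
    offset = HEADER_SIZE
    while offset < len(data):
        if offset + 4 > len(data):
            raise ValueError(f"truncated block size field at offset {offset}")
        (size,) = struct.unpack_from("<I", data, offset)
        offset += 4
        if size == 0:
            raise ValueError(f"zero-length block at offset {offset - 4}")
        if offset + size > len(data):
            raise ValueError(
                f"block at offset {offset - 4} claims {size} bytes but only "
                f"{len(data) - offset} remain"
            )
        blocks.append(data[offset:offset + size])
        offset += size
    return blocks


def parse_memo(data: bytes) -> dict:
    """Parse a MEMO file into its header fields and a summary of its blocks."""
    signature, uncompressed_size = parse_header(data)
    blocks = split_blocks(data)
    return {
        "signature": signature,
        "uncompressed_size": uncompressed_size,
        "block_count": len(blocks),
        "block_sizes": [len(b) for b in blocks],
        "compressed_total": sum(len(b) for b in blocks),
    }


def is_well_formed(data: bytes) -> bool:
    """True if the header and every block size field are consistent with the buffer."""
    try:
        parse_memo(data)
    except ValueError:
        return False
    return True


def build_sample() -> bytes:
    """Constructed sample (not a real SuperFetch file): a "MEMO" header claiming
    4096 uncompressed bytes, then two blocks of 3 and 10 placeholder bytes."""
    header = struct.pack("<II", 0x4F4D454D, 4096) + b"\x00" * (HEADER_SIZE - 8)
    block1 = b"\x01\x02\x03"
    block2 = b"\xAA" * 10
    return (header
            + struct.pack("<I", len(block1)) + block1
            + struct.pack("<I", len(block2)) + block2)


if __name__ == "__main__":
    print(parse_memo(build_sample()))
```

On a real file the sum of the block payload lengths is the compressed total, while the header's second DWORD is the uncompressed total; comparing the two only becomes meaningful once the (unspecified) decompression step is added, so the parser reports both separately rather than asserting any relation between them.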

See Also

  • SuperFetch

External Links

  • Windows SuperFetch file format – partial specification (http://blog.rewolf.pl/blog/?p=214)