Difference between pages "AT Commands" and "Prefetch"

From ForensicsWiki

= AT Commands =

* AT and AT+ commands can be used to manually collect simple information from a phone. They are an ideal choice when "full control" over the communications sent to and returned from the phone is wanted, and they can also be used when no tool is available to communicate with the phone. The commands below were tested using a Motorola v551 GSM phone over Bluetooth and USB data cables. It is important to note that not all of these commands are supported by all phones, but the AT+CLAC command (usually) lists all of the available commands the GSM phone can respond to.
* With Motorola phones (and many others) there are '''NO''' AT commands that can be used to retrieve multimedia content. For these, OBEX commands must be issued to the phone to return directory contents, ringtones, pictures and video.
* Samsung GSM phones, on the other hand, '''DO''' have AT commands that allow access to the multimedia content.

To use these AT commands:

# Connect the phone and determine the number of the COM port that is associated with it.
# Open HyperTerminal, Realterm or any other terminal program that will communicate with a specified COM port.
# With the Motorola phone, type '''AT+MODE=2'''. This prepares the phone for an extended AT+ command set (+Cxxx and +MPxx).

After following these steps, you can continue with any of the commands below.

== '''Phonebook''' ==

'''AT+CPBS=?'''

Lists the phonebooks that the phone contains (choose phonebook storage).

Returns: +CPBS: ("ME","SM","MT","ON","DC","MC","RC","EN","AD","QD","SD","FD")

* +CPBS="ME" sets the "retrieve mode" to the internal phonebook.
* +CPBS="SM" sets the "retrieve mode" to the SIM phonebook.

'''AT+CPBR=?'''

Describes the phonebook selected above (simple form). This gives the maximum number of entries the phonebook can contain, as well as the maximum phone number (or email address) length and name length.

'''NOTE:''' You can substitute +MPBR for any +CPBR command, but the phone returns a much more specific (and less intelligible) response containing more fields that may act as internal "programming" flags of some sort.

Returns: +CPBR: (1-1000),40,24

'''AT+CPBR=[beginning index],[ending index]'''

Returns the entries whose index lies between the two numbers entered. The third field denotes what TYPE of phonebook entry was returned.

Returns: +CPBR: 9,"18005555555",129,"Contact Name" – 129 refers to a phone number.

Returns: +CPBR: 18,"user@domain.net",128,"Contact Name" – 128 refers to an email address.

'''AT+CPBR=[index]'''

Returns the entry at the specified index.

Returns: +CPBR: 18,"user@domain.net",128,"Contact Name"

'''AT+MPBF="Name"'''

Searches the phonebook for the given name or string.

'''AT+MPBR=?'''

Similar to AT+CPBR=?, but a more verbose result is displayed.

Returns: +MPBR: 1-1000,40,24,8,0-1,50,(0,2,4,6,9-30,255),(0),(0-1),(1-30),(255),25,(0-1,255),264,(0),0,0,0,0,0,0,0

* 1-1000 denotes the number of entries that can be stored in the selected (+CPBS) phonebook.
* 40 is the maximum number of characters the email address or phone number can have.
* 24 is the maximum number of characters the "friendly" name can have.
* 8 refers to the different "types" of phonebook entry (i.e. Mobile, Main, Email, Home, Fax, Work, etc.).
* The +CPBR command does not list anything after the 24 (as seen above), so there are times when +MPBR may be useful.

'''AT+MPBR=[index]'''

Returns: +MPBR: 18,"user@domain.net",128,"Contact Name",6,0,255,0,0,1,255,255,0,"",0,0,"","","","","","","",""

== '''SMS Messages''' ==

'''AT+CMGF=1'''

Tells the phone to display SMS entries as text rather than binary. AT+CMGF=0 would display the data in binary format.

'''AT+CPMS=?'''

Displays all of the locations in which the phone can store SMS messages.

Returns: +CPMS: ("MT","IM","OM","BM","DM"),("OM","DM"),("IM")

'''AT+CMGL=?'''

Returns the options for which messages you wish to display.

Returns: +CMGL: ("REC UNREAD", "REC READ", "STO UNSENT", "STO SENT", "ALL")

'''AT+CMGL="ALL"'''

Selects and displays all of the SMS messages in the selected storage.

== '''Misc. Information''' ==

'''AT&F'''

Controls local echo.

'''ATi0, ATi1, ATi2, ATi3, or ATi4'''

Returns various specifications of the phone:

* ATi0 returns the manufacturer
* ATi1 returns the IMEI
* ATi2 returns the SW versions
* ATi3 returns the make and model
* ATi4 returns the HW version

'''AT+CGSN'''

Returns the IMEI of the phone.

Returns: +CGSN: IMEI356252000861622

Returns: +GSN: 299B5900 (Samsung)

'''AT+CGMR'''

Returns the manufacturer's OS revision.

Returns: +CGMR: "R47_G_08.17.0FR_01"

'''AT+GMI'''

Returns the manufacturer name (Samsung).

Returns: +GMI: SAMSUNG

'''AT+CGMM'''

Returns the make, model and capabilities of the phone.

Returns: +CGMM: "GSM900","GSM1800","GSM1900","GSM850","MODEL=V551"

Returns: +GMM: SCH-A670 (Samsung)

'''AT+CNUM'''

Returns the subscriber name/number from the SIM.

Returns: +CNUM: Owner Name,15555555555,129

'''AT+CLAC'''

Lists the AT commands that the phone supports.

'''AT+MODE=22'''

Prepares the phone (Motorola) for OBEX commands.

'''AT+MODE=0'''

Returns the phone to simple AT command mode.

== '''Reference Links''' ==

* [http://gatling.ikk.sztaki.hu/~kissg/gsm/index.html AT+C Command Set of GSM]
* [http://www.traud.de/gsm/atex.htm Alexander Traud's GSM pages]
* [http://www.anotherurl.com/library/at_test.htm AT Test Commands]
* [http://www.csparks.com/MotoBackup/MotorolaAT.xhtml AT Commands to Access the Motorola]
* [http://webapp.etsi.org/key/key.asp?GSMSpecPart1=27&GSMSpecPart2=007 ETSI-3GPP Standards]
* [http://wiki.forum.nokia.com/index.php/AT_Commands Nokia AT Commands]
* [http://www.parallax.com/Portals/0/Education/custapps/Nokia_AThelp.pdf Support Guide for the Nokia Phones and AT Commands]
* [http://www.daimi.au.dk/~jones/sms/packed/Nokia_30_AT_Command_Guide_2_0.pdf Nokia 30 GSM Connectivity Terminal AT Command Guide]
* [http://nds1.nokia.com/phones/files/guides/at_commands.pdf Nokia PremiCell List of AT Commands]

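The +CPBR, +MPBR and +CPMS replies listed in the Phonebook and SMS Messages sections are easy to misread when copied by hand from a terminal window. The following is an added example, not code from the wiki page or from any phone vendor: it parses a saved terminal transcript into structured records. The transcript is constructed from the page's own sample responses, the 129/128 type codes are mapped as the page describes, and the meaning of the three +CPMS groups (read/delete, write/send, receive) is taken from 3GPP TS 27.007.

```python
"""Parse AT phonebook and SMS-storage replies captured from a terminal session.

Added example, not from the wiki page. SAMPLE_SESSION is constructed from the
page's own sample responses; it is not a capture from a real phone.
"""
import re

# Type codes as the page explains them: 129 is a phone number, 128 an e-mail address.
ENTRY_KIND = {129: "number", 128: "email"}

# Constructed transcript: commands as echoed by the terminal, then the phone's replies.
SAMPLE_SESSION = """\
AT+CPBS="ME"
OK
AT+CPBR=1,20
+CPBR: 9,"18005555555",129,"Contact Name"
+CPBR: 18,"user@domain.net",128,"Contact Name"
+MPBR: 18,"user@domain.net",128,"Contact Name",6,0,255,0,0,1,255,255,0,"",0,0,"","","","","","","",""
OK
AT+CPMS=?
+CPMS: ("MT","IM","OM","BM","DM"),("OM","DM"),("IM")
OK
"""


def split_fields(payload: str) -> list:
    """Split an AT result line on commas, ignoring commas inside quotes or parentheses."""
    fields, cur, quoted, depth = [], [], False, 0
    for ch in payload:
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch == "(":
            depth += 1
        elif not quoted and ch == ")":
            depth -= 1
        elif not quoted and depth == 0 and ch == ",":
            fields.append("".join(cur).strip())
            cur = []
            continue
        cur.append(ch)
    fields.append("".join(cur).strip())
    return fields


def parse_phonebook(response: str) -> list:
    """Turn +CPBR / +MPBR entry lines into records.

    Range replies such as '+CPBR: (1-1000),40,24' (the answer to AT+CPBR=?)
    have no numeric index in the first field and are skipped.
    """
    entries = []
    for line in response.splitlines():
        m = re.match(r"\+(CPBR|MPBR):\s*(.*)", line.strip())
        if not m:
            continue
        fields = split_fields(m.group(2))
        if len(fields) < 4 or not fields[0].isdigit():
            continue
        code = int(fields[2])
        entries.append({
            "command": m.group(1),
            "index": int(fields[0]),
            "value": fields[1].strip('"'),
            "type": code,
            "kind": ENTRY_KIND.get(code, "unknown"),
            "name": fields[3].strip('"'),
            "extra": fields[4:],  # +MPBR's undocumented trailing flags, kept verbatim
        })
    return entries


def parse_sms_storage(response: str):
    """Parse '+CPMS: (mem1),(mem2),(mem3)' into three lists of storage names.

    Per 3GPP TS 27.007, mem1 is used for reading/deleting, mem2 for
    writing/sending and mem3 for storing received messages.
    """
    for line in response.splitlines():
        line = line.strip()
        if line.startswith("+CPMS:"):
            groups = split_fields(line[len("+CPMS:"):])
            return [[s.strip().strip('"') for s in g.strip("()").split(",") if s.strip()]
                    for g in groups]
    return None


def final_result(response: str):
    """The phone ends each reply with OK or ERROR; return the last verdict seen."""
    verdict = None
    for line in response.splitlines():
        if line.strip() in ("OK", "ERROR"):
            verdict = line.strip()
    return verdict


if __name__ == "__main__":
    for entry in parse_phonebook(SAMPLE_SESSION):
        print(entry)
    print(parse_sms_storage(SAMPLE_SESSION), final_result(SAMPLE_SESSION))
```

Feeding a real session into `parse_phonebook` is a matter of saving the terminal program's capture to a text file and passing its contents in; the parser ignores echoed commands and OK/ERROR lines, so the whole transcript can be given unedited.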
= Prefetch =

Revision as of 09:40, 3 July 2011


Windows Prefetch files, introduced in Windows XP, are designed to speed up the application startup process. Prefetch files contain the name of the executable, a Unicode list of DLLs used by that executable, a count of how many times the executable has been run, and a timestamp indicating the last time the program was run. Although Prefetch is present in Windows 2003, by default it is only enabled for boot prefetching. The feature is also found in Windows Vista, where it has been augmented with SuperFetch, ReadyBoot, and ReadyBoost.

Up to 128 Prefetch files are stored in the %SystemRoot%\Prefetch directory [http://blogs.msdn.com/ryanmy/archive/2005/05/25/421882.aspx]. Each file in that directory should contain the name of the application (up to eight (?) characters), a dash, and then an eight character hash of the location from which that application was run, and a .pf extension. The filenames should be all uppercase except for the extension. The format of the hashes is not known. A sample filename for md5deep would look like: MD5DEEP.EXE-4F89AB0C.pf. If an application is run from two different locations on the drive (e.g. the user runs C:\md5deep.exe and then C:\Apps\Hashing\md5deep.exe), there will be two different Prefetch files in the Prefetch folder.


== Signature ==

Each Prefetch file has a signature in the first 8 bytes of the file. Windows XP and Windows Vista generate Prefetch files with the signature \x11\x00\x00\x00\x53\x43\x43\x41 (0x41434353 0x00000011). The Windows 7 Prefetch file signature is \x17\x00\x00\x00\x53\x43\x43\x41 (0x41434353 0x00000017). Read as little-endian DWORDs, the first 8 bytes are a version number followed by the "SCCA" tag, so the ASCII representation of these bytes displays as "....SCCA".

== Timestamps ==

Both the NTFS timestamps for a Prefetch file and the timestamp embedded in each Prefetch file contain valuable information. The timestamp embedded within the Prefetch file is a 64-bit (QWORD) [http://msdn2.microsoft.com/en-us/library/ms724284.aspx FILETIME] value. The creation date of the file indicates the first time the application was executed. Both the modification date of the file and the embedded timestamp indicate the last time the application was executed.

Windows stores these timestamps relative to the Windows [http://msdn.microsoft.com/en-us/library/ms724290%28VS.85%29.aspx epoch] (a FILETIME counts 100-nanosecond intervals since 1 January 1601 UTC).

==== Creation Time ====

The creation time does not have a static offset on any Windows platform. The location of the creation time can be found using the offset 0x8 + length of Volume path offset.

==== Last Run Time ====

A timestamp of when the application was last run is embedded in the Prefetch file. The "Last Run Time" is located at offset 0x78 from the beginning of the file on Windows XP. On Windows Vista and Windows 7 it is located at offset 0x80.

== MetaData ==

==== Header ====

In each Prefetch file, the size of the header is stored and can be found at offset 0x54 on Windows XP, Windows Vista, and Windows 7. The header size for Windows XP is 0x98 (152) and 0xf0 (240) on Windows Vista and Windows 7.

The Prefetch file embeds the application's name in the header at offset 0x10.

==== Run Count ====

The run count, or number of times the application has been run, is a 4-byte (DWORD) value located at offset 0x90 from the beginning of the file on Windows XP. On Windows Vista and Windows 7, the run count is found at offset 0x98.

==== Volume ====

Volume related information, the volume path and the volume serial number, is embedded in the Prefetch file. The precise offset of this information varies for each application run. In the header at offset 0x6c, the location of the volume information is stored as a 4-byte (DWORD) value. The offset 0x6c is consistent for Windows XP and Windows 7.

At the location given by the value at offset 0x6c, a 4-byte value is stored which is the number of bytes from that location to the beginning of the volume path. For ease, the location given by offset 0x6c will be called the "volume path offset." The volume path is embedded as a NULL-terminated string.

The length of the volume path is a 4-byte value located at volume path offset + 0x4.

The volume [http://en.wikipedia.org/wiki/Volume_serial_number serial number] is a 4-byte value that identifies a storage medium. The serial number does not have a consistent offset within a Prefetch file between Windows operating systems; the 4-byte value can be found eight (8) bytes from the creation time location. The [http://en.wikipedia.org/wiki/Vol_%28command%29 vol] command on Windows can be used to verify the volume serial number.

== Issues ==

==== End of File ====

Prefetch files generated by the Windows operating system do not have any signature or sequence of bytes to indicate when the end of the Prefetch file has been reached, so a parser must bounds-check every offset against the file size.

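The offsets given in the Signature, Timestamps, MetaData and Volume sections are enough to extract the forensically interesting fields from a .pf file. The following parser is an added example, not code from the wiki page or from any of the tools it links to. It builds a synthetic Windows 7 or Windows XP style image from constructed values, parses it back, and, because the format has no end-of-file marker, refuses to read past the buffer. Two details the page leaves open are assumed here: embedded strings are UTF-16LE, and the length stored at volume path offset + 0x4 counts UTF-16 characters rather than bytes.

```python
"""Prefetch header parser using the offsets documented on the page.

Added example, not from the wiki page. Assumptions beyond the page: strings
are UTF-16LE and the volume path length is a count of UTF-16 characters.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # Windows epoch
SIGNATURE = b"SCCA"                                         # bytes 4..7 of every .pf file

# Version-specific offsets from the page: 0x11 = XP/Vista, 0x17 = Windows 7.
LAYOUT = {
    0x11: {"header_size": 0x98, "last_run": 0x78, "run_count": 0x90},
    0x17: {"header_size": 0xF0, "last_run": 0x80, "run_count": 0x98},
}

# Constructed sample values (not taken from any real system).
SAMPLE_LAST_RUN = datetime(2011, 7, 3, 9, 40, tzinfo=timezone.utc)
SAMPLE_CREATED = datetime(2010, 1, 15, 12, 0, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """A FILETIME counts 100-ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def _u32(buf: bytes, off: int) -> int:
    if off < 0 or off + 4 > len(buf):
        raise ValueError(f"truncated file: no DWORD at 0x{off:x}")
    return struct.unpack_from("<I", buf, off)[0]


def _u64(buf: bytes, off: int) -> int:
    if off < 0 or off + 8 > len(buf):
        raise ValueError(f"truncated file: no QWORD at 0x{off:x}")
    return struct.unpack_from("<Q", buf, off)[0]


def _utf16z(buf: bytes, off: int) -> str:
    """Read a NUL-terminated UTF-16LE string starting at off (assumed encoding)."""
    end = off
    while end + 2 <= len(buf) and buf[end:end + 2] != b"\x00\x00":
        end += 2
    return buf[off:end].decode("utf-16-le")


def parse_prefetch(buf: bytes) -> dict:
    """Extract name, run count, last run time and volume data from a .pf image."""
    if len(buf) < 8 or buf[4:8] != SIGNATURE:
        raise ValueError("not a Prefetch file: 'SCCA' signature missing")
    version = _u32(buf, 0)
    if version not in LAYOUT:
        raise ValueError(f"unsupported Prefetch version 0x{version:x}")
    lay = LAYOUT[version]
    header_size = _u32(buf, 0x54)
    if header_size != lay["header_size"]:
        raise ValueError(f"header size 0x{header_size:x} does not match version 0x{version:x}")
    # Volume info: DWORD at 0x6c locates it; inside, +0 is the relative offset of
    # the path, +4 its length, +8 the creation time and +0x10 the serial number.
    vol = _u32(buf, 0x6C)
    path_off = vol + _u32(buf, vol)
    path_end = path_off + 2 * _u32(buf, vol + 4)
    if path_end + 2 > len(buf) or buf[path_end:path_end + 2] != b"\x00\x00":
        raise ValueError("volume path runs past end of file or is not NUL-terminated")
    return {
        "version": version,
        "header_size": header_size,
        "name": _utf16z(buf, 0x10),
        "last_run": filetime_to_datetime(_u64(buf, lay["last_run"])),
        "run_count": _u32(buf, lay["run_count"]),
        "volume_path": buf[path_off:path_end].decode("utf-16-le"),
        "volume_created": filetime_to_datetime(_u64(buf, vol + 8)),
        "volume_serial": _u32(buf, vol + 0x10),
    }


def build_sample_prefetch(version=0x17, name="MD5DEEP.EXE", run_count=3,
                          volume_path=r"\DEVICE\HARDDISKVOLUME1", serial=0x1234ABCD) -> bytes:
    """Build a minimal .pf image carrying only the fields the page documents."""
    lay = LAYOUT[version]
    hdr = bytearray(lay["header_size"])
    struct.pack_into("<I", hdr, 0, version)
    hdr[4:8] = SIGNATURE
    name_b = name.encode("utf-16-le") + b"\x00\x00"
    hdr[0x10:0x10 + len(name_b)] = name_b
    struct.pack_into("<I", hdr, 0x54, lay["header_size"])
    struct.pack_into("<I", hdr, 0x6C, lay["header_size"])  # volume info directly after header
    struct.pack_into("<Q", hdr, lay["last_run"], datetime_to_filetime(SAMPLE_LAST_RUN))
    struct.pack_into("<I", hdr, lay["run_count"], run_count)
    vol = bytearray(0x20)                                   # volume info block; path follows it
    struct.pack_into("<I", vol, 0, 0x20)
    struct.pack_into("<I", vol, 4, len(volume_path))
    struct.pack_into("<Q", vol, 8, datetime_to_filetime(SAMPLE_CREATED))
    struct.pack_into("<I", vol, 0x10, serial)
    return bytes(hdr + vol + volume_path.encode("utf-16-le") + b"\x00\x00")


if __name__ == "__main__":
    for key, value in parse_prefetch(build_sample_prefetch()).items():
        print(f"{key:15} {value}")
```

Against a real file, `parse_prefetch(open(path, "rb").read())` returns the same dictionary; comparing `last_run` with the NTFS modification time of the file, as the Timestamps section suggests, is a quick consistency check that the file has not been tampered with.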
== See Also ==

* [[SuperFetch]]
* [[Prefetch XML]]

== External Links ==

* [http://milo2012.wordpress.com/2009/10/19/windows-prefetch-folder-tool/ Prefetch-Tool Script] - Python script that looks Prefetch files up on a web server.
* [http://www.mitec.cz/wfa.html Windows File Analyzer] - Parses Prefetch files, thumbnail databases, shortcuts, index.dat files, and the recycle bin.
* [http://www.microsoft.com/whdc/driver/kernel/XP_kernel.mspx#ECLAC Microsoft's description of Prefetch when Windows XP was introduced]
* [http://msdn.microsoft.com/msdnmag/issues/01/12/XPKernel/default.aspx More detail from Microsoft]
* [http://www.tzworks.net/prototype_page.php?proto_id=1 Windows Prefetch parser] - Free tool that can be run on Windows, Linux or Mac OS X.