Difference between pages "Windows Prefetch File Format" and "Compression"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Section A)
 
(Deflate/Inflate)
 
Line 1: Line 1:
{{expand}}
+
{{Expand}}
  
A Windows Prefetch file consists of one file header and multiple file sections with different content. Not all content has an obvious forensic value.
+
== LZ-based ==
  
As far as have been possible to ascertain, there is no public description of the format. The description below has been synthesised from examination
+
=== Deflate/Inflate ===
of multiple prefetch files.
+
Used in:
 +
* [[Gzip|gzip]]
  
== Characteristics ==
+
=== LZNT1 ===
{| class="wikitable"
+
Used in:
|-
+
* [[NTFS]]
| <b>Integers</b>
+
* [[Windows SuperFetch Format]]
| stored in little-endian
+
|-
+
| <b>Strings</b>
+
| Stored as [http://en.wikipedia.org/wiki/UTF-16/UCS-2 UTF-16 little-endian] without a byte-order-mark (BOM).
+
|-
+
| <b>Timestamps</b>
+
| Stored as [http://msdn2.microsoft.com/en-us/library/ms724284.aspx Windows FILETIME] in UTC.
+
|-
+
|}
+
  
== File header ==
+
=== LZXPRESS ===
The file header is 84 bytes of size and consists of:
+
Used in:
{| class="wikitable"
+
* [[Extensible Storage Engine (ESE) Database File (EDB) format]]
|-
+
! Field
+
! Offset
+
! Length
+
! Type
+
! Notes
+
|-
+
| H1
+
| 0x0000
+
| 4
+
| DWORD
+
| Format version (see format version section below)
+
|-
+
| H2
+
| 0x0004
+
| 4
+
| DWORD
+
| Signature 'SCCA' (or in hexadecimal representation 0x53 0x43 0x43 0x4)
+
|-
+
| H3
+
| 0x0008
+
| 4
+
| DWORD?
+
| Unknown - Values observed: 0x0F - Windows XP, 0x11 - Windows 7, Windows 8.1
+
|-
+
| H4
+
| 0x000C
+
| 4
+
| DWORD
+
| Prefetch file size (or length) (sometimes referred to as End of File (EOF)).
+
|-
+
| H5
+
|0x0010
+
| 60
+
| USTR
+
| The name of the (original) executable as a Unicode (UTF-16 litte-endian string), up to 29 characters and terminated by an end-of-string character (U+0000). This name should correspond with the one in the prefetch file filename.
+
|-
+
| H6
+
|0x004C
+
|4
+
|DWORD
+
|The prefetch hash. This hash value should correspond with the one in the prefetch file filename.
+
|-
+
| H7
+
|0x0050
+
|4
+
|?
+
| Unknown (flags)? Values observed: 0 for almost all prefetch files (XP); 1 for NTOSBOOT-B00DFAAD.pf (XP)
+
|-
+
|}
+
  
It's worth noting that the name of a carved prefetch file can be restored using the information in field H5 and H6, and its size can be determined by field H4.
+
=== LZXPRESS Huffman ===
 +
Used in:
 +
* [[Windows SuperFetch Format]]
  
=== Format version ===
+
== External Links ==
 +
* [http://en.wikipedia.org/wiki/Lempel-Ziv Wikipedia: Lempel-Ziv]
 +
* [http://www.coderforlife.com/microsoft-compression-formats/ Microsoft Compression Formats]
  
{| class="wikitable"
+
=== Deflate/Inflate ===
|-
+
* [http://en.wikipedia.org/wiki/DEFLATE Wikipedia: DEFLATE]
! Value
+
* [https://tools.ietf.org/html/rfc1950 IETF: RFC1950 - ZLIB Compressed Data Format Specification]
! Windows version
+
* [https://tools.ietf.org/html/rfc1951 IETF: RFC1951 - DEFLATE Compressed Data Format Specification]
|-
+
| 17 (0x11)
+
| Windows XP, Windows 2003
+
|-
+
| 23 (0x17)
+
| Windows Vista, Windows 7
+
|-
+
| 26 (0x1a)
+
| Windows 8.1 (note this could be Windows 8 as well but has not been confirmed)
+
|-
+
|}
+
 
+
=== File information ===
+
The format of the file information is version dependent.
+
 
+
Note that some other format specifications consider the file information part of the file header.
+
 
+
==== File information - version 17 ====
+
The file information – version 17 is 68 bytes of size and consists of:
+
{| class="wikitable"
+
|-
+
! Field
+
! Offset
+
! Length
+
! Type
+
! Notes
+
|-
+
|
+
| 0x0054
+
| 4
+
| DWORD
+
| The offset to section A. The offset is relative from the start of the file.
+
|-
+
|
+
| 0x0058
+
| 4
+
| DWORD
+
| The number of entries in section A.
+
|-
+
|
+
| 0x005C
+
| 4
+
| DWORD
+
| The offset to section B. The offset is relative from the start of the file.
+
|-
+
|
+
| 0x0060
+
| 4
+
| DWORD
+
| The number of entries in section B.
+
|-
+
|
+
| 0x0064
+
| 4
+
| DWORD
+
| The offset to section C. The offset is relative from the start of the file.
+
|-
+
|
+
| 0x0068
+
| 4
+
| DWORD
+
| Length of section C.
+
|-
+
|
+
| 0x006C
+
| 4
+
| DWORD
+
| Offset to section D. The offset is relative from the start of the file.
+
|-
+
|
+
| 0x0070
+
| 4
+
| DWORD
+
| The number of entries in section D.
+
|-
+
|
+
| 0x0074
+
| 4
+
| DWORD
+
| Length of section D.
+
|-
+
|
+
| 0x0078
+
| 8
+
| FILETIME
+
| Latest execution time (or run time) of executable (FILETIME)
+
|-
+
|
+
| 0x0080
+
| 16
+
| ?
+
| Unknown ? Possibly structured as 4 DWORD. Observed values: /0x00000000 0x00000000 0x00000000 0x00000000/, /0x47868c00 0x00000000 0x47860c00 0x00000000/ (don't exclude the possibility here that this is remnant data)
+
|-
+
|
+
| 0x0090
+
| 4
+
| DWORD
+
| Execution counter (or run count)
+
|-
+
|
+
| 0x0094
+
| 4
+
| DWORD?
+
| Unknown ? Observed values: 1, 2, 3, 4, 5, 6 (XP)
+
|-
+
|}
+
 
+
==== File information - version 23 ====
+
The file information – version 23 is 156 bytes of size and consists of:
+
{| class="wikitable"
+
|-
+
! Field
+
! Offset
+
! Length
+
! Type
+
! Notes
+
|-
+
|
+
| 0x0054
+
| 4
+
| DWORD
+
| The offset to section A. The offset is relative from the start of the file.
+
|-
+
|
+
| 0x0058
+
| 4
+
| DWORD
+
| The number of entries in section A.
+
|-
+
|
+
| 0x005C
+
| 4
+
| DWORD
+
| The offset to section B. The offset is relative from the start of the file.
+
|-
+
|
+
| 0x0060
+
| 4
+
| DWORD
+
| The number of entries in section B.
+
|-
+
|
+
| 0x0064
+
| 4
+
| DWORD
+
| The offset to section C. The offset is relative from the start of the file.
+
|-
+
|
+
| 0x0068
+
| 4
+
| DWORD
+
| Length of section C.
+
|-
+
|
+
| 0x006C
+
| 4
+
| DWORD
+
| Offset to section D. The offset is relative from the start of the file.
+
|-
+
|
+
| 0x0070
+
| 4
+
| DWORD
+
| The number of entries in section D.
+
|-
+
|
+
| 0x0074
+
| 4
+
| DWORD
+
| Length of section D.
+
|-
+
|
+
| <b>0x0078</b>
+
| <b>8</b>
+
| <b>?</b>
+
| <b>Unknown</b>
+
|-
+
|
+
| 0x0080
+
| 8
+
| FILETIME
+
| Latest execution time (or run time) of executable (FILETIME)
+
|-
+
|
+
| 0x0088
+
| 16
+
| ?
+
| Unknown
+
|-
+
|
+
| 0x0098
+
| 4
+
| DWORD
+
| Execution counter (or run count)
+
|-
+
|
+
| 0x009C
+
| 4
+
| DWORD?
+
| Unknown
+
|-
+
|
+
| <b>0x00A0</b>
+
| <b>80</b>
+
| <b>?</b>
+
| <b>Unknown</b>
+
|-
+
|}
+
 
+
==== File information - version 26 ====
+
The file information – version 23 is 224 bytes of size and consists of:
+
{| class="wikitable"
+
|-
+
! Field
+
! Offset
+
! Length
+
! Type
+
! Notes
+
|-
+
|
+
| 0x0054
+
| 4
+
| DWORD
+
| The offset to section A. The offset is relative from the start of the file.
+
|-
+
|
+
| 0x0058
+
| 4
+
| DWORD
+
| The number of entries in section A.
+
|-
+
|
+
| 0x005C
+
| 4
+
| DWORD
+
| The offset to section B. The offset is relative from the start of the file.
+
|-
+
|
+
| 0x0060
+
| 4
+
| DWORD
+
| The number of entries in section B.
+
|-
+
|
+
| 0x0064
+
| 4
+
| DWORD
+
| The offset to section C. The offset is relative from the start of the file.
+
|-
+
|
+
| 0x0068
+
| 4
+
| DWORD
+
| Length of section C.
+
|-
+
|
+
| 0x006C
+
| 4
+
| DWORD
+
| Offset to section D. The offset is relative from the start of the file.
+
|-
+
|
+
| 0x0070
+
| 4
+
| DWORD
+
| The number of entries in section D.
+
|-
+
|
+
| 0x0074
+
| 4
+
| DWORD
+
| Length of section D.
+
|-
+
|
+
| 0x0078
+
| 8
+
| ?
+
| Unknown
+
|-
+
|
+
| 0x0080
+
| 8
+
| FILETIME
+
| Latest execution time (or run time) of executable (FILETIME)
+
|-
+
|
+
| <b>0x0088</b>
+
| <b>7 x 8 = 56</b>
+
| <b>FILETIME</b>
+
| <b>Older (most recent) latest execution time (or run time) of executable (FILETIME)</b>
+
|-
+
|
+
| <b>0x00C0</b>
+
| <b>16</b>
+
| <b>?</b>
+
| <b>Unknown</b>
+
|-
+
|
+
| 0x00D0
+
| 4
+
| DWORD
+
| Execution counter (or run count)
+
|-
+
|
+
| <b>0x00D4</b>
+
| <b>4</b>
+
| <b>?</b>
+
| <b>Unknown</b>
+
|-
+
|
+
| <b>0x00D8</b>
+
| <b>4</b>
+
| <b>?</b>
+
| <b>Unknown</b>
+
|-
+
|
+
| <b>0x00DC</b>
+
| <b>88</b>
+
| <b>?</b>
+
| <b>Unknown</b>
+
|-
+
|}
+
 
+
== Section A ==
+
This section contains an array with 20 byte (version 17) or 32 byte (version 23 and 26) metrics entry records.
+
 
+
A metrics entry records conists of:
+
{| class="wikitable"
+
|-
+
! Field
+
! Offset
+
! Length
+
! Type
+
! Notes
+
|-
+
|
+
| 0
+
| 4
+
| DWORD
+
| Start time in ms
+
|-
+
|
+
| 4
+
| 4
+
| DWORD
+
| Duration in ms
+
|-
+
|
+
| 8
+
| 4
+
| DWORD
+
| Copy of duration in ms
+
|-
+
|
+
| 12
+
| 4
+
| DWORD
+
| Filename string offset <br> The offset is relative to the start of the filename string section (section C)
+
|-
+
|
+
| 16
+
| 4
+
| DWORD
+
| Filename string number of characters without end-of-string characters
+
|-
+
|
+
| 20
+
| 4
+
| DWORD
+
| Unknown flags
+
|-
+
|
+
| 24
+
| 4
+
| DWORD
+
| Unknown
+
|-
+
|
+
| 28
+
| 4
+
| DWORD
+
| Unknown
+
|}
+
 
+
== Section B ==
+
This section contains an array with 12 byte (version 17, 23 and 26) entry records.
+
 
+
The actual format and usage of these entry records is currently not known.
+
 
+
== Section C - Filename strings ==
+
This section contains filenames strings, it consists of an array of UTF-16 little-endian formatted strings with end-of-string characters (U+0000).
+
 
+
At the end of the section there seems to be alignment padding that can contain remnant values.
+
 
+
== Section D - Volumes information (block) ==
+
 
+
Section D contains one or more subsections, each subsection refers to directories on a volume.
+
 
+
If all the executables and libraries referenced in the C section are from one single disk volume, there will be only one section in the D section. If multiple volumes are referenced by section C, section D will contain multiple sections.  (A simple way to force this situation is to copy, say, NOTEPAD.EXE to a USB drive, and start it from that volume. The corresponding prefetch file will have one D header referring to, e.g. \DEVICE\HARDDISK1\DP(1)0-0+4 (the USB drive), and one to, e.g. \DEVICE\HARDDISKVOLUME1\ (where the .DLLs and other support files were found).
+
 
+
In this section, all offsets are assumed to be counted from the start of the D section.
+
 
+
=== Volume information ===
+
The structure of the volume information is version dependent.
+
 
+
==== Volume information - version 17 ====
+
The volume information – version 17 is 40 bytes in size and consists of:
+
 
+
{| class="wikitable"
+
|-
+
! Field
+
! Offset
+
! Length
+
! Type
+
! Notes
+
|-
+
| VI1
+
| +0x0000
+
| 4
+
| DWORD
+
| Offset to volume device path (Unicode, terminated by U+0000)
+
|-
+
| VI2
+
| +0x0004
+
| 4
+
| DWORD
+
| Length of volume device path (nr of characters, including terminating U+0000)
+
|-
+
| VI3
+
| +0x0008
+
| 8
+
| FILETIME
+
| Volume creation time.
+
|-
+
| VI4
+
| +0x0010
+
| 4
+
| DWORD
+
| Volume serial number of volume indicated by volume string
+
|-
+
| VI5
+
| +0x0014
+
| 4
+
| DWORD
+
| Offset to sub section E
+
|-
+
| VI6
+
| +0x0018
+
| 4
+
| DWORD
+
| Length of sub section E (in bytes)
+
|-
+
| VI7
+
| +0x001C
+
| 4
+
| DWORD
+
| Offset to sub section F
+
|-
+
| VI8
+
| +0x0020
+
| 4
+
| DWORD
+
| Number of strings in sub section F
+
|-
+
| VI9
+
| +0x0024
+
| 4
+
| ?
+
| Unknown
+
|-
+
|}
+
 
+
==== Volume information - version 23 ====
+
The volume information entry – version 23 is 104 bytes in size and consists of:
+
 
+
{| class="wikitable"
+
|-
+
! Field
+
! Offset
+
! Length
+
! Type
+
! Notes
+
|-
+
| VI1
+
| +0x0000
+
| 4
+
| DWORD
+
| Offset to volume device path (Unicode, terminated by U+0000)
+
|-
+
| VI2
+
| +0x0004
+
| 4
+
| DWORD
+
| Length of volume device path (nr of characters, including terminating U+0000)
+
|-
+
| VI3
+
| +0x0008
+
| 8
+
| FILETIME
+
| Volume creation time.
+
|-
+
| VI4
+
| +0x0010
+
| 4
+
| DWORD
+
| Volume serial number of volume indicated by volume string
+
|-
+
| VI5
+
| +0x0014
+
| 4
+
| DWORD
+
| Offset to sub section E
+
|-
+
| VI6
+
| +0x0018
+
| 4
+
| DWORD
+
| Length of sub section E (in bytes)
+
|-
+
| VI7
+
| +0x001C
+
| 4
+
| DWORD
+
| Offset to sub section F
+
|-
+
| VI8
+
| +0x0020
+
| 4
+
| DWORD
+
| Number of strings in sub section F
+
|-
+
| VI9
+
| +0x0024
+
| 4
+
| ?
+
| Unknown
+
|-
+
| <b>VI10</b>
+
| <b>+0x0028</b>
+
| <b>28</b>
+
| <b>?</b>
+
| <b>Unknown</b>
+
|-
+
| <b>VI11</b>
+
| <b>+0x0044</b>
+
| <b>4</b>
+
| <b>?</b>
+
| <b>Unknown</b>
+
|-
+
| <b>VI12</b>
+
| <b>+0x0048</b>
+
| <b>28</b>
+
| <b>?</b>
+
| <b>Unknown</b>
+
|-
+
| <b>VI13</b>
+
| <b>+0x0064</b>
+
| <b>4</b>
+
| <b>?</b>
+
| <b>Unknown</b>
+
|-
+
|}
+
 
+
==== Volume information - version 26 ====
+
The volume information entry – version 26 appears to be similar to volume information – version 23.
+
 
+
=== Sub section E - NTFS file references ===
+
This sub section can contain NTFS file references.
+
 
+
For more information see [https://googledrive.com/host/0B3fBvzttpiiSbl9XZGZzQ05hZkU/Windows%20Prefetch%20File%20(PF)%20format.pdf Windows Prefetch File (PF) format].
+
 
+
=== Sub section F - Directory strings ===
+
This sub sections contains directory strings. The number of strings is stored in the volume information.
+
 
+
A directory string is stored in the following structure:
+
{| class="wikitable"
+
|-
+
! Field
+
! Offset
+
! Length
+
! Type
+
! Notes
+
|-
+
|
+
| 0x0000
+
| 2
+
| DWORD
+
| Number of characters (WORDs) of the directory name. The value does not include the end-of-string character.
+
|-
+
|
+
| 0x0002
+
|
+
| USTR
+
| The directory name as a Unicode (UTF-16 litte-endian string) terminated by an end-of-string character (U+0000).
+
|-
+
|}
+
 
+
== See Also ==
+
* [[Prefetch]]
+
 
+
== External Links ==
+
* [https://googledrive.com/host/0B3fBvzttpiiSbl9XZGZzQ05hZkU/Windows%20Prefetch%20File%20(PF)%20format.pdf Windows Prefetch File (PF) format], by the [[libssca|libssca project]]
+
* [http://bitbucket.cassidiancybersecurity.com/prefetch-parser/wiki/Home Windows Prefetch file format], by the [http://bitbucket.cassidiancybersecurity.com/prefetch-parser prefetch-parser] project.
+
  
[[Category:File Formats]]
+
=== LZ1 ===
 +
* [http://andyh.org/LZ1.html LZ1]

Revision as of 08:56, 21 June 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

LZ-based

Deflate/Inflate

Used in:

LZNT1

Used in:

LZXPRESS

Used in:

LZXPRESS Huffman

Used in:

External Links

Deflate/Inflate

LZ1