Difference between pages "Upcoming events" and "Windows Prefetch File Format"

From ForensicsWiki
Revision as of 10:29, 14 September 2011

A Windows Prefetch file consists of one file header and multiple file sections with different content. Not all content has an obvious forensic value.

As far as it has been possible to ascertain, there is no public description of the format. The description below has been synthesised from examination of multiple prefetch files.

Header

This format has been observed on Windows XP, ... and will need to be modified for the Vista/Win7 format.

| Field | Offset | Length | Type   | Notes |
|-------|--------|--------|--------|-------|
| H1    | 0x0000 | 4      | DWORD  | ? Probably a version number identifying the file structure. Observed values: 0x11 - Windows XP; 0x17 - Vista, Windows 7 |
| H2    | 0x0004 | 4      | DWORD  | ? Probably a file magic number. Only observed value: 0x41434353 |
| H3    | 0x0008 | 4      | DWORD? | ? Observed values: 0x0F - Windows XP; 0x11 - Windows 7 |
| H4    | 0x000C | 4      | DWORD  | Prefetch file length. |
| H5    | 0x0010 | 60     | USTR   | Name of the executable as a Unicode string, truncated after character 29 if necessary and terminated by U+0000, as it appears in the prefetch file's name. |
| H6    | 0x004C | 4      | DWORD  | The prefetch hash, as it appears in the .pf file name. |
| H7    | 0x0050 | 4      | ?      | ? Observed values: 0 for almost all prefetch files (XP); 1 for NTOSBOOT-B00DFAAD.pf (XP) |
| H8    | 0x0054 | 4      | DWORD  | Offset to section A |
| H9    | 0x0058 | 4      | DWORD  | ? Number of entries in section A |
| H10   | 0x005C | 4      | DWORD  | Offset to section B |
| H11   | 0x0060 | 4      | DWORD  | Number of entries in section B |
| H12   | 0x0064 | 4      | DWORD  | Offset to section C |
| H13   | 0x0068 | 4      | DWORD  | Length of section C |
| H14   | 0x006C | 4      | DWORD  | Offset to section D |
| H15   | 0x0070 | 4      | DWORD  | ? Probably the number of entries in the section D header |
| H16   | 0x0074 | 4      | DWORD  | Length of section D |
| H17   | 0x0078 | 8      | FTIME  | Latest execution time of the executable (FILETIME) |
| H18   | 0x0080 | 16     | ?      | ? Possibly structured as 4 DWORDs. Observed values: /0x00000000 0x00000000 0x00000000 0x00000000/, /0x47868c00 0x00000000 0x47860c00 0x00000000/ |
| H19   | 0x0090 | 4      | DWORD  | Execution counter |
| H20   | 0x0094 | 4      | DWORD? | ? Observed values: 1, 2, 3, 4, 5, 6 (XP) |

It's worth noting that the name of a carved prefetch file can be restored from fields H5 and H6, and its size can be determined from field H4.
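The header layout above, turned into a parser that also rebuilds the NAME-HASH.pf file name from H5/H6 and checks the carved size against H4. This is an added example, not code from the wiki page; the sample header is constructed (CALC.EXE, hash 0x12345678, a 0x200-byte file) and does not come from a real system, and H7/H20 are read as DWORDs while H18 is skipped as unknown.

```python
import struct
from datetime import datetime, timedelta, timezone

# Header layout from the table above (XP layout, 0x98 bytes, little-endian).
# H1-H4 DWORD, H5 60-byte UTF-16 name, H6-H16 DWORD, H17 FILETIME,
# H18 16 unknown bytes (skipped), H19-H20 DWORD.
HEADER_FMT = "<IIII60s" + "I" * 11 + "Q16xII"
HEADER_LEN = struct.calcsize(HEADER_FMT)        # 0x98
SCCA_MAGIC = 0x41434353                         # H2; its little-endian bytes spell "SCCA"
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME is a count of 100 ns intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_prefetch_header(data):
    """Return the header fields H1..H20 as a dict; raises on a bad magic or short input."""
    if len(data) < HEADER_LEN:
        raise ValueError("data too short for a prefetch header")
    f = struct.unpack_from(HEADER_FMT, data, 0)
    if f[1] != SCCA_MAGIC:
        raise ValueError("H2 magic mismatch: 0x%08x" % f[1])
    exe = f[4].decode("utf-16-le").split("\x00", 1)[0]   # H5: UTF-16, U+0000 terminated
    return {
        "version": f[0], "h3": f[2], "file_length": f[3], "exe_name": exe,
        "hash": f[5], "h7": f[6],
        "section_a": {"offset": f[7], "entries": f[8]},
        "section_b": {"offset": f[9], "entries": f[10]},
        "section_c": {"offset": f[11], "length": f[12]},
        "section_d": {"offset": f[13], "entries": f[14], "length": f[15]},
        "last_run": filetime_to_datetime(f[16]), "run_count": f[17], "h20": f[18],
    }

def carved_file_name(hdr):
    """Rebuild NAME-HASH.pf from H5 and H6 (hash as 8 upper-case hex digits)."""
    return "%s-%08X.pf" % (hdr["exe_name"], hdr["hash"])

def length_is_consistent(hdr, data):
    """H4 should equal the carved size; a mismatch means a truncated or overrun carve."""
    return hdr["file_length"] == len(data)

# Constructed sample (not from a real system): last run 2011-09-14 10:29:00 UTC, run 6 times.
_FILETIME = 129604697400000000
_NAME = "CALC.EXE".encode("utf-16-le").ljust(60, b"\x00")
SAMPLE = struct.pack(HEADER_FMT, 0x11, SCCA_MAGIC, 0x0F, 0x200, _NAME, 0x12345678, 0,
                     0x98, 3, 0x100, 2, 0x140, 0x80, 0x1C0, 1, 0x40, _FILETIME, 6, 1)
SAMPLE += b"\x00" * (0x200 - HEADER_LEN)        # pad the constructed file to H4

if __name__ == "__main__":
    h = parse_prefetch_header(SAMPLE)
    print(carved_file_name(h), h["last_run"], h["run_count"], length_is_consistent(h, SAMPLE))
```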

Section A and B

The content of these two sections is unknown.

Section C

Section D