Difference between pages "Windows Prefetch File Format" and "Chrome Disk Cache Format"

From ForensicsWiki
= Windows Prefetch File Format =

A Windows Prefetch file consists of one file header and multiple file sections with different content. Not all content has an obvious forensic value.

As far as it has been possible to ascertain, there is no public description of the format. The description below has been synthesised from examination of multiple prefetch files.

== Header ==

This format has been observed on Windows XP, ... and will need to be modified for the Vista/Windows 7 format. All DWORD values are little-endian.

{| class="wikitable"
|-
! Field
! Offset
! Length
! Type
! Notes
|-
| H1
| 0x0000
| 4
| DWORD
| ? Probably a version number, identifying the file structure. Observed values: 0x11 - Windows XP; 0x17 - Vista, Windows 7
|-
| H2
| 0x0004
| 4
| DWORD
| ? Probably a file magic number. Only observed value: 0x41434353 (the bytes "SCCA" when read as ASCII)
|-
| H3
| 0x0008
| 4
| DWORD?
| ? Observed values: 0x0F - Windows XP, 0x11 - Windows 7
|-
| H4
| 0x000C
| 4
| DWORD
| Prefetch file length.
|-
| H5
| 0x0010
| 60
| USTR
| Name of executable as Unicode string, truncated after character 29 if necessary, and terminated by U+0000. As it appears in the prefetch file name.
|-
| H6
| 0x004C
| 4
| DWORD
| The prefetch hash, as it appears in the .pf file name.
|-
| H7
| 0x0050
| 4
| ?
| ? Observed values: 0 for almost all prefetch files (XP); 1 for NTOSBOOT-B00DFAAD.pf (XP)
|-
| H8
| 0x0054
| 4
| DWORD
| Offset to section A
|-
| H9
| 0x0058
| 4
| DWORD
| ? Number of entries in section A
|-
| H10
| 0x005C
| 4
| DWORD
| Offset to section B
|-
| H11
| 0x0060
| 4
| DWORD
| Number of entries in section B
|-
| H12
| 0x0064
| 4
| DWORD
| Offset to section C
|-
| H13
| 0x0068
| 4
| DWORD
| Length of section C
|-
| H14
| 0x006C
| 4
| DWORD
| Offset to section D
|-
| H15
| 0x0070
| 4
| DWORD
| ? Probably the number of headers in section D
|-
| H16
| 0x0074
| 4
| DWORD
| Length of section D
|-
| H17
| 0x0078
| 8
| FTIME
| Latest execution time of executable (FILETIME)
|-
| H18
| 0x0080
| 16
| ?
| ? Possibly structured as 4 DWORD. Observed values: /0x00000000 0x00000000 0x00000000 0x00000000/, /0x47868c00 0x00000000 0x47860c00 0x00000000/
|-
| H19
| 0x0090
| 4
| DWORD
| Execution counter
|-
| H20
| 0x0094
| 4
| DWORD?
| ? Observed values: 1, 2, 3, 4, 5, 6 (XP)
|}

It is worth noting that the name of a carved prefetch file can be restored from fields H5 and H6 (NAME-HASH.pf), and its size can be determined from field H4.

== Section A and B ==

The content of these two sections is unknown.

== Section C ==

Section C is not described here beyond the fact that it references the executable and the libraries it loads (see section D below).

== Section D ==

Section D begins with one or more headers. The number is (most likely) determined by the DWORD at file offset 0x0070 (field H15). Each header refers to a disk volume.

In this section, all offsets are counted from the start of section D.

{| class="wikitable"
|-
! Field
! Offset
! Length
! Type
! Notes
|-
| DH1
| 0x0000
| 4
| DWORD
| Offset to volume string (Unicode, terminated by U+0000)
|}

If all the executables and libraries referenced in section C are from one single disk volume, there will be only one header in section D. If multiple volumes are referenced by section C, section D will contain multiple headers. (A simple way to force this situation is to copy, say, NOTEPAD.EXE to a USB drive and start it from that volume. The corresponding prefetch file will have one D header referring to, e.g., \DEVICE\HARDDISK1\DP(1)0-0+4 (the USB drive), and one referring to, e.g., \DEVICE\HARDDISKVOLUME1\ (where the .DLLs and other support files were found).)

[[Category:File Formats]]
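As an added example (not code from the ForensicsWiki page), the following Python parser reads the XP-layout header fields H1..H20 at the offsets tabulated above, rebuilds the NAME-HASH.pf file name from H5 and H6 and the file size from H4 as a carving tool would, converts the H17 FILETIME, and follows DH1 of the first section D header to its volume string. The prefetch file it parses is constructed inside the script: the executable name, hash, timestamp and everything in the D header beyond DH1 are made-up sample values, and the function names are chosen here.

```python
"""Parse the XP-layout (version 0x11) Windows Prefetch header described above.

Added example, not code from ForensicsWiki.  Offsets follow the H1..H20 table;
the sample file built below is constructed data, not a real capture.
"""
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 0x98          # H20 sits at 0x94 and is 4 bytes long
SCCA_MAGIC = 0x41434353     # H2; the little-endian bytes are b"SCCA"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (H17) counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of the above, in integer arithmetic so big tick counts stay exact."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def parse_prefetch_header(data):
    """Return the header fields of an XP-layout prefetch file as a dict."""
    if len(data) < HEADER_SIZE:
        raise ValueError("buffer shorter than the 0x98 byte header")
    version, magic, h3, file_size = struct.unpack_from("<4I", data, 0x00)   # H1..H4
    if magic != SCCA_MAGIC:
        raise ValueError("H2 magic is 0x%08x, expected 0x41434353 (SCCA)" % magic)
    if version != 0x11:
        raise ValueError("H1 version 0x%x: only the XP layout (0x11) is described" % version)
    # H5: 60 bytes of UTF-16LE, NUL terminated, at most 29 characters.
    name = data[0x10:0x10 + 60].decode("utf-16-le", "replace").split("\x00", 1)[0]
    (pf_hash, h7, off_a, n_a, off_b, n_b, off_c, len_c,
     off_d, n_d, len_d) = struct.unpack_from("<11I", data, 0x4C)           # H6..H16
    (last_run,) = struct.unpack_from("<Q", data, 0x78)                      # H17
    run_count, h20 = struct.unpack_from("<2I", data, 0x90)                  # H19, H20
    return {
        "version": version, "h3": h3, "file_size": file_size,
        "executable": name, "hash": pf_hash, "h7": h7,
        "section_a": (off_a, n_a), "section_b": (off_b, n_b),
        "section_c": (off_c, len_c), "section_d": (off_d, n_d, len_d),
        "last_run": filetime_to_datetime(last_run),
        "run_count": run_count, "h20": h20,
    }


def carved_filename(hdr):
    """Rebuild NAME-HASH.pf from H5 and H6 for a carved file."""
    return "%s-%08X.pf" % (hdr["executable"], hdr["hash"])


def first_volume_path(data, hdr):
    """Follow DH1 (relative to the start of section D) to the volume string.

    The size of one D header is not given in the description above, so only
    the first header is followed; the read is bounded by H16 (section length).
    """
    off_d, _n_d, len_d = hdr["section_d"]
    (dh1,) = struct.unpack_from("<I", data, off_d)
    tail = data[off_d + dh1:off_d + len_d]
    return tail.decode("utf-16-le", "ignore").split("\x00", 1)[0]


def build_sample_prefetch():
    """Construct a minimal XP-layout prefetch file (sample data, not a real capture)."""
    name, volume = "NOTEPAD.EXE", "\\DEVICE\\HARDDISKVOLUME1"
    # Section D: DH1 says the volume string starts 16 bytes into the section; the
    # 12 bytes in between are a made-up stand-in for the rest of the D header.
    section_d = struct.pack("<I", 16) + b"\x00" * 12 + (volume + "\x00").encode("utf-16-le")
    off_d = HEADER_SIZE                       # sections A-C left empty in the sample
    file_size = off_d + len(section_d)
    hdr = struct.pack("<4I", 0x11, SCCA_MAGIC, 0x0F, file_size)             # H1..H4
    hdr += name.encode("utf-16-le").ljust(60, b"\x00")                       # H5
    hdr += struct.pack("<11I", 0x5A8B3C7E, 0,                                # H6, H7 (hash is made up)
                       HEADER_SIZE, 0, HEADER_SIZE, 0, HEADER_SIZE, 0,       # H8..H13
                       off_d, 1, len(section_d))                              # H14..H16
    hdr += struct.pack("<Q", datetime_to_filetime(
        datetime(2014, 6, 21, 18, 29, tzinfo=timezone.utc)))                 # H17
    hdr += b"\x00" * 16                                                      # H18
    hdr += struct.pack("<2I", 3, 1)                                          # H19, H20
    assert len(hdr) == HEADER_SIZE
    return hdr + section_d


if __name__ == "__main__":
    pf = build_sample_prefetch()
    h = parse_prefetch_header(pf)
    print(carved_filename(h), h["file_size"], h["run_count"], h["last_run"])
    print(first_volume_path(pf, h))
```

When carving, check H4 against the bytes actually recovered: a file whose H4 exceeds the recovered length has been truncated, and the section offsets H8..H16 must all stay inside H4 before they are followed.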
= Chrome Disk Cache Format =

Revision as of 18:29, 21 June 2014

{{expand}}

== Cache files ==

The cache is stored in multiple files:

{| class="wikitable"
|-
! Filename
! Description
|-
| index
| The index file
|-
| data_#
| Data block files
|-
| f_######
| (Separate) data stream file
|}

== Cache address ==

The cache address is 4 bytes in size. Offsets below are given as byte.bit, with byte 3 being the most significant byte of the 32-bit value (as the examples below show). It consists of:

{| class="wikitable"
|-
! Offset (byte.bit)
! Size
! Description
|-
| colspan="3" | <i>If file type is 0 (separate file)</i>
|-
| 0.0
| 28 bits
| File number <br> The value represents the value of # in f_######
|-
| colspan="3" | <i>Else (block data file)</i>
|-
| 0.0
| 16 bits
| Block number
|-
| 2.0
| 8 bits
| File number (or file selector) <br> The value represents the value of # in data_#
|-
| 3.0
| 2 bits
| Block size <br> The number of contiguous blocks, where 0 represents 1 block and 3 represents 4 blocks.
|-
| 3.2
| 2 bits
| Reserved
|-
| colspan="3" | <i>Common</i>
|-
| 3.4
| 3 bits
| File type
|-
| 3.7
| 1 bit
| Initialized flag
|}

=== File types ===

{| class="wikitable"
|-
! Value
! Description
|-
| 0
| (Separate) data stream file
|-
| 1
| (Rankings) block data file (36 byte block data file)
|-
| 2
| 256 byte block data file
|-
| 3
| 1024 byte block data file
|-
| 4
| 4096 byte block data file
|-
| 6
| Unknown; seen on Mac OS X (address 0x6f430074)
|}

==== Examples ====

{| class="wikitable"
|-
! Value
! Description
|-
| 0x00000000
| Not initialized
|-
| 0x8000002a
| Data stream file: f_00002a
|-
| 0xa0010003
| Block data file: data_1, block number 3, block size 0 (1 block)
|}
== Index file format (index) ==

Overview:

* File header
* least recently used (LRU) data (or eviction control data)
* index table

=== File header ===

*TODO*

== Data block file format (data_#) ==

Overview:

* File header
* array of blocks

=== File header ===

*TODO*

== Data stream ==

See: [[gzip]]

== See Also ==

* [[Google Chrome]]
* [[gzip]]

== External Links ==