Difference between pages "Windows Prefetch File Format" and "Chrome Disk Cache Format"

From ForensicsWiki
= Windows Prefetch File Format =

A Windows Prefetch file consists of one file header and multiple file sections with different content. Not all content has an obvious forensic value.

As far as it has been possible to ascertain, there is no public description of the format. The description below has been synthesised from examination of multiple prefetch files.

== Header ==

This format has been observed on Windows XP; the description will need to be modified for the Vista/Windows 7 format.

{| class="wikitable"
|-
! Field
! Offset
! Length
! Type
! Notes
|-
| H1
| 0x0000
| 4
| DWORD
| ? Probably a version number, identifying the file structure. Observed values: 0x11 - Windows XP; 0x17 - Vista, Windows 7
|-
| H2
| 0x0004
| 4
| DWORD
| ? Probably a file magic number. Only observed value: 0x41434353
|-
| H3
| 0x0008
| 4
| DWORD?
| ? Observed values: 0x0F - Windows XP, 0x11 - Windows 7
|-
| H4
| 0x000C
| 4
| DWORD
| Prefetch file length.
|-
| H5
| 0x0010
| 60
| USTR
| Name of executable as Unicode string, truncated after character 29 if necessary, and terminated by U+0000. As it appears in the prefetch file name.
|-
| H6
| 0x004C
| 4
| DWORD
| The prefetch hash, as it appears in the pf file name.
|-
| H7
| 0x0050
| 4
| ?
| ? Observed values: 0 for almost all prefetch files (XP); 1 for NTOSBOOT-B00DFAAD.pf (XP)
|-
| H8
| 0x0054
| 4
| DWORD
| Offset to section A
|-
| H9
| 0x0058
| 4
| DWORD
| ? Nr of entries in section A
|-
| H10
| 0x005C
| 4
| DWORD
| Offset to section B
|-
| H11
| 0x0060
| 4
| DWORD
| Nr of entries in section B
|-
| H12
| 0x0064
| 4
| DWORD
| Offset to section C
|-
| H13
| 0x0068
| 4
| DWORD
| Length of section C
|-
| H14
| 0x006C
| 4
| DWORD
| Offset to section D
|-
| H15
| 0x0070
| 4
| DWORD
| ? Probably the number of entries in the D section header
|-
| H16
| 0x0074
| 4
| DWORD
| Length of section D
|-
| H17
| 0x0078
| 8
| FTIME
| Latest execution time of executable (FILETIME)
|-
| H18
| 0x0080
| 16
| ?
| ? Possibly structured as 4 DWORD. Observed values: /0x00000000 0x00000000 0x00000000 0x00000000/, /0x47868c00 0x00000000 0x47860c00 0x00000000/
|-
| H19
| 0x0090
| 4
| DWORD
| Execution counter
|-
| H20
| 0x0094
| 4
| DWORD?
| ? Observed values: 1, 2, 3, 4, 5, 6 (XP)
|}

It is worth noting that the name of a carved prefetch file can be restored using the information in fields H5 and H6, and its size can be determined by field H4.
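As an added example (not part of the wiki page), the following Python parses the XP-layout header from the table above and rebuilds the NAME-HASH.pf file name from H5 and H6, which is what a carver needs. The sample header is constructed here; its hash, section offsets and timestamp are made-up values.

```python
import struct
from datetime import datetime, timedelta, timezone

# Header layout from the table above (Windows XP, H1 == 0x11):
# H1-H4 DWORDs, H5 60-byte UTF-16 name, H6-H16 DWORDs, H17 FILETIME, H18 16 bytes, H19-H20 DWORDs.
HEADER_FMT = "<4I60s11IQ16s2I"
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 0x98 = 152 bytes
PF_MAGIC = 0x41434353                       # H2, reads as "SCCA" on disk

def filetime_to_datetime(ft):
    """FILETIME is a count of 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_prefetch_header(buf):
    """Return the header fields of an XP prefetch file; reject a bad magic or version."""
    if len(buf) < HEADER_SIZE:
        raise ValueError("buffer too short for a prefetch header")
    f = struct.unpack_from(HEADER_FMT, buf, 0)
    if f[1] != PF_MAGIC:
        raise ValueError("H2 magic mismatch: 0x%08x" % f[1])
    if f[0] != 0x11:
        raise ValueError("H1 version 0x%02x is not the XP layout this parser knows" % f[0])
    name = f[4].decode("utf-16-le").split("\x00", 1)[0]   # H5, at most 29 characters
    return {
        "version": f[0], "file_length": f[3], "exe_name": name, "hash": f[5],
        "section_a": (f[7], f[8]), "section_b": (f[9], f[10]),      # (offset, entries)
        "section_c": (f[11], f[12]), "section_d": (f[13], f[15]),  # (offset, length)
        "volume_header_count": f[14],                              # H15
        "last_run": filetime_to_datetime(f[16]),                   # H17
        "run_count": f[18],                                        # H19
    }

def carved_filename(hdr):
    """Rebuild the on-disk name of a carved file from H5 and H6, e.g. NOTEPAD.EXE-1AC0C0C9.pf."""
    return "%s-%08X.pf" % (hdr["exe_name"], hdr["hash"])

# Constructed sample (not real data): NOTEPAD.EXE, made-up hash, 0x4000-byte file,
# last run at the Unix epoch (FILETIME 116444736000000000), run 5 times.
SAMPLE_HEADER = struct.pack(
    HEADER_FMT, 0x11, PF_MAGIC, 0x0F, 0x4000,
    "NOTEPAD.EXE".encode("utf-16-le").ljust(60, b"\x00"),
    0x1AC0C0C9, 0,                                   # H6 hash, H7
    0x98, 0, 0xA0, 0, 0xB0, 0x20, 0xD0, 1, 0x40,     # H8-H16 (made-up offsets)
    116444736000000000, bytes(16), 5, 1)             # H17-H20
SAMPLE_PF = SAMPLE_HEADER + bytes(0x4000 - HEADER_SIZE)

if __name__ == "__main__":
    hdr = parse_prefetch_header(SAMPLE_PF)
    print(carved_filename(hdr), hdr["file_length"], hdr["last_run"], hdr["run_count"])
```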
== Section A and B ==

The content of these two sections is unknown.

== Section C ==

== Section D ==

Section D begins with one or more headers. The number is (most likely) determined by the DWORD at file offset 0x0070. Each header refers to a hard drive.

In this section, all offsets are assumed to be counted from the start of the D section.

{| class="wikitable"
|-
! Field
! Offset
! Length
! Type
! Notes
|-
| DH1
| 0x0000
| 4
| DWORD
| Offset to volume string (Unicode, terminated by U+0000)
|-
|}

If all the executables and libraries referenced in the C section are from one single disk volume, there will be only one header in the D section. If multiple volumes are referenced by section C, section D will contain multiple headers. (A simple way to force this situation is to copy, say, NOTEPAD.EXE to a USB drive, and start it from that volume. The corresponding prefetch file will have one D header referring to, e.g. \DEVICE\HARDDISK1\DP(1)0-0+4 (the USB drive), and one to, e.g. \DEVICE\HARDDISKVOLUME1\ (where the .DLLs and other support files were found).)

[[Category:File Formats]]

= Chrome Disk Cache Format =

Revision as of 14:29, 21 June 2014

{{expand}}

== Cache files ==

The cache is stored in multiple files:

{| class="wikitable"
|-
! Filename
! Description
|-
| index
| The index file
|-
| data_#
| Data block files
|-
| f_######
| (Separate) data stream file
|}

== Cache address ==

The cache address is 4 bytes in size and consists of:

{| class="wikitable"
|-
! offset (byte.bit)
! size
! value
! description
|-
| <i>If file type is 0 (Separate file)</i>
|
|
|
|-
| 0.0
| 28 bits
|
| File number <br> The value represents the value of # in f_######
|-
| <i>Else</i>
|
|
|
|-
| 0.0
| 16 bits
|
| Block number
|-
| 2.0
| 8 bits
|
| File number (or file selector) <br> The value represents the value of # in data_#
|-
| 3.0
| 2 bits
|
| Block size <br> The number of contiguous blocks where 0 represents 1 block and 3 represents 4 blocks.
|-
| 3.2
| 2 bits
|
| Reserved
|-
| <i>Common</i>
|
|
|
|-
| 3.4
| 3 bits
|
| File type
|-
| 3.7
| 1 bit
|
| Initialized flag
|}

=== File types ===

{| class="wikitable"
|-
! Value
! Description
|-
| 0
| (Separate) data stream file
|-
| 1
| (Rankings) block data file (36 byte block data file)
|-
| 2
| 256 byte block data file
|-
| 3
| 1024 byte block data file
|-
| 4
| 4096 byte block data file
|-
| 6
| Unknown; seen on Mac OS X 0x6f430074
|}

==== Examples ====

{| class="wikitable"
|-
! Value
! Description
|-
| 0x00000000
| Not initialized
|-
| 0x8000002a
| Data stream file: f_00002a
|-
| 0xa0010003
| Block data file: data_1, block number 3, 1 block of size 256
|}
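The bit layout above, as an added example (not code from the wiki page): a Python decoder that splits a 4-byte cache address into its fields and reproduces the Examples table, handling the not-initialized case, the separate-file layout, and file types the table does not list.

```python
# Field layout of the 4-byte Chrome cache address, as given in the table above.
FILE_TYPES = {
    0: "(Separate) data stream file",
    1: "(Rankings) block data file (36 byte block data file)",
    2: "256 byte block data file",
    3: "1024 byte block data file",
    4: "4096 byte block data file",
}
BLOCK_SIZES = {1: 36, 2: 256, 3: 1024, 4: 4096}   # bytes per block for the block data files

def decode_cache_address(addr):
    """Split a 32-bit cache address into its fields; unknown file types are kept, not rejected."""
    if not 0 <= addr <= 0xFFFFFFFF:
        raise ValueError("cache address must be an unsigned 32-bit value")
    if not addr >> 31:                             # bit 3.7: initialized flag
        return {"initialized": False}
    file_type = (addr >> 28) & 0x7                 # bits 3.4-3.6
    out = {"initialized": True, "file_type": file_type,
           "file_type_name": FILE_TYPES.get(file_type, "Unknown")}
    if file_type == 0:                             # separate data stream file f_######
        out["file_number"] = addr & 0x0FFFFFFF     # low 28 bits
        out["file"] = "f_%06x" % out["file_number"]
        return out
    out["reserved"] = (addr >> 26) & 0x3           # bits 3.2-3.3, expected to be 0
    out["block_count"] = ((addr >> 24) & 0x3) + 1  # bits 3.0-3.1: 0 means 1 block, 3 means 4
    out["file_number"] = (addr >> 16) & 0xFF       # byte 2: the # in data_#
    out["block_number"] = addr & 0xFFFF            # bytes 0-1
    out["file"] = "data_%d" % out["file_number"]
    if file_type in BLOCK_SIZES:                   # total extent of the contiguous blocks
        out["length"] = out["block_count"] * BLOCK_SIZES[file_type]
    return out

def describe_cache_address(addr):
    """One-line description in the style of the Examples table above."""
    d = decode_cache_address(addr)
    if not d["initialized"]:
        return "Not initialized"
    if d["file_type"] == 0:
        return "Data stream file: %s" % d["file"]
    text = "Block data file: %s, block number %d, %d block(s)" % (
        d["file"], d["block_number"], d["block_count"])
    if "length" in d:
        text += " of size %d" % BLOCK_SIZES[d["file_type"]]
    return text

if __name__ == "__main__":
    for a in (0x00000000, 0x8000002A, 0xA0010003):
        print("0x%08x  %s" % (a, describe_cache_address(a)))
```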
== Index file format (index) ==

Overview:

* File header
* least recently used (LRU) data (or eviction control data)
* index table

=== File header ===

* TODO

== Data block file format (data_#) ==

Overview:

* File header
* array of blocks

=== File header ===

* TODO

== Data stream ==

See: [[gzip]]

== See Also ==

* [[Google Chrome]]
* [[gzip]]

== External Links ==