Difference between pages "Research Topics" and "Prefetch"

From ForensicsWiki

=Research Topics=

; Research Ideas

Interested in doing research in computer forensics? Looking for a master's topic, or just some ideas for a research paper? Here is my list. Please feel free to add your own ideas.

=Hard Problems=
* Stream Based Disk Forensics. Process the entire disk with one pass, or at most two, to minimize seek time.
* Determine the device that created an image or video without metadata (fingerprinting digital cameras).
* Automatically detect falsified digital evidence.
* Use the location where data resides on a computer as a way of inferring information about the computer's past.
* Detect and diagnose sanitization attempts.

=Tool Development=

==[[AFF]] Enhancement==
* Evaluation of the AFF data page size. What is the optimal page size for compressed forensic work?
* Replacement of the AFF "BADFLAG" approach for indicating bad data with a bitmap.
* Modify aimage so that it can take a partial disk image and a disk and just image what's missing.
* Improve the data recovery features of aimage.
* Replace AFF's current table-of-contents system with one based on B+ Trees.

==Decoders and Validators==
* A JPEG decompressor that supports restarts and checkpointing for use in high-speed carving. It would also be useful if the JPEG decompressor didn't actually decompress: all it needs to do is verify the Huffman table.

==Cell Phones==
Open source tools for:
* Imaging the contents of a cell phone memory
* Reassembling information in a cell phone memory

=Corpora Development=

==Realistic Corpora==
* Simulated disk images
* Simulated network traffic

==Real Data==
* Digital Cameras
* Cell phones
* USB Memory Sticks ''below'' the logical layer.

=Prefetch=

Revision as of 10:33, 22 May 2007

{{Expand}}

Windows Prefetch files, introduced in [[Windows|Windows XP]], are designed to speed up the application startup process. Prefetch files contain the name of the executable, a list of DLLs used by that executable, a count of how many times the executable has been run, and a timestamp indicating the last time the program was run. Prefetch files are stored in the <tt>%SystemRoot%\Prefetch</tt> directory.

== Timestamps ==

Both the [[NTFS]] timestamps for a Prefetch file and the timestamp embedded in each Prefetch file contain valuable information. The creation date of the file indicates the first time the application was executed. Both the modification date of the file and the embedded timestamp indicate the last time the application was executed. The

== Other Notes ==

There should never be more than 128 prefetch files [http://blogs.msdn.com/ryanmy/archive/2005/05/25/421882.aspx].

== See Also ==
* [[SuperFetch]]

== External Links ==
* [http://www.mitec.cz/wfa.html Windows File Analyzer] - Parses Prefetch files, thumbnail databases, shortcuts, index.dat files, and the recycle bin
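The following script is an added example and is not part of the ForensicsWiki page or of any tool it links to. It extracts the fields the Prefetch article lists (executable name, run count, embedded last-run timestamp and the loaded-file list), checks the 128-file limit from the Other Notes section, and pairs each file's NTFS creation and modification times with the interpretation given under Timestamps. The byte offsets are an assumption: they follow the Windows XP / Server 2003 layout (header version 17) as documented by the libscca project, which the page itself does not describe, and they do not apply to Vista and later. The <tt>.pf</tt> image it parses is constructed in memory so the example runs without a Windows system.

```python
"""
Added example: read the examiner-relevant fields from a Windows XP-era
Prefetch (.pf) file and relate them to the NTFS timestamps of the file.

ASSUMPTION: the offsets below are the Windows XP / Server 2003 layout
(header version 17) as documented by the libscca project. The wiki page
gives no layout; Vista and later write different header versions.
"""
import os
import struct
from datetime import datetime, timedelta, timezone

PREFETCH_LIMIT = 128      # upper bound on .pf files stated on the page
XP_VERSION = 17           # header version written by Windows XP / 2003 (assumption)
SIGNATURE = b"SCCA"       # magic at offset 4 (assumption)
XP_HEADER_SIZE = 0x98     # XP header size; file-name strings are placed after it (assumption)
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime for an aware datetime."""
    return (dt - FILETIME_EPOCH) // timedelta(microseconds=1) * 10


def exceeds_limit(count):
    """The page states a healthy XP system never holds more than 128 .pf files."""
    return count > PREFETCH_LIMIT


def parse_xp_prefetch(data):
    """Return executable name, run count, embedded last-run time and loaded files."""
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != SIGNATURE:
        raise ValueError("not a Prefetch file: bad signature")
    if version != XP_VERSION:
        raise ValueError(f"header version {version} is not the XP layout this parser assumes")
    # 0x10: executable name, UTF-16LE, NUL-terminated, in a 60-byte field
    exe_name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    # 0x64 / 0x68: offset and size of the NUL-separated UTF-16LE file-name strings
    strings_off, strings_size = struct.unpack_from("<II", data, 0x64)
    (last_run,) = struct.unpack_from("<Q", data, 0x78)   # FILETIME of the last run
    (run_count,) = struct.unpack_from("<I", data, 0x90)  # number of executions
    blob = data[strings_off:strings_off + strings_size].decode("utf-16-le")
    loaded = [s for s in blob.split("\x00") if s]
    return {"executable": exe_name, "run_count": run_count,
            "last_run": filetime_to_datetime(last_run), "loaded_files": loaded}


def build_sample_pf(exe="NOTEPAD.EXE", run_count=7,
                    last_run=datetime(2007, 5, 22, 10, 33, tzinfo=timezone.utc),
                    loaded=None):
    """Constructed sample .pf image in the assumed XP layout (not a real file)."""
    if loaded is None:
        loaded = [r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL",
                  r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\KERNEL32.DLL",
                  r"\DEVICE\HARDDISKVOLUME1\WINDOWS\NOTEPAD.EXE"]
    strings = ("\x00".join(loaded) + "\x00").encode("utf-16-le")
    header = bytearray(XP_HEADER_SIZE)
    struct.pack_into("<I4s", header, 0, XP_VERSION, SIGNATURE)
    struct.pack_into("<I", header, 0x0C, XP_HEADER_SIZE + len(strings))  # total file size
    name = exe.encode("utf-16-le")[:58]            # keep room for the terminator
    header[0x10:0x10 + len(name)] = name
    struct.pack_into("<II", header, 0x64, XP_HEADER_SIZE, len(strings))
    struct.pack_into("<Q", header, 0x78, datetime_to_filetime(last_run))
    struct.pack_into("<I", header, 0x90, run_count)
    return bytes(header) + strings


def summarize_prefetch_dir(path):
    """Apply the page's reading of NTFS timestamps to every .pf file in a directory:
    creation time = first execution, modification time = last execution."""
    files = []
    for name in sorted(os.listdir(path)):
        if not name.lower().endswith(".pf"):
            continue
        st = os.stat(os.path.join(path, name))
        # st_birthtime is the creation time where the platform exposes it (Windows, macOS, BSD);
        # on Linux st_ctime is the inode change time, so "first_run" is unreliable there
        created = getattr(st, "st_birthtime", st.st_ctime)
        files.append({"file": name,
                      "first_run": datetime.fromtimestamp(created, timezone.utc),
                      "last_run": datetime.fromtimestamp(st.st_mtime, timezone.utc)})
    return {"count": len(files), "exceeds_limit": exceeds_limit(len(files)), "files": files}


if __name__ == "__main__":
    info = parse_xp_prefetch(build_sample_pf())
    print(f"{info['executable']}: run {info['run_count']} times, last at {info['last_run']}")
    for f in info["loaded_files"]:
        print("  loaded:", f)
```

On a real image, point <tt>summarize_prefetch_dir</tt> at a copy of <tt>%SystemRoot%\Prefetch</tt> and pass each file's bytes to <tt>parse_xp_prefetch</tt>; a gap between the NTFS modification time and the embedded last-run value, or a file count above 128, is worth noting in the examination rather than explaining away.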