
Difference between revisions of "Prefetch XML"

From ForensicsWiki
m (XML Example)
m (XML Example)
Line 13: Line 13:
 
   </header>
 
   </header>
 
   <volume>
 
   <volume>
     <path>\DEVICE\HARDDISKVOLUME1</path>
+
     <path>/DEVICE/HARDDISKVOLUME1</path>
 
     <serial_number>b46f6927</serial_number>
 
     <serial_number>b46f6927</serial_number>
 
   </volume>
 
   </volume>
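Review bot: the separator change in `<volume><path>` from `\DEVICE\HARDDISKVOLUME1` to `/DEVICE/HARDDISKVOLUME1` is undocumented; the removed line is the NT device-path notation, so the page should state that the XML output normalises separators to forward slashes (the `<associated_files>` entries in the revision below already use that form), otherwise consumers comparing these values against paths reported by other tools will see spurious mismatches.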

Revision as of 15:14, 5 July 2011

A Prefetch file is used by Windows NT to improve the startup process of an application. Each prefetch file records information about an application that has been run.

XML Example

<?xml version='1.0' encoding='ISO-8859-1'?>
<prefetch>
   <header>
     <os>Windows 7</os>
     <header_size>240</header_size>
     <filename>ACRORD32INFO.EXE</filename>
     <runs>3</runs>
     <atime>2011-02-07T12:24:52</atime>
   </header>
   <volume>
     <path>/DEVICE/HARDDISKVOLUME1</path>
     <serial_number>b46f6927</serial_number>
   </volume>
   <creation>2010-08-18T06:13:10</creation>
   <associated_files>
     <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/NTDLL.DLL</filename>
     <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/KERNEL32.DLL</filename>
     <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/APISETSCHEMA.DLL</filename>
     <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/KERNELBASE.DLL</filename>
     <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/LOCALE.NLS</filename>
     <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/ADVAPI32.DLL</filename>
     <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/MSVCRT.DLL</filename>
     <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/SECHOST.DLL</filename>
     <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/RPCRT4.DLL</filename>
     <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/WINSXS/X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4927_NONE_D08A205E442DB5B5/MSVCR80.DLL</filename>
     <filename>/DEVICE/HARDDISKVOLUME1/PROGRAM FILES/ADOBE/READER 9.0/READER/ACRORD32INFO.EXE</filename>
     <filename>/DEVICE/HARDDISKVOLUME1/PROGRAM FILES/ADOBE/READER 9.0/READER/ACRORD32.DLL</filename>
     <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/WININET.DLL</filename>
     <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/SHLWAPI.DLL</filename>
     <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/GDI32.DLL</filename>
     <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/USER32.DLL</filename>
     <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/LPK.DLL</filename>
     <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/USP10.DLL</filename>
     <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/NORMALIZ.DLL</filename>
     <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/URLMON.DLL</filename>
     <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/OLE32.DLL</filename>
     <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/OLEAUT32.DLL</filename>
     <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/CRYPT32.DLL</filename>
     <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/MSASN1.DLL</filename>
     <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/IERTUTIL.DLL</filename>
   </associated_files>
</prefetch>
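As an added example (not part of the wiki page or of any ForensicsWiki tool), a small Python reader for the XML layout above: it pulls out the header and volume fields, finds the full path of the prefetched executable among the associated files, and keeps a backslash copy of the volume path for comparison with the raw NT device-path form. The embedded sample is constructed from the page's values, trimmed to three associated files.

```python
import xml.etree.ElementTree as ET
from datetime import datetime
# Constructed sample in the layout shown above (values from the page's example,
# trimmed to three files); bytes, so the ISO-8859-1 declaration is honoured.
SAMPLE_XML = b"""<?xml version='1.0' encoding='ISO-8859-1'?>
<prefetch>
  <header>
    <os>Windows 7</os>
    <header_size>240</header_size>
    <filename>ACRORD32INFO.EXE</filename>
    <runs>3</runs>
    <atime>2011-02-07T12:24:52</atime>
  </header>
  <volume>
    <path>/DEVICE/HARDDISKVOLUME1</path>
    <serial_number>b46f6927</serial_number>
  </volume>
  <creation>2010-08-18T06:13:10</creation>
  <associated_files>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/NTDLL.DLL</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/PROGRAM FILES/ADOBE/READER 9.0/READER/ACRORD32INFO.EXE</filename>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/WININET.DLL</filename>
  </associated_files>
</prefetch>
"""

def parse_prefetch_xml(data):
    """Parse one Prefetch XML document (bytes) into a flat record."""
    root = ET.fromstring(data)
    if root.tag != "prefetch":
        raise ValueError("not a prefetch document")
    hdr, vol = root.find("header"), root.find("volume")
    return {
        "os": hdr.findtext("os"),
        "filename": hdr.findtext("filename"),
        "runs": int(hdr.findtext("runs")),
        "last_run": datetime.fromisoformat(hdr.findtext("atime")),
        "volume_path": vol.findtext("path"),
        "volume_nt_path": vol.findtext("path").replace("/", "\\"),  # raw NT form
        "volume_serial": vol.findtext("serial_number"),
        "created": datetime.fromisoformat(root.findtext("creation")),
        "files": [f.text for f in root.iterfind("associated_files/filename")],
    }

def executable_path(rec):
    """Associated file whose basename matches the header filename, else None."""
    for path in rec["files"]:
        if path.rsplit("/", 1)[-1] == rec["filename"]:
            return path
    return None
```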

See Also