Difference between revisions of "Prefetch XML"

m (XML Example)
Line 17: Line 17:
 
   </volume>
 
   </volume>
 
   <creation>2010-08-18T06:13:10</creation>
 
   <creation>2010-08-18T06:13:10</creation>
   <associated_files>
+
   <filenames>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/NTDLL.DLL</filename>
+
    <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/NTDLL.DLL</file>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/KERNEL32.DLL</filename>
+
    <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/KERNEL32.DLL</file>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/APISETSCHEMA.DLL</filename>
+
    <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/APISETSCHEMA.DLL</file>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/KERNELBASE.DLL</filename>
+
    <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/KERNELBASE.DLL</file>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/LOCALE.NLS</filename>
+
    <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/LOCALE.NLS</file>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/ADVAPI32.DLL</filename>
+
    <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/ADVAPI32.DLL</file>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/MSVCRT.DLL</filename>
+
    <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/MSVCRT.DLL</file>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/SECHOST.DLL</filename>
+
    <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/SECHOST.DLL</file>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/RPCRT4.DLL</filename>
+
    <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/RPCRT4.DLL</file>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/WINSXS/X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4927_NONE_D08A205E442DB5B5/MSVCR80.DLL</filename>
+
    <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/WINSXS/X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4927_NONE_D08A205E442DB5B5/MSVCR80.DLL</file>
    <filename>/DEVICE/HARDDISKVOLUME1/PROGRAM FILES/ADOBE/READER 9.0/READER/ACRORD32INFO.EXE</filename>
+
    <file>/DEVICE/HARDDISKVOLUME1/PROGRAM FILES/ADOBE/READER 9.0/READER/ACRORD32INFO.EXE</file>
    <filename>/DEVICE/HARDDISKVOLUME1/PROGRAM FILES/ADOBE/READER 9.0/READER/ACRORD32.DLL</filename>
+
    <file>/DEVICE/HARDDISKVOLUME1/PROGRAM FILES/ADOBE/READER 9.0/READER/ACRORD32.DLL</file>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/WININET.DLL</filename>
+
    <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/WININET.DLL</file>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/SHLWAPI.DLL</filename>
+
    <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/SHLWAPI.DLL</file>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/GDI32.DLL</filename>
+
    <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/GDI32.DLL</file>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/USER32.DLL</filename>
+
  </filenames>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/LPK.DLL</filename>
+
  <directories>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/USP10.DLL</filename>
+
    <dir>\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MSN TOOLBAR</dir>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/NORMALIZ.DLL</filename>
+
    <dir>\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MSN TOOLBAR\PLATFORM</dir>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/URLMON.DLL</filename>
+
    <dir>\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MSN TOOLBAR\PLATFORM\6.3.2348.0</dir>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/OLE32.DLL</filename>
+
    <dir>\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\WINDOWS LIVE</dir>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/OLEAUT32.DLL</filename>
+
    <dir>\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\WINDOWS LIVE\COMPANION</dir>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/CRYPT32.DLL</filename>
+
    <dir>\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\WINDOWS LIVE\COMPANION\EN</dir>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/MSASN1.DLL</filename>
+
    <dir>\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\WINDOWS LIVE\INSTALLER</dir>
    <filename>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/IERTUTIL.DLL</filename>
+
    <dir>\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\WINDOWS LIVE\SHARED</dir>
   </associated_files>
+
    <dir>\DEVICE\HARDDISKVOLUME1\PROGRAMDATA</dir>
 +
    <dir>\DEVICE\HARDDISKVOLUME1\PROGRAMDATA\MICROSOFT</dir>
 +
    <dir>\DEVICE\HARDDISKVOLUME1\PROGRAMDATA\MICROSOFT\SEARCH ENHANCEMENT PACK</dir>
 +
    <dir>\DEVICE\HARDDISKVOLUME1\PROGRAMDATA\MICROSOFT\SEARCH ENHANCEMENT PACK\SEANOTE</dir>
 +
    <dir>\DEVICE\HARDDISKVOLUME1\PROGRAMDATA\MICROSOFT\SEARCH ENHANCEMENT PACK\SEARCH BOX EXTENSION</dir>
 +
    <dir>\DEVICE\HARDDISKVOLUME1\PROGRAMDATA\MICROSOFT\SEARCH ENHANCEMENT PACK\SEARCH HELPER</dir>
 +
    <dir>\DEVICE\HARDDISKVOLUME1\USERS</dir>
 +
   </directories>
 
</prefetch>
 
</prefetch>
 
</pre>
 
</pre>

Revision as of 13:20, 5 July 2011

A Prefetch file is used by Windows NT to improve the startup process of an application. Each prefetch file provides information about one application that has been run.

XML Example

<?xml version='1.0' encoding='ISO-8859-1'?>
<!-- Example output for a single Windows 7 prefetch file (ACRORD32INFO.EXE).
     The document carries no DOCTYPE, so a consumer can parse it with DTD and
     external-entity processing disabled. The declared encoding is ISO-8859-1;
     every path in this sample is plain ASCII. -->
<prefetch>
   <!-- Per-file metadata. The page does not define these fields; the names
        suggest runs = execution count and atime = last run time, but confirm
        that against the producing tool. Timestamps carry no timezone
        designator, so treat them as shown rather than assuming UTC. -->
   <header>
     <os>Windows 7</os>
     <header_size>240</header_size>
     <filename>ACRORD32INFO.EXE</filename>
     <runs>3</runs>
     <atime>2011-02-07T12:24:52</atime>
   </header>
   <!-- Volume the recorded paths live on. serial_number appears to be the
        volume serial printed as hexadecimal text (presumably; verify). -->
   <volume>
     <path>/DEVICE/HARDDISKVOLUME1</path>
     <serial_number>b46f6927</serial_number>
   </volume>
   <!-- NOTE(review): presumably the volume creation time; not defined here. -->
   <creation>2010-08-18T06:13:10</creation>
   <!-- File paths recorded in the prefetch file. Note these use forward-slash
        separators, while the directories element below uses backslashes;
        normalise separators before comparing the two lists. -->
   <filenames>
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/NTDLL.DLL</file>
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/KERNEL32.DLL</file>
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/APISETSCHEMA.DLL</file>
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/KERNELBASE.DLL</file>
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/LOCALE.NLS</file>
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/ADVAPI32.DLL</file>
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/MSVCRT.DLL</file>
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/SECHOST.DLL</file>
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/RPCRT4.DLL</file>
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/WINSXS/X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4927_NONE_D08A205E442DB5B5/MSVCR80.DLL</file>
     <file>/DEVICE/HARDDISKVOLUME1/PROGRAM FILES/ADOBE/READER 9.0/READER/ACRORD32INFO.EXE</file>
     <file>/DEVICE/HARDDISKVOLUME1/PROGRAM FILES/ADOBE/READER 9.0/READER/ACRORD32.DLL</file>
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/WININET.DLL</file>
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/SHLWAPI.DLL</file>
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/GDI32.DLL</file>
   </filenames>
   <!-- Directory paths recorded in the prefetch file, with backslash
        separators (unlike the filenames element above). -->
   <directories>
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MSN TOOLBAR</dir>
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MSN TOOLBAR\PLATFORM</dir>
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MSN TOOLBAR\PLATFORM\6.3.2348.0</dir>
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\WINDOWS LIVE</dir>
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\WINDOWS LIVE\COMPANION</dir>
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\WINDOWS LIVE\COMPANION\EN</dir>
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\WINDOWS LIVE\INSTALLER</dir>
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\WINDOWS LIVE\SHARED</dir>
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAMDATA</dir>
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAMDATA\MICROSOFT</dir>
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAMDATA\MICROSOFT\SEARCH ENHANCEMENT PACK</dir>
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAMDATA\MICROSOFT\SEARCH ENHANCEMENT PACK\SEANOTE</dir>
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAMDATA\MICROSOFT\SEARCH ENHANCEMENT PACK\SEARCH BOX EXTENSION</dir>
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAMDATA\MICROSOFT\SEARCH ENHANCEMENT PACK\SEARCH HELPER</dir>
     <dir>\DEVICE\HARDDISKVOLUME1\USERS</dir>
   </directories>
</prefetch>

See Also