Difference between revisions of "Prefetch XML"

(Created page with "A Prefetch file is used by Windows NT to improve the startup process of an application. Each prefetch file provides information about each ran application. ==XML Example== <pre...")
 
 
(3 intermediate revisions by 2 users not shown)
Line 13: Line 13:
 
   </header>
 
   </header>
 
   <volume>
 
   <volume>
     <path>\DEVICE\HARDDISKVOLUME1</path>
+
     <path>/DEVICE/HARDDISKVOLUME1</path>
 
     <serial_number>b46f6927</serial_number>
 
     <serial_number>b46f6927</serial_number>
 
   </volume>
 
   </volume>
 
   <creation>2010-08-18T06:13:10</creation>
 
   <creation>2010-08-18T06:13:10</creation>
   <associated_files>
+
   <filenames>
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL
+
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/NTDLL.DLL</file>
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\KERNEL32.DLL
+
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/KERNEL32.DLL</file>
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\APISETSCHEMA.DLL
+
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/APISETSCHEMA.DLL</file>
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\KERNELBASE.DLL
+
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/KERNELBASE.DLL</file>
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\LOCALE.NLS
+
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/LOCALE.NLS</file>
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\ADVAPI32.DLL
+
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/ADVAPI32.DLL</file>
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\MSVCRT.DLL
+
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/MSVCRT.DLL</file>
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SECHOST.DLL
+
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/SECHOST.DLL</file>
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\RPCRT4.DLL
+
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/RPCRT4.DLL</file>
     \DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4927_NONE_D08A205E442DB5B5\MSVCR80.DLL
+
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/WINSXS/X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4927_NONE_D08A205E442DB5B5/MSVCR80.DLL</file>
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\ACRORD32INFO.EXE
+
     <file>/DEVICE/HARDDISKVOLUME1/PROGRAM FILES/ADOBE/READER 9.0/READER/ACRORD32INFO.EXE</file>
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\ACRORD32.DLL
+
     <file>/DEVICE/HARDDISKVOLUME1/PROGRAM FILES/ADOBE/READER 9.0/READER/ACRORD32.DLL</file>
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WININET.DLL
+
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/WININET.DLL</file>
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SHLWAPI.DLL
+
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/SHLWAPI.DLL</file>
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\GDI32.DLL
+
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/GDI32.DLL</file>
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\USER32.DLL
+
  </filenames>
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\LPK.DLL
+
  <dirnames>
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\USP10.DLL
+
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MSN TOOLBAR</dir>
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NORMALIZ.DLL
+
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MSN TOOLBAR\PLATFORM</dir>
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\URLMON.DLL
+
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MSN TOOLBAR\PLATFORM\6.3.2348.0</dir>
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\OLE32.DLL
+
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\WINDOWS LIVE</dir>
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\OLEAUT32.DLL
+
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\WINDOWS LIVE\COMPANION</dir>
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CRYPT32.DLL
+
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\WINDOWS LIVE\COMPANION\EN</dir>
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\MSASN1.DLL
+
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\WINDOWS LIVE\INSTALLER</dir>
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\IERTUTIL.DLL
+
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\WINDOWS LIVE\SHARED</dir>
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\VERSION.DLL
+
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAMDATA</dir>
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\AGM.DLL
+
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAMDATA\MICROSOFT</dir>
    \DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4927_NONE_D08A205E442DB5B5\MSVCP80.DLL
+
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAMDATA\MICROSOFT\SEARCH ENHANCEMENT PACK</dir>
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\COOLTYPE.DLL
+
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAMDATA\MICROSOFT\SEARCH ENHANCEMENT PACK\SEANOTE</dir>
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SHELL32.DLL
+
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAMDATA\MICROSOFT\SEARCH ENHANCEMENT PACK\SEARCH BOX EXTENSION</dir>
    \DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7600.16661_NONE_420FE3FA2B8113BD\COMCTL32.DLL
+
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAMDATA\MICROSOFT\SEARCH ENHANCEMENT PACK\SEARCH HELPER</dir>
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\USERENV.DLL
+
     <dir>\DEVICE\HARDDISKVOLUME1\USERS</dir>
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\PROFAPI.DLL
+
   </dirnames>
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WINMM.DLL
+
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\BIB.DLL
+
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\ACE.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\IMM32.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\MSCTF.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\WINDOWSSHELL.MANIFEST
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\RPCSS.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CRYPTBASE.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\IEFRAME.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\PSAPI.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\OLEACC.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\OLEACCRC.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
+
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\ROAMING\ADOBE\ACROBAT\9.0\USERCACHE.BIN
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CRYPTSP.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\RSAENH.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\RPCRTREMOTE.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\TZRES.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\UXTHEME.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\FONTS\STATICCACHE.DAT
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\MPR.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\VMHGFS.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\DRPROV.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WINSTA.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTLANMAN.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\DAVCLNT.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\DAVHLPR.DLL
+
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\VMWARE\HGFS.DAT
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CLBCATQ.DLL
+
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\VIEWERPS.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SETUPAPI.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CFGMGR32.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\DEVOBJ.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\PROPSYS.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTMARTA.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WLDAP32.DLL
+
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\CVERSIONS.1.DB
+
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000039.DB
+
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\DESKTOP.INI
+
    \DEVICE\HARDDISKVOLUME1\USERS\DESKTOP.INI
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\APPHELP.DLL
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NETWORKEXPLORER.DLL
+
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MICROSOFT VISUAL STUDIO 10.0\COMMON7\TOOLS\ATLTRACETOOL8.EXE
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CATROOT\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\PRNLX00Y.CAT
+
    \DEVICE\HARDDISKVOLUME1\$MFT
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CATROOT\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\PRNLX005.CAT
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\DRIVERS\SRTSP.CAT
+
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\WINDOWS LIVE\MAIL\WLMAIL.EXE
+
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000038.DB
+
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES
+
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE
+
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0
+
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER
+
    \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MICROSOFT VISUAL STUDIO 10.0
+
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MICROSOFT VISUAL STUDIO 10.0\COMMON7
+
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MICROSOFT VISUAL STUDIO 10.0\COMMON7\TOOLS
+
     \DEVICE\HARDDISKVOLUME1\USERS
+
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL
+
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA
+
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL
+
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\MICROSOFT
+
    \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\MICROSOFT\WINDOWS
+
     \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES
+
     \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\VMWARE
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\FONTS
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\GLOBALIZATION
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\GLOBALIZATION\SORTING
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CATROOT
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CATROOT\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\DRIVERS
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4927_NONE_D08A205E442DB5B5
+
    \DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7600.16661_NONE_420FE3FA2B8113BD
+
   </associated_files>
+
 
</prefetch>
 
</prefetch>
 
</pre>
 
</pre>
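Review bot: The new side mixes path separators: `<path>` and every `<file>` entry are rewritten with forward slashes (`/DEVICE/HARDDISKVOLUME1/...`) while the new `<dir>` entries keep the NT form (`\DEVICE\HARDDISKVOLUME1\...`), so a consumer cannot match a directory to its volume or to a file entry without normalizing first. Since the on-disk prefetch artifact stores the backslash form, rewriting separators in one list but not the other also loses fidelity to the evidence; I would keep the original separators in both lists, e.g. `<file>\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL</file>`, or state the normalization explicitly in the header. The element semantics (`runs`, `atime`, `creation`) and the missing timezone on the timestamps are not described anywhere on the page; a one-line comment per element, or a short table under the example, would make the sample usable as a reference. The enclosing `<pre>` block and the `<header>` element start before this hunk.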

Latest revision as of 12:22, 5 July 2011

A Prefetch file is used by Windows NT to improve the startup process of an application. Each prefetch file provides information about the application that was run.

XML Example

<?xml version='1.0' encoding='ISO-8859-1'?>
<!-- Example prefetch record as shown on this page. No DOCTYPE is declared,
     so a consumer can (and should) parse it with DTD and external-entity
     processing disabled. -->
<prefetch>
   <!-- Metadata about the prefetch file itself. Element meanings are not
        stated on this page; presumably runs is the execution count and atime
        the last execution time, but confirm against the producing tool.
        Timestamps carry no timezone designator; assumed to be local time of
        the imaged system. -->
   <header>
     <os>Windows 7</os>
     <header_size>240</header_size>
     <filename>ACRORD32INFO.EXE</filename>
     <runs>3</runs>
     <atime>2011-02-07T12:24:52</atime>
   </header>
   <!-- Volume the referenced files reside on. Note that the path is written
        with forward slashes here and in the file entries below, but with
        backslashes in the dir entries; normalize before comparing them. -->
   <volume>
     <path>/DEVICE/HARDDISKVOLUME1</path>
     <serial_number>b46f6927</serial_number>
   </volume>
   <!-- Creation timestamp; presumably of the volume or the prefetch file,
        not stated here. -->
   <creation>2010-08-18T06:13:10</creation>
   <!-- Files referenced by the application, as NT device paths with the
        separators rewritten to forward slashes. -->
   <filenames>
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/NTDLL.DLL</file>
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/KERNEL32.DLL</file>
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/APISETSCHEMA.DLL</file>
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/KERNELBASE.DLL</file>
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/LOCALE.NLS</file>
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/ADVAPI32.DLL</file>
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/MSVCRT.DLL</file>
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/SECHOST.DLL</file>
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/RPCRT4.DLL</file>
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/WINSXS/X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4927_NONE_D08A205E442DB5B5/MSVCR80.DLL</file>
     <file>/DEVICE/HARDDISKVOLUME1/PROGRAM FILES/ADOBE/READER 9.0/READER/ACRORD32INFO.EXE</file>
     <file>/DEVICE/HARDDISKVOLUME1/PROGRAM FILES/ADOBE/READER 9.0/READER/ACRORD32.DLL</file>
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/WININET.DLL</file>
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/SHLWAPI.DLL</file>
     <file>/DEVICE/HARDDISKVOLUME1/WINDOWS/SYSTEM32/GDI32.DLL</file>
   </filenames>
   <!-- Directories referenced by the application, kept in the original NT
        backslash form (unlike the file entries above). -->
   <dirnames>
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MSN TOOLBAR</dir>
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MSN TOOLBAR\PLATFORM</dir>
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MSN TOOLBAR\PLATFORM\6.3.2348.0</dir>
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\WINDOWS LIVE</dir>
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\WINDOWS LIVE\COMPANION</dir>
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\WINDOWS LIVE\COMPANION\EN</dir>
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\WINDOWS LIVE\INSTALLER</dir>
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\WINDOWS LIVE\SHARED</dir>
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAMDATA</dir>
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAMDATA\MICROSOFT</dir>
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAMDATA\MICROSOFT\SEARCH ENHANCEMENT PACK</dir>
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAMDATA\MICROSOFT\SEARCH ENHANCEMENT PACK\SEANOTE</dir>
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAMDATA\MICROSOFT\SEARCH ENHANCEMENT PACK\SEARCH BOX EXTENSION</dir>
     <dir>\DEVICE\HARDDISKVOLUME1\PROGRAMDATA\MICROSOFT\SEARCH ENHANCEMENT PACK\SEARCH HELPER</dir>
     <dir>\DEVICE\HARDDISKVOLUME1\USERS</dir>
   </dirnames>
</prefetch>

See Also