Prefetch XML

Revision as of 14:31, 29 June 2011 by Lg (Talk | contribs)


A Prefetch file is used by Windows NT to improve the startup process of an application. Each prefetch file provides information about one application that has been run.

XML Example

<?xml version='1.0' encoding='ISO-8859-1'?>
<!-- One parsed prefetch (.pf) file, rendered as XML.  The element names below
     are this page's example output; they are not part of the on-disk prefetch
     format.  No DOCTYPE is present and none is expected: a consumer reading
     these documents from evidence should parse with DTD processing and
     external-entity resolution disabled. -->
<prefetch>
   <!-- Summary values taken from the prefetch file header. -->
   <header>
     <!-- Windows version the prefetch file was written on. -->
     <os>Windows 7</os>
     <!-- Size of the on-disk header, in bytes. -->
     <header_size>240</header_size>
     <!-- Executable the prefetch file belongs to (upper-cased). -->
     <filename>ACRORD32INFO.EXE</filename>
     <!-- presumably the number of times the executable was launched; confirm
          against the parser's definition -->
     <runs>3</runs>
     <!-- NOTE(review): looks like the last-run timestamp; confirm.  The value
          carries no timezone designator, so whether it is UTC or local time is
          not stated by the document and must be established from the source
          system before it is used on a timeline. -->
     <atime>2011-02-07T12:24:52</atime>
   </header>
   <!-- Volume on which the listed files lived when the prefetch was recorded. -->
   <volume>
     <!-- NT device path, not a drive letter; map it to a drive via the serial
          number or the system's mount information. -->
     <path>\DEVICE\HARDDISKVOLUME1</path>
     <!-- Volume serial number as an 8-digit hexadecimal string. -->
     <serial_number>b46f6927</serial_number>
   </volume>
   <!-- presumably the volume creation time; confirm.  No timezone designator,
        same caveat as <atime>. -->
   <creation>2010-08-18T06:13:10</creation>
   <!-- Files and directories referenced during the first seconds of the
        application's run, as recorded in the prefetch file, in file order.
        The list is newline-delimited text content, not one element per path:
        split on line breaks and trim each line, never on generic whitespace,
        because paths contain spaces (e.g. "PROGRAM FILES\ADOBE\READER 9.0").
        Leading indentation on each line is part of the text and must be
        stripped.  The list mixes files and bare directories and includes
        user-profile paths, so treat it as personal data when sharing. -->
   <associated_files>
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\KERNEL32.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\APISETSCHEMA.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\KERNELBASE.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\LOCALE.NLS
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\ADVAPI32.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\MSVCRT.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SECHOST.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\RPCRT4.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4927_NONE_D08A205E442DB5B5\MSVCR80.DLL
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\ACRORD32INFO.EXE
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\ACRORD32.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WININET.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SHLWAPI.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\GDI32.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\USER32.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\LPK.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\USP10.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NORMALIZ.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\URLMON.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\OLE32.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\OLEAUT32.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CRYPT32.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\MSASN1.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\IERTUTIL.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\VERSION.DLL
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\AGM.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4927_NONE_D08A205E442DB5B5\MSVCP80.DLL
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\COOLTYPE.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SHELL32.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7600.16661_NONE_420FE3FA2B8113BD\COMCTL32.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\USERENV.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\PROFAPI.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WINMM.DLL
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\BIB.DLL
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\ACE.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\IMM32.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\MSCTF.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\WINDOWSSHELL.MANIFEST
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\RPCSS.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CRYPTBASE.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\IEFRAME.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\PSAPI.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\OLEACC.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\OLEACCRC.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
     \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\ROAMING\ADOBE\ACROBAT\9.0\USERCACHE.BIN
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CRYPTSP.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\RSAENH.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\RPCRTREMOTE.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\TZRES.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\UXTHEME.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\FONTS\STATICCACHE.DAT
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\MPR.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\VMHGFS.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\DRPROV.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WINSTA.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTLANMAN.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\DAVCLNT.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\DAVHLPR.DLL
     \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\VMWARE\HGFS.DAT
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CLBCATQ.DLL
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER\VIEWERPS.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SETUPAPI.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CFGMGR32.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\DEVOBJ.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\PROPSYS.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTMARTA.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WLDAP32.DLL
     \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\CVERSIONS.1.DB
     \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000039.DB
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\DESKTOP.INI
     \DEVICE\HARDDISKVOLUME1\USERS\DESKTOP.INI
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\APPHELP.DLL
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NETWORKEXPLORER.DLL
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MICROSOFT VISUAL STUDIO 10.0\COMMON7\TOOLS\ATLTRACETOOL8.EXE
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CATROOT\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\PRNLX00Y.CAT
     \DEVICE\HARDDISKVOLUME1\$MFT
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CATROOT\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\PRNLX005.CAT
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\DRIVERS\SRTSP.CAT
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\WINDOWS LIVE\MAIL\WLMAIL.EXE
     \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000038.DB
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\ADOBE\READER 9.0\READER
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MICROSOFT VISUAL STUDIO 10.0
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MICROSOFT VISUAL STUDIO 10.0\COMMON7
     \DEVICE\HARDDISKVOLUME1\PROGRAM FILES\MICROSOFT VISUAL STUDIO 10.0\COMMON7\TOOLS
     \DEVICE\HARDDISKVOLUME1\USERS
     \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL
     \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA
     \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL
     \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\MICROSOFT
     \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\MICROSOFT\WINDOWS
     \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\MICROSOFT\WINDOWS\CACHES
     \DEVICE\HARDDISKVOLUME1\USERS\SIMSON GARFINKEL\APPDATA\LOCAL\VMWARE
     \DEVICE\HARDDISKVOLUME1\WINDOWS
     \DEVICE\HARDDISKVOLUME1\WINDOWS\FONTS
     \DEVICE\HARDDISKVOLUME1\WINDOWS\GLOBALIZATION
     \DEVICE\HARDDISKVOLUME1\WINDOWS\GLOBALIZATION\SORTING
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CATROOT
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CATROOT\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}
     \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\DRIVERS
     \DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.VC80.CRT_1FC8B3B9A1E18E3B_8.0.50727.4927_NONE_D08A205E442DB5B5
     \DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.7600.16661_NONE_420FE3FA2B8113BD
   </associated_files>
</prefetch>

See Also