Difference between pages "Memory analysis" and "Windows Prefetch File Format"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(External Links: added recent article on Live RAM forensics)
 
(Section A)
 
Line 1: Line 1:
'''Memory Analysis''' is the science of using a [[Memory Imaging|memory image]] to determine information about running programs, the [[operating system]], and the overall state of a computer. Because the analysis is highly dependent on the operating system, it has been divded into the following pages:
+
{{expand}}
  
* [[Windows Memory Analysis]]
+
A Windows Prefetch file consists of one file header and multiple file sections with different content. Not all content has an obvious forensic value.
* [[Linux Memory Analysis]]
+
  
== OS-Independent Analysis ==
+
As far as have been possible to ascertain, there is no public description of the format. The description below has been synthesised from examination
 +
of multiple prefetch files.
  
At the IEEE Security and Privacy conference in May 2011, Brendan Dolan-Gavitt presented a novel system, [http://www.cc.gatech.edu/~brendan/Virtuoso_Oakland.pdf Virtuoso], that was able to perform operating-system independent memory analysis. Using virtual machine introspection accompanied by a number of formal program analysis techniques, his system was able to monitor the machine-level instructions and behavior of application actions (listing processes, network connections, etc) and then automatically generate Volatility plugins that replicated this analysis.
+
== Characteristics ==
 +
{| class="wikitable"
 +
|-
 +
| <b>Integers</b>
 +
| stored in little-endian
 +
|-
 +
| <b>Strings</b>
 +
| Stored as [http://en.wikipedia.org/wiki/UTF-16/UCS-2 UTF-16 little-endian] without a byte-order-mark (BOM).
 +
|-
 +
| <b>Timestamps</b>
 +
| Stored as [http://msdn2.microsoft.com/en-us/library/ms724284.aspx Windows FILETIME] in UTC.
 +
|-
 +
|}
  
== Encryption Keys ==
+
== File header ==
 +
The file header is 84 bytes of size and consists of:
 +
{| class="wikitable"
 +
|-
 +
! Field
 +
! Offset
 +
! Length
 +
! Type
 +
! Notes
 +
|-
 +
| H1
 +
| 0x0000
 +
| 4
 +
| DWORD
 +
| Format version (see format version section below)
 +
|-
 +
| H2
 +
| 0x0004
 +
| 4
 +
| DWORD
 +
| Signature 'SCCA' (or in hexadecimal representation 0x53 0x43 0x43 0x4)
 +
|-
 +
| H3
 +
| 0x0008
 +
| 4
 +
| DWORD?
 +
| Unknown - Values observed: 0x0F - Windows XP, 0x11 - Windows 7, Windows 8.1
 +
|-
 +
| H4
 +
| 0x000C
 +
| 4
 +
| DWORD
 +
| Prefetch file size (or length) (sometimes referred to as End of File (EOF)).
 +
|-
 +
| H5
 +
|0x0010
 +
| 60
 +
| USTR
 +
| The name of the (original) executable as a Unicode (UTF-16 litte-endian string), up to 29 characters and terminated by an end-of-string character (U+0000). This name should correspond with the one in the prefetch file filename.
 +
|-
 +
| H6
 +
|0x004C
 +
|4
 +
|DWORD
 +
|The prefetch hash. This hash value should correspond with the one in the prefetch file filename.
 +
|-
 +
| H7
 +
|0x0050
 +
|4
 +
|?
 +
| Unknown (flags)? Values observed: 0 for almost all prefetch files (XP); 1 for NTOSBOOT-B00DFAAD.pf (XP)
 +
|-
 +
|}
  
Various types of encryption keys can be extracted during memory analysis.
+
It's worth noting that the name of a carved prefetch file can be restored using the information in field H5 and H6, and its size can be determined by field H4.
* [[AESKeyFinder]] extracts 128-bit and 256-bit [[AES]] keys and [[RSAKeyFinder]] and private and public [[RSA]] keys from a memory dump [http://citp.princeton.edu/memory/code/].
+
* [http://jessekornblum.com/tools/volatility/cryptoscan.py cryptoscan.py], which is a [[List of Volatility Plugins|plugin for the Volatility framework]], scans a memory image for [[TrueCrypt]] passphrases
+
  
== See Also ==  
+
=== Format version ===
  
* [[Memory Imaging]]
+
{| class="wikitable"
* [[:Tools:Memory Imaging|Memory Imaging Tools]]
+
|-
* [[:Tools:Memory Analysis|Memory Analysis Tools]]
+
! Value
 +
! Windows version
 +
|-
 +
| 17 (0x11)
 +
| Windows XP, Windows 2003
 +
|-
 +
| 23 (0x17)
 +
| Windows Vista, Windows 7
 +
|-
 +
| 26 (0x1a)
 +
| Windows 8.1 (note this could be Windows 8 as well but has not been confirmed)
 +
|-
 +
|}
  
== External Links ==
+
=== File information ===
* [http://belkasoft.com/download/info/Live_RAM_Analysis_in_Digital_Forensics.pdf Discovering ephemeral evidence with Live RAM analysis] by Oleg Afonin and Yuri Gubanov, © 2013
+
The format of the file information is version dependent.
* [http://cryptome.org/0003/RAMisKey.pdf RAM is Key - Extracting Disk Encryption Keys From Volatile Memory], by [[Brian Kaplan]], May 2007
+
  
=== [http://volatility-labs.blogspot.com/ Volatility Labs] ===
+
Note that some other format specifications consider the file information part of the file header.  
* [http://volatility-labs.blogspot.com/2012/09/movp-11-logon-sessions-processes-and.html MoVP 1.1 Logon Sessions, Processes, and Images]
+
* [http://volatility-labs.blogspot.com/2012/09/movp-12-window-stations-and-clipboard.html MoVP 1.2 Window Stations and Clipboard Malware]
+
* [http://volatility-labs.blogspot.com/2012/09/movp-13-desktops-heaps-and-ransomware.html MoVP 1.3 Desktops, Heaps, and Ransomware]
+
* [http://volatility-labs.blogspot.com/2012/09/movp-14-average-coder-rootkit-bash.html MoVP 1.4 Average Coder Rootkit, Bash History, and Elevated Processes]
+
* [http://volatility-labs.blogspot.com/2012/09/movp-15-kbeast-rootkit-detecting-hidden.html MoVP 1.5 KBeast Rootkit, Detecting Hidden Modules, and sysfs]
+
* [http://volatility-labs.blogspot.com/2012/09/movp-21-atoms-new-mutex-classes-and-dll.html MoVP 2.1 Atoms (The New Mutex), Classes and DLL Injection]
+
* [http://volatility-labs.blogspot.com/2012/09/movp-22-malware-in-your-windows.html MoVP 2.2 Malware In Your Windows]
+
* [http://volatility-labs.blogspot.com/2012/09/movp-23-event-logs-and-service-sids.html MoVP 2.3 Event Logs and Service SIDs]
+
* [http://volatility-labs.blogspot.com/2012/09/movp-24-analyzing-jynx-rootkit-and.html MoVP 2.4 Analyzing the Jynx rootkit and LD_PRELOAD]
+
* [http://volatility-labs.blogspot.com/2012/09/movp-25-investigating-in-memory-network.html MoVP 2.5: Investigating In-Memory Network Data with Volatility]
+
* [http://volatility-labs.blogspot.com/2012/09/movp-31-detecting-malware-hooks-in.html MoVP 3.1 Detecting Malware Hooks in the Windows GUI Subsystem]
+
* [http://volatility-labs.blogspot.com/2012/09/howto-scan-for-internet-cachehistory.html HowTo: Scan for Internet Cache/History and URLs]
+
* [http://volatility-labs.blogspot.com/2012/09/movp-32-shellbags-in-memory-setregtime.html MoVP 3.2 Shellbags in Memory, SetRegTime, and TrueCrypt Volumes]
+
* [http://volatility-labs.blogspot.com/2012/09/movp-33-analyzing-user-handles-and.html MoVP 3.3 Analyzing USER Handles and the Win32k.sys Gahti]
+
* [http://volatility-labs.blogspot.com/2012/09/movp-34-recovering-tagclipdata-whats-in.html MoVP 3.4: Recovering tagCLIPDATA: What's In Your Clipboard?]
+
* [http://volatility-labs.blogspot.com/2012/09/movp-35-analyzing-2008-dfrws-challenge.html MoVP 3.5: Analyzing the 2008 DFRWS Challenge with Volatility]
+
* [http://volatility-labs.blogspot.com/2012/10/movp-41-detecting-malware-with-gdi.html MoVP 4.1 Detecting Malware with GDI Timers and Callbacks]
+
* [http://volatility-labs.blogspot.com/2012/10/movp-43-taking-screenshots-from-memory.html MoVP 4.2 Taking Screenshots from Memory Dumps]
+
* [http://volatility-labs.blogspot.com/2012/10/movp-43-recovering-master-boot-records.html MoVP 4.3 Recovering Master Boot Records (MBRs) from Memory]
+
* [http://volatility-labs.blogspot.com/2012/10/movp-44-cache-rules-everything-around.html MoVP 4.4 Cache Rules Everything Around Me(mory)]
+
* [http://volatility-labs.blogspot.com/2012/10/omfw-2012-malware-in-windows-gui.html OMFW 2012: Malware In the Windows GUI Subsystem]
+
* [http://volatility-labs.blogspot.com/2012/10/omfw-2012-reconstructing-mbr-and-mft.html OMFW 2012: Reconstructing the MBR and MFT from Memory]
+
* [http://volatility-labs.blogspot.com/2012/10/phalanx-2-revealed-using-volatility-to.html Phalanx 2 Revealed: Using Volatility to Analyze an Advanced Linux Rootkit]
+
* [http://volatility-labs.blogspot.ca/2012/10/solving-grrcon-network-forensics.html Solving the GrrCon Network Forensics Challenge with Volatility]
+
* [http://volatility-labs.blogspot.ca/2012/10/omfw-2012-analyzing-linux-kernel.html OMFW 2012: Analyzing Linux Kernel Rootkits with Volatility]
+
* [http://volatility-labs.blogspot.ca/2012/10/omfw-2012-datalore-android-memory.html OMFW 2012: Datalore: Android Memory Analysis]
+
* [http://volatility-labs.blogspot.ca/2012/10/movp-for-volatility-22-and-omfw-2012.html MoVP for Volatility 2.2 and OMFW 2012 Wrap-Up]
+
* [http://volatility-labs.blogspot.ca/2012/10/reverse-engineering-poison-ivys.html Reverse Engineering Poison Ivy's Injected Code Fragments]
+
* [http://volatility-labs.blogspot.ca/2012/10/omfw-2012-analysis-of-process-token.html OMFW 2012: The Analysis of Process Token Privileges]
+
* [http://volatility-labs.blogspot.ca/2012/10/omfw-2012-mining-pfn-database-for.html OMFW 2012: Mining the PFN Database for Malware Artifacts]
+
  
=== Volatility Videos ===
+
==== File information - version 17 ====
* [http://sketchymoose.blogspot.com/2011/10/set-up-to-more-memory-forensics.html Set Up to More Memory Forensics!], October 2011
+
The file information – version 17 is 68 bytes of size and consists of:
* [http://www.youtube.com/watch?v=8HsZLge0wWc Using Volatility: Suspicious Process (1/2)]
+
{| class="wikitable"
* [http://www.youtube.com/watch?v=XTZPNk-Esok Using Volatility: Suspicious Process (Part 2/2)]
+
|-
 +
! Field
 +
! Offset
 +
! Length
 +
! Type
 +
! Notes
 +
|-
 +
|
 +
| 0x0054
 +
| 4
 +
| DWORD
 +
| The offset to section A. The offset is relative from the start of the file.
 +
|-
 +
|
 +
| 0x0058
 +
| 4
 +
| DWORD
 +
| The number of entries in section A.
 +
|-
 +
|
 +
| 0x005C
 +
| 4
 +
| DWORD
 +
| The offset to section B. The offset is relative from the start of the file.
 +
|-
 +
|
 +
| 0x0060
 +
| 4
 +
| DWORD
 +
| The number of entries in section B.
 +
|-
 +
|
 +
| 0x0064
 +
| 4
 +
| DWORD
 +
| The offset to section C. The offset is relative from the start of the file.
 +
|-
 +
|
 +
| 0x0068
 +
| 4
 +
| DWORD
 +
| Length of section C.
 +
|-
 +
|
 +
| 0x006C
 +
| 4
 +
| DWORD
 +
| Offset to section D. The offset is relative from the start of the file.
 +
|-
 +
|
 +
| 0x0070
 +
| 4
 +
| DWORD
 +
| The number of entries in section D.
 +
|-
 +
|
 +
| 0x0074
 +
| 4
 +
| DWORD
 +
| Length of section D.
 +
|-
 +
|
 +
| 0x0078
 +
| 8
 +
| FILETIME
 +
| Latest execution time (or run time) of executable (FILETIME)
 +
|-
 +
|
 +
| 0x0080
 +
| 16
 +
| ?
 +
| Unknown ? Possibly structured as 4 DWORD. Observed values: /0x00000000 0x00000000 0x00000000 0x00000000/, /0x47868c00 0x00000000 0x47860c00 0x00000000/ (don't exclude the possibility here that this is remnant data)
 +
|-
 +
|
 +
| 0x0090
 +
| 4
 +
| DWORD
 +
| Execution counter (or run count)
 +
|-
 +
|
 +
| 0x0094
 +
| 4
 +
| DWORD?
 +
| Unknown ? Observed values: 1, 2, 3, 4, 5, 6 (XP)
 +
|-
 +
|}
 +
 
 +
==== File information - version 23 ====
 +
The file information – version 23 is 156 bytes of size and consists of:
 +
{| class="wikitable"
 +
|-
 +
! Field
 +
! Offset
 +
! Length
 +
! Type
 +
! Notes
 +
|-
 +
|
 +
| 0x0054
 +
| 4
 +
| DWORD
 +
| The offset to section A. The offset is relative from the start of the file.
 +
|-
 +
|
 +
| 0x0058
 +
| 4
 +
| DWORD
 +
| The number of entries in section A.
 +
|-
 +
|
 +
| 0x005C
 +
| 4
 +
| DWORD
 +
| The offset to section B. The offset is relative from the start of the file.
 +
|-
 +
|
 +
| 0x0060
 +
| 4
 +
| DWORD
 +
| The number of entries in section B.
 +
|-
 +
|
 +
| 0x0064
 +
| 4
 +
| DWORD
 +
| The offset to section C. The offset is relative from the start of the file.
 +
|-
 +
|
 +
| 0x0068
 +
| 4
 +
| DWORD
 +
| Length of section C.
 +
|-
 +
|
 +
| 0x006C
 +
| 4
 +
| DWORD
 +
| Offset to section D. The offset is relative from the start of the file.
 +
|-
 +
|
 +
| 0x0070
 +
| 4
 +
| DWORD
 +
| The number of entries in section D.
 +
|-
 +
|
 +
| 0x0074
 +
| 4
 +
| DWORD
 +
| Length of section D.
 +
|-
 +
|
 +
| <b>0x0078</b>
 +
| <b>8</b>
 +
| <b>?</b>
 +
| <b>Unknown</b>
 +
|-
 +
|
 +
| 0x0080
 +
| 8
 +
| FILETIME
 +
| Latest execution time (or run time) of executable (FILETIME)
 +
|-
 +
|
 +
| 0x0088
 +
| 16
 +
| ?
 +
| Unknown
 +
|-
 +
|
 +
| 0x0098
 +
| 4
 +
| DWORD
 +
| Execution counter (or run count)
 +
|-
 +
|
 +
| 0x009C
 +
| 4
 +
| DWORD?
 +
| Unknown
 +
|-
 +
|
 +
| <b>0x00A0</b>
 +
| <b>80</b>
 +
| <b>?</b>
 +
| <b>Unknown</b>
 +
|-
 +
|}
 +
 
 +
==== File information - version 26 ====
 +
The file information – version 23 is 224 bytes of size and consists of:
 +
{| class="wikitable"
 +
|-
 +
! Field
 +
! Offset
 +
! Length
 +
! Type
 +
! Notes
 +
|-
 +
|
 +
| 0x0054
 +
| 4
 +
| DWORD
 +
| The offset to section A. The offset is relative from the start of the file.
 +
|-
 +
|
 +
| 0x0058
 +
| 4
 +
| DWORD
 +
| The number of entries in section A.
 +
|-
 +
|
 +
| 0x005C
 +
| 4
 +
| DWORD
 +
| The offset to section B. The offset is relative from the start of the file.
 +
|-
 +
|
 +
| 0x0060
 +
| 4
 +
| DWORD
 +
| The number of entries in section B.
 +
|-
 +
|
 +
| 0x0064
 +
| 4
 +
| DWORD
 +
| The offset to section C. The offset is relative from the start of the file.
 +
|-
 +
|
 +
| 0x0068
 +
| 4
 +
| DWORD
 +
| Length of section C.
 +
|-
 +
|
 +
| 0x006C
 +
| 4
 +
| DWORD
 +
| Offset to section D. The offset is relative from the start of the file.
 +
|-
 +
|
 +
| 0x0070
 +
| 4
 +
| DWORD
 +
| The number of entries in section D.
 +
|-
 +
|
 +
| 0x0074
 +
| 4
 +
| DWORD
 +
| Length of section D.
 +
|-
 +
|
 +
| 0x0078
 +
| 8
 +
| ?
 +
| Unknown
 +
|-
 +
|
 +
| 0x0080
 +
| 8
 +
| FILETIME
 +
| Latest execution time (or run time) of executable (FILETIME)
 +
|-
 +
|
 +
| <b>0x0088</b>
 +
| <b>7 x 8 = 56</b>
 +
| <b>FILETIME</b>
 +
| <b>Older (most recent) latest execution time (or run time) of executable (FILETIME)</b>
 +
|-
 +
|
 +
| <b>0x00C0</b>
 +
| <b>16</b>
 +
| <b>?</b>
 +
| <b>Unknown</b>
 +
|-
 +
|
 +
| 0x00D0
 +
| 4
 +
| DWORD
 +
| Execution counter (or run count)
 +
|-
 +
|
 +
| <b>0x00D4</b>
 +
| <b>4</b>
 +
| <b>?</b>
 +
| <b>Unknown</b>
 +
|-
 +
|
 +
| <b>0x00D8</b>
 +
| <b>4</b>
 +
| <b>?</b>
 +
| <b>Unknown</b>
 +
|-
 +
|
 +
| <b>0x00DC</b>
 +
| <b>88</b>
 +
| <b>?</b>
 +
| <b>Unknown</b>
 +
|-
 +
|}
 +
 
 +
== Section A - Metrics ==
 +
This section contains an array with 20 byte (version 17) or 32 byte (version 23 and 26) metrics entry records.
 +
 
 +
A metrics entry records conists of:
 +
{| class="wikitable"
 +
|-
 +
! Field
 +
! Offset
 +
! Length
 +
! Type
 +
! Notes
 +
|-
 +
|
 +
| 0
 +
| 4
 +
| DWORD
 +
| Start time in ms
 +
|-
 +
|
 +
| 4
 +
| 4
 +
| DWORD
 +
| Duration in ms
 +
|-
 +
|
 +
| 8
 +
| 4
 +
| DWORD
 +
| Average duration in ms
 +
|-
 +
|
 +
| 12
 +
| 4
 +
| DWORD
 +
| Filename string offset <br> The offset is relative to the start of the filename string section (section C)
 +
|-
 +
|
 +
| 16
 +
| 4
 +
| DWORD
 +
| Filename string number of characters without end-of-string character
 +
|-
 +
|
 +
| 20
 +
| 4
 +
| DWORD
 +
| Unknown flags
 +
|-
 +
|
 +
| 24
 +
| 4
 +
| DWORD
 +
| Unknown
 +
|-
 +
|
 +
| 28
 +
| 4
 +
| DWORD
 +
| Unknown
 +
|}
 +
 
 +
== Section B ==
 +
This section contains an array with 12 byte (version 17, 23 and 26) entry records.
 +
 
 +
The actual format and usage of these entry records is currently not known.
 +
 
 +
== Section C - Filename strings ==
 +
This section contains filenames strings, it consists of an array of UTF-16 little-endian formatted strings with end-of-string characters (U+0000).
 +
 
 +
At the end of the section there seems to be alignment padding that can contain remnant values.
 +
 
 +
== Section D - Volumes information (block) ==
 +
 
 +
Section D contains one or more subsections, each subsection refers to directories on a volume.
 +
 
 +
If all the executables and libraries referenced in the C section are from one single disk volume, there will be only one section in the D section. If multiple volumes are referenced by section C, section D will contain multiple sections.  (A simple way to force this situation is to copy, say, NOTEPAD.EXE to a USB drive, and start it from that volume. The corresponding prefetch file will have one D header referring to, e.g. \DEVICE\HARDDISK1\DP(1)0-0+4 (the USB drive), and one to, e.g. \DEVICE\HARDDISKVOLUME1\ (where the .DLLs and other support files were found).
 +
 
 +
In this section, all offsets are assumed to be counted from the start of the D section.
 +
 
 +
=== Volume information ===
 +
The structure of the volume information is version dependent.
 +
 
 +
==== Volume information - version 17 ====
 +
The volume information – version 17 is 40 bytes in size and consists of:
 +
 
 +
{| class="wikitable"
 +
|-
 +
! Field
 +
! Offset
 +
! Length
 +
! Type
 +
! Notes
 +
|-
 +
| VI1
 +
| +0x0000
 +
| 4
 +
| DWORD
 +
| Offset to volume device path (Unicode, terminated by U+0000)
 +
|-
 +
| VI2
 +
| +0x0004
 +
| 4
 +
| DWORD
 +
| Length of volume device path (nr of characters, including terminating U+0000)
 +
|-
 +
| VI3
 +
| +0x0008
 +
| 8
 +
| FILETIME
 +
| Volume creation time.
 +
|-
 +
| VI4
 +
| +0x0010
 +
| 4
 +
| DWORD
 +
| Volume serial number of volume indicated by volume string
 +
|-
 +
| VI5
 +
| +0x0014
 +
| 4
 +
| DWORD
 +
| Offset to sub section E
 +
|-
 +
| VI6
 +
| +0x0018
 +
| 4
 +
| DWORD
 +
| Length of sub section E (in bytes)
 +
|-
 +
| VI7
 +
| +0x001C
 +
| 4
 +
| DWORD
 +
| Offset to sub section F
 +
|-
 +
| VI8
 +
| +0x0020
 +
| 4
 +
| DWORD
 +
| Number of strings in sub section F
 +
|-
 +
| VI9
 +
| +0x0024
 +
| 4
 +
| ?
 +
| Unknown
 +
|-
 +
|}
 +
 
 +
==== Volume information - version 23 ====
 +
The volume information entry – version 23 is 104 bytes in size and consists of:
 +
 
 +
{| class="wikitable"
 +
|-
 +
! Field
 +
! Offset
 +
! Length
 +
! Type
 +
! Notes
 +
|-
 +
| VI1
 +
| +0x0000
 +
| 4
 +
| DWORD
 +
| Offset to volume device path (Unicode, terminated by U+0000)
 +
|-
 +
| VI2
 +
| +0x0004
 +
| 4
 +
| DWORD
 +
| Length of volume device path (nr of characters, including terminating U+0000)
 +
|-
 +
| VI3
 +
| +0x0008
 +
| 8
 +
| FILETIME
 +
| Volume creation time.
 +
|-
 +
| VI4
 +
| +0x0010
 +
| 4
 +
| DWORD
 +
| Volume serial number of volume indicated by volume string
 +
|-
 +
| VI5
 +
| +0x0014
 +
| 4
 +
| DWORD
 +
| Offset to sub section E
 +
|-
 +
| VI6
 +
| +0x0018
 +
| 4
 +
| DWORD
 +
| Length of sub section E (in bytes)
 +
|-
 +
| VI7
 +
| +0x001C
 +
| 4
 +
| DWORD
 +
| Offset to sub section F
 +
|-
 +
| VI8
 +
| +0x0020
 +
| 4
 +
| DWORD
 +
| Number of strings in sub section F
 +
|-
 +
| VI9
 +
| +0x0024
 +
| 4
 +
| ?
 +
| Unknown
 +
|-
 +
| <b>VI10</b>
 +
| <b>+0x0028</b>
 +
| <b>28</b>
 +
| <b>?</b>
 +
| <b>Unknown</b>
 +
|-
 +
| <b>VI11</b>
 +
| <b>+0x0044</b>
 +
| <b>4</b>
 +
| <b>?</b>
 +
| <b>Unknown</b>
 +
|-
 +
| <b>VI12</b>
 +
| <b>+0x0048</b>
 +
| <b>28</b>
 +
| <b>?</b>
 +
| <b>Unknown</b>
 +
|-
 +
| <b>VI13</b>
 +
| <b>+0x0064</b>
 +
| <b>4</b>
 +
| <b>?</b>
 +
| <b>Unknown</b>
 +
|-
 +
|}
 +
 
 +
==== Volume information - version 26 ====
 +
The volume information entry – version 26 appears to be similar to volume information – version 23.
 +
 
 +
=== Sub section E - NTFS file references ===
 +
This sub section can contain NTFS file references.
 +
 
 +
For more information see [https://googledrive.com/host/0B3fBvzttpiiSbl9XZGZzQ05hZkU/Windows%20Prefetch%20File%20(PF)%20format.pdf Windows Prefetch File (PF) format].
 +
 
 +
=== Sub section F - Directory strings ===
 +
This sub sections contains directory strings. The number of strings is stored in the volume information.
 +
 
 +
A directory string is stored in the following structure:
 +
{| class="wikitable"
 +
|-
 +
! Field
 +
! Offset
 +
! Length
 +
! Type
 +
! Notes
 +
|-
 +
|
 +
| 0x0000
 +
| 2
 +
| DWORD
 +
| Number of characters (WORDs) of the directory name. The value does not include the end-of-string character.
 +
|-
 +
|
 +
| 0x0002
 +
|
 +
| USTR
 +
| The directory name as a Unicode (UTF-16 litte-endian string) terminated by an end-of-string character (U+0000).
 +
|-
 +
|}
 +
 
 +
== See Also ==
 +
* [[Prefetch]]
 +
 
 +
== External Links ==
 +
* [https://googledrive.com/host/0B3fBvzttpiiSbl9XZGZzQ05hZkU/Windows%20Prefetch%20File%20(PF)%20format.pdf Windows Prefetch File (PF) format], by the [[libssca|libssca project]]
 +
* [http://bitbucket.cassidiancybersecurity.com/prefetch-parser/wiki/Home Windows Prefetch file format], by the [http://bitbucket.cassidiancybersecurity.com/prefetch-parser prefetch-parser] project.
  
[[Category:Memory Analysis]]
+
[[Category:File Formats]]

Revision as of 10:57, 22 June 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

A Windows Prefetch file consists of one file header and multiple file sections with different content. Not all content has an obvious forensic value.

As far as have been possible to ascertain, there is no public description of the format. The description below has been synthesised from examination of multiple prefetch files.

Characteristics

Integers stored in little-endian
Strings Stored as UTF-16 little-endian without a byte-order-mark (BOM).
Timestamps Stored as Windows FILETIME in UTC.

File header

The file header is 84 bytes of size and consists of:

Field Offset Length Type Notes
H1 0x0000 4 DWORD Format version (see format version section below)
H2 0x0004 4 DWORD Signature 'SCCA' (or in hexadecimal representation 0x53 0x43 0x43 0x4)
H3 0x0008 4 DWORD? Unknown - Values observed: 0x0F - Windows XP, 0x11 - Windows 7, Windows 8.1
H4 0x000C 4 DWORD Prefetch file size (or length) (sometimes referred to as End of File (EOF)).
H5 0x0010 60 USTR The name of the (original) executable as a Unicode (UTF-16 litte-endian string), up to 29 characters and terminated by an end-of-string character (U+0000). This name should correspond with the one in the prefetch file filename.
H6 0x004C 4 DWORD The prefetch hash. This hash value should correspond with the one in the prefetch file filename.
H7 0x0050 4 ? Unknown (flags)? Values observed: 0 for almost all prefetch files (XP); 1 for NTOSBOOT-B00DFAAD.pf (XP)

It's worth noting that the name of a carved prefetch file can be restored using the information in field H5 and H6, and its size can be determined by field H4.

Format version

Value Windows version
17 (0x11) Windows XP, Windows 2003
23 (0x17) Windows Vista, Windows 7
26 (0x1a) Windows 8.1 (note this could be Windows 8 as well but has not been confirmed)

File information

The format of the file information is version dependent.

Note that some other format specifications consider the file information part of the file header.

File information - version 17

The file information – version 17 is 68 bytes of size and consists of:

Field Offset Length Type Notes
0x0054 4 DWORD The offset to section A. The offset is relative from the start of the file.
0x0058 4 DWORD The number of entries in section A.
0x005C 4 DWORD The offset to section B. The offset is relative from the start of the file.
0x0060 4 DWORD The number of entries in section B.
0x0064 4 DWORD The offset to section C. The offset is relative from the start of the file.
0x0068 4 DWORD Length of section C.
0x006C 4 DWORD Offset to section D. The offset is relative from the start of the file.
0x0070 4 DWORD The number of entries in section D.
0x0074 4 DWORD Length of section D.
0x0078 8 FILETIME Latest execution time (or run time) of executable (FILETIME)
0x0080 16  ? Unknown ? Possibly structured as 4 DWORD. Observed values: /0x00000000 0x00000000 0x00000000 0x00000000/, /0x47868c00 0x00000000 0x47860c00 0x00000000/ (don't exclude the possibility here that this is remnant data)
0x0090 4 DWORD Execution counter (or run count)
0x0094 4 DWORD? Unknown ? Observed values: 1, 2, 3, 4, 5, 6 (XP)

File information - version 23

The file information – version 23 is 156 bytes of size and consists of:

Field Offset Length Type Notes
0x0054 4 DWORD The offset to section A. The offset is relative from the start of the file.
0x0058 4 DWORD The number of entries in section A.
0x005C 4 DWORD The offset to section B. The offset is relative from the start of the file.
0x0060 4 DWORD The number of entries in section B.
0x0064 4 DWORD The offset to section C. The offset is relative from the start of the file.
0x0068 4 DWORD Length of section C.
0x006C 4 DWORD Offset to section D. The offset is relative from the start of the file.
0x0070 4 DWORD The number of entries in section D.
0x0074 4 DWORD Length of section D.
0x0078 8 ? Unknown
0x0080 8 FILETIME Latest execution time (or run time) of executable (FILETIME)
0x0088 16  ? Unknown
0x0098 4 DWORD Execution counter (or run count)
0x009C 4 DWORD? Unknown
0x00A0 80 ? Unknown

File information - version 26

The file information – version 23 is 224 bytes of size and consists of:

Field Offset Length Type Notes
0x0054 4 DWORD The offset to section A. The offset is relative from the start of the file.
0x0058 4 DWORD The number of entries in section A.
0x005C 4 DWORD The offset to section B. The offset is relative from the start of the file.
0x0060 4 DWORD The number of entries in section B.
0x0064 4 DWORD The offset to section C. The offset is relative from the start of the file.
0x0068 4 DWORD Length of section C.
0x006C 4 DWORD Offset to section D. The offset is relative from the start of the file.
0x0070 4 DWORD The number of entries in section D.
0x0074 4 DWORD Length of section D.
0x0078 8  ? Unknown
0x0080 8 FILETIME Latest execution time (or run time) of executable (FILETIME)
0x0088 7 x 8 = 56 FILETIME Older (most recent) latest execution time (or run time) of executable (FILETIME)
0x00C0 16 ? Unknown
0x00D0 4 DWORD Execution counter (or run count)
0x00D4 4 ? Unknown
0x00D8 4 ? Unknown
0x00DC 88 ? Unknown

Section A - Metrics

This section contains an array with 20 byte (version 17) or 32 byte (version 23 and 26) metrics entry records.

A metrics entry records conists of:

Field Offset Length Type Notes
0 4 DWORD Start time in ms
4 4 DWORD Duration in ms
8 4 DWORD Average duration in ms
12 4 DWORD Filename string offset
The offset is relative to the start of the filename string section (section C)
16 4 DWORD Filename string number of characters without end-of-string character
20 4 DWORD Unknown flags
24 4 DWORD Unknown
28 4 DWORD Unknown

Section B

This section contains an array with 12 byte (version 17, 23 and 26) entry records.

The actual format and usage of these entry records is currently not known.

Section C - Filename strings

This section contains filenames strings, it consists of an array of UTF-16 little-endian formatted strings with end-of-string characters (U+0000).

At the end of the section there seems to be alignment padding that can contain remnant values.

Section D - Volumes information (block)

Section D contains one or more subsections, each subsection refers to directories on a volume.

If all the executables and libraries referenced in the C section are from one single disk volume, there will be only one section in the D section. If multiple volumes are referenced by section C, section D will contain multiple sections. (A simple way to force this situation is to copy, say, NOTEPAD.EXE to a USB drive, and start it from that volume. The corresponding prefetch file will have one D header referring to, e.g. \DEVICE\HARDDISK1\DP(1)0-0+4 (the USB drive), and one to, e.g. \DEVICE\HARDDISKVOLUME1\ (where the .DLLs and other support files were found).

In this section, all offsets are assumed to be counted from the start of the D section.

Volume information

The structure of the volume information is version dependent.

Volume information - version 17

The volume information – version 17 is 40 bytes in size and consists of:

Field Offset Length Type Notes
VI1 +0x0000 4 DWORD Offset to volume device path (Unicode, terminated by U+0000)
VI2 +0x0004 4 DWORD Length of volume device path (nr of characters, including terminating U+0000)
VI3 +0x0008 8 FILETIME Volume creation time.
VI4 +0x0010 4 DWORD Volume serial number of volume indicated by volume string
VI5 +0x0014 4 DWORD Offset to sub section E
VI6 +0x0018 4 DWORD Length of sub section E (in bytes)
VI7 +0x001C 4 DWORD Offset to sub section F
VI8 +0x0020 4 DWORD Number of strings in sub section F
VI9 +0x0024 4  ? Unknown

Volume information - version 23

The volume information entry – version 23 is 104 bytes in size and consists of:

Field Offset Length Type Notes
VI1 +0x0000 4 DWORD Offset to volume device path (Unicode, terminated by U+0000)
VI2 +0x0004 4 DWORD Length of volume device path (nr of characters, including terminating U+0000)
VI3 +0x0008 8 FILETIME Volume creation time.
VI4 +0x0010 4 DWORD Volume serial number of volume indicated by volume string
VI5 +0x0014 4 DWORD Offset to sub section E
VI6 +0x0018 4 DWORD Length of sub section E (in bytes)
VI7 +0x001C 4 DWORD Offset to sub section F
VI8 +0x0020 4 DWORD Number of strings in sub section F
VI9 +0x0024 4  ? Unknown
VI10 +0x0028 28 ? Unknown
VI11 +0x0044 4 ? Unknown
VI12 +0x0048 28 ? Unknown
VI13 +0x0064 4 ? Unknown

Volume information - version 26

The volume information entry – version 26 appears to be similar to volume information – version 23.

Sub section E - NTFS file references

This sub section can contain NTFS file references.

For more information see Windows Prefetch File (PF) format.

Sub section F - Directory strings

This sub sections contains directory strings. The number of strings is stored in the volume information.

A directory string is stored in the following structure:

Field Offset Length Type Notes
0x0000 2 DWORD Number of characters (WORDs) of the directory name. The value does not include the end-of-string character.
0x0002 USTR The directory name as a Unicode (UTF-16 litte-endian string) terminated by an end-of-string character (U+0000).

See Also

External Links