Difference between pages "Upcoming events" and "Prefetch"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(Conferences)
 
 
Line 1: Line 1:
<b>PLEASE READ BEFORE YOU EDIT THE LISTS BELOW</b><br>
+
{{Expand}}
When events begin the same day, events of a longer length should be listed first.  New postings of events with the same date(s) as other events should be added after events already in the list. Please use three-letter month abbreviations (i.e. Sep, NOT Sept. or September), use two digit dates (i.e. Jan 01 NOT Jan 1), and use date ranges rather than listing every date during an event(i.e. Jan 02-05, NOT Jan 02, 03, 04, 05).<br>
+
Windows Prefetch files, introduced in [[Windows|Windows XP]], are designed to speed up the application startup process. Prefetch files contain the name of the executable, a Unicode list of DLLs used by that executable, a count of how many times the executable has been run, and a timestamp indicating the last time the program was run. Although Prefetch is present in Windows 2003, by default it is only enabled for boot prefetching. The feature is also found in [[Windows|Windows Vista]], where it has been augmented with [[SuperFetch]], [[ReadyBoot]], and [[ReadyBoost]].
<i>Some events may be <u>limited</u> to <b>Law Enforcement Only</b> or to a specific audience.  Such restrictions should be noted when known.</i>
+
  
This is a BY DATE listing of upcoming events relevant to [[digital forensics]].  It is not an all inclusive list, but includes most well-known activities. Some events may duplicate events on the generic [[conferences]] page, but entries in this list have specific dates and locations for the upcoming event.
+
From [http://msdn.microsoft.com/en-us/library/windows/hardware/dn653317(v=vs.85).aspx]:
 +
* [[SuperFetch]]; analyzes per-machine usage patterns over time and optimizes the data that is kept in memory.
 +
* [[ReadyBoot]]; decreases boot time (the time from turning power on to reaching the log-on screen) by preloading the files and startup programs needed per-machine into a cache.
 +
* [[ReadyBoost]]; supports the use of flash storage devices like Universal Serial Bus (USB) flash drives and Secure Digital (SD) flash cards to boost PC performance.
 +
* [[ReadyDrive]]; supports hybrid hard disk drives.
  
This listing is divided into three sections (described as follows):<br>
+
For SSD drives Prefetch is disabled by default [http://blogs.msdn.com/b/e7/archive/2009/05/05/support-and-q-a-for-solid-state-drives-and.aspx].
<ol><li><b><u>[[Upcoming_events#Calls_For_Papers|Calls For Papers]]</u></b> - Calls for papers for either Journals or for Conferences, relevant to Digital Forensics (Name, Closing Date, URL)</li><br>
+
<li><b><u>[[Upcoming_events#Conferences|Conferences]]</u></b> - Conferences relevant for Digital Forensics (Name, Date, Location, URL)</li><br>
+
<li><b><u>[[Training Courses and Providers]]</u></b> - Training </li><br></ol>
+
  
== Calls For Papers ==
+
== Prefetch files ==
Please help us keep this up-to-date with deadlines for upcoming conferences that would be appropriate for forensic research.
+
The Prefetch files are stored in the directory:
 +
<pre>
 +
%SystemRoot%\Prefetch
 +
</pre>
  
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
The following files can be found in the Prefetch directory:
|- style="background:#bfbfbf; font-weight: bold"
+
* <tt>*.pf</tt>, which are Prefetch files;
! width="30%|Title
+
* <tt>Ag*.db</tt> and <tt>Ag*.db.trx</tt>, which are [[SuperFetch]] files;
! width="15%"|Due Date
+
* <tt>Layout.ini</tt>;
! width="15%"|Notification Date
+
* <tt>PfPre_*.db</tt>;
! width="40%"|Website
+
* <tt>PfSvPerfStats.bin</tt>
|-
+
|9th International Conference on Cyber Warfare and Security (ICCWS-2014)
+
|Sep 02, 2013 (abstract)
+
|Sep 09, 2013 (abstract)<br>Dec 30, 2013 (final paper)
+
|http://academic-conferences.org/iciw/iciw2014/iciw14-call-papers.htm
+
|-
+
|IFIP WG 11.9 International Conference on Digital Forensics
+
|Sep 15, 2013
+
|Oct 15, 2013
+
|http://www.ifip119.org/Conferences/WG11-9-CFP-2014.pdf
+
|-
+
|}
+
  
See also [http://www.wikicfp.com/cfp/servlet/tool.search?q=forensics WikiCFP 'Forensics']
+
A Prefetch file contains the name of the application, a dash, and then an eight character hash of the location from which that application was run, and a <tt>.pf</tt> extension. The filenames should be all uppercase except for the extension. E.g. a filename for [[md5deep]] would look like: <tt>MD5DEEP.EXE-4F89AB0C.pf</tt>. If an application is run from two different locations on the drive (i.e. the user runs <tt>C:\md5deep.exe</tt> and then <tt>C:\Apps\Hashing\md5deep.exe</tt>), there will be two different prefetch files in the Prefetch folder. According to MSDN up to 128 Prefetch files can be stored in the Prefetch directory [http://blogs.msdn.com/ryanmy/archive/2005/05/25/421882.aspx].
  
== Conferences ==
+
=== File format ===
{| border="0" cellpadding="2" cellspacing="2" align="top"
+
Each Prefetch file has a 4-byte signature (at offset 4) "SCCA" (or in hexadecimal notation 0x53 0x43 0x43 0x41). The signature is assumed to be preceded by a 4-byte format version indicator:
|- style="background:#bfbfbf; font-weight: bold"
+
* 17 (0x00000011) for [[Windows XP]] and [[Windows 2003]]
! width="40%"|Title
+
* 23 (0x00000017) for [[Windows Vista]], [[Windows 2008]], [[Windows 7]] and [[Windows 2012]] (note Windows 2012 has not been confirmed)
! width="20%"|Date/Location
+
* 26 (0x0000001a) for [[Windows 8|Windows 8.1]] (note this could be Windows 8 as well but has not been confirmed)
! width="40%"|Website
+
|-
+
|6th International Workshop on Digital Forensics (WSDF 2013)
+
|Sep 02-06<br>Regensburg, Germany
+
|http://www.ares-conference.eu/conf/index.php?option=com_content&view=article&id=49&Itemid=95
+
|-
+
|2013 HTCIA International Conference & Training Expo
+
|Sep 08-11<br>Summerlin, NV
+
|http://www.htciaconference.org/
+
|-
+
|New Security Paradigms Workshop (NSPW)
+
|Sep 09-12<br>The Banff Center, Canada
+
|http://www.nspw.org/current/
+
|-
+
|Black Hat-Regional Summit
+
|Sep 10-12<br>Istanbul, Turkey
+
|https://www.blackhat.com/is-13/
+
|-
+
|French-Speaking Days on Digital Investigations-Journées Francophones de l'Investigation Numérique (AFSIN)
+
|Sep 10-12<br>Neuchâtel, Switzerland
+
|https://www.afsin.org/
+
|-
+
|5th International Conference on Digital Forensics & Cyber Crime
+
|Sep 25-27<br>Moscow, Russia
+
|http://d-forensics.org/2013/show/home
+
|-
+
|VB2013 - the 23rd Virus Bulletin International Conference
+
|Oct 02-04<br>Berlin, Germany
+
|http://www.virusbtn.com/conference/vb2013/index
+
|-
+
|8th International Conference on Malicious and Unwanted Software
+
|Oct 22-24<br>Fajardo, Puerto Rico, USA
+
|http://www.malwareconference.org/index.php?option=com_frontpage&Itemid=1
+
|-
+
|16th International Symposium on Research in Attacks, Intrusions and Defenses (RAID)
+
|Oct 23-25<br>St. Lucia
+
|http://www.raid2013.org/
+
|-
+
|5th International Workshop on Managing Insider Security Threats
+
|Oct 24-25<br>Busan, South Korea
+
|http://isyou.info/conf/mist13/index.htm
+
|-
+
|4th Annual Open Source Digital Forensics Conference (OSDF)
+
|Nov 04-05<br>Chantilly, VA
+
|http://www.basistech.com/about-us/events/open-source-forensics-conference/
+
|-
+
|Paraben Forensic Innovations Conference
+
|Nov 13-15<br>Salt Lake City, UT
+
|http://www.pfic-conference.com/
+
|-
+
|8th International Workshop on Systematic Approaches to Digital Forensic Engineering (SADFE)
+
|Nov 21-22<br>Hong Kong, China
+
|http://conf.ncku.edu.tw/sadfe/sadfe13/
+
|-
+
|Black Hat-Regional Summit
+
|Nov 26-27<br>Sao Paulo, Brazil
+
|https://www.blackhat.com/sp-13
+
|-
+
|29th Annual Computer Security Applications Conference (ACSAC)
+
|Dec 09-13<br>New Orleans, LA
+
|http://www.acsac.org
+
|-
+
|IFIP WG 11.9 International Conference on Digital Forensics
+
|Jan 08-10<br>Vienna, Austria
+
|http://www.ifip119.org/Conferences/
+
|-
+
|AAFS 66th Annual Scientific Meeting
+
|Feb 17-22<br>Seattle, WA
+
|http://www.aafs.org/aafs-66th-annual-scientific-meeting
+
|-
+
|21st Network & Distributed System Security Symposium
+
|Feb 23-26<br>San Diego, CA
+
|http://www.internetsociety.org/events/ndss-symposium-2014/
+
|-
+
|9th International Conference on Cyber Warfare and Security (ICCWS-2014)
+
|Mar 24-25<br>West Lafayette, IN
+
|http://academic-conferences.org/iciw/iciw2014/iciw14-home.htm
+
|-
+
|DFRWS-EU 2014
+
|May 07-09<br>Amsterdam, Netherlands
+
|http://dfrws.org/2014eu/index.shtml
+
|-
+
|2014 IEEE Symposium on Security and Privacy
+
|May 16-23<br>Berkley, CA
+
|http://www.ieee.org/conferences_events/conferences/conferencedetails/index.html?Conf_ID=16517
+
|-
+
|Techno-Security and Forensics Conference
+
|Jun 01-04<br>Myrtle Beach, SC
+
|http://www.techsec.com/html/Security%20Conference%202014.html
+
|-
+
|Mobile Forensics World
+
|Jun 01-04<br>Myrtle Beach, SC
+
|http://www.techsec.com/html/MFC-2014-Spring.html
+
|-
+
|DFRWS 2014
+
|Aug 03-06<br>Denver, CO
+
|http://dfrws.org/2014/index.shtml
+
|-
+
|}
+
  
==See Also==
+
For more information about the file format see: [[Windows Prefetch File Format]]
* [[Training Courses and Providers]]
+
 
==References==
+
== Metadata ==
* [http://faculty.cs.tamu.edu/guofei/sec_conf_stat.htm Computer Security Conference Ranking and Statistic]
+
The Prefetch file contains various metadata.
* [http://www.kdnuggets.com/meetings/ Meetings and Conferences in Data Mining and Discovery]
+
* The executable's name, up to 29 characters.
* http://www.conferencealerts.com/data.htm Data Mining Conferences World-Wide]
+
* The run count, or number of times the application has been run.
 +
* Volume related information, like volume path and volume serial number.
 +
* The size of the Prefetch file (sometimes referred to as end of file (EOF)).
 +
* The files and directories that were used doing the application's start-up.
 +
 
 +
=== Timestamps ===
 +
The Prefetch file contains 2 types of timestamps
 +
* The time when the application was last ran (executed). Version 26 of the Prefetch format maintains 7 previous last run times.
 +
* The volume creation time (part of the volume information) of the volume the Prefetch file was created on.
 +
 
 +
The file system creation time of the Prefetch file indicates the first time the application was executed. Both the file system modification time of the Prefetch file and the embedded last run time indicate the last time the application was executed.
 +
 
 +
== Prefetch hash ==
 +
There are multiple known hashing functions to be used for prefetch file filename hashing, namely:
 +
* SCCA XP hash function; used on Windows XP and Windows 2003
 +
* SCCA Vista hash function; used on Windows Vista
 +
* SCCA 2008 hash function; used on Windows 2008, Windows 7, (possibly: Windows 2012) and Windows 8 (including 8.1)
 +
 
 +
=== SCCA XP hash function ===
 +
A Python implementation of the SCCA XP hash function:
 +
 
 +
<pre>
 +
def ssca_xp_hash_function(filename):
 +
    hash_value = 0
 +
    for character in filename:
 +
        hash_value = ((hash_value * 37) + ord(character)) % 0x100000000
 +
        hash_value = (hash_value * 314159269) % 0x100000000
 +
        if hash_value > 0x80000000:
 +
            hash_value = 0x100000000 - hash_value
 +
 
 +
    return (abs(hash_value) % 1000000007) % 0x100000000
 +
</pre>
 +
 
 +
=== SCCA Vista hash function ===
 +
A Python implementation of the SCCA Vista hash function:
 +
 
 +
<pre>
 +
def ssca_vista_hash_function(filename):
 +
    hash_value = 314159
 +
    for character in filename:
 +
        hash_value = ((hash_value * 37) + ord(character)) % 0x100000000
 +
    return hash_value
 +
</pre>
 +
 
 +
=== SCCA 2008 hash function ===
 +
A Python implementation of the SCCA 2008 hash function:
 +
 
 +
<pre>
 +
def ssca_2008_hash_function(filename):
 +
    hash_value = 314159
 +
    filename_index = 0
 +
    filename_length = len(filename)
 +
    while filename_index + 8 < filename_length:
 +
        character_value = ord(filename[filename_index + 1]) * 37
 +
        character_value += ord(filename[filename_index + 2])
 +
        character_value *= 37
 +
        character_value += ord(filename[filename_index + 3])
 +
        character_value *= 37
 +
        character_value += ord(filename[filename_index + 4])
 +
        character_value *= 37
 +
        character_value += ord(filename[filename_index + 5])
 +
        character_value *= 37
 +
        character_value += ord(filename[filename_index + 6])
 +
        character_value *= 37
 +
        character_value += ord(filename[filename_index]) * 442596621
 +
        character_value += ord(filename[filename_index + 7])
 +
        hash_value = ((character_value - (hash_value * 803794207)) % 0x100000000)
 +
        filename_index += 8
 +
 
 +
    while filename_index < filename_length:
 +
      hash_value = (((37 * hash_value) + ord(filename[filename_index])) % 0x100000000)
 +
      filename_index += 1
 +
 
 +
    return hash_value
 +
</pre>
 +
 
 +
== Registry Keys ==
 +
<pre>
 +
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
 +
</pre>
 +
 
 +
The EnablePrefetcher Registry value can be used to disable prefetch.
 +
 
 +
== See Also ==
 +
* [[Prefetch XML]]
 +
* [[ReadyBoot]]
 +
* [[SuperFetch]]
 +
* [[Windows]]
 +
* [[Windows Prefetch File Format]]
 +
 
 +
== External Links ==
 +
* [http://msdn.microsoft.com/msdnmag/issues/01/12/XPKernel/default.aspx More detail from Microsoft]
 +
* [http://en.wikipedia.org/wiki/Prefetcher Wikipedia Prefetcher]
 +
* [http://msdn.microsoft.com/en-us/library/ms940847(v=winembedded.5).aspx MSDN: Disabling Prefetch]
 +
* [http://www.microsoft.com/whdc/driver/kernel/XP_kernel.mspx Kernel Enhancements for Windows XP], by [[Microsoft]], January 13, 2003 (Microsoft's description of Prefetch when Windows XP was introduced)
 +
* [http://blogs.msdn.com/b/ryanmy/archive/2005/05/25/421882.aspx Misinformation and the The Prefetch Flag], MSDN Blogs, May 25, 2005
 +
* [http://windowsir.blogspot.ch/2005/07/prefetch-file-metadata.html Prefetch file metadata], by [[Harlan Carvey]], July 13, 2005
 +
* [http://windowsir.blogspot.ch/2006/04/prefetch-files-revisited.html Prefetch files, revisited], by [[Harlan Carvey]], April 13, 2006
 +
* [http://blogs.msdn.com/b/e7/archive/2009/05/05/support-and-q-a-for-solid-state-drives-and.aspx Support and Q&A for Solid-State Drives], by Steven Sinofsky, May 5, 2009
 +
* [http://computer-forensics.sans.org/blog/2009/08/05/de-mystifying-defrag-identifying-when-defrag-has-been-used-for-anti-forensics-part-1-windows-xp/ De-mystifying Defrag: Identifying When Defrag Has Been Used for Anti-Forensics (Part 1 - Windows XP)], by [[Chad Tilbury]], August 5, 2009
 +
* [http://www.swiftforensics.com/2010/04/the-windows-prefetchfile.html Windows Prefetch File (old blog entry from 42 LLC)], by [[Yogesh Khatri]], April 14, 2010
 +
* [http://msdn.microsoft.com/en-us/library/windows/hardware/dn653317(v=vs.85).aspx Windows PC Accelerators], by Microsoft, October 8, 2010
 +
* [http://www.dfinews.com/articles/2010/12/decoding-prefetch-files-forensic-purposes-part-1 Decoding Prefetch Files for Forensic Purposes: Part 1], by [[Mark Wade]], December 8, 2010
 +
* [http://crucialsecurityblog.harris.com/2011/04/11/prefetch-files-at-face-value/ Prefetch Files at Face Value], by [[Mark Wade]], April 11, 2011
 +
* [http://kitrap08.blogspot.hk/2011/07/windows-logical-prefetcher.html Windows Logical Prefetcher], TTS blog, July 30, 2011 (article is in Russian)
 +
* [http://labit.in/pliki-prefetch-w-windows/ Prefetch i niedokładny licznik] by Paweł Hałdrzyński, August 20, 2011 (article in Polish; uncertain about the year of publication)
 +
* [http://windowsir.blogspot.ch/2012/03/prefetch-analysis-revisited.html Prefetch Analysis, Revisited], by [[Harlan Carvey]], March 8, 2012
 +
* [http://windowsir.blogspot.ch/2012/03/prefetch-analysis-revisitedagain.html Prefetch Analysis, Revisited...Again...], by [[Harlan Carvey]], March 15, 2012
 +
* [http://www.hexacorn.com/blog/2012/06/13/prefetch-hash-calculator-a-hash-lookup-table-xpvistaw7w2k3w2k8/ Prefetch Hash Calculator + a hash lookup table xp/vista/w7/w2k3/w2k8], Hexacorn blog, June 13, 2012
 +
* [http://www.hexacorn.com/blog/2012/10/29/prefetch-file-names-and-unc-paths/ Prefetch file names and UNC paths], Hexacorn blog, October 29, 2012
 +
* [http://journeyintoir.blogspot.ch/2012/12/ntosboot-prefetch-file.html NTOSBOOT Prefetch File], by [[Corey Harrell]], December 5, 2012
 +
* [http://www.invoke-ir.com/2013/09/whats-new-in-prefetch-for-windows-8.html What's New in the Prefetch for Windows 8??], by Jared Atkinson, September 21, 2013
 +
* [http://www.swiftforensics.com/2013/10/windows-prefetch-pf-files.html?m=1 Windows Prefetch (.PF) files], by [[Yogesh Khatri]], October 21, 2013
 +
* [http://resources.infosecinstitute.com/windows-systems-artifacts-digital-forensics-part-iii-prefetch-files/ Windows Systems and Artifacts in Digital Forensics: Part III: Prefetch Files], by Ivan Dimov, November 21, 2013
 +
* [http://i.imgur.com/riuljsK.jpg Prefetch 101 - a Windows 8 Prefetch file walkthrough], by Jared Atkinson, 2014
 +
 
 +
== Tools ==
 +
 
 +
=== Commercial ===
 +
 
 +
=== Free - Non Open Source ===
 +
* [http://www.woanware.co.uk/forensics/prefetchforensics.html PrefetchForensics], PrefetchForensics is an application to extract information from Windows Prefetch files
 +
* [http://redwolfcomputerforensics.com/index.php?option=com_content&task=view&id=42&Itemid=55 Prefetch-Parser], Parse the prefetch files and display information
 +
* [http://www.mitec.cz/wfa.html Windows File Analyzer] - Parses Prefetch files, thumbnail databases, shortcuts, index.dat files, and the recycle bin
 +
* [http://www.tzworks.net/prototype_page.php?proto_id=1 Windows Prefetch Parser (pf)], Free tool that can be run on Windows, Linux or Mac OS-X
 +
 
 +
=== Open Source ===
 +
* [https://code.google.com/p/prefetch-tool/ prefetch-tool], Script to extract information from windows prefetch folder
 +
* [http://bitbucket.cassidiancybersecurity.com/prefetch-parser prefetch-parser], Standalone Python tools that parses Windows prefetch files and extracts all known and forensically relevant artefacts contained.
 +
 
 +
[[Category:Windows]]

Revision as of 01:28, 24 April 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Windows Prefetch files, introduced in Windows XP, are designed to speed up the application startup process. Prefetch files contain the name of the executable, a Unicode list of DLLs used by that executable, a count of how many times the executable has been run, and a timestamp indicating the last time the program was run. Although Prefetch is present in Windows 2003, by default it is only enabled for boot prefetching. The feature is also found in Windows Vista, where it has been augmented with SuperFetch, ReadyBoot, and ReadyBoost.

From [1]:

  • SuperFetch; analyzes per-machine usage patterns over time and optimizes the data that is kept in memory.
  • ReadyBoot; decreases boot time (the time from turning power on to reaching the log-on screen) by preloading the files and startup programs needed per-machine into a cache.
  • ReadyBoost; supports the use of flash storage devices like Universal Serial Bus (USB) flash drives and Secure Digital (SD) flash cards to boost PC performance.
  • ReadyDrive; supports hybrid hard disk drives.

For SSD drives Prefetch is disabled by default [2].

Prefetch files

The Prefetch files are stored in the directory:

%SystemRoot%\Prefetch

The following files can be found in the Prefetch directory:

  • *.pf, which are Prefetch files;
  • Ag*.db and Ag*.db.trx, which are SuperFetch files;
  • Layout.ini;
  • PfPre_*.db;
  • PfSvPerfStats.bin

A Prefetch file contains the name of the application, a dash, and then an eight character hash of the location from which that application was run, and a .pf extension. The filenames should be all uppercase except for the extension. E.g. a filename for md5deep would look like: MD5DEEP.EXE-4F89AB0C.pf. If an application is run from two different locations on the drive (i.e. the user runs C:\md5deep.exe and then C:\Apps\Hashing\md5deep.exe), there will be two different prefetch files in the Prefetch folder. According to MSDN up to 128 Prefetch files can be stored in the Prefetch directory [3].

File format

Each Prefetch file has a 4-byte signature (at offset 4) "SCCA" (or in hexadecimal notation 0x53 0x43 0x43 0x41). The signature is assumed to be preceded by a 4-byte format version indicator:

For more information about the file format see: Windows Prefetch File Format

Metadata

The Prefetch file contains various metadata.

  • The executable's name, up to 29 characters.
  • The run count, or number of times the application has been run.
  • Volume related information, like volume path and volume serial number.
  • The size of the Prefetch file (sometimes referred to as end of file (EOF)).
  • The files and directories that were used doing the application's start-up.

Timestamps

The Prefetch file contains 2 types of timestamps

  • The time when the application was last ran (executed). Version 26 of the Prefetch format maintains 7 previous last run times.
  • The volume creation time (part of the volume information) of the volume the Prefetch file was created on.

The file system creation time of the Prefetch file indicates the first time the application was executed. Both the file system modification time of the Prefetch file and the embedded last run time indicate the last time the application was executed.

Prefetch hash

There are multiple known hashing functions to be used for prefetch file filename hashing, namely:

  • SCCA XP hash function; used on Windows XP and Windows 2003
  • SCCA Vista hash function; used on Windows Vista
  • SCCA 2008 hash function; used on Windows 2008, Windows 7, (possibly: Windows 2012) and Windows 8 (including 8.1)

SCCA XP hash function

A Python implementation of the SCCA XP hash function:

def ssca_xp_hash_function(filename):
    hash_value = 0
    for character in filename:
        hash_value = ((hash_value * 37) + ord(character)) % 0x100000000
        hash_value = (hash_value * 314159269) % 0x100000000
        if hash_value > 0x80000000:
            hash_value = 0x100000000 - hash_value

    return (abs(hash_value) % 1000000007) % 0x100000000

SCCA Vista hash function

A Python implementation of the SCCA Vista hash function:

def ssca_vista_hash_function(filename):
    hash_value = 314159
    for character in filename:
        hash_value = ((hash_value * 37) + ord(character)) % 0x100000000
    return hash_value

SCCA 2008 hash function

A Python implementation of the SCCA 2008 hash function:

def ssca_2008_hash_function(filename):
    hash_value = 314159
    filename_index = 0
    filename_length = len(filename)
    while filename_index + 8 < filename_length:
        character_value = ord(filename[filename_index + 1]) * 37
        character_value += ord(filename[filename_index + 2])
        character_value *= 37
        character_value += ord(filename[filename_index + 3])
        character_value *= 37
        character_value += ord(filename[filename_index + 4])
        character_value *= 37
        character_value += ord(filename[filename_index + 5])
        character_value *= 37
        character_value += ord(filename[filename_index + 6])
        character_value *= 37
        character_value += ord(filename[filename_index]) * 442596621
        character_value += ord(filename[filename_index + 7])
        hash_value = ((character_value - (hash_value * 803794207)) % 0x100000000)
        filename_index += 8

    while filename_index < filename_length: 
       hash_value = (((37 * hash_value) + ord(filename[filename_index])) % 0x100000000)
       filename_index += 1

    return hash_value 

Registry Keys

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters

The EnablePrefetcher Registry value can be used to disable prefetch.

See Also

External Links

Tools

Commercial

Free - Non Open Source

Open Source

  • prefetch-tool, Script to extract information from windows prefetch folder
  • prefetch-parser, Standalone Python tools that parses Windows prefetch files and extracts all known and forensically relevant artefacts contained.