Difference between pages "Windows Prefetch File Format" and "User:Danielle DiBruno"

From Forensics Wiki
(Difference between pages)
Jump to: navigation, search
(Header)
 
m (Creating user page with biography of new user.)
 
Line 1: Line 1:
A Windows Prefetch file consists of one file header and multiple file sections with different content. Not all content has an obvious forensic value.
+
Prior law enforcement working as an undercover Special Agent investigating computer crimes- primarily focus Internet crimes against children. Worked as an investigative analyst for NCMEC's Cybertipline which acted as the "911" for the Internet involving all types of child exploitation- mostly involving child pornography cases on the Internet.
  
As far as have been possible to ascertain, there is no public description of the format. The description below has been synthesised from examination
+
Currently I work as a forensic analyst for a private company that handles all types of cyber threats involving major businesses and corporations. I am looking to expand my knowledge base of various types of cyber crimes.
of multiple prefetch files.
+
 
+
== Header ==
+
 
+
This format has been observed on Windows XP, ...  will need to be modified for Vista/Win7 format
+
 
+
{| class="wikitable"
+
|-
+
! Field
+
! Offset
+
! Length
+
! Type
+
! Notes
+
|-
+
| H1
+
| 0x0000
+
| 4
+
| DWORD
+
| ? Probably a version number, identifying the file structure. Observed values: 0x11 - Windows XP; 0x17 - Vista, Windows 7
+
|-
+
| H2
+
| 0x0004
+
| 4
+
| DWORD
+
| ? Probably a file magic number. Only observed value: 0x41434353 ('SCCA')
+
|-
+
| H3
+
| 0x0008
+
| 4
+
| DWORD?
+
| ? Observed values: 0x0F - Windows XP, 0x11 - Windows 7
+
|-
+
| H4
+
| 0x000C
+
| 4
+
| DWORD
+
| Prefetch file length.
+
|-
+
| H5
+
|0x0010
+
| 60
+
| USTR
+
| Name of executable as Unicode string, truncated after 29 code units, if necessary, and terminated by U+0000. As it appears in the prefetch file file name.
+
|-
+
| H6
+
|0x004C
+
|4
+
|DWORD
+
|The prefetch hash, as it appears in the pf file name.
+
|-
+
| H7
+
|0x0050
+
|4
+
|?
+
|? Observed values: 0 for almost all prefetch files (XP); 1 for NTOSBOOT-B00DFAAD.pf (XP)
+
|-
+
| H8
+
| 0x0054
+
| 4
+
| DWORD
+
| Offset to section A
+
|-
+
| H9
+
| 0x0058
+
| 4
+
| DWORD
+
| ? Nr of entries in section A
+
|-
+
| H10
+
| 0x005C
+
| 4
+
| DWORD
+
| Offset to section B
+
|-
+
| H11
+
| 0x0060
+
| 4
+
| DWORD
+
| Nr of entries in section B
+
|-
+
| H12
+
| 0x0064
+
| 4
+
| DWORD
+
| Offset to section C
+
|-
+
| H13
+
| 0x0068
+
| 4
+
| DWORD
+
| Length of section C
+
|-
+
| H14
+
| 0x006C
+
| 4
+
| DWORD
+
| Offset to section D
+
|-
+
| H15
+
| 0x0070
+
| 4
+
| DWORD
+
| ? Probably the number of entries in the D section header
+
|-
+
| H16
+
| 0x0074
+
| 4
+
| DWORD
+
| Length of section D
+
|-
+
| H17
+
| 0x0078
+
| 8
+
| FTIME
+
| Latest execution time of executable (FILETIME)
+
|-
+
| H18
+
| 0x0080
+
| 16
+
| ?
+
| ? Possibly structured as 4 DWORD. Observed values: /0x00000000 0x00000000 0x00000000 0x00000000/, /0x47868c00 0x00000000 0x47860c00 0x00000000/
+
|-
+
| H19
+
| 0x0090
+
| 4
+
| DWORD
+
| Execution counter
+
|-
+
| H20
+
| 0x0094
+
| 4
+
| DWORD?
+
| ? Observed values: 1, 2, 3, 4, 5, 6 (XP)
+
|-
+
|}
+
 
+
It's worth noting that the name of a carved prefetch file can be restored using the information in field H5 and H6, and its size can be determined by field H4.
+
 
+
== Section A and B ==
+
 
+
The content of these two sections is unknown.
+
 
+
== Section C ==
+
 
+
== Section D ==
+
 
+
Section D contains one or more subsections. The number is (most likely) determined by the DWORD at file offset 0x0070. Each subsection refers to directories on an identified volume.
+
 
+
In this section, all offsets are assumed to be counted from the start of the D section.
+
 
+
{| class="wikitable"
+
|-
+
! Field
+
! Offset
+
! Length
+
! Type
+
! Notes
+
|-
+
| DH1
+
| +0x0000
+
| 4
+
| DWORD
+
| Offset to volume string (Unicode, terminated by U+0000)
+
|-
+
| DH2
+
| +0x0004
+
| 4
+
| DWORD
+
| Length of volume string (nr of characters, including terminating U+0000)
+
|-
+
| DH3
+
| +0x0008
+
| 8
+
| FTIME
+
| (File time)
+
|-
+
| DH4
+
| +0x0010
+
| 4
+
| DWORD
+
| Volume serial number of volume indicated by volume string
+
|-
+
| DH5
+
| +0x0014
+
| 4
+
| DWORD
+
| ? Offset to section DHS1
+
|-
+
| DH6
+
| +0x0018
+
| 4
+
| DWORD
+
| ? Length of section DHS1 (in bytes)
+
|-
+
| DH7
+
| +0x001C
+
| 4
+
| DWORD
+
| ? Offset to section DHS2
+
|-
+
| DH8
+
| +0x0020
+
| 4
+
| DWORD
+
| ? Nr of strings in section DHS2
+
|-
+
| ?
+
| +0x0024
+
| ?
+
| ?
+
| ? additional 28 bytes (includes one timestamp?)
+
|}
+
 
+
 
+
 
+
If all the executables and libraries referenced in the C section are from one single disk volume, there will be only one section in the D section. If multiple volumes are referenced by section C, section D will contain multiple sections.  (A simple way to force this situation is to copy, say, NOTEPAD.EXE to a USB drive, and start it from that volume. The corresponding prefetch file will have one D header referring to, e.g. \DEVICE\HARDDISK1\DP(1)0-0+4 (the USB drive), and one to, e.g. \DEVICE\HARDDISKVOLUME1\ (where the .DLLs and other support files were found).
+

Latest revision as of 03:26, 5 November 2011

Prior law enforcement working as an undercover Special Agent investigating computer crimes- primarily focus Internet crimes against children. Worked as an investigative analyst for NCMEC's Cybertipline which acted as the "911" for the Internet involving all types of child exploitation- mostly involving child pornography cases on the Internet.

Currently I work as a forensic analyst for a private company that handles all types of cyber threats involving major businesses and corporations. I am looking to expand my knowledge base of various types of cyber crimes.