DC3 Digital Forensics Challenge
From ForensicsWiki

== DC3 Challenge ==
[http://www.dc3.mil/challenge/ DC3 Digital Forensics Challenge]

The annual DC3 Digital Forensics Challenge is a global, online competition made up of individual, progressive-level digital forensic exercises. Its purpose is to promote and generate interest in digital forensics; establish relationships within the digital forensics community; address the major obstacles and dilemmas confronting digital forensics investigators and examiners; and develop new tools, techniques and methodologies. Throughout the 10 1/2 month contest, which starts on 15 December each year, teams can register and submit their solutions. Regardless of registration date, all final submissions are due the following 1 November. The DC3 Digital Forensics Challenge has multiple winning categories:

* High School
* Community College
* Undergrad
* Post Grad
* Civilian
* Commercial
* US Government
* US Military

Most categories are divided into US, International (non-US) and global overall winners. Winners can receive hardware, software, internships, training, trips to the DoD Cyber Crime Conference (January 2013), gift cards and more.

'''DC3 Maryland Digital Forensics Challenge'''

[http://www.dc3.mil/challenge/2012/about/states/md.php/ DC3 Maryland Challenge]

From education and training to employment opportunities, Maryland has become the epicenter for cyber crime investigations and cybersecurity. DC3 created the DC3 Maryland Digital Forensics Challenge, a subset of the overall DC3 Digital Forensics Challenge, to encourage Marylanders to participate and to consider digital forensics as a possible career path. Participants residing in Maryland are eligible for special recognition at the close of 2012 in addition to their general DC3 Digital Forensics Challenge prize eligibility.

The DC3 Maryland Digital Forensics Challenge is open to all individuals physically residing in Maryland at the time of submission.

== 2006 DC3 Digital Forensics Challenge ==

The 2006 Challenge provided unique tests that included audio steganography, real versus computer-generated image analysis, Linux [[Logical Volume Manager (Linux)|LVM]] data carving, and recovering data from destroyed floppy disks and CDs. With 140 teams total and 21 submissions entered, AccessData won the 2006 event.

== 2007 DC3 Digital Forensics Challenge ==

The 2007 Challenge introduced new topics such as [[Bitlocker]] cracking and recovering data from destroyed USB thumb drives. With 126 teams competing and 11 entries submitted, a team of students from the [[Air Force Institute of Technology]] won the event.

== 2008 DC3 Digital Forensics Challenge ==

Beginning with the 2008 Challenge, the contest was broken into four skill levels: Novice, Skilled, Expert and Genius. New challenges included detection of malicious software, partition recovery, file header reconstruction, [[Skype]] analysis, and foreign text identification and translation. With 199 teams competing and 20 entries submitted, the competition was won by Chris Eagle and Tim Vidas of the [[Naval Postgraduate School]]. The 2008 Challenge also marked the first time that all results were released publicly.

== 2009 DC3 Digital Forensics Challenge ==

A total of 1,153 teams from 49 states and 61 countries applied to enter the 2009 DC3 Challenge, up from 223 teams from 40 states and 26 countries in 2008. Of those teams, 44 submitted solution packets back to FX for grading.

'''2009 Sponsors'''

'''SANS Institute for the U.S. High School and U.S. Undergraduate prizes'''

The SysAdmin, Audit, Network, Security (SANS) Institute is the most trusted and by far the largest source for information security training and certification in the world. It also develops, maintains, and makes available at no cost the largest collection of research documents about various aspects of information security, and it operates the Internet's early warning system, the Internet Storm Center. SANS is also a sponsor of the Center for Strategic & International Studies US Cyber Challenge.

'''IMPACT for the Non-U.S. prize'''

The International Multilateral Partnership Against Cyber-Threats (IMPACT) and the Department of Defense Cyber Crime Center have partnered to provide a Digital Forensic Challenge opportunity for non-U.S. entries. This opportunity provides an international aspect to a previously U.S.-based event and allows additional insight into global methods of fighting cyber crime.

'''2009 Winners' Circle'''

With the four available prizes for 2009, the official winners of the Challenge were:

{| class="wikitable"
|-
! Prize !! Team !! Points
|-
| DC3 Prize (U.S. Winner) || Little Bobby Tables || 1,772
|-
| SANS Prize - High School (U.S.) || pwnage || 1,309
|-
| SANS Prize - Undergraduate (U.S.) || WilmU || 1,732
|-
| IMPACT Prize (International & Overall) || DFRC || 2,014
|}

== 2010 DC3 Digital Forensics Challenge ==

A total of 1,010 teams from 48 states and 53 countries applied to enter the 2010 DC3 Challenge, a 12% decrease in team applications from the 1,153 teams from 49 states and 61 countries in 2009. Of those teams, 70 submitted solution packets back to FX for grading, a 59% increase over the 44 submissions returned in 2009.

'''2010 Sponsors'''

New in 2010, several new sponsors provided additional prizes to allow for multiple winners:

'''SANS Institute for the U.S. High School and U.S. Undergraduate prizes'''

The [[SANS Institute|SysAdmin, Audit, Network, Security (SANS) Institute]] is the most trusted and by far the largest source for information security training and certification in the world. It also develops, maintains, and makes available at no cost the largest collection of research documents about various aspects of information security, and it operates the Internet's early warning system, the Internet Storm Center. SANS is also a sponsor of the Center for Strategic & International Studies US Cyber Challenge.

'''IMPACT for the Non-U.S. prize'''

The [[IMPACT|International Multilateral Partnership Against Cyber-Threats]] (IMPACT) and the Department of Defense Cyber Crime Center have partnered to provide a Digital Forensic Challenge opportunity for non-U.S. entries. This opportunity provides an international aspect to a previously U.S.-based event and allows additional insight into global methods of fighting cyber crime.

The winner(s) of the International category from an IMPACT-member country will be eligible to fly to Malaysia for a tour of the IMPACT facility in Cyberjaya, official presentation of a commemorative plaque, and potential grants of EC-Council and SANS courses.

'''EC-Council for US Government, US Military, Commercial, and Civilian individual prizes'''

The [[International Council of Electronic Commerce Consultants]] (EC-Council) is a world leader in information security certification and training. With over 450 training locations for its information security courses in over 60 countries, it is a world leader in technical training and certification for the information security community and a trusted source for vendor-neutral information security training solutions. EC-Council and DC3 have partnered to expand the prize award opportunities for the DC3 Digital Forensic Challenge. EC-Council sponsors the categories of:
* U.S. Government
* U.S. Military
* Civilian for all U.S. and non-U.S. entries
* Commercial teams for all U.S. and non-U.S. entries

The winning teams of the Civilian, Commercial, Government and Military categories receive the following prizes for up to 4 members from the EC-Council:
* A plaque
* A pass to the Hacker Halted Conference for each winner, worth $1,799 each
* Any free EC-Council electronic courseware of choice on Ethical Hacking, Computer Forensics, Security Analysis or Disaster Recovery, worth $650 each

'''JHU for Community College Participants'''

The [[John Hopkins University|Johns Hopkins University (JHU) Carey School for Business]], as part of CyberWatch, awards a prize to the team with the highest score that is also enrolled in a community college.

The Johns Hopkins/CyberWatch (JHU/CW) winning team is recognized as the academic leader at the U.S. Community College level. The winning team members are also presented with an award to mark their outstanding achievement.

'''UK Cyber Security Challenge'''

[https://cybersecuritychallenge.org.uk/ Cyber Security Challenge UK] and DC3 have partnered to provide an opportunity for teams consisting entirely of UK citizens residing in the UK.

The UK Challenge winning team is offered two prizes from Cyber Security Challenge UK:
* Two weeks at the new UK Cyber Security Academy, which develops the skills required of next-generation cyber security specialists, including courses on digital forensics, threat and risk management, cyber crime and emerging security technologies.
* Invitations to take part in the Cyber Security Challenge UK's masterclass challenge, competing against other successful contestants from other UK Challenge competitions.

'''2010 Winners' Circle'''

{| class="wikitable"
|-
! Prize !! Team !! Points
|-
| DC3 Prize (U.S. Winner) || Williams Twin Forensics || 1,470
|-
| SANS Prize - High School (U.S.) || Crash Override || 361
|-
| SANS Prize - Undergraduate (U.S.) || Team Name || 1,129
|-
| IMPACT Prize (International) || DFRC || 3,297
|-
| EC-COUNCIL Prize (US GOVT) || LBPDCCID || 409
|-
| EC-COUNCIL Prize (US Military) || Batcheej || 88
|-
| EC-COUNCIL Prize (Commercial) || Little Tree || 1,791
|-
| EC-COUNCIL Prize (Civilian) || Williams Twin Forensics || 1,470
|-
| JHU Prize (Community College) || PWNsauce || 84
|-
| UK Cyber Security Challenge || Mine Inc || 352
|}

== 2011 DC3 Digital Forensics Challenge ==

A total of 1,147 teams from 50 states and 52 countries applied to enter the 2011 DC3 Challenge, a 3% increase in team applications from the 1,110 teams from 48 states and 53 countries in 2010. Of those teams, 174 submitted solution packets back to FX for grading, a 149% increase over the 70 submissions returned in 2010.

'''2011 Sponsors'''

Sponsor participation increased significantly, both in the number of sponsors and in the number of categories each sponsor supported.

'''''The SysAdmin, Audit, Network, Security (SANS) Institute:'''''
SANS sponsored the 1st place US High School, Undergraduate and Graduate categories, offering a trip to the 2012 DoD Cyber Crime Conference (conference fee not included) for up to 4 team members.

'''''IMPACT:'''''
IMPACT sponsored the 1st place Non-US Winner, offering a trip to Malaysia for IMPACT training.

'''''JHU/CyberWatch:'''''
Johns Hopkins University (JHU) together with CyberWatch sponsored the 1st place US Community College Winner, offering scholarship money to up to 4 team members.

'''''The EC-Council:'''''
The International Council of Electronic Commerce Consultants (EC-Council) sponsored the 1st place Non-US Civilian, Commercial, High School, Undergraduate and Graduate categories, in addition to the US Academic, Government and Military categories. Teams receive a plaque, a pass to the Hacker Halted Conference, and any free EC-Council electronic courseware on Ethical Hacking, Computer Forensics, Security Analysis or Disaster Recovery of their choice.

'''''Cyber Security Challenge UK:'''''
The UK Challenge sponsored its own category, offering the winning team of up to 4 members two weeks at the new UK Cyber Security Academy and an invitation to take part in the UK's Masterclass Challenge.

'''''Armed Forces Communications and Electronics Association (AFCEA) International:'''''
AFCEA sponsored the 1st place US Government, Military and Undergraduate categories, offering a 1-year membership in the organization.

'''''BlackBag Technologies:'''''
BlackBag sponsored the US Overall winning team, offering the BBT Forensic Kit for up to 4 team members.

'''''National Institute of Standards and Technology Law Enforcement Standards Office (NIST OLES):'''''
NIST OLES sponsored the US Government Winner, offering a trip to the 2012 DoD Cyber Crime Conference (conference fees excluded) for up to 4 team members.

'''''Paraben:'''''
Paraben sponsored the 1st place US Undergraduate and the 1st and 2nd place US Government and Military categories, offering the Paraben Device Seizure Software & Toolbox to all winning teams and a paid internship to the Undergraduate winner(s).

'''''The US Cyber Challenge (USCC):'''''
The USCC sponsored the 1st place US Undergraduate Winner, offering a trip to the 2012 DoD Cyber Crime Conference (conference fees excluded) for up to 4 team members.

'''''AccessData:'''''
AccessData sponsored the 1st place US Undergraduate Winner, offering a copy of the current version of AccessData FTK, two free training classes (online or in classroom), an optional 60-day internship, and paid travel expenses and hotel room.

'''''Dell:'''''
Dell sponsored the US Overall and US High School categories, offering a Dell Streak 7 tablet for up to 4 team members.

'''''McAfee:'''''
McAfee sponsored the US Community College Winner, offering Skullcandy headphones, the Hacking Exposed book, McAfee Total Protection software, and a lunch box/sack for up to 4 team members.

'''2011 Winners' Circle'''

{| class="wikitable"
|-
! CATEGORY (SPONSORS) !! TEAM NAME !! # OF PLAYERS !! AFFILIATION !! POINTS
|-
| Grand Champion (DC3) || LoneWolf || 1 || Sabanci University, Turkey || 4,789
|-
| Overall Civilian Winner (EC-Council) || DFRC || 4 || University of South Korea, Korea || 2,762
|-
| Overall Commercial Winner (EC-Council) || Northrop Grumman || 4 || Northrop Grumman, United States || 3,471
|-
| Overall High School (EC-Council) || AlphaPHS || 4 || Poolesville High School, United States || 854
|-
| Overall Undergraduate (EC-Council) || SIGSEGV || 4 || Arizona State University, United States || 3,532
|-
| Overall Graduate (EC-Council) || LoneWolf || 1 || Sabanci University, Turkey || 4,789
|-
| U.S. Overall Winner (DC3, BlackBag, Dell) || SIGSEGV || 4 || Arizona State University, United States || 3,532
|-
| U.S. Government Winner (EC-Council, AFCEA, NIST OLES, Paraben) || 0x90 || 4 || Department of Defense, United States || 3,269
|-
| U.S. Military Winner (EC-Council, AFCEA, Paraben) || DCIS SEFO || 4 || Defense Criminal Investigative Service, United States || 1,105
|-
| U.S. High School Winner (SANS) || AlphaPHS || 4 || Poolesville High School, United States || 854
|-
| U.S. Community College Winner (CyberWatch/JHU, CIS, McAfee) || CSI-207-001 || 4 || Anne Arundel Community College, United States || 924
|-
| U.S. Undergraduate Winner (SANS, AFCEA, Paraben, AccessData) || SIGSEGV || 4 || Arizona State University, United States || 3,532
|-
| U.S. Graduate Winner (SANS) || DSU MSIA-2 || 1 || Dakota State University || 1,549
|-
| Non-U.S. Overall Winner (IMPACT) || LoneWolf || 1 || Sabanci University, Turkey || 4,789
|-
| U.K. Overall Winner (UK Challenge, McAfee) || Icarus || 1 || Lancaster University, United Kingdom || 2,098
|}

== External Links ==
* [http://www.dc3.mil/ DC3 Main]
* [http://www.dc3.mil/challenge/ DC3 Digital Forensics Challenge]
* [http://csicyber.dfilink.net/ CSI Cyber]

[[Category:DC3 Digital Forensics Challenge]]

Prefetch
From ForensicsWiki. Revision as of 07:59, 16 August 2011

Please help to improve this article by expanding it. Further information might be found on the discussion page.

Windows Prefetch files, introduced in Windows XP, are designed to speed up application startup. Each file records the name of the executable, a Unicode (UTF-16) list of the files, mostly DLLs, that the executable loaded during its start-up, a count of how many times the executable has been run, and a timestamp of the last run. Windows Server 2003 ships with Prefetch but by default enables it only for boot prefetching. Windows Vista keeps the feature and augments it with SuperFetch, ReadyBoot and ReadyBoost. Whether application prefetching is on at all is governed by the EnablePrefetcher value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters (0 = disabled, 1 = application only, 2 = boot only, 3 = both), so check that value before concluding that the absence of a .pf file means an application never ran.

Up to 128 Prefetch files are stored in the %SystemRoot%\Prefetch directory (see Ryan Myers' MSDN blog post, http://blogs.msdn.com/ryanmy/archive/2005/05/25/421882.aspx). Each file name consists of the executable's name in upper case, a dash, an eight-hex-digit hash, and the extension .pf, the only lower-case part. The hash is computed over the full path from which the executable was run, using a function that differs between Windows versions (not described here); the same hash value is also stored in the file header at offset 0x4C, which gives a quick consistency check for renamed or carved files. A sample file name for md5deep would be MD5DEEP.EXE-4F89AB0C.pf. Because the path is part of the hash, running the same executable from two different locations (for example C:\md5deep.exe and then C:\Apps\Hashing\md5deep.exe) produces two different Prefetch files in the folder, and each has its own run count and last-run time.


Signature

Each Prefetch file starts with an 8-byte signature: a little-endian DWORD format version at offset 0x0 followed by the ASCII string "SCCA" at offset 0x4. Windows XP and Windows Server 2003 write version 0x11, so the first eight bytes are \x11\x00\x00\x00\x53\x43\x43\x41; Windows Vista and Windows 7 write version 0x17, giving \x17\x00\x00\x00\x53\x43\x43\x41. Read as two little-endian DWORDs these are 0x00000011 (or 0x00000017) followed by 0x41434353, and the ASCII column of a hex editor shows "....SCCA". Later versions of Windows use higher version numbers (0x1A on Windows 8.1, 0x1E on Windows 10, where the file is additionally stored compressed behind a MAM header), so a parser should check the version field before applying any of the offsets below, which hold for XP through Windows 7 only.

Timestamps

Both the NTFS timestamps of the .pf file and the timestamp embedded in it contain valuable information. The embedded timestamp is a 64-bit (QWORD) FILETIME, the number of 100-nanosecond intervals since 1 January 1601 UTC (the Windows epoch); to convert it, divide by 10 to obtain microseconds and add the result to 1601-01-01 00:00 UTC. The NTFS creation date of the .pf file indicates the first time the application was executed (strictly, the first time this particular Prefetch file was written). The NTFS modification date and the embedded last-run timestamp both indicate the last execution; the prefetcher writes the file roughly ten seconds after the process starts, so the modification time lags the embedded launch time slightly.

Because NTFS timestamps are file system metadata they can change when the file is copied, restored or timestomped, whereas the embedded value is only rewritten by the prefetcher. A disagreement between the two that is larger than that small lag is itself a finding worth recording.

Creation Time

The creation time embedded in the file is the creation time of the volume the executable was run from, not the first run of the application (that comes from the NTFS creation date of the .pf file, see above). It is a FILETIME at offset 0x8 from the start of the volume information block, and because the location of that block is itself stored in the header (DWORD at offset 0x6C), the creation time has no fixed absolute offset on any Windows version. See the Volume section for the block layout.

Last Run Time

A FILETIME recording when the application was last run is embedded in the Prefetch file. On Windows XP it is at offset 0x78 from the beginning of the file; on Windows Vista and Windows 7 it is at offset 0x80. Windows 8 and later keep up to eight last-run timestamps starting at 0x80, so these single-value offsets do not apply there.

MetaData

Header

The DWORD at offset 0x54 holds the offset of the first data section (the file metrics array), which immediately follows the fixed header on Windows XP, Windows Vista and Windows 7, so it doubles as the header size: 0x98 (152) on Windows XP and 0xF0 (240) on Windows Vista and Windows 7.

The executable's name is stored in the header at offset 0x10 as a NUL-terminated UTF-16 string in a 60-byte field (up to 29 characters). The hash that appears in the .pf file name follows as a DWORD at offset 0x4C.

Run Count

The run count, the number of times the application has been run, is a 4-byte (DWORD) value located at offset 0x90 from the beginning of the file on Windows XP. On Windows Vista and Windows 7 the run count is at offset 0x98.

Volume

Volume related information, the volume device path (for example \DEVICE\HARDDISKVOLUME1), its creation time and its serial number, is embedded in the Prefetch file together with pointers to the file references and directory strings of that volume. The header DWORD at offset 0x6C holds the offset of this volume information block, the DWORD at 0x70 the number of volumes and the DWORD at 0x74 the block's size; these header offsets are the same on Windows XP, Vista and 7. Inside the block each volume has a fixed-size entry (0x28 bytes on XP, 0x68 bytes on Vista and 7), and an application that loaded files from several volumes has several entries.

Entry offset 0x0 is a DWORD offset, relative to the start of the volume information block (called the "volume path offset" in earlier versions of this text), to the volume path string; entry offset 0x4 is a DWORD holding the path length in UTF-16 characters, not bytes. The path itself is stored as a NUL-terminated UTF-16 string.

The volume serial number is a 4-byte value at entry offset 0x10, eight bytes after the volume creation FILETIME at offset 0x8. The serial number identifies the volume, so it can be compared with the output of the vol command on the system under examination, or with the serial recorded in the volume's boot sector in an image; a match ties the Prefetch file to a specific volume even when the executable name is generic.

End of File

The DWORD at offset 0xC holds the total file size, i.e. the end-of-file position. A parser should compare it with the size on disk: a mismatch indicates a truncated, carved or tampered file, and every other offset in the file should be range-checked against it before use.

Files

Embedded in each Prefetch file are the files and directories that were accessed during the application's start-up, kept in two separate areas of the file. Every string is encoded as UTF-16, the native Windows string encoding.

The filename strings section starts at the DWORD offset stored at 0x64 and has the size stored at 0x68; both header offsets are the same on Windows XP, Windows Vista and Windows 7. The section is a run of NUL-terminated UTF-16 full device paths (\DEVICE\HARDDISKVOLUMEn\...). This is the part of the file examiners look at first: a DLL loaded from a temporary or user-writable directory, or an executable path that does not match the name in the header, stands out immediately.

The directory strings sit in the lower part of the file and belong to the volume information block: entry offset 0x1C holds the offset of the directory strings (relative to the start of the block) and entry offset 0x20 holds their count. Each entry is a 16-bit character count followed by the UTF-16 string and a NUL terminator, so the section can be walked entry by entry instead of by the end-of-file arithmetic that was used before the layout was documented.
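The layout described in the Signature, Timestamps, MetaData, Volume and Files sections, as an added Python example that is not code from this wiki page or from any of the tools linked below. The header offsets are the ones given above; the volume-entry sizes (0x28 and 0x68), the directory-string encoding and the hash field at 0x4C are taken from the public libscca format notes rather than from this page. The parser builds its own sample file from constructed, made-up paths, serial number and timestamps so that it runs offline; real files come from %SystemRoot%\Prefetch.

```python
import re
import struct
from datetime import datetime, timedelta, timezone

# Offsets from the article: (last run time, run count) per format version.
LAYOUT = {0x11: (0x78, 0x90), 0x17: (0x80, 0x98)}   # XP/2003, Vista/7
VOLUME_ENTRY_SIZE = {0x11: 0x28, 0x17: 0x68}         # from libscca format notes
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC (the Windows epoch)."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10

def split_pf_name(name):
    """'MD5DEEP.EXE-4F89AB0C.pf' -> ('MD5DEEP.EXE', 0x4F89AB0C)."""
    m = re.fullmatch(r"(.+)-([0-9A-F]{8})\.pf", name)
    if not m:
        raise ValueError("unexpected Prefetch file name: " + name)
    return m.group(1), int(m.group(2), 16)

def parse_prefetch(data):
    version, magic, file_size = struct.unpack_from("<I4s4xI", data, 0)
    if magic != b"SCCA":
        raise ValueError("missing SCCA signature")
    if version not in LAYOUT:
        raise ValueError("unsupported Prefetch version 0x%x" % version)
    if file_size != len(data):          # offset 0xC must match the bytes on disk
        raise ValueError("size field %d != %d bytes read" % (file_size, len(data)))
    exe = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    pf_hash, = struct.unpack_from("<I", data, 0x4C)
    header_size, = struct.unpack_from("<I", data, 0x54)   # first data section
    fn_off, fn_size, vol_off, vol_count = struct.unpack_from("<4I", data, 0x64)
    last_run_off, run_count_off = LAYOUT[version]
    last_run, = struct.unpack_from("<Q", data, last_run_off)
    run_count, = struct.unpack_from("<I", data, run_count_off)
    # Filename strings: NUL-terminated UTF-16 device paths laid end to end.
    names = data[fn_off:fn_off + fn_size].decode("utf-16-le").split("\x00")
    volumes = []
    for i in range(vol_count):
        base = vol_off + i * VOLUME_ENTRY_SIZE[version]
        (path_off, path_chars, created, serial, _fr_off, _fr_size,
         dir_off, dir_count) = struct.unpack_from("<IIQIIIII", data, base)
        p = vol_off + path_off          # offsets are relative to the volume section
        path = data[p:p + 2 * path_chars].decode("utf-16-le")
        dirs, p = [], vol_off + dir_off
        for _ in range(dir_count):      # each: uint16 char count, string, NUL
            n, = struct.unpack_from("<H", data, p)
            dirs.append(data[p + 2:p + 2 + 2 * n].decode("utf-16-le"))
            p += 2 + 2 * n + 2
        volumes.append({"path": path, "created": filetime_to_datetime(created),
                        "serial": serial, "directories": dirs})
    return {"version": version, "executable": exe, "hash": pf_hash,
            "header_size": header_size, "last_run": filetime_to_datetime(last_run),
            "run_count": run_count, "filenames": [n for n in names if n],
            "volumes": volumes}

def check_name_matches_header(pf_name, data):
    """The hash in the .pf file name should equal the DWORD at offset 0x4C."""
    exe, name_hash = split_pf_name(pf_name)
    info = parse_prefetch(data)
    return exe == info["executable"] and name_hash == info["hash"]

def build_sample_prefetch(version):
    """Constructed sample (made-up paths, serial and times), not a real capture."""
    hdr_end = {0x11: 0x98, 0x17: 0xF0}[version]
    vol = r"\DEVICE\HARDDISKVOLUME1"
    files = [vol + r"\WINDOWS\SYSTEM32\NTDLL.DLL", vol + r"\APPS\HASHING\MD5DEEP.EXE"]
    dirs = [vol + r"\WINDOWS\SYSTEM32", vol + r"\APPS\HASHING"]
    fn_blob = "".join(f + "\x00" for f in files).encode("utf-16-le")
    esz = VOLUME_ENTRY_SIZE[version]
    path_blob = vol.encode("utf-16-le") + b"\x00\x00"
    dir_blob = b"".join(struct.pack("<H", len(d)) + d.encode("utf-16-le") + b"\x00\x00"
                        for d in dirs)
    entry = struct.pack("<IIQIIIII", esz, len(vol),
                        datetime_to_filetime(datetime(2010, 3, 1, tzinfo=timezone.utc)),
                        0x1CD4A3B7, 0, 0, esz + len(path_blob), len(dirs))
    vol_blob = entry.ljust(esz, b"\x00") + path_blob + dir_blob
    fn_off, vol_off = hdr_end, hdr_end + len(fn_blob)
    buf = bytearray(vol_off + len(vol_blob))
    struct.pack_into("<I4s4xI", buf, 0, version, b"SCCA", len(buf))
    buf[0x10:0x10 + 60] = "MD5DEEP.EXE".encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", buf, 0x4C, 0x4F89AB0C)
    struct.pack_into("<9I", buf, 0x54, hdr_end, 0, hdr_end, 0,
                     fn_off, len(fn_blob), vol_off, 1, len(vol_blob))
    struct.pack_into("<Q", buf, LAYOUT[version][0],
                     datetime_to_filetime(datetime(2011, 8, 16, 7, 59, tzinfo=timezone.utc)))
    struct.pack_into("<I", buf, LAYOUT[version][1], 3)
    buf[fn_off:vol_off] = fn_blob
    buf[vol_off:] = vol_blob
    return bytes(buf)
```

To use it on a real system, read a .pf file with `open(path, "rb").read()` and pass the bytes to `parse_prefetch`, then call `check_name_matches_header` with the file's name; the version check, the size check at 0xC and the name/hash comparison are the three sanity checks to run before trusting the timestamps and run count from a carved or copied file.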

See Also

* SuperFetch
* Prefetch XML

External Links

* Prefetch-Tool Script (http://milo2012.wordpress.com/2009/10/19/windows-prefetch-folder-tool/) - Python script that looks Prefetch files up on a web server.
* Windows File Analyzer (http://www.mitec.cz/wfa.html) - Parses Prefetch files, thumbnail databases, shortcuts, index.dat files and the recycle bin.
* Microsoft's description of Prefetch when Windows XP was introduced (http://www.microsoft.com/whdc/driver/kernel/XP_kernel.mspx#ECLAC)
* More detail from Microsoft (http://msdn.microsoft.com/msdnmag/issues/01/12/XPKernel/default.aspx)
* Windows Prefetch parser (http://www.tzworks.net/prototype_page.php?proto_id=1) - Free tool that runs on Windows, Linux or Mac OS X.
* Wikipedia: Prefetcher (http://en.wikipedia.org/wiki/Prefetcher)