Difference between pages "CAINE Live CD" and "Prefetch"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
 
 
Line 1: Line 1:
{{Infobox_Software |
+
{{Expand}}
  name = CAINE LiveCD/DVD |
+
Windows Prefetch files, introduced in [[Windows|Windows XP]], are designed to speed up the application startup process. Prefetch files contain the name of the executable, a Unicode list of DLLs used by that executable, a count of how many times the executable has been run, and a timestamp indicating the last time the program was run. Although Prefetch is present in Windows 2003, by default it is only enabled for boot prefetching. The feature is also found in [[Windows|Windows Vista]], where it has been augmented with [[SuperFetch]], [[ReadyBoot]], and [[ReadyBoost]]. For SSD drives Prefetch is disabled by default [http://blogs.msdn.com/b/e7/archive/2009/05/05/support-and-q-a-for-solid-state-drives-and.aspx].
  maintainer = [[Nanni Bassetti]] |
+
  os = {{Linux}} |
+
  genre = {{Live CD}} |
+
  license = {{GPL}}, others |
+
  website = [http://www.caine-live.net Caine Live] |
+
}}
+
'' ''' Caine (an acronym for Computer Aided Investigative Environment'''') is a [[distribution Linux | distribution]] [[Live CD | live]] oriented to Computer Forensics ([[computer forensics]]) historically conceived by Giancarlo Giustini, within a project of Digital Forensics '' Interdepartmental Research Center for Security'' (CRIS) of the University of Modena and Reggio Emilia  see [http://www.caine-live.net/page4/history.html Official Site].
+
Since the end of the '''2009''' and currently the project is maintained by Nanni Bassetti.
+
  
== Features ==
+
The Prefetch files are stored in the directory:
The latest version of Caine is based on the [[Ubuntu Linux]] 12.04 LTS, MATE and LightDM. Compared to its original version, the current version has been modified to meet the standards forensic reliability and safety standards laid down by the [[NIST]] View [Http://www.cftt.nist.gov/Methodology_Overview.htm the methodologies of Nist].
+
<pre>
 +
%SystemRoot%\Prefetch
 +
</pre>
  
Caine includes:
+
The following files can be found in the Prefetch directory:
* Caine Interface - a user-friendly interface that brings together a number of well-known forensic tools, many of which are open source;
+
* <tt>*.pf</tt>, Prefetch files;
* Updated and optimized environment to conduct a forensic analysis;
+
* <tt>Ag*.db</tt>, [[SuperFetch]] files;
* Report generator semi-automatic, by which the investigator has a document easily editable and exportable with a summary of the activities;
+
* <tt>Layout.ini</tt>;
* Adherence to the investigative procedure defined recently by Italian Law 48/2008, [Http://www.parlamento.it/parlam/leggi/08048l.htm Law 48/2008,].
+
* <tt>PfPre_*.db</tt>;
 +
* <tt>PfSvPerfStats.bin</tt>
  
In addition, Caine is the first distribution to include forensic Forensics inside the Caja/Nautilus Scripts and all the patches of security for not to alter the devices in analysis.
+
A Prefetch file contains the name of the application, a dash, and then an eight character hash of the location from which that application was run, and a <tt>.pf</tt> extension. The filenames should be all uppercase except for the extension. The format of hashes is not known. A sample filename for [[md5deep]] would look like: <tt>MD5DEEP.EXE-4F89AB0C.pf</tt>. If an application is run from two different locations on the drive (i.e. the user runs <tt>C:\md5deep.exe</tt> and then <tt>C:\Apps\Hashing\md5deep.exe</tt>), there will be two different prefetch files in the Prefetch folder. According to MSDN up to 128 Prefetch files can be stored in the Prefetch directory [http://blogs.msdn.com/ryanmy/archive/2005/05/25/421882.aspx].
  
The distro uses several patches specifically constructed to make the system "forensic", ie not alter the original device to be tested and / or duplicate:
+
== File format ==
* Root file system spoofing: patch that prevents tampering with the source device;
+
Each Prefetch file has a 4-byte signature (at offset 4) "SCCA" (or in hexadecimal notation 0x53 0x43 0x43 0x41). The signature is assumed to be preceded by a 4-byte format version indicator:
* No automatic recovery corrupted Journal patch: patch that prevents tampering with the device source, through the recovery of the [[Journal]];
+
* 17 (0x00000011) for [[Windows XP]] and [[Windows 2003]]
* Mounter and RBFstab: mounting devices in a simple and via graphical interface.
+
* 23 (0x00000017) for [[Windows Vista]], [[Windows 2008]], [[Windows 7]] and [[Windows 2012]] (note Windows 2012 has not been confirmed)
 +
* 26 (0x0000001a) for [[Windows 8|Windows 8.1]] (note this could be Windows 8 as well but has not been confirmed)
  
[[RBFstab]] is set to treat [[EXT3]] as a [[EXT4]]'' noload with the option'' to avoid automatic recovery of any corrupt Journal of '[[EXT3]];
+
For more information about the file format see: [[Windows Prefetch File Format]]
* Swap file off: patch that avoids modifying the file [[swap]] in systems with limited memory [[RAM]], avoiding the alteration of the original artifact computer and overwrite data useful for the purposes of investigation.
+
  
Caine and Open Source == ==
+
== Metadata ==
Patches and technical solutions are and have been all made in collaboration with people (Professionals, hobbyists, experts,
+
The Prefetch file contains various metadata.
etc..) from all over the world. <br />
+
* The executable's name, up to 29 characters.
 +
* The run count, or number of times the application has been run.
 +
* Volume related information, like volume path and volume serial number.
 +
* The size of the Prefetch file (sometimes referred to as end of file (EOF)).
 +
* The files and directories that were used doing the application's start-up.
  
CAINE represents fully the spirit of the Open Source philosophy, because the project is completely open, anyone could
+
=== Timestamps ===
take the legacy of the previous developer or project manager. <br />
+
The Prefetch file contains 2 types of timestamps
 +
* The time when the application was last ran (executed). Version 26 of the Prefetch format maintains 7 previous last run times.
 +
* The volume creation time (part of the volume information) of the volume the Prefetch file was created on.
  
The distro is open source, the Windows side (Nirlauncher/Wintaylor) is open source and, last one but not least important, the distro is installable, so as to give the possibility to rebuild in a new version, in order to give a long life to this project.
+
The file system creation time of the Prefetch file indicates the first time the application was executed. Both the file system modification time of the Prefetch file and the embedded last run time indicate the last time the application was executed.
  
== Caine Interface ==
+
== Prefetch hash ==
Caine Interface - a user-friendly interface that brings together a number of well-known forensic tools. <Br/>
+
There are multiple known hashing functions to be used for prefetch file filename hashing, namely:
 +
* SCCA XP hash function; used on Windows XP and Windows 2003
 +
* SCCA Vista hash function; used on Windows Vista
 +
* SCCA 2008 hash function; used on Windows 2008, Windows 7, (possibly: Windows 2012) and Windows 8 (including 8.1)
  
Environment updated and optimized for digital investigations. <br />
+
=== SCCA XP hash function ===
 +
A Python implementation of the SCCA XP hash function:
  
Report Semi-automatic - the final production of a complete document and easily editable exported by the investigator.
+
<pre>
Maximum adherence to the Italian investigative procedure. <br />
+
def ssca_xp_hash_function(filename):
 +
    hash_value = 0
 +
    for character in filename:
 +
        hash_value = ((hash_value * 37) + ord(character)) % 0x100000000
 +
        hash_value = (hash_value * 314159269) % 0x100000000
 +
        if hash_value > 0x80000000:
 +
            hash_value = 0x100000000 - hash_value
  
The first distribution to include forensic inside the Caja Forensics / Nautilus/Caja Scripts and all security patches, not to alter the devices in the analysis. <br />
+
    return (abs(hash_value) % 1000000007) % 0x100000000
 +
</pre>
  
The basic interface of the distribution called Caine Interface, was performed using the known GTK2-Perl wrapper that implements the Perl language instruction set and commands made available from the Gtk + toolkit.
+
=== SCCA Vista hash function ===
 +
A Python implementation of the SCCA Vista hash function:
  
Caine Interface allows you not only to select the various forensic software, it automatically generates the final report, due to the modules offered by Perl Template Toolkit, and DocBook.
+
<pre>
 +
def ssca_vista_hash_function(filename):
 +
    hash_value = 314159
 +
    for character in filename:
 +
        hash_value = ((hash_value * 37) + ord(character)) % 0x100000000
 +
    return hash_value
 +
</pre>
  
Inside contains the following software.
+
=== SCCA 2008 hash function ===
 +
A Python implementation of the SCCA 2008 hash function:
  
, Acquisition
+
<pre>
* Grissom Analyzer (mmls, img_stat, fsstat)
+
def ssca_2008_hash_function(filename):
* LRRP
+
    hash_value = 314159
* AIR
+
    filename_index = 0
* Guymager
+
    filename_length = len(filename)
* Terminal with saving the output
+
    while filename_index + 8 < filename_length:
* DC3DD
+
        character_value = ord(filename[filename_index + 1]) * 37
 +
        character_value += ord(filename[filename_index + 2])
 +
        character_value *= 37
 +
        character_value += ord(filename[filename_index + 3])
 +
        character_value *= 37
 +
        character_value += ord(filename[filename_index + 4])
 +
        character_value *= 37
 +
        character_value += ord(filename[filename_index + 5])
 +
        character_value *= 37
 +
        character_value += ord(filename[filename_index + 6])
 +
        character_value *= 37
 +
        character_value += ord(filename[filename_index]) * 442596621
 +
        character_value += ord(filename[filename_index + 7])
 +
        hash_value = ((character_value - (hash_value * 803794207)) % 0x100000000)
 +
        filename_index += 8
  
; Analysis
+
    while filename_index < filename_length:
* Autopsy
+
      hash_value = (((37 * hash_value) + ord(filename[filename_index])) % 0x100000000)
* [[The SleuthKit]]
+
      filename_index += 1
* [[Selective file dumper | Sfdumper 2.2]]
+
* Fundl 2.0
+
* Scalpel
+
* Foremost
+
* Stegdetect
+
* Ophcrack
+
* Nautilus scripts
+
* And many others
+
  
Reporting semiautomatic == ==
+
    return hash_value
 +
</pre>
  
Every contribution in the form of output and local report for each program involved in an investigation is saved in a report file, easily manageable by the investigator. The generation of the final report is done through the creation of temporary log file, that is to contain the output products for implementing the programs used by the investigator. <br />
+
== Registry Keys ==
The generation process is achieved through the use of Perl, bash scripts, variables Perl Template Toolkit and the DocBook file that acts as a container to the final report. <br />
+
<pre>
 +
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
 +
</pre>
  
All set within the Perl program.
+
The EnablePrefetcher Registry value can be used to disable prefetch.
  
The Project Caine == ==
+
== See Also ==
 +
* [[Windows Prefetch File Format]]
 +
* [[SuperFetch]]
 +
* [[Prefetch XML]]
 +
* [[Windows]]
  
The project was initially inserted into the priorities of the CRIS (Centre for Research Interdepartmental Security) Research Centre Interpardimentale Security - University of Modena [http://cris.unimore.it/cris/node/54 site], in this way the distribution has benefited from essential contributions on the technical computing, together to the latest "best practices" legal investigation digital  see [http://www.dia.unisa.it/~ads/ads/Sicurezza_files/Tesina%20Live%20Forensics.pdf Security University of Salerno] see [http://www.forwardedge2.com/pdf/bestpractices.pdf U.S. Secret Service document] see [http://ncfs.org/craiger.forensics.methods.procedures.final.pdf CraigeR's Draft].
+
== External Links ==
 +
* [http://msdn.microsoft.com/msdnmag/issues/01/12/XPKernel/default.aspx More detail from Microsoft]
 +
* [http://en.wikipedia.org/wiki/Prefetcher Wikipedia Prefetcher]
 +
* [http://msdn.microsoft.com/en-us/library/ms940847(v=winembedded.5).aspx MSDN: Disabling Prefetch]
 +
* [http://www.microsoft.com/whdc/driver/kernel/XP_kernel.mspx Kernel Enhancements for Windows XP], by [[Microsoft]], January 13, 2003 (Microsoft's description of Prefetch when Windows XP was introduced)
 +
* [http://blogs.msdn.com/b/ryanmy/archive/2005/05/25/421882.aspx Misinformation and the The Prefetch Flag], MSDN Blogs, May 25, 2005
 +
* [http://windowsir.blogspot.ch/2005/07/prefetch-file-metadata.html Prefetch file metadata], by [[Harlan Carvey]], July 13, 2005
 +
* [http://windowsir.blogspot.ch/2006/04/prefetch-files-revisited.html Prefetch files, revisited], by [[Harlan Carvey]], April 13, 2006
 +
* [http://blogs.msdn.com/b/e7/archive/2009/05/05/support-and-q-a-for-solid-state-drives-and.aspx Support and Q&A for Solid-State Drives], by Steven Sinofsky, May 5, 2009
 +
* [http://computer-forensics.sans.org/blog/2009/08/05/de-mystifying-defrag-identifying-when-defrag-has-been-used-for-anti-forensics-part-1-windows-xp/ De-mystifying Defrag: Identifying When Defrag Has Been Used for Anti-Forensics (Part 1 - Windows XP)], by [[Chad Tilbury]], August 5, 2009
 +
* [http://www.swiftforensics.com/2010/04/the-windows-prefetchfile.html Windows Prefetch File (old blog entry from 42 LLC)], by [[Yogesh Khatri]], April 14, 2010
 +
* [http://www.dfinews.com/articles/2010/12/decoding-prefetch-files-forensic-purposes-part-1 Decoding Prefetch Files for Forensic Purposes: Part 1], by [[Mark Wade]], December 8, 2010
 +
* [http://crucialsecurityblog.harris.com/2011/04/11/prefetch-files-at-face-value/ Prefetch Files at Face Value], by [[Mark Wade]], April 11, 2011
 +
* [http://kitrap08.blogspot.hk/2011/07/windows-logical-prefetcher.html Windows Logical Prefetcher], TTS blog, July 30, 2011 (article is in Russian)
 +
* [http://labit.in/pliki-prefetch-w-windows/ Prefetch i niedokładny licznik] by Paweł Hałdrzyński, August 20, 2011 (article in Polish; uncertain about the year of publication)
 +
* [http://windowsir.blogspot.ch/2012/03/prefetch-analysis-revisited.html Prefetch Analysis, Revisited], by [[Harlan Carvey]], March 8, 2012
 +
* [http://windowsir.blogspot.ch/2012/03/prefetch-analysis-revisitedagain.html Prefetch Analysis, Revisited...Again...], by [[Harlan Carvey]], March 15, 2012
 +
* [http://www.hexacorn.com/blog/2012/06/13/prefetch-hash-calculator-a-hash-lookup-table-xpvistaw7w2k3w2k8/ Prefetch Hash Calculator + a hash lookup table xp/vista/w7/w2k3/w2k8], Hexacorn blog, June 13, 2012
 +
* [http://www.hexacorn.com/blog/2012/10/29/prefetch-file-names-and-unc-paths/ Prefetch file names and UNC paths], Hexacorn blog, October 29, 2012
 +
* [http://journeyintoir.blogspot.ch/2012/12/ntosboot-prefetch-file.html NTOSBOOT Prefetch File], by [[Corey Harrell]], December 5, 2012
 +
* [http://www.invoke-ir.com/2013/09/whats-new-in-prefetch-for-windows-8.html What's New in the Prefetch for Windows 8??], by Jared Atkinson, September 21, 2013
 +
* [http://www.swiftforensics.com/2013/10/windows-prefetch-pf-files.html?m=1 Windows Prefetch (.PF) files], by [[Yogesh Khatri]], October 21, 2013
 +
* [http://resources.infosecinstitute.com/windows-systems-artifacts-digital-forensics-part-iii-prefetch-files/ Windows Systems and Artifacts in Digital Forensics: Part III: Prefetch Files], by Ivan Dimov, November 21, 2013
 +
* [http://i.imgur.com/riuljsK.jpg Prefetch 101 -  a Windows 8 Prefetch file walkthrough], by Jared Atkinson, 2014
  
The project Caine was also the subject of a scientific paper accepted and published inside the first Workshop on Computer & Network Forensics held in Milan September 10th 2008 - [http://conferenze.dei.polimi.it/ossconf/schedule.php OSSCoNF].
+
== Tools ==
  
In followed all close collaboration with Denis Frati (spilled by the project at end 2009) and Nanni Bassetti, prominent figures in the panorama of Italian Digital Forensics, allowed a constant improvement of investigative standards proposed. The work carried out together with the staff ConoscereLinux allowed to enter Caine within the Italian community of programmers of open-source software.
+
=== Commercial ===
  
Caine is very much the spirit of Open Source OSSConf 2008 Open Source Day 2012, precisely because the various inputs planning and operational were provided by so many employees scattered across the globe, using only the network to communicate and many have our utmost to provide hosting, mirror and suggestions, scripts and everything that can serve to improve the project, then a full and free.
+
=== Free - Non Open Source ===
 +
* [http://www.woanware.co.uk/forensics/prefetchforensics.html PrefetchForensics], PrefetchForensics is an application to extract information from Windows Prefetch files
 +
* [http://redwolfcomputerforensics.com/index.php?option=com_content&task=view&id=42&Itemid=55 Prefetch-Parser], Parse the prefetch files and display information
 +
* [http://www.mitec.cz/wfa.html Windows File Analyzer] - Parses Prefetch files, thumbnail databases, shortcuts, index.dat files, and the recycle bin
 +
* [http://www.tzworks.net/prototype_page.php?proto_id=1 Windows Prefetch Parser (pf)], Free tool that can be run on Windows, Linux or Mac OS-X
  
Currently the project manager and a team of international figures treat the project Caine since the 1.0 release to date that has arrived at version 4.0 (18-March-2013) and achieving praise from law enforcements of several foreign nations.
+
=== Open Source ===
 +
* [https://code.google.com/p/prefetch-tool/ prefetch-tool], Script to extract information from windows prefetch folder
 +
* [http://bitbucket.cassidiancybersecurity.com/prefetch-parser prefetch-parser], Standalone Python tools that parses Windows prefetch files and extracts all known and forensically relevant artefacts contained.
  
24/11/2012 The Caine 3.0 was presented at '[http://www.opensourceday.org/2012/?mid=20 Opens Source Day 2012]' at the University of Udine.
+
[[Category:Windows]]
 
+
== Notes ==
+
<references />
+
 
+
== Bibliography ==
+
* Andrea Ghirardini, Gabriele Faggioli, ''Computer Forensics'', Apogeo, 2009, ISBN 9788850328161
+
* E. Huebner, S. Zanero, ''Open Source Software for Digital Forensics'', Springer, 2010, ISBN 978-1-4419-5802-0
+
* Diane Barrett, Greg Kipper, ''Virtualization and Forensics: A Digital Forensic Investigator's Guide to Virtual Environment'', Syngress, 2010, ISBN 978-1-59749-557-8
+
* Sean Philip Oriyano and Michael Gregg, ''Hacker Techniques, Tools, And Incident Handling'', Jones and Bartlett Learning, 2011, ISBN 978-0-7637-9183-4
+
* Michael Jang, ''Security Strategies in Linux Platforms and Applications'', Jones and Bartlett Learning, 2011, ISBN 978-0-7637-9189-6
+
 
+
== External links ==
+
*[http://www.careeracademy.com/browseproducts/CHFI-Training-CBT-Boot-Camp--EC-Council-Computer-Hacking-Forensic-Investigator.HTML Presente nel training CHFI Ec-Council] International certificatione
+
*[http://link.springer.com/chapter/10.1007/978-1-4419-5803-7_5 Open Source Live Distributions for Computer Forensics- by Springer]<br />
+
*[http://conferenze.dei.polimi.it/ossconf/schedule.php OSSConf 2008]<br />
+
*[http://books.google.it/books?id=jQVgWaF3pJwC&pg=PT304&lpg=PT304&dq=Andrea+Ghirardini;+Gabriele+Faggioli,+Computer+Forensics+caine&source=bl&ots=mf8-Def6uF&sig=88ydFgTv05M2Q45B4FSvwqhBXKk&hl=it&sa=X&ei=W2voUOD3Lcrk4QSVlIDoDQ&ved=0CEMQ6AEwAQ Google books]<br />
+
*[http://www.amazon.com/Virtualization-Forensics-Forensic-Investigators-Environments/dp/1597495573Virtualization and Forensics: A Digital Forensic Investigator's Guide to Virtual Environment]<br />
+
*[http://www.linux-magazin.de/Ausgaben/2010/12/Italienische-Aufklaerung Linux-Mazin.de]<br />
+
*[http://www.linux-magazine.com/Issues/2011/122/Caine Linux-Magazine.com]<br />
+
*[http://www.opensourceday.org/2012/?mid=20 Opens Source Day 2012]<br />
+
*[http://searchsecurity.techtarget.it/articoli/0,1254,18_ART_103282,00.html TechTarget.it]<br />
+
*[http://programmazione.it/index.php?entity=eitem&idItem=41687 Programmazione.it]<br />
+
*[http://www.linuxtoday.com/upload/caine-3.0-review-121009195504.html Linuxtoday.com]<br />
+
*[http://www.linuxtoday.com/infrastructure/2010122801535SCSW Linuxtoday.com 2]<br />
+
*[http://news.softpedia.com/news/CAINE-3-0-a-Tool-for-Digital-Forensics-297461.shtml Softpedia]<br />
+
*[http://hackingzones.in/?p=2726 hackingzone.in]<br />
+
*[http://www.gustavopimentel.com.ar/ gustavopimental.com.ar]<br />
+
*[http://www.concise-courses.com/security/top-ten-distros/# concise-courses.com]<br />
+
*[http://www.e-linux.it/news_detail/caine-15 e-linux.it]<br />
+
*[http://www.ilsoftware.it/articoli.asp?tag=CAINE-progetto-italiano-per-la-computer-forensics_5656 ilsoftware.it]<br />
+
*[http://www.dragonjar.org/distribucion-live-cd-analisis-forense.xhtml dragonjar.org]<br />
+
*[http://www.nannibassetti.com/dblog/articolo.asp?articolo=156 Attestato Marenostrum V.F.F.]<br />
+
*[http://www.linuxformat.com/archives?issue=151 LinuxFormat] <br />
+
*[http://www.techrepublic.com/blog/10things/10-obscure-linux-distributions-and-why-you-should-know-about-them/2334 TechRepublic]<br />
+
*[http://www.forensicswiki.org/wiki/CAINE_Live_CD ForensicsWiki]<br />
+
* [http://www.caine-live.net Sito ufficiale]
+
* [http://cris.unimore.it/cris/node/54 Sito del CRIS] dedicato a Caine
+
 
+
{{Linux}}
+

Revision as of 00:02, 15 April 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Windows Prefetch files, introduced in Windows XP, are designed to speed up the application startup process. Prefetch files contain the name of the executable, a Unicode list of DLLs used by that executable, a count of how many times the executable has been run, and a timestamp indicating the last time the program was run. Although Prefetch is present in Windows 2003, by default it is only enabled for boot prefetching. The feature is also found in Windows Vista, where it has been augmented with SuperFetch, ReadyBoot, and ReadyBoost. For SSD drives Prefetch is disabled by default [1].

The Prefetch files are stored in the directory:

%SystemRoot%\Prefetch

The following files can be found in the Prefetch directory:

  • *.pf, Prefetch files;
  • Ag*.db, SuperFetch files;
  • Layout.ini;
  • PfPre_*.db;
  • PfSvPerfStats.bin

A Prefetch file contains the name of the application, a dash, and then an eight character hash of the location from which that application was run, and a .pf extension. The filenames should be all uppercase except for the extension. The format of hashes is not known. A sample filename for md5deep would look like: MD5DEEP.EXE-4F89AB0C.pf. If an application is run from two different locations on the drive (i.e. the user runs C:\md5deep.exe and then C:\Apps\Hashing\md5deep.exe), there will be two different prefetch files in the Prefetch folder. According to MSDN up to 128 Prefetch files can be stored in the Prefetch directory [2].

File format

Each Prefetch file has a 4-byte signature (at offset 4) "SCCA" (or in hexadecimal notation 0x53 0x43 0x43 0x41). The signature is assumed to be preceded by a 4-byte format version indicator:

For more information about the file format see: Windows Prefetch File Format

Metadata

The Prefetch file contains various metadata.

  • The executable's name, up to 29 characters.
  • The run count, or number of times the application has been run.
  • Volume related information, like volume path and volume serial number.
  • The size of the Prefetch file (sometimes referred to as end of file (EOF)).
  • The files and directories that were used doing the application's start-up.

Timestamps

The Prefetch file contains 2 types of timestamps

  • The time when the application was last ran (executed). Version 26 of the Prefetch format maintains 7 previous last run times.
  • The volume creation time (part of the volume information) of the volume the Prefetch file was created on.

The file system creation time of the Prefetch file indicates the first time the application was executed. Both the file system modification time of the Prefetch file and the embedded last run time indicate the last time the application was executed.

Prefetch hash

There are multiple known hashing functions to be used for prefetch file filename hashing, namely:

  • SCCA XP hash function; used on Windows XP and Windows 2003
  • SCCA Vista hash function; used on Windows Vista
  • SCCA 2008 hash function; used on Windows 2008, Windows 7, (possibly: Windows 2012) and Windows 8 (including 8.1)

SCCA XP hash function

A Python implementation of the SCCA XP hash function:

def ssca_xp_hash_function(filename):
    hash_value = 0
    for character in filename:
        hash_value = ((hash_value * 37) + ord(character)) % 0x100000000
        hash_value = (hash_value * 314159269) % 0x100000000
        if hash_value > 0x80000000:
            hash_value = 0x100000000 - hash_value

    return (abs(hash_value) % 1000000007) % 0x100000000

SCCA Vista hash function

A Python implementation of the SCCA Vista hash function:

def ssca_vista_hash_function(filename):
    hash_value = 314159
    for character in filename:
        hash_value = ((hash_value * 37) + ord(character)) % 0x100000000
    return hash_value

SCCA 2008 hash function

A Python implementation of the SCCA 2008 hash function:

def ssca_2008_hash_function(filename):
    hash_value = 314159
    filename_index = 0
    filename_length = len(filename)
    while filename_index + 8 < filename_length:
        character_value = ord(filename[filename_index + 1]) * 37
        character_value += ord(filename[filename_index + 2])
        character_value *= 37
        character_value += ord(filename[filename_index + 3])
        character_value *= 37
        character_value += ord(filename[filename_index + 4])
        character_value *= 37
        character_value += ord(filename[filename_index + 5])
        character_value *= 37
        character_value += ord(filename[filename_index + 6])
        character_value *= 37
        character_value += ord(filename[filename_index]) * 442596621
        character_value += ord(filename[filename_index + 7])
        hash_value = ((character_value - (hash_value * 803794207)) % 0x100000000)
        filename_index += 8

    while filename_index < filename_length: 
       hash_value = (((37 * hash_value) + ord(filename[filename_index])) % 0x100000000)
       filename_index += 1

    return hash_value 

Registry Keys

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters

The EnablePrefetcher Registry value can be used to disable prefetch.

See Also

External Links

Tools

Commercial

Free - Non Open Source

Open Source

  • prefetch-tool, Script to extract information from windows prefetch folder
  • prefetch-parser, Standalone Python tools that parses Windows prefetch files and extracts all known and forensically relevant artefacts contained.