Difference between pages "Windows Prefetch File Format" and "Upcoming events"

From Forensics Wiki
= Windows Prefetch File Format =

A Windows Prefetch file consists of one file header and multiple file sections with different content. Not all content has an obvious forensic value.

As far as it has been possible to ascertain, there is no public description of the format. The description below has been synthesised from examination of multiple prefetch files.

== Characteristics ==

Integer values are stored in little-endian.

Strings are stored as UTF-16 little-endian without a byte-order-mark (BOM).

Timestamps are stored as Windows FILETIME values in UTC.

== Header ==

This format has been observed on Windows XP, ...; the description will need to be modified for the Vista/Win7 format.

{| class="wikitable"
|-
! Field
! Offset
! Length
! Type
! Notes
|-
| H1
| 0x0000
| 4
| DWORD
| Format version (see format version section below)
|-
| H2
| 0x0004
| 4
| DWORD
| Signature 'SCCA' (or in hexadecimal representation 0x53 0x43 0x43 0x41)
|-
| H3
| 0x0008
| 4
| DWORD?
| Unknown - Values observed: 0x0F - Windows XP, 0x11 - Windows 7, Windows 8.1
|-
| H4
| 0x000C
| 4
| DWORD
| Prefetch file length.
|-
| H5
| 0x0010
| 60
| USTR
| Name of executable as Unicode string, truncated after 29 characters if necessary, and terminated by an end-of-string character (U+0000). As it appears in the prefetch file name.
|-
| H6
| 0x004C
| 4
| DWORD
| The prefetch hash, as it appears in the prefetch file name.
|-
| H7
| 0x0050
| 4
| ?
| Unknown (flags)? Values observed: 0 for almost all prefetch files (XP); 1 for NTOSBOOT-B00DFAAD.pf (XP)
|}

The following part of the header is likely to be a format-version-dependent structure for format version 0x11.

{| class="wikitable"
|-
! Field
! Offset
! Length
! Type
! Notes
|-
| H8
| 0x0054
| 4
| DWORD
| Offset to section A
|-
| H9
| 0x0058
| 4
| DWORD
| ? Number of entries in section A
|-
| H10
| 0x005C
| 4
| DWORD
| Offset to section B
|-
| H11
| 0x0060
| 4
| DWORD
| Number of entries in section B
|-
| H12
| 0x0064
| 4
| DWORD
| Offset to section C
|-
| H13
| 0x0068
| 4
| DWORD
| Length of section C
|-
| H14
| 0x006C
| 4
| DWORD
| Offset to section D
|-
| H15
| 0x0070
| 4
| DWORD
| ? Probably the number of entries in the D section header
|-
| H16
| 0x0074
| 4
| DWORD
| Length of section D
|-
| H17
| 0x0078
| 8
| FTIME
| Latest execution time of executable (FILETIME)
|-
| H18
| 0x0080
| 16
| ?
| ? Possibly structured as 4 DWORDs. Observed values: 0x00000000 0x00000000 0x00000000 0x00000000, and 0x47868c00 0x00000000 0x47860c00 0x00000000
|-
| H19
| 0x0090
| 4
| DWORD
| Execution counter
|-
| H20
| 0x0094
| 4
| DWORD?
| ? Observed values: 1, 2, 3, 4, 5, 6 (XP)
|}

It's worth noting that the name of a carved prefetch file can be restored using the information in fields H5 and H6, and its size can be determined by field H4.
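As an added worked example (not code from the wiki page), the following Python parses the fixed fields H1-H20 described above from a constructed prefetch-like buffer, restores the <code>NAME-HASH.pf</code> file name from H5 and H6, and cuts a carved blob down to the length recorded in H4. The sample bytes, the executable name NOTEPAD.EXE, the hash 0x1A2B3C4D, the timestamp and the section offsets are all constructed for this illustration and are not taken from a real file.

```python
"""Parse the 0x98-byte header (H1-H20) of a format version 0x11 prefetch file.

Added example, not code from the Forensics Wiki page. The layout follows the
two header tables above; the sample file, name, hash and timestamp are
constructed here.
"""
import struct
from datetime import datetime, timedelta, timezone

SIGNATURE = b"SCCA"
# H1 version, H2 signature, H3 unknown, H4 file length, H5 name (60 bytes),
# H6 hash, H7 flags, H8-H16 nine section offsets/counts/lengths,
# H17 FILETIME, H18 16 unknown bytes, H19 run counter, H20 unknown.
HEADER = struct.Struct("<I4sII60s" + "I" * 11 + "Q16sII")
assert HEADER.size == 0x98
NAME_MAX_CHARS = 29  # H5 is truncated after 29 characters
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def encode_name(name: str) -> bytes:
    """Encode H5: UTF-16-LE, no BOM, cut to 29 chars, NUL-terminated, 60 bytes."""
    return (name[:NAME_MAX_CHARS] + "\x00").encode("utf-16-le").ljust(60, b"\x00")


def parse_header(data: bytes) -> dict:
    if len(data) < HEADER.size:
        raise ValueError("buffer shorter than the 0x98-byte prefetch header")
    f = HEADER.unpack_from(data, 0)
    if f[1] != SIGNATURE:
        raise ValueError("SCCA signature not found at offset 0x0004")
    name = f[4].decode("utf-16-le").split("\x00", 1)[0]  # stop at U+0000
    return {
        "version": f[0],
        "unknown_h3": f[2],
        "file_length": f[3],
        "executable": name,
        "hash": f[5],
        "flags": f[6],
        "section_a": {"offset": f[7], "entries": f[8]},
        "section_b": {"offset": f[9], "entries": f[10]},
        "section_c": {"offset": f[11], "length": f[12]},
        "section_d": {"offset": f[13], "entries": f[14], "length": f[15]},
        "last_run": filetime_to_datetime(f[16]),
        "unknown_h18": f[17],
        "run_count": f[18],
        "unknown_h20": f[19],
    }


def prefetch_file_name(hdr: dict) -> str:
    """Restore the on-disk name of a carved file from H5 and H6."""
    return f"{hdr['executable']}-{hdr['hash']:08X}.pf"


def carve(data: bytes) -> bytes:
    """Cut a carved blob to the file length recorded in H4."""
    hdr = parse_header(data)
    if hdr["file_length"] > len(data):
        raise ValueError("H4 claims more bytes than were recovered")
    return data[: hdr["file_length"]]


def build_sample(name: str, hash_: int, run_count: int, last_run: datetime,
                 trailing: int = 64) -> bytes:
    """Constructed sample: a header followed by `trailing` filler bytes."""
    total = HEADER.size + trailing
    # Section placement is illustrative only: every section "starts" right after
    # the header and only D is given a length.
    fields = (0x11, SIGNATURE, 0x0F, total, encode_name(name), hash_, 0,
              HEADER.size, 0, HEADER.size, 0, HEADER.size, 0,
              HEADER.size, 0, trailing,
              datetime_to_filetime(last_run), bytes(16), run_count, 1)
    return HEADER.pack(*fields) + bytes(trailing)


SAMPLE = build_sample("NOTEPAD.EXE", 0x1A2B3C4D, 3,
                      datetime(2014, 1, 23, 7, 31, tzinfo=timezone.utc))
# Carving scenario: the prefetch file followed by unrelated slack bytes.
CARVED_BLOB = SAMPLE + b"\xff" * 37

if __name__ == "__main__":
    hdr = parse_header(CARVED_BLOB)
    print(prefetch_file_name(hdr), hdr["last_run"], hdr["run_count"])
    print(len(carve(CARVED_BLOB)), "bytes per H4; blob was", len(CARVED_BLOB))
```

The parser refuses buffers without the 'SCCA' signature and blobs whose H4 exceeds what was recovered, which is the first sanity check to apply to a carving hit before trusting any of the other fields.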
=== Format version ===

{| class="wikitable"
|-
! Value
! Windows version
|-
| 0x11
| Windows XP, Windows 2003
|-
| 0x17
| Windows Vista, Windows 7
|-
| 0x1a
| Windows 8.1
|}

== Section A and B ==

The content of these two sections is unknown.

== Section C ==

== Section D ==

Section D contains one or more subsections. The number is (most likely) determined by the DWORD at file offset 0x0070. Each subsection refers to directories on an identified volume.

In this section, all offsets are assumed to be counted from the start of the D section.

{| class="wikitable"
|-
! Field
! Offset
! Length
! Type
! Notes
|-
| DH1
| +0x0000
| 4
| DWORD
| Offset to volume string (Unicode, terminated by U+0000)
|-
| DH2
| +0x0004
| 4
| DWORD
| Length of volume string (number of characters, including the terminating U+0000)
|-
| DH3
| +0x0008
| 8
| FTIME
| (File time)
|-
| DH4
| +0x0010
| 4
| DWORD
| Volume serial number of the volume indicated by the volume string
|-
| DH5
| +0x0014
| 4
| DWORD
| ? Offset to section DHS1
|-
| DH6
| +0x0018
| 4
| DWORD
| ? Length of section DHS1 (in bytes)
|-
| DH7
| +0x001C
| 4
| DWORD
| ? Offset to section DHS2
|-
| DH8
| +0x0020
| 4
| DWORD
| ? Number of strings in section DHS2
|-
| ?
| +0x0024
| ?
| ?
| ? Additional 28 bytes (includes one timestamp?)
|}

If all the executables and libraries referenced in the C section are from one single disk volume, there will be only one subsection in the D section. If multiple volumes are referenced by section C, section D will contain multiple subsections. (A simple way to force this situation is to copy, say, NOTEPAD.EXE to a USB drive and start it from that volume. The corresponding prefetch file will have one D header referring to, e.g., \DEVICE\HARDDISK1\DP(1)0-0+4 (the USB drive), and one to, e.g., \DEVICE\HARDDISKVOLUME1\ (where the .DLLs and other support files were found).)
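As an added worked example (not code from the wiki page), the following Python walks the D section subsection headers DH1-DH8 described above, reads H14/H15 at file offsets 0x006C/0x0070 to locate them, and decodes each volume string and serial number. It assumes a subsection stride of 0x40 bytes (the 0x24 bytes of DH1-DH8 plus the 28 bytes the table leaves unknown), which is as uncertain as the table's own question marks; the sample file, volume names, serial numbers and timestamps are constructed to mirror the two-volume NOTEPAD.EXE-on-a-USB-drive scenario, and the file prefix before section D is zero filler rather than a real header.

```python
"""Decode section D volume subsections of a prefetch file.

Added example, not code from the Forensics Wiki page. Layout per the DH table
above; the 0x40-byte subsection stride and the whole sample are assumptions.
"""
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# DH1 string offset, DH2 string length (chars), DH3 FILETIME, DH4 serial,
# DH5/DH6 DHS1 offset/length, DH7/DH8 DHS2 offset/count, then 28 unknown bytes.
VOLUME_HDR = struct.Struct("<IIQIIIII28s")
assert VOLUME_HDR.size == 0x40  # assumed stride, see lead-in
H14_OFFSET = 0x6C  # H14 offset to section D, H15 entry count follows at 0x70


def filetime_to_datetime(ft: int) -> datetime:
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_volumes(prefetch: bytes, d_offset: int, d_count: int) -> list:
    """Return one dict per subsection; DH offsets are relative to section D."""
    section = prefetch[d_offset:]
    if d_count * VOLUME_HDR.size > len(section):
        raise ValueError("H15 claims more subsections than section D can hold")
    volumes = []
    for i in range(d_count):
        (str_off, str_chars, ft, serial, dhs1_off, dhs1_len,
         dhs2_off, dhs2_count, _unknown) = VOLUME_HDR.unpack_from(section, i * VOLUME_HDR.size)
        end = str_off + 2 * str_chars  # UTF-16 code units are 2 bytes each
        if end > len(section):
            raise ValueError(f"volume string {i} runs past the end of section D")
        name = section[str_off:end].decode("utf-16-le").rstrip("\x00")
        volumes.append({
            "volume": name,
            "string_chars": str_chars,
            "created": filetime_to_datetime(ft),
            "serial": serial,
            "serial_text": f"{serial >> 16:04X}-{serial & 0xFFFF:04X}",
            "dhs1": {"offset": dhs1_off, "length": dhs1_len},
            "dhs2": {"offset": dhs2_off, "strings": dhs2_count},
        })
    return volumes


def parse_volumes_from_header(prefetch: bytes) -> list:
    """Locate section D through H14 (offset) and H15 (count)."""
    d_offset, d_count = struct.unpack_from("<II", prefetch, H14_OFFSET)
    return parse_volumes(prefetch, d_offset, d_count)


def build_section_d(volumes) -> bytes:
    """Constructed layout: all subsection headers first, volume strings after."""
    headers, strings = [], b""
    strings_start = len(volumes) * VOLUME_HDR.size
    for name, serial, created in volumes:
        encoded = (name + "\x00").encode("utf-16-le")
        headers.append(VOLUME_HDR.pack(strings_start + len(strings), len(name) + 1,
                                       datetime_to_filetime(created), serial,
                                       0, 0, 0, 0, bytes(28)))
        strings += encoded
    return b"".join(headers) + strings


D_OFFSET = 0x98  # section D placed directly after the fixed header
# Constructed volumes for the NOTEPAD.EXE-started-from-USB scenario above.
VOLUMES = [
    ("\\DEVICE\\HARDDISK1\\DP(1)0-0+4", 0xA1B2C3D4,
     datetime(2013, 11, 5, 12, 0, tzinfo=timezone.utc)),
    ("\\DEVICE\\HARDDISKVOLUME1\\", 0x1E2D3C4B,
     datetime(2012, 6, 1, 8, 15, tzinfo=timezone.utc)),
]


def build_sample_prefetch(volumes) -> bytes:
    """Zero filler standing in for the header, with only H14/H15 filled in."""
    prefix = bytearray(D_OFFSET)
    struct.pack_into("<II", prefix, H14_OFFSET, D_OFFSET, len(volumes))
    return bytes(prefix) + build_section_d(volumes)


SAMPLE_PREFETCH = build_sample_prefetch(VOLUMES)

if __name__ == "__main__":
    for v in parse_volumes_from_header(SAMPLE_PREFETCH):
        print(v["volume"], v["serial_text"], v["created"])
```

Two volumes coming back from one prefetch file is the signal described above: the executable and its support files did not all live on the same volume, so the volume strings and serial numbers are worth correlating with the system's known removable media.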
= Upcoming events =

Revision as of 07:31, 23 January 2014

<b>PLEASE READ BEFORE YOU EDIT THE LISTS BELOW</b><br>
When events begin the same day, events of a longer length should be listed first. New postings of events with the same date(s) as other events should be added after events already in the list. Please use three-letter month abbreviations (i.e. Sep, NOT Sept. or September), use two-digit dates (i.e. Jan 01 NOT Jan 1), and use date ranges rather than listing every date during an event (i.e. Jan 02-05, NOT Jan 02, 03, 04, 05).<br>
<i>Some events may be <u>limited</u> to <b>Law Enforcement Only</b> or to a specific audience. Such restrictions should be noted when known.</i>

This is a BY DATE listing of upcoming events relevant to [[digital forensics]]. It is not an all-inclusive list, but includes most well-known activities. Some events may duplicate events on the generic [[conferences]] page, but entries in this list have specific dates and locations for the upcoming event.

This listing is divided into three sections (described as follows):<br>
<ol><li><b><u>[[Upcoming_events#Calls_For_Papers|Calls For Papers]]</u></b> - Calls for papers for either Journals or for Conferences, relevant to Digital Forensics (Name, Closing Date, URL)</li><br>
<li><b><u>[[Upcoming_events#Conferences|Conferences]]</u></b> - Conferences relevant for Digital Forensics (Name, Date, Location, URL)</li><br>
<li><b><u>[[Training Courses and Providers]]</u></b> - Training</li><br></ol>

== Calls For Papers ==

Please help us keep this up-to-date with deadlines for upcoming conferences that would be appropriate for forensic research.

{| border="0" cellpadding="2" cellspacing="2" align="top"
|- style="background:#bfbfbf; font-weight: bold"
! width="30%"|Title
! width="15%"|Due Date
! width="15%"|Notification Date
! width="40%"|Website
|-
|USENIX Annual Technical Conference
|Jan 28, 2014
|Apr 07, 2014
|https://www.usenix.org/conference/atc14/call-for-papers
|-
|Audio Engineering Society (AES) Conference on Audio Forensics
|Jan 31, 2014
|Mar 15, 2014
|http://www.aes.org/conferences/54/downloads/54thCallForContributions.pdf
|-
|DFRWS - USA 2014
|Feb 13, 2014
|Apr 07, 2014
|http://dfrws.org/2014/cfp.shtml
|-
|Symposium On Usable Privacy and Security
|Feb 28, 2014 (Register) / Mar 06, 2014 (Submit)
|May 05, 2014
|http://cups.cs.cmu.edu/soups/2014/cfp.html
|-
|6th International Conference on Digital Forensics & Cyber Crime
|May 16, 2014
|Jul 30, 2014
|http://d-forensics.org/2014/show/cf-calls
|}

See also [http://www.wikicfp.com/cfp/servlet/tool.search?q=forensics WikiCFP 'Forensics']

== Conferences ==

{| border="0" cellpadding="2" cellspacing="2" align="top"
|- style="background:#bfbfbf; font-weight: bold"
! width="40%"|Title
! width="20%"|Date/Location
! width="40%"|Website
|-
|IFIP WG 11.9 International Conference on Digital Forensics
|Jan 08-10<br>Vienna, Austria
|http://www.ifip119.org/Conferences/
|-
|AAFS 66th Annual Scientific Meeting
|Feb 17-22<br>Seattle, WA, USA
|http://www.aafs.org/aafs-66th-annual-scientific-meeting
|-
|21st Network & Distributed System Security Symposium
|Feb 23-26<br>San Diego, CA, USA
|http://www.internetsociety.org/events/ndss-symposium
|-
|Fourth ACM Conference on Data and Application Security and Privacy 2014
|Mar 03-05<br>San Antonio, TX, USA
|http://www1.it.utsa.edu/codaspy/
|-
|9th International Conference on Cyber Warfare and Security (ICCWS-2014)
|Mar 24-25<br>West Lafayette, IN, USA
|http://academic-conferences.org/iciw/iciw2014/iciw14-home.htm
|-
|CyberPatterns 2014
|Apr 11<br>Oxford, United Kingdom
|http://tech.brookes.ac.uk/CyberPatterns2014/
|-
|US Cyber Crime Conference 2014
|Apr 29-May 02<br>Leesburg, VA
|http://www.usacybercrime.com/
|-
|DFRWS-Europe 2014
|May 07-09<br>Amsterdam, Netherlands
|http://dfrws.org/2014eu/index.shtml
|-
|8th International Conference on IT Security Incident Management & IT Forensics
|May 12-14<br>Muenster, Germany
|http://www1.gi-ev.de/fachbereiche/sicherheit/fg/sidar/imf/imf2014/
|-
|2014 IEEE Symposium on Security and Privacy
|May 16-23<br>Berkeley, CA, USA
|http://www.ieee.org/conferences_events/conferences/conferencedetails/index.html?Conf_ID=16517
|-
|9th ADFSL Conference on Digital Forensics, Security and Law
|May 28-29<br>Richmond, VA
|http://www.digitalforensics-conference.org/
|-
|Techno-Security and Forensics Conference
|Jun 01-04<br>Myrtle Beach, SC, USA
|http://www.techsec.com/html/Security%20Conference%202014.html
|-
|Mobile Forensics World
|Jun 01-04<br>Myrtle Beach, SC, USA
|http://www.techsec.com/html/MFC-2014-Spring.html
|-
|12th International Conference on Applied Cryptography and Network Security
|Jun 10-13<br>Lausanne, Switzerland
|http://acns2014.epfl.ch/
|-
|2nd ACM Workshop on Information Hiding and Multimedia Security
|Jun 11-13<br>Salzburg, Austria
|http://www.ihmmsec.org/
|-
|54th Conference on Audio Forensics
|Jun 12-14<br>London, England
|http://www.aes.org/conferences/54/
|-
|2014 USENIX Annual Technical Conference
|Jun 19-20<br>Philadelphia, PA, USA
|https://www.usenix.org/conference/atc14
|-
|44th Annual IEEE/IFIP International Conference on Dependable Systems and Networks
|Jun 23-26<br>Atlanta, GA, USA
|http://www.dsn.org/
|-
|Symposium On Usable Privacy and Security (SOUPS) 2014
|Jul 09-11<br>Menlo Park, CA, USA
|http://cups.cs.cmu.edu/soups/2014/
|-
|Black Hat USA 2014
|Aug 02-07<br>Las Vegas, NV, USA
|https://www.blackhat.com
|-
|DFRWS 2014
|Aug 03-06<br>Denver, CO, USA
|http://dfrws.org/2014/index.shtml
|-
|RCFG GMU 2014
|Aug 04-08<br>Fairfax, VA, USA
|http://www.rcfg.org/gmu/
|-
|23rd USENIX Security Symposium
|Aug 20-22<br>San Diego, CA, USA
|https://www.usenix.org/conferences
|-
|2014 HTCIA International Conference & Training Expo
|Aug 25-27<br>Austin, TX
|http://www.htcia.org/2013/11/2014-htcia-international-conference-training-expo/
|-
|6th International Conference on Digital Forensics & Cyber Crime
|Sep 18-20<br>New Haven, CT
|http://d-forensics.org/2014/show/home
|-
|25th Annual Conference & Digital Multimedia Evidence Training Symposium
|Oct 06-10<br>Coeur d’Alene, ID, USA
|http://www.leva.org/annual-training-conference/
|}

== See Also ==

* [[Training Courses and Providers]]

== References ==

* [http://faculty.cs.tamu.edu/guofei/sec_conf_stat.htm Computer Security Conference Ranking and Statistic]
* [http://www.kdnuggets.com/meetings/ Meetings and Conferences in Data Mining and Discovery]
* [http://www.conferencealerts.com/data.htm Data Mining Conferences World-Wide]