FS_Forensic_Prefetch

The `forensic/prefetch` directory

The directory forensic/prefetch exists as a sub-directory to the file system root.

The directory is hidden by default. It will appear once forensic mode has been started and processing is completed.

The directory contains data recovered from Windows prefetch files as follows:

File	Description
00-prefetch-summary.txt	Summary file containing prefetch information.
`<N>`-`<name>`.pf	Recovered prefetch file.
`<N>`-`<name>`.pf.txt	List of files referenced by the prefetched application.

Recovered prefetch data includes:

Executable name.
Number of executions (runs).
Last 8 execution times.
List of files referenced by the application.

The MemProcFS prefetch implementation parses prefetch files on Windows 8 and upwards.

Files in the forensic/prefetch directory are read-only.

00-prefetch-summary.txt

The file 00-prefetch-summary.txt contains summary prefetch summary information for recovered prefetch files. This includes name, number of runs, last eight execution times.

The file 00-prefetch-summary.txt have the following format:

   # Process              RunCount #Files PrefetchFile                           RunTime1                 RunTime2                 RunTime3                 RunTime4                 RunTime5                 RunTime6                 RunTime7                 RunTime8               
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
0000 GOOGLECRASHHANDLER64.EXE    4     34 GOOGLECRASHHANDLER64.EXE-00550B3D.pf   2019-08-12 22:00:30 UTC  2019-07-22 01:24:04 UTC  2019-06-06 17:56:14 UTC  2019-05-31 00:26:25 UTC                      ***                      ***                      ***                      ***
0001 SYSTEMSETTINGS.EXE          4    265 SYSTEMSETTINGS.EXE-45A5EC0B.pf         2019-08-12 22:51:41 UTC  2019-01-12 19:15:59 UTC  2019-01-12 19:07:26 UTC  2019-01-07 02:52:48 UTC                      ***                      ***                      ***                      ***
0002 SECURITYHEALTHSERVICE.EXE   7     83 SECURITYHEALTHSERVICE.EXE-4AC18DFE.pf  2019-08-12 22:37:20 UTC  2019-08-12 22:22:04 UTC  2019-08-12 21:59:14 UTC  2019-06-02 21:56:12 UTC  2019-05-31 00:19:46 UTC  2019-01-11 19:45:47 UTC  2019-01-07 03:00:56 UTC                      ***

Example

The example shows the prefetch file summary as well as a prefetch file listing.

For Developers

The forensic/prefetch sub-directory is implemented as a built-in native C-code plugin. The plugin source is located in the file modules/m_fc_prefetch.c in the vmm project.

Overview

API

Root File System

(root)
conf
forensic
- csv
- files
- findevil
- json
- ntfs
- prefetch
- timeline
- web
- yara
misc
- bitlocker
- eventlog
- phys2virt
- procinfo
- search
  - bin
  - yara
- view
registry
sys
- certificates
- drivers
- memory
- objects
- net
- pool
- proc
- services
- syscall
- sysinfo
- tasks
- users
vm

FS_Forensic_Prefetch

The forensic/prefetch directory

00-prefetch-summary.txt

Example

For Developers

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Overview

API

Root File System

Per-Process File System

Development

FAQ

Clone this wiki locally

The `forensic/prefetch` directory