Re: [Vol-users] Parsing prefetch files

Hi Dave, Actually I have looked a little at carving prefetch files from memory- it hasn't yet proved fruitful in a case. It seems that prefetch files may not be entirely in memory, but you can find the header (which actually differs a little bit from the one on disk) and some partial data, like up to the prefetch file name ([name-hash.pf]). The prefetch name alone has been helpful in some cases where we were able to tell where malicious files had been run from, by analyzing the hash. I have a script that generates the prefetch filename based on the path (except for hosted programs in this script) that I released a little over two years ago: https://github.com/gleeda/misc-scripts/blob/master/prefetch/prefetch_hash.py and I have other versions that brute force paths and use precalculated whitelists of known executables etc. It also appears that prefetch files are not obtainable using the dumpfiles plugin. As far as I know no one has yet released a plugin that scans for/carves out prefetch files. It will be interesting to see what you come up with! Let us know if you want to write up a plugin and need any help. All the best, -gleeda On Thu, Dec 27, 2012 at 7:19 PM, David Nardoni <dnardoni(a)gmail.com> wrote: -- PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92