Hi Dave,

Actually I have looked a little at carving prefetch files from memory;
it hasn't yet proved fruitful in a case. It seems that prefetch files
may not be entirely in memory, but you can find the header (which
actually differs a little bit from the one on disk) and some partial
data, like up to the prefetch file name ([name-hash.pf]).

The prefetch name alone has been helpful in some cases where we were
able to tell where malicious files had been run from, by analyzing the
hash. I have a script that generates the prefetch filename based on
the path (except for hosted programs in this script) that I released a
little over two years ago:

https://github.com/gleeda/misc-scripts/blob/master/prefetch/prefetch_hash.py

and I have other versions that brute force paths and use precalculated
whitelists of known executables etc.

It also appears that prefetch files are not obtainable using the
dumpfiles plugin.

As far as I know no one has yet released a plugin that scans
for/carves out prefetch files. It will be interesting to see what you
come up with! Let us know if you want to write up a plugin and need
any help.

All the best,
-gleeda

On Thu, Dec 27, 2012 at 7:19 PM, David Nardoni <dnardoni(a)gmail.com> wrote:
> Has anyone done any research about parsing prefetch
> files out of memory images? I was working with the latest version of volatility 2.3 and
> found the mftparser plugin very helpful. I was looking specifically at prefetch files and
> looking to possibly parse the prefetch files if they exist in memory to see what files may
> have been accessed by specific executables.
>
> Just wondering if anyone has looked at this or thought about developing a plugin around
> this?
>
> Dave
--
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
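
An added example, not part of the original thread and not gleeda's script: a minimal Python sketch that scans a raw memory buffer for prefetch file names of the form name-hash.pf and flags names whose hash is absent from a precalculated whitelist. The function names, the 64-character name bound, the two encodings searched, the sample buffer and every hash value are assumptions constructed for illustration.

```python
import re

# Loose pattern for a prefetch file name, EXENAME-XXXXXXXX.pf (8 hex digits).
# The 64-character bound on the name is an assumption made for this example.
_CH = rb"[A-Z0-9_.$~-]"
_ASCII = re.compile(rb"(" + _CH + rb"{1,64})-([0-9A-F]{8})\.pf", re.I)
_UTF16 = re.compile(
    rb"((?:" + _CH + rb"\x00){1,64})-\x00((?:[0-9A-F]\x00){8})\.\x00p\x00f\x00",
    re.I,
)


def carve_prefetch_names(buf):
    """Return sorted (offset, exe_name, path_hash) tuples found in buf."""
    hits = []
    for rx, enc in ((_ASCII, "ascii"), (_UTF16, "utf-16-le")):
        for m in rx.finditer(buf):
            exe = m.group(1).decode(enc).upper()
            path_hash = m.group(2).decode(enc).upper()
            hits.append((m.start(), exe, path_hash))
    return sorted(hits)


def unexpected_locations(hits, known):
    """Keep hits whose executable is whitelisted but whose path hash is not.

    A known name paired with an unknown hash means the program was run
    from a path other than the whitelisted one.
    """
    return [h for h in hits if h[1] in known and h[2] not in known[h[1]]]


# Constructed sample: two UTF-16LE names and one ASCII name between filler.
SAMPLE = (
    b"\x00" * 16
    + "\\Windows\\Prefetch\\NOTEPAD.EXE-1A2B3C4D.pf".encode("utf-16-le")
    + b"\xff" * 7
    + b"SVCHOST.EXE-0BADF00D.pf"
    + b"\x00" * 8
    + "SVCHOST.EXE-5E6F7A8B.pf".encode("utf-16-le")
)

# Constructed whitelist: executable name -> hashes of its expected paths.
KNOWN = {"NOTEPAD.EXE": {"1A2B3C4D"}, "SVCHOST.EXE": {"5E6F7A8B"}}

if __name__ == "__main__":
    for offset, exe, path_hash in unexpected_locations(
        carve_prefetch_names(SAMPLE), KNOWN
    ):
        print(f"0x{offset:x}: {exe} ran from an unlisted path ({path_hash})")
```

In practice the whitelist would be generated by hashing known-good paths with a script such as the one linked above.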