Monday, 21 October 2013

Windows Prefetch (.PF) files

Thanks to Wayback machine (web.archive.org), I have been able to retrieve my old posts about Prefetch files from 42 LLC. You can find the original (slightly edited) post here now. It contains format information and the prefetch hash algorithm.

Windows 8 Prefetch files

Of late there has been some discussion about Windows 8 prefetch files on forensicfocus.com and some mailing lists. Everybody seems to know about the change from recording a single Last Executed Time to the last 8 executed times. There is some confusion about the hashing algorithm. So I've revisited this artifact and here is what I found (for Windows 8).

Windows 8 still uses the same prefetch hash calculation algorithm. A few offsets have changed but the structure of the .pf file is still the same. The only change seems to be the addition of 7 new timestamps. This is because the prefetch file now stores the timestamp of the last 8 times the application was executed. My old EnScript code has been updated to reflect this. Download here.

There is some extra data in the volume information block that still remains a mystery. Refer to the old post for the volume information block structure.

The new Windows 8 prefetch file structure is as follows:
0x00 = 1A 00 00 00
0x04 = SCCA
0x08 = 11 00 00 00
0x0C = 4 byte size of pf file itself
0x10 = 60 bytes of filename
0x4C = 4 bytes hash (same as in filename)
0x50-0x57 = unknown
0x58 = Number of Filepaths referenced
0x5C-0x63 = unknown
0x64 = Offset to Block containing Filepaths (DWORD)
0x68 = Length of Block containing Filepaths (DWORD)
0x6C = Offset to Volume Information Blocks (DWORD)
0x70 = Number of Volume Information Blocks present (DWORD)
0x74 = Size of all volume info blocks (DWORD)
0x78 = unknown
0x7C = unknown
0x80 = Program Last Execution Time (1) (FILETIME)
0x88 = Program Last Execution Time (2) (FILETIME)
0x90 = Program Last Execution Time (3) (FILETIME)
0x98 = Program Last Execution Time (4) (FILETIME)
0xA0 = Program Last Execution Time (5) (FILETIME)
0xA8 = Program Last Execution Time (6) (FILETIME)
0xB0 = Program Last Execution Time (7) (FILETIME)
0xB8 = Program Last Execution Time (8) (FILETIME)
0xC0-0xCF = unknown
0xD0 = Number of Executions (DWORD)
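The header layout above is enough to pull the execution history out of a Windows 8 prefetch file without any tool support. The following parser is an added example written for this post; it is not the author's EnScript and not part of any forensic tool. It walks the offsets exactly as listed (version 0x1A at 0x00, "SCCA" at 0x04, the 60-byte name at 0x10, the hash at 0x4C, the eight FILETIMEs from 0x80 and the run count at 0xD0), decodes the name field as UTF-16LE (a known property of the format that the post does not spell out), and flags the sanity problems an examiner would want to see: a size field that disagrees with the actual length, filepath or volume blocks that run past the end of the file, and a non-zero run count with no timestamp. The hash value is not computed here (the algorithm is in the old post); the sample header is constructed test data with a placeholder hash.

```python
import struct
from datetime import datetime, timedelta, timezone

# Size of the fixed header implied by the layout in the post: the last field
# (number of executions) is a DWORD at 0xD0, so the header spans 0x00..0xD3.
HEADER_SIZE = 0xD4
WIN8_VERSION = 0x1A


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100-ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)


def parse_win8_prefetch(data):
    """Parse the fixed header of a Windows 8 (version 0x1A) prefetch file.

    Returns a dict of header fields plus a list of consistency warnings.
    Offsets follow the layout given in the post; the filename field is decoded
    as UTF-16LE, which the post does not state but is how the format stores it.
    """
    if len(data) < HEADER_SIZE:
        raise ValueError("data is shorter than the fixed prefetch header")
    version, signature = struct.unpack_from("<I4s", data, 0x00)
    if signature != b"SCCA":
        raise ValueError("missing SCCA signature at offset 0x04")
    if version != WIN8_VERSION:
        raise ValueError("version 0x%02X is not a Windows 8 prefetch file" % version)

    file_size = struct.unpack_from("<I", data, 0x0C)[0]
    raw_name = data[0x10:0x10 + 60]
    executable = raw_name.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    prefetch_hash = struct.unpack_from("<I", data, 0x4C)[0]
    num_filepaths = struct.unpack_from("<I", data, 0x58)[0]
    fp_off, fp_len, vol_off, vol_count, vol_size = struct.unpack_from("<5I", data, 0x64)
    raw_times = struct.unpack_from("<8Q", data, 0x80)   # 0x80..0xBF, newest first
    run_count = struct.unpack_from("<I", data, 0xD0)[0]

    warnings = []
    if file_size != len(data):
        warnings.append("size field %d != actual length %d" % (file_size, len(data)))
    if fp_off + fp_len > len(data):
        warnings.append("filepath block extends past end of file")
    if vol_off + vol_size > len(data):
        warnings.append("volume information block extends past end of file")
    if run_count > 0 and raw_times[0] == 0:
        warnings.append("run count is non-zero but first execution time is empty")

    return {
        "executable": executable,
        "prefetch_hash": prefetch_hash,
        "file_size": file_size,
        "num_filepaths": num_filepaths,
        "filepath_block": (fp_off, fp_len),
        "volume_info": (vol_off, vol_count, vol_size),
        # Unused slots are zero; keep only the populated timestamps.
        "last_run_times": [filetime_to_datetime(t) for t in raw_times if t],
        "run_count": run_count,
        "warnings": warnings,
    }


def build_sample_header(run_count=3):
    """Construct a synthetic Windows 8 prefetch header (constructed test data, not a real file)."""
    hdr = bytearray(HEADER_SIZE)
    struct.pack_into("<I4sII", hdr, 0x00, WIN8_VERSION, b"SCCA", 0x11, HEADER_SIZE)
    hdr[0x10:0x10 + 60] = "CALC.EXE".encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", hdr, 0x4C, 0x12345678)   # placeholder hash, not computed
    struct.pack_into("<I", hdr, 0x58, 0)            # no filepaths in this sample
    # Empty filepath and volume blocks located right after the header.
    struct.pack_into("<5I", hdr, 0x64, HEADER_SIZE, 0, HEADER_SIZE, 0, 0)
    base = 130_000_000_000_000_000  # FILETIME for 2012-12-14 23:06:40 UTC
    times = [base - i * 600_000_000 for i in range(min(run_count, 8))]  # one minute apart
    times += [0] * (8 - len(times))
    struct.pack_into("<8Q", hdr, 0x80, *times)
    struct.pack_into("<I", hdr, 0xD0, run_count)
    return bytes(hdr)


if __name__ == "__main__":
    record = parse_win8_prefetch(build_sample_header())
    for key, value in record.items():
        print("%-16s %s" % (key, value))
```

To run it against a real file, read the .pf into memory and pass the bytes to parse_win8_prefetch; anything in the returned warnings list is worth a second look before the timestamps are relied on.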

3 comments:

  1. Not sure if you're going to repost your old posts, if so can you update your links on:
    http://www.forensicswiki.org/wiki/Prefetch#External_Links

    I've moved one of them to:
    http://www.forensicswiki.org/wiki/Talk:Prefetch

    Thanks in advance.

    1. Sorry just saw you already did on http://www.swiftforensics.com/2010/04/the-windows-prefetchfile.html

  2. Great job, Yogesh...thanks for sharing.
