[Vol-users] Parsing prefetch files
jamie.levy at gmail.com
Thu Jan 3 21:07:37 CST 2013
Actually I have looked a little at carving prefetch files from memory;
it hasn't yet proved fruitful in a case. It seems that prefetch files
may not be entirely in memory, but you can find the header (which
actually differs a little bit from the one on disk) and some partial
data, like up to the prefetch file name ([name-hash.pf]).
The prefetch name alone has been helpful in some cases where we were
able to tell where malicious files had been run from, by analyzing the
hash. I have a script that generates the prefetch filename based on
the path (except for hosted programs in this script) that I released a
little over two years ago:
and I have other versions that brute force paths and use precalculated
whitelists of known executables etc.
It also appears that prefetch files are not obtainable using the
As far as I know no one has yet released a plugin that scans
for/carves out prefetch files. It will be interesting to see what you
come up with! Let us know if you want to write up a plugin and need
All the best,
On Thu, Dec 27, 2012 at 7:19 PM, David Nardoni <dnardoni at gmail.com> wrote:
> Has anyone done any research about parsing prefetch files out of memory images? I was working with the latest version of volatility 2.3 and found the mftparser plugin very helpful. I was looking specifically at prefetch files and looking to possibly parse the prefetch files if they exist in memory to see what files may have been accessed by specific executables.
> Just wondering if anyone has looked at this or thought about developing a plugin around this?
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
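An added example (not Jamie's released script and not Volatility code) of the two ideas in the reply above: reconstructing the `NAME-HASH.pf` filename from a device path, and scanning a memory-style buffer for prefetch headers so a carved name/hash pair can be checked against candidate paths. The hash functions follow the publicly documented XP/2003 and Vista/7 prefetch hash algorithms; Windows 8 uses a different function and is not shown. The header layout used (version, `SCCA`, executable name at 0x10, hash at 0x4C) is the on-disk layout, which the mail notes differs slightly in memory, so treat the offsets as an assumption when scanning a real image. The sample buffer and candidate paths are constructed.

```python
"""Prefetch filename reconstruction and header carving (added example).

Assumes the documented XP/2003 and Vista/7 hash algorithms and the on-disk
header layout; the sample buffer below is constructed, not from a case.
"""
import re
import struct

XP_VERSION = 0x11      # Windows XP / 2003 prefetch header version
VISTA_VERSION = 0x17   # Windows Vista / 7 prefetch header version


def xp_hash(path: str) -> int:
    """Windows XP/2003 prefetch hash over the upper-cased device path."""
    h = 0
    for ch in path.upper():
        h = (h * 37 + ord(ch)) & 0xFFFFFFFF
    h = (h * 314159269) & 0xFFFFFFFF
    if h > 0x80000000:
        h = 0x100000000 - h
    return (abs(h) % 1000000007) & 0xFFFFFFFF


def vista_hash(path: str) -> int:
    """Windows Vista/7 prefetch hash over the upper-cased device path."""
    h = 314159
    for ch in path.upper():
        h = (h * 37 + ord(ch)) & 0xFFFFFFFF
    return h


HASHERS = {XP_VERSION: xp_hash, VISTA_VERSION: vista_hash}


def prefetch_name(path: str, version: int) -> str:
    """Build NAME-HASH.pf from a device path such as \\DEVICE\\HARDDISKVOLUME1\\...\\FOO.EXE."""
    base = path.rsplit("\\", 1)[-1].upper()
    return f"{base}-{HASHERS[version](path):08X}.pf"


def make_header(version: int, exe_name: str, hash_value: int) -> bytes:
    """Constructed on-disk-style header: version, 'SCCA', unknown, size,
    executable name (60 bytes UTF-16LE, at 0x10), hash (at 0x4C), padding."""
    name = exe_name.upper().encode("utf-16-le")[:58].ljust(60, b"\x00")
    return (struct.pack("<I", version) + b"SCCA" + struct.pack("<II", 0x0F, 0)
            + name + struct.pack("<I", hash_value) + b"\x00" * 12)


# Version byte followed by the SCCA signature; 0x1A (Windows 8) is matched
# so it is reported, but no hash function is provided for it here.
HEADER_RE = re.compile(rb"[\x11\x17\x1A]\x00\x00\x00SCCA")


def carve_headers(buf: bytes):
    """Scan a buffer for prefetch headers; return (offset, version, exe_name, hash)."""
    found = []
    for m in HEADER_RE.finditer(buf):
        off = m.start()
        if off + 0x50 > len(buf):       # header truncated at end of buffer
            continue
        version = buf[off]
        raw = buf[off + 0x10: off + 0x10 + 60]
        exe_name = raw.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
        h = struct.unpack_from("<I", buf, off + 0x4C)[0]
        found.append((off, version, exe_name, h))
    return found


def match_paths(exe_name: str, hash_value: int, version: int, candidates):
    """Brute force: which candidate device paths reproduce a carved name/hash pair."""
    hasher = HASHERS.get(version)
    if hasher is None:
        return []
    return [p for p in candidates
            if p.rsplit("\\", 1)[-1].upper() == exe_name.upper()
            and hasher(p) == hash_value]


# Constructed sample: a Vista/7 header for notepad.exe embedded in filler bytes.
TRUE_PATH = "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NOTEPAD.EXE"
DECOY_PATH = "\\DEVICE\\HARDDISKVOLUME1\\USERS\\PUBLIC\\NOTEPAD.EXE"
SAMPLE = (b"\x00" * 37 + make_header(VISTA_VERSION, "notepad.exe", vista_hash(TRUE_PATH))
          + b"\xff" * 21)


def demo():
    """Carve the sample and resolve each hit against the candidate paths."""
    results = []
    for off, version, name, h in carve_headers(SAMPLE):
        results.append((off, f"{name}-{h:08X}.pf",
                        match_paths(name, h, version, [TRUE_PATH, DECOY_PATH])))
    return results


if __name__ == "__main__":
    for off, pf, paths in demo():
        print(f"offset {off:#x}: {pf} -> {paths}")
```

Only a path whose basename and hash both match is reported, so a carved filename plus a whitelist of known executable locations narrows down where a binary was run from, which is the use the reply describes.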