[Vol-users] Parsing prefetch files

Jamie Levy jamie.levy at gmail.com
Thu Jan 3 21:07:37 CST 2013


Hi Dave,

Actually I have looked a little at carving prefetch files from memory;
it hasn't yet proved fruitful in a case.  It seems that prefetch files
may not be entirely in memory, but you can find the header (which
actually differs a little bit from the one on disk) and some partial
data, like up to the prefetch file name ([name-hash.pf]).

The prefetch name alone has been helpful in some cases where we were
able to tell where malicious files had been run from, by analyzing the
hash.  I have a script that generates the prefetch filename based on
the path (except for hosted programs in this script) that I released a
little over two years ago:
https://github.com/gleeda/misc-scripts/blob/master/prefetch/prefetch_hash.py
and I have other versions that brute force paths and use precalculated
whitelists of known executables etc.

It also appears that prefetch files are not obtainable using the
dumpfiles plugin.

As far as I know no one has yet released a plugin that scans
for/carves out prefetch files.  It will be interesting to see what you
come up with!  Let us know if you want to write up a plugin and need
any help.

All the best,

-gleeda



On Thu, Dec 27, 2012 at 7:19 PM, David Nardoni <dnardoni at gmail.com> wrote:
> Has anyone done any research about parsing prefetch files out of memory images? I was working with the latest version of volatility 2.3 and found the mftparser plugin very helpful.  I was looking specifically at prefetch files and looking to possibly parse the prefetch files if they exist in memory to see what files may have been accessed by specific executables.
>
> Just wondering if anyone has looked at this or thought about developing a plugin around this?
>
> Dave
>
> _______________________________________________
> Vol-users mailing list
> Vol-users at volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users



-- 
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3  64C2 196B 2AB5 27A4 AC92
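The path-to-prefetch-name trick gleeda describes above, as an added worked example that is not part of the original thread, not her prefetch_hash.py and not Volatility code: both well-known prefetch path hashes (the XP/2003 one and the Vista/7 one) are computed over the upper-cased NT device path of the executable, and the resulting 32-bit value becomes the eight hex digits in NAME-HASH.pf. Given only a name carved from memory, the same functions can be run over a list of candidate volumes and directories to recover where the binary was run from. The volume names, directory list and the EVIL.EXE sample path are constructed for the example; the later Windows 8/2008 hash variant and the "hosted" programs (svchost.exe, rundll32.exe, mmc.exe, dllhost.exe), whose hash also covers the command line, are deliberately left out, as they were in the script mentioned above.

```python
# Added example (not from the original post or gleeda's prefetch_hash.py):
# rebuild a prefetch file name (NAME-HASH.pf) from an NT device path, and
# brute-force the on-disk path behind a name carved from memory.
#
# Covers the XP/2003 and Vista/7 path hashes only; the Windows 8/2008 variant
# and the "hosted" programs (svchost.exe, rundll32.exe, mmc.exe, dllhost.exe),
# whose hash also covers the command line, are not handled here.

MASK32 = 0xFFFFFFFF


def scca_xp_hash(path):
    """Prefetch path hash used by Windows XP / Server 2003 (expects an upper-cased path)."""
    h = 0
    for ch in path:
        h = (h * 37 + ord(ch)) & MASK32
    h = (h * 314159269) & MASK32
    # the native code treats the product as a signed 32-bit int and takes abs()
    if h > 0x80000000:
        h = 0x100000000 - h
    return h % 1000000007


def scca_vista_hash(path):
    """Prefetch path hash used by Windows Vista / 7 (expects an upper-cased path)."""
    h = 314159
    for ch in path:
        h = (h * 37 + ord(ch)) & MASK32
    return h


HASH_FUNCTIONS = {"xp": scca_xp_hash, "vista": scca_vista_hash}


def prefetch_name(path, variant="vista"):
    """Return the NAME-HASH.pf file name for an NT device path such as
    \\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\CMD.EXE (case-insensitive)."""
    path = path.upper()
    exe = path.rsplit("\\", 1)[-1]
    return "%s-%08X.pf" % (exe, HASH_FUNCTIONS[variant](path))


def parse_prefetch_name(pf_name):
    """Split CMD.EXE-4A81B364.pf into ('CMD.EXE', 0x4A81B364); ValueError if malformed."""
    name = pf_name.upper()
    if not name.endswith(".PF"):
        raise ValueError("not a prefetch file name: %r" % pf_name)
    stem, sep, hexhash = name[:-3].rpartition("-")
    if not sep or len(hexhash) != 8:
        raise ValueError("no 8-digit hash in %r" % pf_name)
    return stem, int(hexhash, 16)  # int() raises ValueError on non-hex digits


# Constructed candidates for the brute force: volumes the image might have had
# and directories executables are commonly run from (extend these per case).
VOLUMES = ("\\DEVICE\\HARDDISKVOLUME1", "\\DEVICE\\HARDDISKVOLUME2")
CANDIDATE_DIRS = (
    "WINDOWS\\SYSTEM32",
    "WINDOWS",
    "WINDOWS\\TEMP",
    "PROGRAM FILES",
    "USERS\\ALICE\\APPDATA\\LOCAL\\TEMP",
    "USERS\\ALICE\\DOWNLOADS",
)


def find_source_path(pf_name, dirs=CANDIDATE_DIRS, volumes=VOLUMES,
                     variants=("vista", "xp")):
    """Brute-force which (variant, path) produces the hash in a prefetch name.
    Returns (variant, path) for the first match, or None if nothing matches."""
    exe, target = parse_prefetch_name(pf_name)
    for variant in variants:
        hash_fn = HASH_FUNCTIONS[variant]
        for vol in volumes:
            for d in dirs:
                path = "%s\\%s\\%s" % (vol, d, exe)
                if hash_fn(path) == target:
                    return variant, path
    return None


# Constructed sample: a binary run from the user's temp directory on a Win7 box.
SAMPLE_PATH = "\\DEVICE\\HARDDISKVOLUME1\\USERS\\ALICE\\APPDATA\\LOCAL\\TEMP\\EVIL.EXE"

if __name__ == "__main__":
    name = prefetch_name(SAMPLE_PATH)   # what you would carve out of memory
    print(name)
    print(find_source_path(name))       # recovers ('vista', SAMPLE_PATH)
```

The brute force is only as good as the candidate list, and the hash is over the full device path, so a second volume (HARDDISKVOLUME2) or a differently named user profile produces a different hash for the same executable name; when nothing matches, widen the volumes and directories rather than trusting the negative.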