[Vol-users] Parsing prefetch files
dnardoni at gmail.com
Fri Jan 4 10:37:53 CST 2013
This is helpful information. The mft parser in volatility led me down
this path. I will see what I can find and if I get anywhere I will
share it with the group. Thanks again!
Sent from my iPhone
On Jan 3, 2013, at 7:07 PM, Jamie Levy <jamie.levy at gmail.com> wrote:
> Hi Dave,
> Actually I have looked a little at carving prefetch files from memory;
> it hasn't yet proved fruitful in a case. It seems that prefetch files
> may not be entirely in memory, but you can find the header (which
> actually differs a little bit from the one on disk) and some partial
> data, like up to the prefetch file name ([name-hash.pf]).
> The prefetch name alone has been helpful in some cases where we were
> able to tell where malicious files had been run from, by analyzing the
> hash. I have a script that generates the prefetch filename based on
> the path (except for hosted programs in this script) that I released a
> little over two years ago:
> and I have other versions that brute force paths and use precalculated
> whitelists of known executables etc.
> It also appears that prefetch files are not obtainable using the
> dumpfiles plugin.
> As far as I know no one has yet released a plugin that scans
> for/carves out prefetch files. It will be interesting to see what you
> come up with! Let us know if you want to write up a plugin and need
> any help.
> All the best,
> On Thu, Dec 27, 2012 at 7:19 PM, David Nardoni <dnardoni at gmail.com> wrote:
>> Has anyone done any research about parsing prefetch files out of memory images? I was working with the latest version of volatility 2.3 and found the mftparser plugin very helpful. I was looking specifically at prefetch files and looking to possibly parse the prefetch files if they exist in memory to see what files may have been accessed by specific executables.
>> Just wondering if anyone has looked at this or thought about developing a plugin around this?
> PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92
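As an added example for the technique Jamie describes (deriving the NAME-HASH.pf filename from a path, and brute-forcing candidate paths against a hash recovered from memory), the script below is not Jamie's released script and not Volatility code. The three hash routines follow the publicly documented Windows Prefetch (SCCA) hash variants (XP/2003, Vista, and 2008/7/8+). It assumes the hashed string is the executable's full path in NT device form, uppercased (e.g. \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CMD.EXE), and that the volume number is unknown and must be tried; the candidate directories, volume range and sample path are constructed for illustration. Hosted programs (svchost.exe, rundll32.exe, dllhost.exe, mmc.exe) fold their command line into the hashed string and are deliberately not handled, the same gap Jamie notes in her script.

```python
"""Generate and resolve Windows Prefetch file names (NAME-HASH.pf).

Added example for the Vol-users thread; not Volatility's code and not
Jamie Levy's script. Hash variants follow the public SCCA documentation:
  xp    -> Windows XP / 2003
  vista -> Windows Vista
  2008  -> Windows 2008 / 7 / 8 and later
Assumption: the hashed string is the full path in NT device form, uppercased.
Hosted programs (svchost.exe, rundll32.exe, ...) also hash their command
line; that case is not handled here.
"""
import re
from itertools import product

MASK32 = 0xFFFFFFFF


def scca_xp_hash(s: str) -> int:
    """Windows XP / 2003 prefetch hash."""
    h = 0
    for ch in s:
        h = (h * 37 + ord(ch)) & MASK32
    h = (h * 314159269) & MASK32
    if h > 0x80000000:
        h = 0x100000000 - h
    return (h % 1000000007) & MASK32


def scca_vista_hash(s: str) -> int:
    """Windows Vista prefetch hash."""
    h = 314159
    for ch in s:
        h = (h * 37 + ord(ch)) & MASK32
    return h


def scca_2008_hash(s: str) -> int:
    """Windows 2008 / 7 / 8+ prefetch hash (8 chars per round, Vista-style tail)."""
    h = 314159
    i, n = 0, len(s)
    while i + 8 < n:  # a full round needs at least 9 characters left
        v = ord(s[i + 1]) * 37
        v += ord(s[i + 2]); v *= 37
        v += ord(s[i + 3]); v *= 37
        v += ord(s[i + 4]); v *= 37
        v += ord(s[i + 5]); v *= 37
        v += ord(s[i + 6]); v *= 37
        v += ord(s[i]) * 442596621
        v += ord(s[i + 7])
        h = (v - h * 803794207) & MASK32
        i += 8
    while i < n:  # remaining characters, same as the Vista loop
        h = (h * 37 + ord(s[i])) & MASK32
        i += 1
    return h


HASHERS = {"xp": scca_xp_hash, "vista": scca_vista_hash, "2008": scca_2008_hash}


def device_path(win_path: str, volume: int) -> str:
    """C:\\Windows\\cmd.exe + volume 1 -> \\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\CMD.EXE (assumed form)."""
    if ":" not in win_path:
        raise ValueError("expected a drive-letter path")
    rest = win_path.split(":", 1)[1]
    return ("\\DEVICE\\HARDDISKVOLUME%d%s" % (volume, rest)).upper()


def prefetch_name(win_path: str, volume: int, variant: str) -> str:
    """Return the NAME-HASH.pf filename Windows would create for this path."""
    full = device_path(win_path, volume)
    exe = full.rsplit("\\", 1)[1]
    return "%s-%08X.pf" % (exe, HASHERS[variant](full))


PF_RE = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.I)


def resolve_prefetch_name(pf_name, candidate_dirs, volumes=range(1, 5),
                          variants=("2008", "vista", "xp")):
    """Brute-force the original path behind a carved NAME-HASH.pf name.

    candidate_dirs: drive-letter directories to try (a whitelist of known
    locations, or directories recovered from the MFT). Returns
    (device_path, variant) on the first match, else None.
    """
    m = PF_RE.match(pf_name)
    if not m:
        return None
    exe, want = m.group("exe").upper(), int(m.group("hash"), 16)
    for d, vol, var in product(candidate_dirs, volumes, variants):
        candidate = device_path(d.rstrip("\\") + "\\" + exe, vol)
        if HASHERS[var](candidate) == want:
            return candidate, var
    return None


if __name__ == "__main__":
    # Constructed sample: name a prefetch file, then recover its path from the name alone.
    name = prefetch_name("C:\\Windows\\System32\\cmd.exe", 1, "2008")
    print(name)
    print(resolve_prefetch_name(name, ["C:\\Users\\Public", "C:\\Windows\\System32"]))
```

The resolver is the "brute force paths / precalculated whitelist" idea in miniature: feed it the directories you already know from the MFT parser output and a small volume range, and a hit tells you both the full path and which Windows generation produced the file. A miss is not proof the path is unusual; it may be a hosted program, a path outside the whitelist, or a different volume number.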