[Vol-users] Parsing prefetch files

david nardoni dnardoni at gmail.com
Fri Jan 4 10:37:53 CST 2013

This is helpful information. The mft parser in volatility led me down
this path. I will see what I can find and if I get anywhere I will
share it with the group. Thanks again!

Sent from my iPhone

On Jan 3, 2013, at 7:07 PM, Jamie Levy <jamie.levy at gmail.com> wrote:

> Hi Dave,
> Actually I have looked a little at carving prefetch files from memory-
> it hasn't yet proved fruitful in a case.  It seems that prefetch files
> may not be entirely in memory, but you can find the header (which
> actually differs a little bit from the one on disk) and some partial
> data, like up to the prefetch file name ([name-hash.pf]).
> The prefetch name alone has been helpful in some cases where we were
> able to tell where malicious files had been run from, by analyzing the
> hash.  I have a script that generates the prefetch filename based on
> the path (except for hosted programs in this script) that I released a
> little over two years ago:
> https://github.com/gleeda/misc-scripts/blob/master/prefetch/prefetch_hash.py
> and I have other versions that brute force paths and use precalculated
> whitelists of known executables etc.
> It also appears that prefetch files are not obtainable using the
> dumpfiles plugin.
> As far as I know no one has yet released a plugin that scans
> for/carves out prefetch files.  It will be interesting to see what you
> come up with!  Let us know if you want to write up a plugin and need
> any help.
> All the best,
> -gleeda
> On Thu, Dec 27, 2012 at 7:19 PM, David Nardoni <dnardoni at gmail.com> wrote:
>> Has anyone done any research about parsing prefetch files out of memory images? I was working with the latest version of volatility 2.3 and found the mftparser plugin very helpful.  I was looking specifically at prefetch files and looking to possibly parse the prefetch files if they exist in memory to see what files may have been accessed by specific executables.
>> Just wondering if anyone has looked at this or thought about developing a plugin around this?
>> Dave
>> _______________________________________________
>> Vol-users mailing list
>> Vol-users at volatilityfoundation.org
>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
> --
> PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3  64C2 196B 2AB5 27A4 AC92

More information about the Vol-users mailing list