The Prefetch file
In this section we present the main structures and data contained in a Prefetch file, which vary with the Windows operating system version.
The full documentation, including all the offsets, is available on the Wiki that goes along with the tool repository. We will do our best to keep it up-to-date.
The file is composed of 5 main sections:
- The header
- Section A (usage is still unknown)
- Section B (usage is still unknown)
- Section C, containing the fileset information
- One or more sections D (one per volume involved in the program loading phase), containing the directoryset and volume information
The header
- Length: 120 bytes
- Content:
  - Version of the file format (0x11=WinXP, 0x17=Win7, 0x1a=Win8)
  - Magic signature (“SCCA”)
  - Size of the prefetch file
  - Application name (up to 30 chars)
  - Checksum value (the one you can find after the dash in the prefetch filename)
  - Blocks describing offsets, number of entries and/or lengths of the remaining sections
After this fixed, version-independent part, there is extra relevant data to parse, at offsets that depend on the version:
- Last run timestamp
- Number of times the file has been executed
- Up to 7 other previous run timestamps (Windows 8 and above)
Section A
This section is an array of values whose role is still not understood by the community.
The length of one entry changes with the operating system:
- 20 bytes for Windows XP
- 32 bytes since Windows 7
Section B
Just like section A, this section is an array of values; each value is 12 bytes long.
The meaning of those values is still unknown.
Section C – fileset
This section is an array of UTF-16LE strings, separated by “\x00”.
Each string represents a file that is involved during the execution of the program.
Section D – directoryset and volumeinfo
Each section D contains:
- Volumeinfo header:
  - Volume creation timestamp
  - Volume serial number
  - Volume path
- Directory set, which is an array of UTF-16LE strings, each one corresponding to a directory path involved in section C
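As an added example (not the tool's own code), here is a minimal parser for the header fields and the section C fileset described above, run against a constructed Win8-style sample. The byte offsets, and the version-dependent positions of the last run timestamp and run counter, are taken from the Forensics Wiki description of the format and are assumptions of this example, since the page itself defers offsets to the tool's wiki. It also compares the header checksum with the hash after the dash in the file name, the quickest way to notice a renamed or tampered prefetch file.

```python
import struct
from datetime import datetime, timedelta, timezone

# Offsets (assumed from the Forensics Wiki format description, not from this page):
# 0x00 version, 0x04 "SCCA", 0x0C file size, 0x10 exe name (60 bytes UTF-16LE),
# 0x4C hash, 0x64/0x68 section C offset/length; run info is version dependent.
VERSIONS = {0x11: "WinXP", 0x17: "Win7", 0x1A: "Win8"}
RUN_INFO = {0x11: (120, 144), 0x17: (128, 152), 0x1A: (128, 208)}  # (lastRun, runCount)
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_prefetch(data, filename=None):
    version, magic = struct.unpack_from("<I4s", data, 0)
    if magic != b"SCCA" or version not in VERSIONS:
        raise ValueError("not a supported prefetch file")
    filesize = struct.unpack_from("<I", data, 0x0C)[0]
    name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    crc = struct.unpack_from("<I", data, 0x4C)[0]
    c_off, c_len = struct.unpack_from("<II", data, 0x64)
    # Section C: UTF-16LE strings, each terminated by a 16-bit null
    fileset = [s for s in data[c_off:c_off + c_len].decode("utf-16-le").split("\x00") if s]
    lr_off, rc_off = RUN_INFO[version]
    info = {"version": VERSIONS[version], "filesize": filesize, "appName": name,
            "crc": "%08X" % crc, "dwRun": struct.unpack_from("<I", data, rc_off)[0],
            "lastRun": filetime_to_dt(struct.unpack_from("<Q", data, lr_off)[0]),
            "fileset": fileset}
    if filename is not None:
        # The hash after the dash in the file name must equal the header value; a mismatch means a renamed or tampered file
        info["nameMatchesHeader"] = filename.upper().endswith("-%08X.PF" % crc)
    return info

def build_sample():
    """Constructed Win8-style (version 0x1A) image, not a real capture."""
    files = ["\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
             "\\DEVICE\\HARDDISKVOLUME1\\TEST\\SETUP.INI"]
    section_c = "".join(f + "\x00" for f in files).encode("utf-16-le")
    hdr = bytearray(212)  # 120-byte header plus Win8 run info up to the run counter
    struct.pack_into("<I4s", hdr, 0, 0x1A, b"SCCA")
    struct.pack_into("<I", hdr, 0x0C, len(hdr) + len(section_c))
    hdr[0x10:0x10 + 60] = "ACMSETUP.EXE".encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", hdr, 0x4C, 0x3E855E3C)
    struct.pack_into("<II", hdr, 0x64, len(hdr), len(section_c))
    last_run = datetime(2013, 3, 13, 13, 21, 32, tzinfo=timezone.utc)
    struct.pack_into("<Q", hdr, 128, int((last_run - EPOCH_1601).total_seconds()) * 10**7)
    struct.pack_into("<I", hdr, 208, 4)
    return bytes(hdr) + section_c
```

Sections A, B and D are skipped here; a full parser reads their offsets from the same header block at 0x54 onwards.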
Our tool
The tool we are releasing is a standalone Python file containing several classes that do the job. Everything was put into a single file to give extra flexibility:
- no need for installation
- no need for external dependencies
In addition to that, the code has been split into several classes so you can use it both as a standalone command line tool and as a Python library. Moreover, data parsing and output formatting are clearly separated, so you can add your own output style.
By default, results can be formatted in:
- a human readable form
- JSON
- XML
As usual, the tool is available in our Bitbucket repository and, like all our previous tools, the licence is GPLv3.
Usage
usage: prefetch.py [-h] [-o FILE] [-f FORMAT] [-r]
                   prefetch_files [prefetch_files ...]

positional arguments:
  prefetch_files

optional arguments:
  -h, --help            show this help message and exit
  -o FILE, --output FILE
                        Outputs the result to the given file
  -f FORMAT, --format FORMAT
  -r, --recursive
Unless overridden by the corresponding command line arguments, the output is written to stdout in TEXT (human readable) format. All errors are always directed to stderr.
Example
Here is a sample output of a Windows 8 prefetch file. All given timestamps are GMT.
$ prefetch.py ./ACMSETUP.EXE-3E855E3C.pf
###### ./ACMSETUP.EXE-3E855E3C.pf ######
magic = SCCA
version = 26
OS = Win8
filesize = 36472
crc = 3E855E3C
appName = ACMSETUP.EXE
appPath = \DEVICE\HARDDISKVOLUME5\~MSSETUP.T\TMP.T\ACMSETUP.EXE
dwRun = 4
lastRun = 2013-03-13 13:21:32
prevRun = 2013-03-13 13:17:59
prevRun = 2013-03-13 13:16:56
prevRun = 2013-03-13 13:10:40
Fileset
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WOW64.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WOW64WIN.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WOW64CPU.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\KERNEL32.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\KERNEL32.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\USER32.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\NTDLL.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\KERNELBASE.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\LOCALE.NLS
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\APPHELP.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\APPPATCH\SYSMAIN.SDB
\DEVICE\HARDDISKVOLUME1\WINDOWS\APPPATCH\ACLAYERS.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\MSVCRT.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\USER32.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\GDI32.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\SHELL32.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\SHLWAPI.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\OLEAUT32.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\MPR.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\SETUPAPI.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\SFC.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\WINSPOOL.DRV
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\RPCRT4.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\COMBASE.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\CFGMGR32.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\DEVOBJ.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\SSPICLI.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\SFC_OS.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\CRYPTBASE.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\SECHOST.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\BCRYPTPRIMITIVES.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\APPPATCH\ACGENRAL.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\UXTHEME.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\WINMM.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\SAMCLI.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\OLE32.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\MSACM32.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\VERSION.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\USERENV.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\DWMAPI.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\URLMON.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\ADVAPI32.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\WINMMBASE.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\PROFAPI.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\IERTUTIL.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\WININET.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\SHCORE.DLL
\DEVICE\HARDDISKVOLUME5\~MSSETUP.T\TMP.T\ACMSETUP.EXE
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\IMM32.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\MSCTF.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\EN-US\SETUPAPI.DLL.MUI
\DEVICE\HARDDISKVOLUME5\~MSSETUP.T\TMP.T\MSSETUP.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\LZ32.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\EN-US\USER32.DLL.MUI
\DEVICE\HARDDISKVOLUME1\WINDOWS\WIN.INI
\DEVICE\HARDDISKVOLUME5\~MSSETUP.T\TMP.T\SP698VBO.STF
\DEVICE\HARDDISKVOLUME1\WINDOWS\FONTS\STATICCACHE.DAT
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\CLBCATQ.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\TZRES.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\EN-US\TZRES.DLL.MUI
\DEVICE\HARDDISKVOLUME5\~MSSETUP.T\TMP.T\SP698VBO.INF
\DEVICE\HARDDISKVOLUME1\TEST\SETUP.INI
\DEVICE\HARDDISKVOLUME1\WINDOWS\APPPATCH\ACSPECFC.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\COMCTL32.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\MSCMS.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\DDRAW.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\COMDLG32.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\WS2_32.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\MSI.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\DCIMAN32.DLL
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\NSI.DLL
\DEVICE\HARDDISKVOLUME5\~MSSETUP.T\TMP.T\BBOARD.DLL
\DEVICE\HARDDISKVOLUME5\~MSSETUP.T\TMP.T\VSSETUP.TTF
\DEVICE\HARDDISKVOLUME1\WINDOWS\VSSETUP.TTF
\DEVICE\HARDDISKVOLUME1\WINDOWS\VSSETUP.FOR
\DEVICE\HARDDISKVOLUME5\~MSSETUP.T\TMP.T\VB98ENT.STF
\DEVICE\HARDDISKVOLUME5\~MSSETUP.T\TMP.T\VB98ENT.INF
\DEVICE\HARDDISKVOLUME1\$MFT
Dirsets
volume = \DEVICE\HARDDISKVOLUME5
volumeSN = DEB1-18C8
createTime = 2012-11-06 08:28:23
Entries
\DEVICE\HARDDISKVOLUME5\~MSSETUP.T
\DEVICE\HARDDISKVOLUME5\~MSSETUP.T\TMP.T
volume = \DEVICE\HARDDISKVOLUME1
volumeSN = D8B0-ED38
createTime = 2012-09-19 23:15:33
Entries
\DEVICE\HARDDISKVOLUME1\TEST
\DEVICE\HARDDISKVOLUME1\WINDOWS
\DEVICE\HARDDISKVOLUME1\WINDOWS\APPPATCH
\DEVICE\HARDDISKVOLUME1\WINDOWS\FONTS
\DEVICE\HARDDISKVOLUME1\WINDOWS\GLOBALIZATION
\DEVICE\HARDDISKVOLUME1\WINDOWS\GLOBALIZATION\SORTING
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\EN-US
\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64
Credits and conclusion
Thanks to the Forensics Wiki, most of the file format was already documented.
We hope that this tool will help a lot of fellow DFIR dudes during their missions.
Again, like any other tool we release, any feedback is much appreciated.