
libprefetch

Forensic library; parser and reader for Microsoft Prefetch files

2 releases

Uses old Rust 2015

0.1.1 Mar 23, 2018
0.1.0 Mar 23, 2018

Used in prefetchkit

WTFPL license

135KB
814 lines

libprefetch


A forensic library which parses and reads Microsoft Prefetch files.

libprefetch fully supports the following versions of Windows:

  • Windows 2003
  • Windows XP
  • Windows Vista
  • Windows 7
  • Windows 8/8.1

libprefetch partially supports Windows 10.

Features:

  • Parser and validator
  • Auto detects version of Windows
  • Provides the last execution time and the execution counter
  • Provides metric information about loaded files (DLLs etc.) when available, such as:
    • filename
    • start time
    • duration
    • average duration
    • NTFS MFT entry
    • NTFS sequence number
  • Provides the trace chains (unavailable for Windows 10)
  • Provides all pieces of information about the volumes:
    • device path
    • creation time
    • serial number
    • list of directories

This library will be used in a global forensic computing library very soon.

Usage

Add this to your Cargo.toml:

[dependencies]
libprefetch = "0.1.1"

and this to your crate root:

extern crate libprefetch;

Example

extern crate libprefetch;

use libprefetch::Prefetch;

fn main() {
    let file = std::fs::File::open("assets/WUAUCLT.EXE-399A8E72.pf").unwrap();

    let prefetch = Prefetch::new(file).unwrap();

    // Prints some information
    println!("Executable {} launched {} times. The last time was: {}",
      prefetch.name(),
      prefetch.execution_counter(),
      prefetch.last_execution_time() // TODO: format the FILETIME here
    );

    // Iterates over all loaded DLLs etc. for the prefetch file
    println!(" ===== File metrics ===== ");
    for metric in prefetch.metrics().unwrap() {
      println!("#{}: {}", metric.id(), metric.filename());
      println!("    start time: {}", metric.start_time().unwrap());
      println!("    duration: {}", metric.duration().unwrap());
      println!(" ------------------------------- ");
    }

    // Iterates over the volumes
    println!(" ===== Volumes ===== ");
    for volume in prefetch.volumes().unwrap() {
      println!("Volume #{}:", volume.id());
      println!("    Path: {}", volume.device_path());
      println!("    Creation time: {}", volume.creation_time());
      println!("    Serial number: {}", volume.serial_number());
      println!("    Directories: ");
      for directory in volume.directories().unwrap() {
        println!("        {}", directory);
      }
    }
}
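The feature list above mentions a validator and automatic detection of the Windows version, and the example leaves the FILETIME formatting as a TODO. The following is an added, self-contained illustration of what those two pieces look like at the byte level; it is not libprefetch's own code and uses none of its API. It assumes the publicly documented .pf header layout (version at offset 0, "SCCA" signature at offset 4, file size at offset 12, UTF-16LE executable name at offset 16, prefetch hash at offset 76), the usual version-to-Windows mapping (17, 23, 26, 30), and the "MAM\x04" compressed container used by Windows 10 files; the sample header bytes are constructed for the demonstration, not taken from a real file.

```rust
// Added example (not libprefetch's code): minimal header parser/validator
// for Microsoft Prefetch files plus a FILETIME-to-Unix converter.
// Assumed header layout (public format documentation, 84-byte header):
//   offset 0  u32 LE  format version: 17 = XP/2003, 23 = Vista/7, 26 = 8/8.1, 30 = 10
//   offset 4  4 bytes signature "SCCA"
//   offset 12 u32 LE  total file size
//   offset 16 60 bytes executable name, UTF-16LE, NUL terminated
//   offset 76 u32 LE  prefetch hash (the hex suffix of the .pf file name)
// Windows 10 wraps the file in an "MAM\x04" container (LZXPRESS Huffman);
// this header only exists after decompression, so such input is refused.

use std::convert::TryInto;

#[derive(Debug, Clone, PartialEq)]
pub enum WindowsVersion { Xp2003, Vista7, Win8, Win10 }

#[derive(Debug, PartialEq)]
pub struct Header {
    pub version: u32,
    pub windows: WindowsVersion,
    pub file_size: u32,
    pub executable: String,
    pub hash: u32,
}

#[derive(Debug, PartialEq)]
pub enum ParseError {
    TooShort(usize),
    Compressed,                  // Windows 10 "MAM\x04" container
    BadSignature([u8; 4]),
    UnknownVersion(u32),
    SizeMismatch { header: u32, actual: usize },
}

fn u32_at(buf: &[u8], off: usize) -> u32 {
    u32::from_le_bytes(buf[off..off + 4].try_into().unwrap())
}

pub fn parse_header(buf: &[u8]) -> Result<Header, ParseError> {
    if buf.len() >= 4 && &buf[..4] == b"MAM\x04" {
        return Err(ParseError::Compressed);
    }
    if buf.len() < 84 {
        return Err(ParseError::TooShort(buf.len()));
    }
    let sig: [u8; 4] = buf[4..8].try_into().unwrap();
    if &sig != b"SCCA" {
        return Err(ParseError::BadSignature(sig));
    }
    let version = u32_at(buf, 0);
    let windows = match version {
        17 => WindowsVersion::Xp2003,
        23 => WindowsVersion::Vista7,
        26 => WindowsVersion::Win8,
        30 => WindowsVersion::Win10,
        v => return Err(ParseError::UnknownVersion(v)),
    };
    // The size field must describe the buffer we were handed; a mismatch
    // means truncation or tampering, so the file is rejected rather than read.
    let file_size = u32_at(buf, 12);
    if file_size as usize != buf.len() {
        return Err(ParseError::SizeMismatch { header: file_size, actual: buf.len() });
    }
    let name_units: Vec<u16> = buf[16..76]
        .chunks_exact(2)
        .map(|c| u16::from_le_bytes([c[0], c[1]]))
        .take_while(|&u| u != 0)
        .collect();
    let executable = String::from_utf16_lossy(&name_units);
    Ok(Header { version, windows, file_size, executable, hash: u32_at(buf, 76) })
}

/// Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to Unix seconds.
pub fn filetime_to_unix(ft: u64) -> i64 {
    const EPOCH_DIFF_SECS: i64 = 11_644_473_600; // 1601-01-01 to 1970-01-01
    (ft / 10_000_000) as i64 - EPOCH_DIFF_SECS
}

/// Constructed sample: a bare Vista/7-style header (no body sections).
pub fn sample_header() -> Vec<u8> {
    let mut buf = vec![0u8; 84];
    buf[0..4].copy_from_slice(&23u32.to_le_bytes());
    buf[4..8].copy_from_slice(b"SCCA");
    buf[12..16].copy_from_slice(&84u32.to_le_bytes());
    for (i, u) in "WUAUCLT.EXE".encode_utf16().enumerate() {
        buf[16 + 2 * i..18 + 2 * i].copy_from_slice(&u.to_le_bytes());
    }
    buf[76..80].copy_from_slice(&0x399A8E72u32.to_le_bytes());
    buf
}

fn main() {
    match parse_header(&sample_header()) {
        Ok(h) => println!("{} (version {}, {:?}), hash {:08X}",
                          h.executable, h.version, h.windows, h.hash),
        Err(e) => println!("rejected: {:?}", e),
    }
    println!("FILETIME 116444736000000000 = Unix {}", filetime_to_unix(116_444_736_000_000_000));
}
```

The size check is the part worth keeping in mind when triaging files collected from a live system: a header whose size field disagrees with the file on disk is a truncated or edited artifact, and a parser that silently reads past it produces timelines that cannot be trusted.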


Releases

Release notes are available in RELEASES.md.

Compatibility

libprefetch seems to work with Rust 1.9 and later.

License

http://www.wtfpl.net/about/

No runtime deps