3 stable releases
Uses old Rust 2015
1.0.2 | Mar 25, 2018 |
---|
#4 in #prefetch
110KB
324 lines
prefetchkit
A powerful forensic commandline tool for analyzing and extracting information from Microsoft Prefetch files.
It fully supports the following Prefetch version:
- Windows XP/2003
- Windows Vista/7
- Windows 8/8.1
If partially supports the following Prefetch version:
- Windows 10
Description
prefetchkit
is a commandline tool which parses and reads Microsoft Prefetch
files.
Prefetch files (with the .pf
or .PF
extension) are Windows system files
located in C:\WINDOWS\Prefetch\
. They help Windows loading executable faster.
prefetchkit
is a forensic tool: it extracts information such as the last
executable which was run, how many times that executable was run.
With the metrics
option, you can see what files are loaded during the loading
or the executable. For example, if a user launches Paint on a specific picture,
the path to that picture will be stored inside the Prefetch file.
prefetchkit
uses the libprefetch
library for parsing and reading Prefetch files.
Installation
Using cargo
:
cargo intall prefetchkit
Features
--help
:
Prefetchkit 1.0.0
A powerful command-line tool for analysing Microsoft Prefetch Files
USAGE:
prefetchkit [FLAGS] [OPTIONS] <TARGET>
FLAGS:
--color Put some colors, it never hurts
-h, --help Prints help information
-m, --metrics Print metrics (loaded DLL etc)
-r, --reverse Reverse order
--version Prints version information
-v, --verbose Display more information
-V, --volumes Print volumes
OPTIONS:
--sort <sort> Specify sort (if TARGET is a directory)
EXEC: by execution counter
TIME: by last execution time
NAME: by name [possible values: EXEC, TIME, NAME]
ARGS:
<TARGET> Target to analyze (pf files or directory containing pf files)
prefetchkit
takes one positional argument, which can be a specific
Prefetch file or a directory containing Prefetch files.
Example
$ prefetchkit MSPAINT.EXE-11CBB631.pf # a specific file
$ prefetchkit xpmount/WINDOWS/Prefetch/ # The Windows Prefetch directory
Basics
If you run prefetchkit
without flags and option, you'll get a table with the
name of the executable, the last execution time and the execution counter:
$ prefetchkit MSPAINT.EXE-11CBB631.pf
Executable name Last execution time Execution counter
MSPAINT.EXE 2011-03-22 21:44:39 2
On a directory, you can use the --sort=<VALUE>
option for sorting by:
EXEC
- execution counterTIME
- last execution timeNAME
- name
Additionally, there is -r
for reversing the sort.
Metrics
Metrics is a special section of the Prefetch file which indicates each DLL, DAT (and other) files which are loaded with the executable. Depending on the Windows version, you get additional information such as the average loading time.
To display metrics, use the flag -m
:
$ prefetchkit UPDATE.EXE-0CB058D8.pf -m
Executable name Last execution time Execution counter
UPDATE.EXE 2011-03-13 11:09:24 2
└─Metrics:
├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL
├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\KERNEL32.DLL
├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\UNICODE.NLS
├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\LOCALE.NLS
├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SORTTBLS.NLS
├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SOFTWAREDISTRIBUTION\DOWNLOAD\38F47E51C38A7A0EBC9C39DCA1EDD5A6\UPDATE\UPDATE.EXE
├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\ADVAPI32.DLL
├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\RPCRT4.DLL
├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\COMCTL32.DLL
├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\GDI32.DLL
├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\USER32.DLL
├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CRYPT32.DLL
├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\MSVCRT.DLL
├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\MSASN1.DLL
├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\IMAGEHLP.DLL
....
Using the verbose flag (-v
), you'll get the additional information:
$ prefetechkit UPDATE.EXE-0CB058D8.pf -mv
Executable name Last execution time Execution counter
UPDATE.EXE 2011-03-13 11:09:24 2
└─Metrics:
├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL
│ └─ start time: 0s duration: 50s average duration: ✘ MFT entry index: ✘
│
├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\KERNEL32.DLL
│ └─ start time: 50s duration: 52s average duration: ✘ MFT entry index: ✘
│
├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\UNICODE.NLS
│ └─ start time: 102s duration: 5s average duration: ✘ MFT entry index: ✘
│
├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\LOCALE.NLS
│ └─ start time: 107s duration: 3s average duration: ✘ MFT entry index: ✘
│
├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SORTTBLS.NLS
│ └─ start time: 110s duration: 4s average duration: ✘ MFT entry index: ✘
│
├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SOFTWAREDISTRIBUTION\DOWNLOAD\38F47E51C38A7A0EBC9C39DCA1EDD5A6\UPDATE\UPDATE.EXE
│ └─ start time: 114s duration: 57s average duration: ✘ MFT entry index: ✘
....
Volumes
When you launch a executable, it uses files on one or several volumes. This kind of information is stored inside the Prefetch file. Even if the executable is stored on a external volume, a Prefetch file will be created.
In a forensic point a view, it can be very useful: you can determine that a USB key has been used with Paint, Chrome or another software, or a special software is located on a external hard drive.
For volumes, use the volume flag: -V
:
$ prefetchkit UPDATE.EXE-0CB058D8.pf -V
Executable name Last execution time Execution counter
UPDATE.EXE 2011-03-13 11:09:24 2
└─Volumes:
└─\DEVICE\HARDDISKVOLUME1
Again, using the verbose flag -v
, you'll get extra information, such as each
directory which is used by the executable:
$ prefetchkit UPDATE.EXE-0CB058D8.pf -Vv
Executable name Last execution time Execution counter
UPDATE.EXE 2011-03-13 11:09:24 2
└─Volumes:
└─\DEVICE\HARDDISKVOLUME1
├─Creation time: 2009-03-04 10:23:57 Serial: 0x1054BA98
└─Directories:
├─\DEVICE\HARDDISKVOLUME1\
├─\DEVICE\HARDDISKVOLUME1\WINDOWS\
├─\DEVICE\HARDDISKVOLUME1\WINDOWS\INF\
├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SOFTWAREDISTRIBUTION\
├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SOFTWAREDISTRIBUTION\DOWNLOAD\
├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SOFTWAREDISTRIBUTION\DOWNLOAD\38F47E51C38A7A0EBC9C39DCA1EDD5A6\
├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SOFTWAREDISTRIBUTION\DOWNLOAD\38F47E51C38A7A0EBC9C39DCA1EDD5A6\UPDATE\
├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\
├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CATROOT\
├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CATROOT\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\
├─\DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\
└─\DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.2600.2180_X-WW_A84F1FF9\
Releases
Release notes are available in RELEASES.md.
Compatibility
ole
seems to work for rust 1.9 and greater.
License
Dependencies
~3MB
~44K SLoC