
app prefetchkit

A powerful forensic commandline tool for analysing Microsoft Prefetch Files

3 stable releases

Uses old Rust 2015

1.0.2 Mar 25, 2018


WTFPL license

110KB
324 lines

prefetchkit


A powerful forensic commandline tool for analyzing and extracting information from Microsoft Prefetch files.

It fully supports the following Prefetch versions:

  • Windows XP/2003
  • Windows Vista/7
  • Windows 8/8.1

It partially supports the following Prefetch version:

  • Windows 10

Description

prefetchkit is a commandline tool which parses and reads Microsoft Prefetch files.

Prefetch files (with the .pf or .PF extension) are Windows system files located in C:\WINDOWS\Prefetch\. They help Windows load executables faster.

prefetchkit is a forensic tool: it extracts information such as when an executable was last run and how many times it was run.

With the metrics option, you can see which files are loaded during the loading of the executable. For example, if a user launches Paint on a specific picture, the path to that picture will be stored inside the Prefetch file.

prefetchkit uses the libprefetch library for parsing and reading Prefetch files.

Installation

Using cargo:

cargo install prefetchkit

Features

--help:

Prefetchkit 1.0.0
A powerful command-line tool for analysing Microsoft Prefetch Files

USAGE:
    prefetchkit [FLAGS] [OPTIONS] <TARGET>

FLAGS:
        --color      Put some colors, it never hurts
    -h, --help       Prints help information
    -m, --metrics    Print metrics (loaded DLL etc)
    -r, --reverse    Reverse order
        --version    Prints version information
    -v, --verbose    Display more information
    -V, --volumes    Print volumes

OPTIONS:
        --sort <sort>    Specify sort (if TARGET is a directory)
                               EXEC: by execution counter
                               TIME: by last execution time
                               NAME: by name [possible values: EXEC, TIME, NAME]

ARGS:
    <TARGET>    Target to analyze (pf files or directory containing pf files)

prefetchkit takes one positional argument, which can be a specific Prefetch file or a directory containing Prefetch files.

Example

$ prefetchkit MSPAINT.EXE-11CBB631.pf    # a specific file
$ prefetchkit xpmount/WINDOWS/Prefetch/  # The Windows Prefetch directory

Basics

If you run prefetchkit without any flags or options, you'll get a table with the executable name, the last execution time and the execution counter:

$ prefetchkit MSPAINT.EXE-11CBB631.pf
Executable name             Last execution time   Execution counter
MSPAINT.EXE                 2011-03-22 21:44:39                   2

On a directory, you can use the --sort=<VALUE> option to sort by:

  • EXEC - execution counter
  • TIME - last execution time
  • NAME - name

Additionally, there is -r for reversing the sort.
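The header fields behind prefetchkit's basic table, and the EXEC/TIME/NAME sort with -r, as an added Python example that is not part of prefetchkit or libprefetch. It reads the executable name, last run time and run count from uncompressed version 17 (XP/2003), 23 (Vista/7) and 26 (Windows 8) files at the publicly documented offsets (0x10 for the name; 0x78 or 0x80 for the last run time; 0x90, 0x98 and 0xD0 for the run count), so it goes beyond the README's XP example by covering the Vista/7 and Windows 8 layouts as well. The three sample headers are constructed inside the block: MSPAINT.EXE mirrors the README's table, while UPDATE.EXE's run count, NOTEPAD.EXE and its date are made up. Windows 10 files are normally MAM-compressed; the parser rejects those rather than guessing at them.

```python
"""Header triage for uncompressed Microsoft Prefetch files (versions 17, 23
and 26) plus the directory sort prefetchkit offers.  Added example, not
prefetchkit/libprefetch code; the sample headers are constructed below."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch
SIGNATURE = b"SCCA"
EXE_NAME_OFFSET = 0x10   # 60 bytes of NUL-terminated UTF-16LE
# version -> (last-run-time offset, run-count offset).  Version 26 keeps
# eight last-run timestamps; the one at 0x80 is the most recent.
LAYOUT = {17: (0x78, 0x90), 23: (0x80, 0x98), 26: (0x80, 0xD0)}
MIN_SIZE = 0xD4          # enough to reach the largest field read here


def filetime_to_datetime(ft):
    return EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    d = dt - EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def parse_header(data):
    """Return name, version, last run time and run count of one .pf file."""
    if data[:4] == b"MAM\x04":
        raise ValueError("MAM-compressed (Windows 10) file: decompress first")
    if len(data) < MIN_SIZE or data[4:8] != SIGNATURE:
        raise ValueError("not an uncompressed SCCA Prefetch file")
    version = struct.unpack_from("<I", data, 0)[0]
    if version not in LAYOUT:
        raise ValueError(f"unsupported Prefetch version {version}")
    time_off, count_off = LAYOUT[version]
    raw = data[EXE_NAME_OFFSET:EXE_NAME_OFFSET + 60].decode("utf-16-le")
    return {
        "name": raw.split("\x00", 1)[0],
        "version": version,
        "last_run": filetime_to_datetime(struct.unpack_from("<Q", data, time_off)[0]),
        "run_count": struct.unpack_from("<I", data, count_off)[0],
    }


# The same three sort keys prefetchkit exposes through --sort
SORT_KEYS = {
    "EXEC": lambda e: e["run_count"],
    "TIME": lambda e: e["last_run"],
    "NAME": lambda e: e["name"],
}


def sort_entries(entries, key="EXEC", reverse=False):
    """Sort parsed entries the way --sort=<key> (and -r) would."""
    return sorted(entries, key=SORT_KEYS[key], reverse=reverse)


def make_sample(version, name, last_run, run_count):
    """Constructed header bytes for testing; NOT a real Prefetch file."""
    buf = bytearray(MIN_SIZE)
    struct.pack_into("<I4s", buf, 0, version, SIGNATURE)
    buf[EXE_NAME_OFFSET:EXE_NAME_OFFSET + 2 * len(name)] = name.encode("utf-16-le")
    time_off, count_off = LAYOUT[version]
    struct.pack_into("<Q", buf, time_off, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, count_off, run_count)
    return bytes(buf)


# Constructed samples: MSPAINT.EXE mirrors the README's table; the rest are made up.
SAMPLES = [
    make_sample(17, "MSPAINT.EXE", datetime(2011, 3, 22, 21, 44, 39, tzinfo=timezone.utc), 2),
    make_sample(23, "UPDATE.EXE", datetime(2011, 3, 13, 11, 9, 24, tzinfo=timezone.utc), 7),
    make_sample(26, "NOTEPAD.EXE", datetime(2013, 1, 5, 9, 0, 0, tzinfo=timezone.utc), 1),
]

if __name__ == "__main__":
    rows = sort_entries([parse_header(b) for b in SAMPLES], "TIME", reverse=True)
    print(f"{'Executable name':<28}{'Last execution time':<22}{'Execution counter':>18}")
    for e in rows:
        print(f"{e['name']:<28}{e['last_run']:%Y-%m-%d %H:%M:%S}{e['run_count']:>20}")
```

On a real case you would read each .pf file from the mounted image and pass its bytes to parse_header; sorting by TIME with reverse=True gives the most recent executions first, which is the usual starting point for a timeline.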

Metrics

Metrics is a special section of the Prefetch file which lists each DLL, DAT (and other) file loaded together with the executable. Depending on the Windows version, you get additional information such as the average loading time.

To display metrics, use the flag -m:

$ prefetchkit UPDATE.EXE-0CB058D8.pf -m
Executable name             Last execution time   Execution counter
UPDATE.EXE                  2011-03-13 11:09:24                   2
└─Metrics:
  ├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL
  ├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\KERNEL32.DLL
  ├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\UNICODE.NLS
  ├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\LOCALE.NLS
  ├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SORTTBLS.NLS
  ├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SOFTWAREDISTRIBUTION\DOWNLOAD\38F47E51C38A7A0EBC9C39DCA1EDD5A6\UPDATE\UPDATE.EXE
  ├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\ADVAPI32.DLL
  ├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\RPCRT4.DLL
  ├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\COMCTL32.DLL
  ├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\GDI32.DLL
  ├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\USER32.DLL
  ├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CRYPT32.DLL
  ├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\MSVCRT.DLL
  ├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\MSASN1.DLL
  ├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\IMAGEHLP.DLL
....

Using the verbose flag (-v), you'll get additional information:

$ prefetchkit UPDATE.EXE-0CB058D8.pf -mv
Executable name             Last execution time   Execution counter
UPDATE.EXE                  2011-03-13 11:09:24                   2
└─Metrics:
  ├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL
   └─ start time: 0s duration: 50s average duration: ✘ MFT entry index: ✘
  
  ├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\KERNEL32.DLL
   └─ start time: 50s duration: 52s average duration: ✘ MFT entry index: ✘
  
  ├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\UNICODE.NLS
   └─ start time: 102s duration: 5s average duration: ✘ MFT entry index: ✘
  
  ├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\LOCALE.NLS
   └─ start time: 107s duration: 3s average duration: ✘ MFT entry index: ✘
  
  ├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\SORTTBLS.NLS
   └─ start time: 110s duration: 4s average duration: ✘ MFT entry index: ✘
  
  ├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SOFTWAREDISTRIBUTION\DOWNLOAD\38F47E51C38A7A0EBC9C39DCA1EDD5A6\UPDATE\UPDATE.EXE
   └─ start time: 114s duration: 57s average duration: ✘ MFT entry index: ✘
....

Volumes

When you launch an executable, it uses files on one or several volumes. This kind of information is stored inside the Prefetch file. Even if the executable is stored on an external volume, a Prefetch file will be created.

From a forensic point of view, this can be very useful: you can determine that a USB key has been used with Paint, Chrome or another program, or that a particular piece of software is located on an external hard drive.

To display volumes, use the -V flag:

$ prefetchkit UPDATE.EXE-0CB058D8.pf -V
Executable name             Last execution time   Execution counter
UPDATE.EXE                  2011-03-13 11:09:24                   2
└─Volumes:
  └─\DEVICE\HARDDISKVOLUME1

Again, using the verbose flag -v, you'll get extra information, such as each directory used by the executable:

$ prefetchkit UPDATE.EXE-0CB058D8.pf -Vv
Executable name             Last execution time   Execution counter
UPDATE.EXE                  2011-03-13 11:09:24                   2
└─Volumes:
  └─\DEVICE\HARDDISKVOLUME1
    ├─Creation time: 2009-03-04 10:23:57 Serial: 0x1054BA98
    └─Directories:
       ├─\DEVICE\HARDDISKVOLUME1\
       ├─\DEVICE\HARDDISKVOLUME1\WINDOWS\
       ├─\DEVICE\HARDDISKVOLUME1\WINDOWS\INF\
       ├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SOFTWAREDISTRIBUTION\
       ├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SOFTWAREDISTRIBUTION\DOWNLOAD\
       ├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SOFTWAREDISTRIBUTION\DOWNLOAD\38F47E51C38A7A0EBC9C39DCA1EDD5A6\
       ├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SOFTWAREDISTRIBUTION\DOWNLOAD\38F47E51C38A7A0EBC9C39DCA1EDD5A6\UPDATE\
       ├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\
       ├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CATROOT\
       ├─\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CATROOT\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\
       ├─\DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\
       └─\DEVICE\HARDDISKVOLUME1\WINDOWS\WINSXS\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.2600.2180_X-WW_A84F1FF9\
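The metrics and volume sections described in the two sections above, as an added Python example that is not part of prefetchkit or libprefetch. It builds a version-17 (XP/2003) file in memory, following the publicly documented layout for that version (the file-information block at offset 84, 20-byte metrics entries, NUL-terminated UTF-16 filename strings, 40-byte volume entries with section-relative offsets, and directory strings prefixed by a 16-bit character count), then parses it back: the loaded-file list behind -m, the per-volume creation time, serial and directory list behind -Vv, and a small check for the forensic question raised above, namely which loaded files live off the system volume. Volume 1's creation time and serial are taken from the README's UPDATE.EXE output; the second volume, its serial and the file loaded from it are constructed, and the whole file is synthetic rather than captured from a system.

```python
"""Metrics and volume sections of a version-17 (XP/2003) Prefetch file.
Added example, not prefetchkit/libprefetch code: offsets follow the publicly
documented v17 layout; the sample file is constructed here, not captured."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
FILE_INFO = 84        # v17 file-information block: section offsets/counts
HEADER_SIZE = 0x98    # v17 header incl. file information; metrics follow
METRIC_SIZE, VOLUME_SIZE = 20, 40

def to_filetime(dt):
    d = dt - EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10

def from_filetime(ft):
    return EPOCH + timedelta(microseconds=ft // 10)

def utf16z(s):
    return s.encode("utf-16-le") + b"\x00\x00"

def build_sample(exe, files, volumes):
    """Constructed v17 file: header, metrics, filename strings, volumes."""
    metrics, strings = bytearray(), bytearray()
    for i, f in enumerate(files):
        # metric entry: start time, duration (ms), string offset, chars, flags
        metrics += struct.pack("<IIIII", i * 10, 10, len(strings), len(f), 0)
        strings += utf16z(f)
    entries, blobs = bytearray(), bytearray()
    for dev, created, serial, dirs in volumes:
        dev_off = VOLUME_SIZE * len(volumes) + len(blobs)  # section-relative
        blobs += utf16z(dev)
        dir_off = VOLUME_SIZE * len(volumes) + len(blobs)
        blobs += b"".join(struct.pack("<H", len(d)) + utf16z(d) for d in dirs)
        entries += struct.pack("<IIQIIIIII", dev_off, len(dev), to_filetime(created),
                               serial, dir_off, 0, dir_off, len(dirs), 0)
    m_off, s_off = HEADER_SIZE, HEADER_SIZE + len(metrics)
    v_off = s_off + len(strings)
    buf = bytearray(HEADER_SIZE)
    struct.pack_into("<I4s", buf, 0, 17, b"SCCA")
    buf[0x10:0x10 + 2 * len(exe)] = exe.encode("utf-16-le")
    struct.pack_into("<IIIIIIIII", buf, FILE_INFO, m_off, len(files), s_off, 0,
                     s_off, len(strings), v_off, len(volumes), len(entries) + len(blobs))
    return bytes(buf + metrics + strings + entries + blobs)

def file_info(data):
    if data[4:8] != b"SCCA" or struct.unpack_from("<I", data, 0)[0] != 17:
        raise ValueError("expected an uncompressed version-17 Prefetch file")
    return struct.unpack_from("<IIIIIIIII", data, FILE_INFO)

def parse_metrics(data):
    """Every file loaded with the executable, as prefetchkit -m lists them."""
    m_off, n, _, _, s_off, s_size, *_ = file_info(data)
    strings = data[s_off:s_off + s_size]
    out = []
    for i in range(n):
        start, dur, name_off, n_chars, _ = struct.unpack_from("<IIIII", data, m_off + METRIC_SIZE * i)
        path = strings[name_off:name_off + 2 * n_chars].decode("utf-16-le")
        out.append({"path": path, "start_ms": start, "duration_ms": dur})
    return out

def parse_volumes(data):
    """Device path, creation time, serial and directories per volume (-Vv)."""
    *_, v_off, n, _ = file_info(data)
    out = []
    for i in range(n):
        (p_off, p_len, created, serial, _, _, d_off, n_dirs,
         _) = struct.unpack_from("<IIQIIIIII", data, v_off + VOLUME_SIZE * i)
        device = data[v_off + p_off:v_off + p_off + 2 * p_len].decode("utf-16-le")
        dirs, pos = [], v_off + d_off
        for _ in range(n_dirs):               # u16 char count, string, NUL
            n_chars = struct.unpack_from("<H", data, pos)[0]
            dirs.append(data[pos + 2:pos + 2 + 2 * n_chars].decode("utf-16-le"))
            pos += 2 + 2 * n_chars + 2
        out.append({"device": device, "created": from_filetime(created),
                    "serial": serial, "directories": dirs})
    return out

def paths_off_volume(metrics, system_device):
    """Loaded files that live anywhere other than the given (system) volume."""
    prefix = system_device.upper() + "\\"
    return [m["path"] for m in metrics if not m["path"].upper().startswith(prefix)]

# Constructed sample: volume 1 values mirror the README's UPDATE.EXE output;
# the second volume, its serial and the file loaded from it are made up.
V1, V2 = "\\DEVICE\\HARDDISKVOLUME1", "\\DEVICE\\HARDDISKVOLUME2"
SAMPLE = build_sample(
    "UPDATE.EXE",
    [V1 + "\\WINDOWS\\SYSTEM32\\NTDLL.DLL", V1 + "\\WINDOWS\\SYSTEM32\\KERNEL32.DLL",
     V2 + "\\TOOLS\\UPDATE.EXE"],
    [(V1, datetime(2009, 3, 4, 10, 23, 57, tzinfo=timezone.utc), 0x1054BA98,
      [V1 + "\\WINDOWS\\", V1 + "\\WINDOWS\\SYSTEM32\\"]),
     (V2, datetime(2011, 3, 1, 8, 0, tzinfo=timezone.utc), 0x2B6F3C11, [V2 + "\\TOOLS\\"])],
)
```

Version-17 metrics entries carry only a start time and duration, which is why the README's -mv output on this XP-era file marks the average duration and MFT entry index with ✘; those fields only appear from the Vista/7 layout onwards. paths_off_volume is the check an examiner actually wants from the volume data: a loaded path whose device is not the system volume points at removable or secondary media, and the matching volume entry supplies the serial and creation time needed to tie it to a specific device.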

Releases

Release notes are available in RELEASES.md.

Compatibility

ole seems to work with Rust 1.9 and greater.

License

http://www.wtfpl.net/about/

Dependencies

~3.5MB
~45K SLoC