As we know, the Prefetch file is used for optimizing the loading time of an application the next time you run it. So we could find out whether or not any suspicious application was run by examining those .pf files on the subject computers. We could download WinPrefetchView from NirSoft.
The upper pane displays the list of all Prefetch files in your system. When you select a file in the upper pane, the lower pane displays the list of files stored inside the selected Prefetch file, which represent the files that were loaded by the application in the previous times that you used it.
Something is wrong with the paths of the files loaded in .pf files. You guys could take a look at my blog to see what's going on.
http//
As forensic guys, we can take advantage of forensic tools, but we shouldn't be so sure about the analysis results. We have to verify the analysis results so as to reduce misjudgement.
Well, HarddiskVolumeN has no direct link to disk or partition order.
For boot devices it normally corresponds, but only if (as normally happens) the devices (and the volumes in them) are enumerated in the same order; it is not a "given".
See (examples)
http//
http//
http//
http//
jaclaz
Partition numbers in the Object Manager namespace are assigned incrementally.
For example, let's take a look at the following configuration:
- two hard disk drives
1. the first one has one partition;
2. the second one has two partitions.
In the Object Manager namespace, there will be the following objects:
- \Device\Harddisk0\Partition0 (the whole first drive);
- \Device\Harddisk0\Partition1 (the first partition of the first drive);
- \Device\Harddisk1\Partition0 (the whole second drive);
- \Device\Harddisk1\Partition1 (the first partition of the second drive);
- \Device\Harddisk1\Partition2 (the second partition of the second drive).
However, all these objects are, in fact, symbolic links to other objects:
- \Device\Harddisk0\Partition1 points to \Device\HarddiskVolume1;
- \Device\Harddisk1\Partition1 points to \Device\HarddiskVolume2;
- \Device\Harddisk1\Partition2 points to \Device\HarddiskVolume3.
So the explanation is that the user booted his system (at least once) with another storage device attached (with a single partition), and this device was detected before the system drive. This is why your volume numbers are off by one.
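The numbering rule from the post above, worked through as an added Python example (this is not code from any poster in the thread). It assigns HarddiskVolume numbers incrementally in enumeration order, resolves the \DEVICE\HARDDISKVOLUMEn prefixes that .pf files record against two different enumeration orders, and reports volume numbers that the current layout cannot account for. The disk labels ("system_ssd", "usb_stick", ...) and the sample .pf paths are constructed for illustration.

```python
"""Resolve the \\DEVICE\\HARDDISKVOLUMEn prefixes that Prefetch (.pf) files
record back to a disk and partition.

Added example, not code from the original thread. It models the Object
Manager numbering rule described in the post: HarddiskVolume numbers are
handed out incrementally, in the order the disks and their partitions are
enumerated at boot, so the same HARDDISKVOLUME2 string can point at a
different partition on a different boot. Disk labels and the sample .pf
paths are constructed for illustration.
"""
import re
from typing import Dict, List, Optional, Tuple

# volume number -> (disk label, partition number on that disk)
VolumeMap = Dict[int, Tuple[str, int]]

_PF_PATH = re.compile(r"^\\DEVICE\\HARDDISKVOLUME(\d+)(\\.*)$", re.IGNORECASE)


def build_volume_map(disks: List[Tuple[str, int]]) -> VolumeMap:
    """Assign HarddiskVolumeN numbers for disks given in enumeration order.

    Each entry is (label, partition_count). Partition0 is the whole disk and
    gets no volume object, so numbering starts at Partition1 of the first
    enumerated disk and runs upward across all disks.
    """
    volume_map: VolumeMap = {}
    next_volume = 1
    for label, count in disks:
        for part in range(1, count + 1):
            volume_map[next_volume] = (label, part)
            next_volume += 1
    return volume_map


def resolve_pf_path(path: str, volume_map: VolumeMap) -> Optional[str]:
    """Rewrite one .pf path as '<disk label>:Partition<n>\\<rest>'.

    Returns None when the path is not a volume path or its volume number is
    absent from the map, i.e. the .pf file was written on a boot where more
    volumes were enumerated than the map describes.
    """
    m = _PF_PATH.match(path)
    if not m:
        return None
    entry = volume_map.get(int(m.group(1)))
    if entry is None:
        return None
    label, part = entry
    return f"{label}:Partition{part}{m.group(2)}"


def unmapped_volumes(paths: List[str], volume_map: VolumeMap) -> List[int]:
    """Volume numbers referenced by the .pf paths but absent from the map.

    A non-empty result is the check to run before trusting a tool's drive
    letter mapping: the enumeration order when the .pf file was written
    differed from the one assumed now.
    """
    seen = {int(m.group(1)) for m in map(_PF_PATH.match, paths) if m}
    return sorted(v for v in seen if v not in volume_map)


def resolve_all(paths: List[str], volume_map: VolumeMap) -> Dict[str, Optional[str]]:
    """Resolve every path in a .pf listing against one volume map."""
    return {p: resolve_pf_path(p, volume_map) for p in paths}


# Constructed sample of what WinPrefetchView's lower pane lists for one .pf file.
SAMPLE_PF_PATHS = [
    r"\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NTDLL.DLL",
    r"\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\KERNEL32.DLL",
    r"\DEVICE\HARDDISKVOLUME4\TOOLS\PROCEXP.EXE",
]

# Disks as enumerated on the examined machine today: the layout from the post.
NOW = build_volume_map([("system_ssd", 1), ("data_hdd", 2)])
# The same machine on an earlier boot, with a single-partition USB stick
# enumerated before the system drive (the post's explanation for the shift).
EARLIER = build_volume_map([("usb_stick", 1), ("system_ssd", 1), ("data_hdd", 2)])


if __name__ == "__main__":
    print("volumes unmapped against today's layout:", unmapped_volumes(SAMPLE_PF_PATHS, NOW))
    today, earlier = resolve_all(SAMPLE_PF_PATHS, NOW), resolve_all(SAMPLE_PF_PATHS, EARLIER)
    for p in SAMPLE_PF_PATHS:
        print(p)
        print("  assuming today's order  :", today[p])
        print("  assuming earlier order  :", earlier[p])
```

Run as-is, the HARDDISKVOLUME2 entries resolve to the data disk under today's layout but to the system disk under the earlier one, and HARDDISKVOLUME4 has no counterpart today at all; that unmapped number is the tell that the enumeration order differed when the .pf file was written.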
I would compare the NirSoft output to my prefetch tool as well.
Last I heard, NirSoft was not showing all available run times.
https://
See the other PECmd posts as well for more details.