ftk imager lite prefetch file

18 Posts
4 Users
0 Reactions
2,963 Views
(@forenz)
Eminent Member
Joined: 18 years ago
Posts: 47
Topic starter  

Anyone know the name of the prefetch file for FTK Imager Lite? I need to locate it to show that one was created when I executed the program on a live system, as pointed out by keydet89 in the live acquisition topic I started.

cheers

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

> Anyone know the name of the prefetch file for ftk imager lite?

Yeah…it's the name of the executable (w/ ".exe") followed by a dash ("-") and a hash, and then ".pf".

(@forenz)
Eminent Member
Joined: 18 years ago
Posts: 47
Topic starter  

I thought I would find it in the prefetch folder, but there is very little data in there, and the only readable text is

NTOSBOOT-B00DFAAD.pf
NTOSBO~1.PF

When I search for ftk_imager I get 100 hits in 5 files; these are

pagefile.sys
NTUSER~1.LOG
NTUSER.DAT
NTUSER.DAT.LOG

Does this seem unusual? The prefetch file not being in windows\prefetch, I mean.

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

The lack of existence of the prefetch file means…what? I'm attempting to reason this through, not put you on the spot…

Do you know how FTK imager was launched? Double-clicking the icon? Do you see an entry in the UserAssist key?

> When I search for ftk_imager I get 100 hits in 5 files; these are

Okay, but what's the context? Just b/c you get hits, that doesn't mean that the tool was run…

(@forenz)
Eminent Member
Joined: 18 years ago
Posts: 47
Topic starter  

The lack of the prefetch file means there isn't one there?

> Do you know how FTK imager was launched? Double-clicking the icon? Do you see an entry in the UserAssist key?

It was launched by double-clicking the icon; however, the UserAssist key is in HKCU and I don't know how to get the information from the NTUSER.DAT file.

I only have till tomorrow morning to do this, so it looks like my only option is to not have a section in my report explaining the changes that were made as a result of the live acquisition.
I suppose it will be a while until the case actually gets to court. I could buy your book, Harlan, and learn this stuff from it, then maybe add the section to it and give the client the updated report. What do you think? I'm out of ideas.

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

I think you could've already had my book if you'd followed my instructions and gotten the ebook.

However, I know what you're asking for right now, and to be honest, I don't have enough information.

For example, what is the OS? How many .pf files do you see in the Windows\Prefetch directory?

What is the goal of your investigation? Your first email only talks about the .pf file…but your most recent post talks about needing to explain the changes made when you did a live acquisition.

These things would be much easier if you could just provide all information in a clear, concise manner up front….

Harlan

(@forenz)
Eminent Member
Joined: 18 years ago
Posts: 47
Topic starter  

It's Windows Server 2003. When I open up the windows\prefetch directory I see this ASCII:

0………………………….~………j………….|oCm(ׯ…ɾ¦åDžɾ¦åDžɾ¦åÇ..²……R°…… ……..N.T.O.S.B.O.O.T.-.B.0.0.D.F.A.A.D…p.f…….~…….h.X………….|oCm(ׯ…ɾ¦åDžɾ¦åDžɾ¦åÇ..²……R°…… …….N.T.O.S.B.O.~.1…P.F……………..

I need to find the prefetch file created by running ftk imager.
I need to locate the entry created by running FTK Imager in UserAssist.

I do not know how to extract the user assist information from the NTUSER.DAT file.
That's why I ordered your book.

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

> It's Windows Server 2003

Okay, just as I suspected…

By default, Windows 2003 does NOT perform application prefetching; it does not create the application prefetch files the way XP does.

> I need to locate the entry created by running ftk imager in user assist.

I have the Perl code to do this…and it is also on the DVD that ships with my book. Of course, you're going to have to install Perl and the necessary module. The problem with compiling and shipping these Perl scripts as standalone EXEs is that historically, I don't even get so much as a simple "thank you" for my efforts…which is another reason why I put them in the book.

Harlan
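As an added example (not Harlan's Perl scripts and not code from this thread), a Python decoder for the XP/2003-era UserAssist records forenz is asking about: value names under the UserAssist `Count` keys are ROT13-obfuscated, and each 16-byte value holds a session id, a run count stored with a +5 offset, and a FILETIME of the last run. The sample entries below are constructed inline, and the FTK Imager path is hypothetical.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# FILETIME counts 100-ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
COUNT_OFFSET = 5  # XP/2003 UserAssist stores run count + 5


def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME tick count to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Exact integer inverse of filetime_to_datetime (used to build samples)."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_userassist(name, data):
    """Decode one UserAssist value: ROT13 name + 16-byte XP/2003 record.
    Windows 7 and later use a longer record layout, which is not handled here."""
    path = codecs.decode(name, "rot13")
    if len(data) != 16:
        # Control/session values have other sizes; report the name only.
        return {"path": path, "count": None, "last_run": None}
    _session, raw_count, ft = struct.unpack("<IIQ", data)
    return {
        "path": path,
        "count": max(raw_count - COUNT_OFFSET, 0),
        "last_run": filetime_to_datetime(ft) if ft else None,
    }


def find_program_runs(entries, needle):
    """Return decoded UEME_RUNPATH records whose path contains `needle`."""
    hits = []
    for name, data in entries:
        rec = decode_userassist(name, data)
        if rec["path"].upper().startswith("UEME_RUNPATH:") and needle.lower() in rec["path"].lower():
            hits.append(rec)
    return hits


def sample_entries():
    """Constructed sample values, stored as they would appear in the hive."""
    last_run = datetime(2009, 1, 15, 10, 30, tzinfo=timezone.utc)
    ftk = r"UEME_RUNPATH:C:\Tools\FTK Imager Lite\FTK Imager.exe"  # hypothetical path
    return [
        (codecs.encode("UEME_CTLSESSION", "rot13"), b"\x00" * 8),
        (codecs.encode(ftk, "rot13"), struct.pack("<IIQ", 1, 1 + COUNT_OFFSET, datetime_to_filetime(last_run))),
        (codecs.encode(r"UEME_RUNPATH:C:\WINDOWS\system32\notepad.exe", "rot13"),
         struct.pack("<IIQ", 1, 3 + COUNT_OFFSET, datetime_to_filetime(last_run - timedelta(days=2)))),
    ]
```

Pointing the same decoder at values read out of an offline NTUSER.DAT (for example with a registry-parsing library) gives the launch evidence that the missing 2003 prefetch file cannot.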

(@forenz)
Eminent Member
Joined: 18 years ago
Posts: 47
Topic starter  

> By default, Windows 2003 does NOT perform application prefetching; it does not create the application prefetch files the way XP does.

OK, so there would have been no prefetch file created when FTK Imager was executed? That's good, I suppose: one less thing that was changed on the system and one less thing to document.

> I have the Perl code to do this…and it is also on the DVD that ships with my book. Of course, you're going to have to install Perl and the necessary module.

Good stuff, yeah, I look forward to receiving those scripts. Is it seen as acceptable to produce a report for a client and then add additional information to that report at a later date and send that to the client as an updated version? How would this be viewed in court?
I realise it can't be BEST practice, but it seems that I don't have too much of an option; if it wouldn't create any problems, I'm semi happy with doing this.

Thanks for the info

keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

I'm not sure I can really do much to answer your questions…for one, I don't see the need for two reports, really. However, as long as you clearly document everything, I don't see why something shouldn't be admissible in court.
