Windows prefetches store the path of the file as a unique hash of the file path, and I can't figure out how to reverse it after a significant amount of googling… Even if it is a one-way hash, I would assume that it would be possible to hash every directory on the machine and compare to get the paths?…
Thanks.
Take a look at mitec.cz's Prefetch Analyzer (part of Windows File Analyzer), also available in WinTaylor.
Also the Windows Forensic Analysis book, and if your lab is EnCase-centric this may be of help to you, since it references EnCase scripts and other resources that may assist you:
http//
Windows prefetches store the path of the file as a unique hash of the file path, and I can't figure out how to reverse it after a significant amount of googling…
This link might explain why:
http://42llc.net/?option=com_myblog&task=tag&category=Prefetch&Itemid=39
(No, I haven't tested it myself yet. I've made a note to figure out what happens with executables in compressed folders, though.)
Even if it is a one-way hash, I would assume that it would be possible to hash every directory on the machine and compare to get the paths?…
Unless, of course, the path doesn't exist anymore … a directory that has been deleted or renamed, for instance. And, as indicated above, what happens if the executable file is in a compressed folder (ZIP)?
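The "hash every directory and compare" idea from the question, worked through as an added example (this is not code from the thread or from any of the tools mentioned in it). The two hash functions are the publicly documented reconstructions of the XP and Vista/7 prefetch path hash (the same family of algorithm the 42llc write-up describes); treat them as assumptions to be validated against real .pf names on your own system, and note that Windows 8 and later use a different algorithm not covered here. The hash is computed over the NT device path (e.g. \DEVICE\HARDDISKVOLUME1\...), so the drive-letter-to-volume mapping is system specific and is passed in by the caller; the directory list and volume map in the demo are constructed sample input. A directory that has been deleted or renamed simply never appears in the candidate list, which is exactly the failure mode the reply above points out: the function then returns no match rather than a wrong one.

```python
"""Brute-force matching of a Windows prefetch (.pf) path hash against
candidate executable paths. Added example, not from the thread.
Hash reconstructions assumed from public documentation (e.g. libscca)."""
import re

MASK32 = 0xFFFFFFFF


def scca_hash_xp(device_path):
    """Windows XP prefetch path hash (assumed reconstruction).
    Computed over the upper-cased NT device path of the executable."""
    h = 0
    for ch in device_path.upper():
        h = (h * 37 + ord(ch)) & MASK32
    h = (h * 314159269) & MASK32
    if h > 0x80000000:
        h = 0x100000000 - h
    return (h % 1000000007) & MASK32


def scca_hash_vista(device_path):
    """Windows Vista / 7 prefetch path hash (assumed reconstruction):
    same multiply-add loop as XP, different seed, no post-processing."""
    h = 314159
    for ch in device_path.upper():
        h = (h * 37 + ord(ch)) & MASK32
    return h


HASH_VARIANTS = {"xp": scca_hash_xp, "vista": scca_hash_vista}

# NAME.EXE-XXXXXXXX.pf : executable name, dash, 8 hex digits of hash
PF_NAME_RE = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-Fa-f]{8})\.pf$")


def parse_pf_name(pf_name):
    """Split a .pf file name into (EXECUTABLE, hash_as_int)."""
    m = PF_NAME_RE.match(pf_name)
    if not m:
        raise ValueError("not a prefetch file name: %r" % pf_name)
    return m.group("exe").upper(), int(m.group("hash"), 16)


def to_device_path(directory, exe, volume_map):
    """Build the NT device path the hash is taken over, e.g.
    'C:\\Windows\\System32' + 'NOTEPAD.EXE'
      -> '\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NOTEPAD.EXE'.
    volume_map maps drive letters to device names; it is system specific
    and must be supplied by the caller (assumption, not derived here)."""
    drive, rest = directory[:2].upper(), directory[2:].rstrip("\\")
    if drive not in volume_map:
        raise ValueError("unknown drive %r" % drive)
    return ("%s%s\\%s" % (volume_map[drive], rest, exe)).upper()


def match_prefetch(pf_name, directories, volume_map, variant="xp"):
    """Hash exe placed in every candidate directory and return the device
    paths whose hash equals the one embedded in the .pf name. Returns []
    when the true directory is absent (deleted, renamed, not enumerated)."""
    exe, target = parse_pf_name(pf_name)
    hash_fn = HASH_VARIANTS[variant]
    matches = []
    for directory in directories:
        candidate = to_device_path(directory, exe, volume_map)
        if hash_fn(candidate) == target:
            matches.append(candidate)
    return matches


if __name__ == "__main__":
    # Constructed sample input: a volume map and a directory listing such
    # as one would collect from the imaged machine.
    volumes = {"C:": "\\DEVICE\\HARDDISKVOLUME1"}
    dirs = ["C:\\Windows\\System32", "C:\\Program Files\\Example", "C:\\Temp"]
    real_path = "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NOTEPAD.EXE"
    pf = "NOTEPAD.EXE-%08X.pf" % scca_hash_xp(real_path)
    print(pf, "->", match_prefetch(pf, dirs, volumes))
    # Same .pf name, but the directory is no longer on disk: no match.
    print(pf, "->", match_prefetch(pf, ["C:\\Temp"], volumes))
```

Usage note: enumerate directories from the image (including those recoverable from MFT records or volume shadow copies) rather than from a live listing, since every directory missing from the candidate list is a prefetch entry you cannot resolve. If hashes never match, first check the volume mapping, then try the other variant.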
If you go on the Guidance website there is also an EnScript that can do this for you.
JAYSP,
Don't bother chasing your tail. The link below will take you to the application I developed a few years ago. The new version (2010) will interpret the Layout.ini file also. Unfortunately, Vista and Seven do not yield the information that XP does. Read the abridged research paper, which will explain how the entries get created and how this can help you show file interaction.
http//
Allan S Hay
Try my PrefetchForensics tool; it uses the algorithm from 42llc to validate the hash value.
http//