Recently I had need to look at a large number of prefetch files and as always I like to understand what it is I am looking for, so I wrote Prefetcher.
Prefetcher parses either single prefetch files (or a folder full of them) and breaks the content down into its constituent areas. You first need to create a case file and then either add .pf files singly or as a folder. Prefetcher allows you to change the displayed timezone if required.
The functionality of Prefetcher will be added to
Please visit the free software section on our website (under the forum tab) for more information and the download link, there is no need to register.
http://sandersonforensics.com
Does it account for the new information found in Win8 .pf files?
Not as yet Harlan, the problem it was written to address did not require it. I'll be looking at win 8 as soon as I can make some time.
Paul
Anyone have a few prefetch files from a Win 8 machine they could zip up and send to me please? I only have a handful of Windows 8 images and no prefetch files (assume from size of images that they are SSDs).
I may get a little time to program tonight
Thanks
It would be great to get some files, but do you know what you're going to be programming for?
I have an idea from reading a few blogs Harlan - but keeping an open mind as that's what reverse engineering is about, until you have looked you don't know what you are going to find!
Wow. Seriously?
All I was referring to were the up to eight available time stamps for when the application was last run.
But what an answer. Eesh. I have to wonder if everyone's as reticent to share as this…
I have just offered/shared a free tool; clearly that doesn't count?
I'll be looking at win 8 as soon as I can make some time.
If/when I do my research I may post if I find something new, if I don't I won't. I can't post anything prior to that because as I said above I haven't done the work - struggling to see why you think this makes me reticent to post.
For those who want to parse the Windows 8 prefetch data, the TZworks version seems to do these
New version released which addresses a display bug with the dates - available from the same URL at the forum.
http//