New free tool (prefetch files)  

Page 1 / 2
PaulSanderson
(@paulsanderson)
Senior Member

Recently I had need to look at a large number of prefetch files and as always I like to understand what it is I am looking for, so I wrote Prefetcher.

Prefetcher parses either single prefetch files (or a folder full of them) and breaks the content down into its constituent areas. You first need to create a case file and then either add .pf files singly or as a folder. Prefetcher allows you to change the displayed timezone if required.

The functionality of Prefetcher will be added to Reconnoitre in the near future.

Please visit the free software section on our website (under the forum tab) for more information and the download link, there is no need to register.

http://sandersonforensics.com

Posted : 16/10/2013 9:53 pm
keydet89
(@keydet89)
Community Legend

Does it account for the new information found in Win8 .pf files?

Posted : 16/10/2013 10:40 pm
PaulSanderson
(@paulsanderson)
Senior Member

Not as yet Harlan, the problem it was written to address did not require it. I'll be looking at win 8 as soon as I can make some time.

Paul

Posted : 16/10/2013 11:56 pm
PaulSanderson
(@paulsanderson)
Senior Member

Anyone have a few prefetch files from a Win 8 machine they could zip up and send to me please? I only have a handful of Windows 8 images and no prefetch files (I assume from the size of the images that they are SSDs).

I may get a little time to program tonight.

Thanks

Posted : 17/10/2013 12:33 am
keydet89
(@keydet89)
Community Legend

> Not as yet Harlan, the problem it was written to address did not require it. I'll be looking at win 8 as soon as I can make some time.

It would be great to get some files, but do you know what you're going to be programming for?

Posted : 17/10/2013 1:11 am
PaulSanderson
(@paulsanderson)
Senior Member

I have an idea from reading a few blogs Harlan - but keeping an open mind as that's what reverse engineering is about, until you have looked you don't know what you are going to find!

Posted : 17/10/2013 1:15 am
keydet89
(@keydet89)
Community Legend

> I have an idea from reading a few blogs Harlan - but keeping an open mind as that's what reverse engineering is about, until you have looked you don't know what you are going to find!

Wow. Seriously?

All I was referring to were the up to eight available time stamps for when the application was last run.

But what an answer. Eesh. I have to wonder if everyone's as reticent to share as this…

Posted : 17/10/2013 2:46 am
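To make concrete what the two posters are talking about (Paul's tool breaking a .pf file into its constituent areas, and Harlan's point that Windows 8 files carry up to eight last-run timestamps instead of one), here is an added example: a minimal Python parser for the prefetch header. It is not Prefetcher, not code from either poster, and not a complete .pf parser; it reads the fields an examiner wants first (format version, embedded executable name, prefetch hash, run count, last-run time(s) and the loaded filename strings) for format versions 17 (XP), 23 (Vista/7) and 26 (Windows 8/8.1), using the publicly documented offsets. The sample files it parses are constructed in memory, the hash value in them is made up, and the display timezone is an examiner-chosen parameter as in Paul's tool. Windows 10 files are MAM-compressed and are rejected rather than parsed.

```python
"""Minimal parser for Windows Prefetch (.pf) headers, format versions 17, 23 and 26."""
import struct
from datetime import datetime, timedelta, timezone

WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Absolute offsets of the last-run FILETIME(s) and the run counter, by format version.
# Version 26 (Windows 8) keeps up to eight run times where earlier versions keep one.
LAYOUT = {
    17: {"last_run": 0x78, "n_times": 1, "run_count": 0x90},  # Windows XP / 2003
    23: {"last_run": 0x80, "n_times": 1, "run_count": 0x98},  # Vista / Windows 7
    26: {"last_run": 0x80, "n_times": 8, "run_count": 0xD0},  # Windows 8 / 8.1
}
FILE_INFO_SIZE = {17: 68, 23: 156, 26: 224}  # file-information block after the 84-byte header


def filetime_to_datetime(ft, tz=timezone.utc):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime in tz; 0 means 'slot unused'."""
    if ft == 0:
        return None
    return (WINDOWS_EPOCH + timedelta(microseconds=ft // 10)).astimezone(tz)


def datetime_to_filetime(dt):
    return ((dt - WINDOWS_EPOCH) // timedelta(microseconds=1)) * 10


def parse_prefetch(data, tz=timezone.utc):
    """Return the header fields an examiner cares about; raise on formats this parser does not cover."""
    if data[:3] == b"MAM":
        raise ValueError("compressed prefetch (Windows 10+): decompress before parsing")
    if len(data) < 0x54:
        raise ValueError("too short to be a prefetch file")
    version, signature, _, file_size = struct.unpack_from("<I4sII", data, 0)
    if signature != b"SCCA":
        raise ValueError("bad signature %r" % signature)
    if version not in LAYOUT:
        raise ValueError("unsupported format version %d" % version)
    lay = LAYOUT[version]
    exe_name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    pf_hash = struct.unpack_from("<I", data, 0x4C)[0]
    strings_off, strings_size = struct.unpack_from("<II", data, 0x64)
    raw_times = struct.unpack_from("<%dQ" % lay["n_times"], data, lay["last_run"])
    run_count = struct.unpack_from("<I", data, lay["run_count"])[0]
    strings = data[strings_off:strings_off + strings_size].decode("utf-16-le", "replace")
    return {
        "version": version,
        "file_size": file_size,
        "executable": exe_name,
        "hash": pf_hash,
        "run_count": run_count,
        # Unused slots are zero; keep only real timestamps, converted to the display timezone.
        "last_run": [t for t in (filetime_to_datetime(ft, tz) for ft in raw_times) if t],
        "filenames": [s for s in strings.split("\x00") if s],
    }


def expected_pf_name(parsed):
    """The .pf file on disk should be named EXENAME-HASH.pf; a mismatch is worth a second look."""
    return "%s-%08X.pf" % (parsed["executable"], parsed["hash"])


def build_sample_pf(version, exe_name, run_times, run_count, filenames):
    """Constructed sample (not a capture): header, file-information block, filename strings only."""
    lay = LAYOUT[version]
    strings = "".join(n + "\x00" for n in filenames).encode("utf-16-le")
    info_end = 0x54 + FILE_INFO_SIZE[version]
    buf = bytearray(info_end + len(strings))
    struct.pack_into("<I4sII", buf, 0, version, b"SCCA", 0x11, len(buf))
    buf[0x10:0x10 + 60] = exe_name.encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", buf, 0x4C, 0x7A5A7E8F)  # made-up prefetch hash value
    struct.pack_into("<II", buf, 0x64, info_end, len(strings))
    for i, ft in enumerate(run_times[: lay["n_times"]]):
        struct.pack_into("<Q", buf, lay["last_run"] + 8 * i, ft)
    struct.pack_into("<I", buf, lay["run_count"], run_count)
    buf[info_end:] = strings
    return bytes(buf)


# Constructed Windows 8 sample with three of the eight run-time slots filled, plus a Windows 7 one.
RUNS = [datetime(2013, 10, 16, 21, 53, tzinfo=timezone.utc),
        datetime(2013, 10, 15, 8, 2, tzinfo=timezone.utc),
        datetime(2013, 10, 12, 17, 30, tzinfo=timezone.utc)]
SAMPLE_WIN8 = build_sample_pf(26, "CALC.EXE", [datetime_to_filetime(d) for d in RUNS], 7,
                              [r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL",
                               r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\CALC.EXE"])
SAMPLE_WIN7 = build_sample_pf(23, "NOTEPAD.EXE", [datetime_to_filetime(RUNS[0])], 3,
                              [r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NOTEPAD.EXE"])

if __name__ == "__main__":
    display_tz = timezone(timedelta(hours=1), "BST")  # examiner-chosen display zone
    for blob in (SAMPLE_WIN8, SAMPLE_WIN7):
        info = parse_prefetch(blob, tz=display_tz)
        print(expected_pf_name(info), "v%d" % info["version"], "runs=%d" % info["run_count"])
        for t in info["last_run"]:
            print("   ", t.isoformat())
```

Two checks fall out of this directly: a Windows 8 file whose run count exceeds the number of filled slots only tells you about the last eight executions, and an on-disk name that does not match `expected_pf_name()` (embedded executable name plus hash) means the file was renamed or is not what it claims to be. Bear in mind that real files carry the metrics, trace-chain and volume sections this example skips, and that format version 30 (Windows 10) must be decompressed before any of these offsets apply.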
PaulSanderson
(@paulsanderson)
Senior Member

> But what an answer. Eesh. I have to wonder if everyone's as reticent to share as this…

I have just offered/shared a free tool; clearly that doesn't count?

I'll be looking at win 8 as soon as I can make some time.

If/when I do my research I may post if I find something new; if I don't, I won't. I can't post anything prior to that because as I said above I haven't done the work - struggling to see why you think this makes me reticent to post.

Posted : 17/10/2013 3:13 am
minime2k9
(@minime2k9)
Active Member

For those who want to parse the Windows 8 prefetch data, the TZWorks version seems to do this:

TZWorks Prefetch

Posted : 17/10/2013 12:51 pm
PaulSanderson
(@paulsanderson)
Senior Member

New version released which addresses a display bug with the dates - available from the same URL at the forum.

http://sandersonforensics.com/forum/forumdisplay.php?9-Free-Software

Posted : 18/10/2013 3:28 pm
keydet89
(@keydet89)
Community Legend

> I have just offered/shared a free tool; clearly that doesn't count?

No one took that away from you, Paul. I had asked if the tool addresses updates to Windows 8 Prefetch files, and you responded with, "…I have an idea from reading a few blogs…"; however, you seemed rather reticent to discuss what you'd seen or read in those blogs.

> If/when I do my research I may post if I find something new; if I don't, I won't. I can't post anything prior to that because as I said above I haven't done the work - struggling to see why you think this makes me reticent to post.

Yes, everyone gets that. I was hoping to raise awareness of new artifacts, as well as the fact that when someone comes to a site such as this to ask questions about Windows systems, the version of Windows that they're addressing is critically important.

You'll have to excuse me for going off-topic from this thread, but it really illustrates to me that one of the biggest shortcomings of the DFIR "community" is that it's anything but a community.

Don't get me wrong…I completely support anyone who wants to write a tool and release it for others to use…I'm all about that. But to do so in complete isolation from the rest of the community…that's what's missing. When someone like you, Paul, releases a tool, the vast majority of those who come and download that tool (most won't ever actually use it) will think that because you wrote it, it's complete, and there's no reason to look any further to understand exactly what they're doing.

We need to start acting like a "community", even if it means that the only contribution we make is to ask a question. Why is that important? So that we can start to see trends and needs of the community as a whole.

Posted : 18/10/2013 5:51 pm
aeiforensics
(@aeiforensics)
Junior Member

To chastise Paul for not doing forensic research for you is the height of silliness. Paul has released a tool, he stated that he will do research when he has time, that he'll update that tool at a time of his choosing - plain and simple. Your comments could be read as if just because someone has done some research, they must take their time to answer any question that you have on the topic they investigated. These forums are for the sharing of knowledge - yes, but it is not a requirement that just because you ask a question someone must answer it. You are being overly hard on an individual that wrote a piece of software and then freely shared it with the forensics community for them to use if they desire. There is no requirement for you to use his software, nor is there any requirement that he do your research for you on Windows 8 Prefetch files, but here - here let me Google that for you...

Posted : 18/10/2013 6:45 pm
PaulSanderson
(@paulsanderson)
Senior Member

Harlan - you are completely missing the point. I haven't done any new research so I have nothing to share. I can't be reticent about sharing something that I haven't got to share.

Agree with what you say re communities - but I have shared a hell of a lot over the years and even have a certificate from HTCC staring at me from the office wall in appreciation of the help I have given to people on there, so possibly I am a misplaced target for your ire.

At the end of the day though I am happy with what I have put into the community so I'll leave discussions of sharing at that and get back to doing some work.

Posted : 18/10/2013 7:15 pm
keydet89
(@keydet89)
Community Legend

> To chastise Paul for not doing forensic research for you is the height of silliness.

I wasn't chastising Paul for anything other than simply keeping himself isolated within the community.

Also, I wasn't asking him to do anything for me…I've already written my own tool to parse Windows 8/8.1 Prefetch files and put all of the available time stamps into a timeline.

Posted : 18/10/2013 9:16 pm
keydet89
(@keydet89)
Community Legend

Paul,

> Harlan - you are completely missing the point. I haven't done any new research so I have nothing to share. I can't be reticent about sharing something that I haven't got to share.

I don't think I'm missing the point at all.

I'm not chastising you for anything…particularly not sharing. I commend you for making your tools available.

What I am saying is that information has been available on the Internet for some time now regarding new information available in Windows 8 Prefetch files.

I find it unfortunate that you choose to keep yourself isolated in the manner that you do. There are too many smart people such as yourself, that if you were willing to work together, correspond, and engage, greater things might be available to the community.

Posted : 18/10/2013 9:20 pm