
prefetch and usb key storage  

New Member

Does anyone know if it is possible to check which .pf file has been created by the use of a USB key storage?
As far as I know, when you insert a USB key, a file is created in %windir%/prefetch/ (Windows XP). I would like to go further and identify which key created it.



Posted : 21/06/2005 10:08 am
Community Legend


I've tried opening all of the files in my Prefetch directory in BinText (from Foundstone…looking at Unicode strings), and didn't find anything in any of them that would point to a USB storage device.

If an app were executed from the storage device, you might find a .pf file in the Prefetch directory with that app name, and within it, it would have the path to executable image for the app. I've found this to be the case with Notepad on XP…there are two copies, one in Windows and one in system32. Running each of these specifically will produce .pf files, and the path to the executable image will be listed in each .pf file as a Unicode string.

Having recently completed research into footprints left by USB storage devices on Windows systems, here's something you might try…

1. Go to the Registry on the machine, and navigate to HKLM\System\CurrentControlSet\Enum\USBStor. Locate the device instance ID in question under the key.

2. Within the device instance ID, you will find a subkey that should be 12 or characters long. If the second character is "&", then that means that the device did not have a serial number. Within this key, take a look at the value named "ParentIDPrefix".

3. Go to HKLM\System\MountedDevices and comb through the \DosDevice entries until you find the device name that includes the ParentIDPrefix above. This will be the drive letter assigned to the device.

4. Open the setupapi.log file on the system, and comb through it, looking for the date that the device was first installed on the system. You can use this date and time to correspond with the LastWrite time of the Registry keys under USBStor, and help you locate the correct entry in the Prefetch directory, based on MAC times of the file.

I know this is a lot and may be confusing…let me know if you have any questions.

H. Carvey
"Windows Forensics and Incident Recovery"

Posted : 21/06/2005 1:20 pm
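
The four-step correlation described in the reply above, as an added Python example that is not part of the original thread. It runs over constructed sample data standing in for the USBStor key, the MountedDevices key and setupapi.log (all device names, IDs and timestamps are invented), and assumes the Windows XP layout in which a removable device's MountedDevices data is a UTF-16 device path containing the ParentIdPrefix.

```python
import re

# Constructed sample data (invented values). On a live XP system these come from
# HKLM\System\CurrentControlSet\Enum\USBStor, HKLM\System\MountedDevices, setupapi.log.
USBSTOR = {  # device ID -> {instance ID -> ParentIdPrefix}
    "Disk&Ven_Example&Prod_FlashKey&Rev_1.00": {"0123456789AB&0": "7&1a2b3c4d&0"},
    "Disk&Ven_Generic&Prod_Storage&Rev_2.00": {"6&2f9e11c7&0": "7&5d6e7f80&0"},
}
def _dev(prefix):  # removable media: mount data is a UTF-16LE device path
    path = r"\??\STORAGE#RemovableMedia#" + prefix + r"&RM#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}"
    return path.encode("utf-16-le")
MOUNTED = {
    r"\DosDevices\C:": bytes.fromhex("78563412007e000000000000"),  # fixed disk: binary
    r"\DosDevices\E:": _dev("7&1a2b3c4d&0"),
    r"\DosDevices\F:": _dev("7&5d6e7f80&0"),
}
SETUPAPI_LOG = r"""[2005/06/20 14:32:10 1234.5 Driver Install]
#I123 Doing full install of "USBSTOR\DISK&VEN_EXAMPLE&PROD_FLASHKEY&REV_1.00\0123456789AB&0".
"""

def has_serial(instance_id):
    # Step 2: "&" as the second character means the device reported no serial number.
    return len(instance_id) > 1 and instance_id[1] != "&"

def drive_letters(prefix, mounted):
    # Step 3: \DosDevices entries whose data contains the ParentIdPrefix.
    hits = []
    for name, data in mounted.items():
        text = data.decode("utf-16-le", errors="ignore").lower()
        if name.startswith("\\DosDevices\\") and prefix.lower() in text:
            hits.append(name.rsplit("\\", 1)[-1])
    return sorted(hits)

def first_install(device_id, instance_id, log):
    # Step 4: timestamp of the first setupapi.log section naming this instance.
    needle, stamp = (device_id + "\\" + instance_id).lower(), None
    for line in log.splitlines():
        m = re.match(r"\[(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d) ", line)
        if m:
            stamp = m.group(1)
        elif needle in line.lower():
            return stamp
    return None

def correlate(usbstor, mounted, log):
    return [(dev, inst, has_serial(inst), drive_letters(pfx, mounted), first_install(dev, inst, log))
            for dev, insts in usbstor.items() for inst, pfx in insts.items()]
if __name__ == "__main__":
    for row in correlate(USBSTOR, MOUNTED, SETUPAPI_LOG):
        print(row)
```

The returned install timestamp is the value to compare against the USBStor key LastWrite times and the MAC times of candidate .pf files.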