Archive for April, 2011
Seasoned forensic investigators know the value of Windows prefetch files. A prefetch file is created by a mechanism Windows uses to increase the performance of the program loader. These files contain important program loader information such as DLL dependencies, module sizes, file paths, last run date, run count, etc. The value of prefetch files to an investigator is significant.
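To show what that metadata looks like on disk, here is an added Python example (not PFDump's code and not from the original post) that parses an uncompressed XP/Vista/7 prefetch header for the executable name, hash, last run time, run count and loaded-file list; the field offsets follow the publicly documented format, and the sample file it parses is constructed inside the block rather than taken from a real system.

```python
import struct
from datetime import datetime, timedelta, timezone

# Offsets for uncompressed .pf files: version 17 (XP/2003) and 23 (Vista/7), per libscca's
# format notes; Windows 8/10 files (versions 26/30, MAM-compressed) are out of scope here.
HEADER_LEN = {17: 152, 23: 240}
LAST_RUN_OFF = {17: 120, 23: 128}     # 8-byte FILETIME
RUN_COUNT_OFF = {17: 144, 23: 152}    # 4-byte little-endian count
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):  # FILETIME = 100 ns ticks since 1601-01-01 UTC
    return EPOCH + timedelta(microseconds=ft // 10)
def datetime_to_filetime(dt):  # inverse, integer arithmetic only (no float rounding)
    d = dt - EPOCH
    return (d.days * 86400 + d.seconds) * 10**7 + d.microseconds * 10

def parse_prefetch(data):
    """Pull the loader metadata an investigator cares about out of a raw .pf image."""
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != b"SCCA" or version not in HEADER_LEN:
        raise ValueError("not an uncompressed v17/v23 prefetch file: sig=%r version=%d" % (sig, version))
    exe_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    pf_hash = struct.unpack_from("<I", data, 76)[0]
    names_off, names_size = struct.unpack_from("<II", data, 100)  # filename-strings section
    last_run = struct.unpack_from("<Q", data, LAST_RUN_OFF[version])[0]
    run_count = struct.unpack_from("<I", data, RUN_COUNT_OFF[version])[0]
    blob = data[names_off:names_off + names_size].decode("utf-16-le")  # NUL-separated paths
    return {"version": version, "executable": exe_name, "hash": "%08X" % pf_hash,
            "last_run": filetime_to_datetime(last_run), "run_count": run_count,
            "loaded_files": [p for p in blob.split("\x00") if p]}

def build_sample(version, exe, paths, last_run_ft, run_count, pf_hash=0x1A2B3C4D):
    """Assemble a minimal .pf image (constructed test data, not a capture from a real host)."""
    hdr_len = HEADER_LEN[version]
    names = "".join(p + "\x00" for p in paths).encode("utf-16-le")
    buf = bytearray(hdr_len + len(names))
    struct.pack_into("<I4sII", buf, 0, version, b"SCCA", 0x0F, len(buf))
    buf[16:16 + 2 * len(exe)] = exe.encode("utf-16-le")
    struct.pack_into("<I", buf, 76, pf_hash)
    struct.pack_into("<II", buf, 100, hdr_len, len(names))
    struct.pack_into("<Q", buf, LAST_RUN_OFF[version], last_run_ft)
    struct.pack_into("<I", buf, RUN_COUNT_OFF[version], run_count)
    buf[hdr_len:] = names
    return bytes(buf)

SAMPLE_LAST_RUN = datetime(2011, 4, 1, 12, 0, tzinfo=timezone.utc)
VOL = r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32"
SAMPLE = build_sample(23, "NOTEPAD.EXE", [VOL + r"\NTDLL.DLL", VOL + r"\NOTEPAD.EXE"],
                      datetime_to_filetime(SAMPLE_LAST_RUN), run_count=7)
```

Feeding `parse_prefetch` the bytes of a real `C:\Windows\Prefetch\*.pf` file from an XP, Vista or 7 host gives the same dictionary; a compressed Windows 8/10 file fails the signature check rather than returning garbage.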
Unfortunately, most commercial forensic tools do not provide an easy way to examine this treasure of forensic evidence. So, like any other problem – instead of complaining about it I did something about it.
Today, I am releasing PFDump to the forensic community.
The tool has the following features:
- Lightweight, fast, and flexible command line tool.
- Extracts forensic metadata from a Windows prefetch file.
- Analyzes a single prefetch file or a folder containing multiple prefetch files.
- Analyzes prefetch files on a live system for incident responders.
- Dumps prefetch metadata to stdout, TXT, HTML, or XML files.
- Computes MD5 and SHA1 hashes for each prefetch file.
- Self-contained binary – no other dependencies.
- Runs on Windows XP, Vista, 7.
- Documentation is included in the download zip file.
Common uses include:
- Identifying applications run on a Windows host and when.
- Identifying the full path to an executable run on a Windows host.
- Identifying how many times an application has been run.
- Searching and sorting by application execution time.
- Creating a timeline of applications run on a Windows host.
Download the tool and let me know how it works for you.