SANS Digital Forensics and Incident Response Blog

Prefetch Parser v1.4 released

I have updated Prefetch Parser. The program was mentioned in Chad Tilbury's blog entry "De-mystifying Defrag: Identifying When Defrag Has Been Used for Anti-Forensics (Part 1: Windows XP)". The main updates to the program are as follows:

  1. Added a Windows 7 option to the drop-down box.
  2. Released all the code under the GPL (Parse_Prefetch_Info.pl and prefetch_parser_gui.au3).
  3. Made parse_prefetch_info callable from the command line (pass the -h flag, or no arguments, to get the syntax).
  4. Added parsing of the Layout.ini file and a report of all programs/prefetch files listed in it.
  5. Added a new report that lists the distinct devices/volumes/directories, with hyperlinks to the prefetch files that reference them.
  6. Added a Cancel button that actually stops the run.
  7. Added output in XML, CSV and TAB-delimited formats.
  8. Added a debugging trace file, created on every run, so that if there are problems I can use it to see where the bug is.
  9. Made the case name optional; when none is entered the program creates a temporary file in the user's temp directory.

The updated GUI program screen looks like this now:

[Screenshot: Main_Program]

Once you enter all the information and run the program you will get a series of reports. The main report has not changed, so I have not included it here. The new "Distinct Path Report" looks like this:

[Screenshot: distinct_Path_report]

As you can see, it lists every distinct device/mount point/directory found across the prefetch files. Each entry is a hyperlink to the prefetch files whose path information contains that directory. Clicking the example above takes you to the following report:

[Screenshot: Individual_report]

This report shows which prefetch files contain that distinct path. The next report is the individual prefetch report itself; from it you can see which file was run from that distinct path.

[Screenshot: Individual_report_blowup]

Prefetch Parser will help digital forensics investigators track down rogue programs that may have been run from unexpected places. With the previous version one had to hunt through all of the individual reports for this information. Since the data was already available but not reported on, this seemed a simple way to cut down on that work.
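As an added illustration of what sits behind a report like this (this is example code written for this page, not Prefetch Parser's own Perl or AutoIt code), the following Python block parses uncompressed XP/Vista/7 prefetch files and builds the same kind of distinct-path aggregation over several of them. Field offsets follow the publicly documented SCCA layout (libscca); only the version 17 (XP) layout is exercised by the constructed sample files, whose names, paths, serial number and hash values are made up for the example. The allowlist of "expected" directories passed to ran_from_unexpected is an analyst assumption, not something the format provides.

```python
# Added example: parse uncompressed Windows prefetch files and build a
# distinct-path report. Not Prefetch Parser's code; layout per libscca docs.
import struct
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Per format version: (last-run FILETIME offset, run-count offset, volume-entry size).
# Only version 17 (XP) is exercised by the constructed sample below.
LAYOUT = {17: (120, 144, 40), 23: (128, 152, 104), 26: (128, 208, 104)}


def filetime_to_iso(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> ISO 8601 string."""
    return (datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)).isoformat()


def utf16(data, off, nchars):
    return data[off:off + nchars * 2].decode("utf-16-le")


def parse_prefetch(data):
    """Parse one uncompressed .pf file (versions 17/23/26) into a dict."""
    version, sig, _unk, _size = struct.unpack_from("<I4sII", data, 0)
    if sig != b"SCCA" or version not in LAYOUT:
        raise ValueError("not an uncompressed SCCA prefetch file (Win8+ files need decompressing first)")
    exe = data[16:76].decode("utf-16-le").split("\x00")[0]
    (pf_hash,) = struct.unpack_from("<I", data, 76)
    str_off, str_size, vol_off, vol_count, _vol_size = struct.unpack_from("<5I", data, 100)
    lastrun_off, runcount_off, vol_entry = LAYOUT[version]
    (last_run,) = struct.unpack_from("<Q", data, lastrun_off)
    (run_count,) = struct.unpack_from("<I", data, runcount_off)
    # Section C: NUL-terminated UTF-16LE device paths of every file touched at start-up.
    files = [f for f in data[str_off:str_off + str_size].decode("utf-16-le").split("\x00") if f]
    volumes = []  # Section D: one entry per volume; its inner offsets are relative to vol_off.
    for i in range(vol_count):
        dev_off, dev_len, _ctime, serial, _fr_off, _fr_size, dir_off, dir_count = \
            struct.unpack_from("<IIQIIIII", data, vol_off + i * vol_entry)
        pos, dirs = vol_off + dir_off, []
        for _ in range(dir_count):  # each: 2-byte char count, string, 2-byte NUL
            (n,) = struct.unpack_from("<H", data, pos)
            dirs.append(utf16(data, pos + 2, n))
            pos += 2 + n * 2 + 2
        volumes.append({"device": utf16(data, vol_off + dev_off, dev_len),
                        "serial": "%08X" % serial, "directories": dirs})
    return {"version": version, "exe": exe, "hash": "%08X" % pf_hash, "run_count": run_count,
            "last_run": filetime_to_iso(last_run), "files": files, "volumes": volumes}


def exe_path(parsed):
    """Full device path the executable itself was loaded from (its own entry in section C)."""
    return next((f for f in parsed["files"] if f.rsplit("\\", 1)[-1] == parsed["exe"]), None)


def distinct_path_report(pf_set):
    """Distinct directory -> sorted prefetch files referencing it (the Distinct Path Report idea)."""
    report = defaultdict(set)
    for name, p in pf_set.items():
        for vol in p["volumes"]:
            for d in vol["directories"]:
                report[d].add(name)
    return {d: sorted(v) for d, v in sorted(report.items())}


def ran_from_unexpected(pf_set, expected_dirs):
    """(pf name, exe path, run count) for executables whose own directory is not in the
    analyst-supplied allowlist (assumption: the normal program locations are known)."""
    hits = []
    for name, p in pf_set.items():
        path = exe_path(p)
        if path and path.rsplit("\\", 1)[0] not in expected_dirs:
            hits.append((name, path, p["run_count"]))
    return sorted(hits)


def build_prefetch_v17(exe, files, device, dirs, run_count, last_run, pf_hash=0):
    """CONSTRUCTED test data: a minimal version-17 file with empty metrics/trace-chain arrays."""
    z = lambda s: s.encode("utf-16-le") + b"\x00\x00"
    strings, devpath = b"".join(z(f) for f in files), z(device)
    vol = struct.pack("<IIQIIIIII", 40, len(device), 0, 0x1234ABCD, 0, 0, 40 + len(devpath), len(dirs), 0)
    vol += devpath + b"".join(struct.pack("<H", len(d)) + z(d) for d in dirs)
    str_off = 84 + 68                      # fixed header + version-17 file information
    vol_off = str_off + len(strings)
    hdr = struct.pack("<I4sII", 17, b"SCCA", 0, vol_off + len(vol))
    hdr += exe.encode("utf-16-le").ljust(60, b"\x00") + struct.pack("<II", pf_hash, 0)
    info = struct.pack("<9IQ16sII", str_off, 0, str_off, 0, str_off, len(strings), vol_off, 1, len(vol),
                       last_run, b"\x00" * 16, run_count, 0)
    return hdr + info + strings + vol


DEV = "\\DEVICE\\HARDDISKVOLUME1"
SYS32, TEMP = DEV + "\\WINDOWS\\SYSTEM32", DEV + "\\DOCUME~1\\USER\\LOCALS~1\\TEMP"
FT_2009_11_01 = (11644473600 + 1257033600) * 10**7  # 2009-11-01T00:00:00Z as FILETIME
SAMPLES = {  # constructed, not evidence from any real system; hash values are arbitrary
    "CMD.EXE-087B4001.pf": build_prefetch_v17("CMD.EXE", [SYS32 + "\\NTDLL.DLL", SYS32 + "\\CMD.EXE"],
                                              DEV, [DEV + "\\WINDOWS", SYS32], 12, FT_2009_11_01, 0x087B4001),
    "SVCH0ST.EXE-3A1F2C9B.pf": build_prefetch_v17("SVCH0ST.EXE", [SYS32 + "\\NTDLL.DLL", TEMP + "\\SVCH0ST.EXE"],
                                                  DEV, [SYS32, TEMP], 3, FT_2009_11_01 + 36 * 10**9, 0x3A1F2C9B),
}
PARSED = {name: parse_prefetch(blob) for name, blob in SAMPLES.items()}

if __name__ == "__main__":
    for d, names in distinct_path_report(PARSED).items():
        print(d, "->", ", ".join(names))
    for name, path, runs in ran_from_unexpected(PARSED, {SYS32}):
        print("UNEXPECTED:", name, "ran", runs, "time(s) from", path)
```

Running it prints each distinct directory with the prefetch files that reference it, then flags SVCH0ST.EXE as having been run from the user's temp directory. On a real image you would replace SAMPLES with the bytes of each .pf file under the Windows prefetch directory and widen the allowlist to the locations that are normal for that system; the directory strings come from the volume section, so a directory only ever appears in the report if some prefetched program touched a file inside it.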

If there are any comments, suggestions or problems, please let me know. The program can be found here.

Mark McKinnon, GCFA is Principal of RedWolf Computer Forensics, where he has written many tools that are used throughout the computer forensics community. You can follow Mark on Twitter at @markmckinnon.