Prefetch Dump (PFDump)
This EnScript is designed to parse the prefetch files written by the Windows prefetcher (the component that writes them is hosted by the Task Scheduler service on Windows XP and by the Superfetch/SysMain service on later versions). Windows XP to Windows 10 file formats are supported. It's worth noting that Windows 10 prefetch files are compressed using the Xpress+Huffman compression algorithm: they begin with a 'MAM' signature and the uncompressed size instead of the usual 'SCCA' header, and must be decompressed before the normal layout can be parsed.
The prefetcher monitors file-system activity for a short period after the system boots and after each application starts, and records it in a prefetch file. This allows the system to pre-load the necessary data (MFT records, files and folders) in one go rather than returning to the file-system objects to read them again and again. Not only is the prefetch data used during system and application start-up, it is also used to optimize the placement of files on disk during defragmentation. For an examiner, a prefetch file is evidence that the named executable ran and of which files it touched while doing so.
The majority of prefetch files have a file-name consisting of the name of the associated executable, or NTOSBOOT for the boot process, followed by a hyphen and an eight-digit hexadecimal hash value calculated in one of two ways.
If the name represents the boot process then the hash value is a constant (NTOSBOOT-B00DFAAD.pf). If the prefetch file refers to a designated 'hosting application' (an application such as MMC.EXE, DLLHOST.EXE or RUNDLL32.EXE, one that starts another process or loads a component named on its command-line) then the hash is calculated over both the executable's device path and the command-line. If the prefetch file refers to any other application then the hash is derived solely from the executable's device path.
In addition, SVCHOST.EXE is used with command-line parameters which will affect the hash stored in the filename. Though it is not defined as a hosting application, this script will process it like one and check for the commonly used command-line parameters.
The script allows the examiner to process all entries, tagged entries or selected entries in the current view. Regardless of the option chosen, the script will only process those files with a '.pf' file extension and a prefetch file-signature.
Before processing starts, the script will perform a signature-based validation-check and then display a list of the files that will be processed. This list will show whether a prefetch file relates to a hosting application, whether the hash value should be verified and also, for a hosting application, what command-line should be used for the purpose of hash verification. Please note that there may be a slight pause while this list is generated.
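The pre-processing checks described in the two paragraphs above ('.pf' extension, prefetch signature, and recognising a compressed Windows 10 file), as an added Python example that is not part of the EnScript. The sample file header is constructed in the block, the hosting-application list is limited to the names given on this page, and the hash in the file name is cross-checked against the hash field stored at offset 76 of the header, which is a quick way to spot a renamed or tampered file before any hash recalculation is attempted:

```python
import re
import struct

# Header versions found in uncompressed prefetch files
PREFETCH_VERSIONS = {
    0x11: 'Windows XP / 2003',
    0x17: 'Windows Vista / 7',
    0x1A: 'Windows 8.1',
    0x1E: 'Windows 10',
}
HEADER_SIZE = 84

# Hosting applications named on this page; the real designated list is longer.
HOSTING_APPS = {'MMC.EXE', 'DLLHOST.EXE', 'RUNDLL32.EXE', 'SVCHOST.EXE'}


def build_sample_pf(version, exe_name, hash_value, file_size=0x400):
    """Constructed minimal uncompressed prefetch file (header only, zero padded)."""
    name = exe_name.encode('utf-16-le')[:58].ljust(60, b'\x00')   # 60-byte UTF-16LE field
    header = (struct.pack('<I4sII', version, b'SCCA', 0x11, file_size)
              + name
              + struct.pack('<II', hash_value, 0))
    return header.ljust(file_size, b'\x00')


def triage_prefetch(file_name, data):
    """Pre-processing checks: '.pf' extension, SCCA signature (or Windows 10 MAM
    compression), then the header fields and a cross-check of the hash in the
    file name against the hash field stored in the header."""
    result = {'file': file_name}
    if not file_name.lower().endswith('.pf'):
        result['status'] = 'skipped: extension is not .pf'
        return result
    if data[:4] == b'MAM\x04':
        # Windows 10: Xpress+Huffman compressed; offset 4 holds the uncompressed size.
        (uncompressed_size,) = struct.unpack_from('<I', data, 4)
        result.update(status='compressed', compression='Xpress+Huffman',
                      uncompressed_size=uncompressed_size,
                      compressed_size=len(data) - 8)
        return result
    if len(data) < HEADER_SIZE or data[4:8] != b'SCCA':
        result['status'] = 'skipped: no SCCA signature'
        return result
    (version,) = struct.unpack_from('<I', data, 0)
    (declared_size,) = struct.unpack_from('<I', data, 12)
    exe = data[16:76].decode('utf-16-le', errors='replace').split('\x00', 1)[0]
    (header_hash,) = struct.unpack_from('<I', data, 76)
    m = re.match(r'^(.+)-([0-9A-Fa-f]{8})\.pf$', file_name)
    name_hash = int(m.group(2), 16) if m else None
    result.update(
        status='ok',
        version=version,
        windows=PREFETCH_VERSIONS.get(version, 'unknown'),
        executable=exe,
        is_hosting=exe.upper() in HOSTING_APPS,
        declared_size=declared_size,
        size_matches=(declared_size == len(data)),
        header_hash=header_hash,
        name_hash=name_hash,
        hash_consistent=(name_hash == header_hash),
    )
    return result


if __name__ == '__main__':
    sample = build_sample_pf(0x17, 'RUNDLL32.EXE', 0x1A2B3C4D)
    for name, blob in [
        ('RUNDLL32.EXE-1A2B3C4D.pf', sample),
        ('RUNDLL32.EXE-FFFFFFFF.pf', sample),   # renamed file: name and header hash disagree
        ('notes.txt', sample),
        ('SAMPLE.EXE-12345678.pf', b'MAM\x04' + (4096).to_bytes(4, 'little') + b'\x00' * 32),
    ]:
        print(triage_prefetch(name, blob))
```

Decompressing the Windows 10 payload is left out of the example; on a Windows host the ntdll routine RtlDecompressBufferEx with COMPRESSION_FORMAT_XPRESS_HUFF (0x0004) will inflate the data that follows the 8-byte 'MAM' header, after which the same SCCA layout applies.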
Double-clicking on an item in the list will allow the examiner to modify the process options for that item. The available options will depend on whether the prefetch file relates to a hosting application or not.
The option to verify the hash value for a prefetch file will always be enabled for non-hosting applications because it doesn't require any additional information and takes very little time.
For hosting applications the prefetch hash can only be verified by using the command-line that was used to start the application.
Where hash verification is required for a hosting application the script will attempt to verify the hash using the command-line optionally provided by the examiner; it will also use an internal list of common command-lines used to invoke Control Panel tool (cpl) files using RUNDLL32.EXE and Microsoft Management Console (msc) files using MMC.EXE.
This will often give the examiner an indication of the actions the user has taken to configure his/her system. For instance, the RUNDLL32.EXE hosting application may have been used to execute the Date and Time Control Panel tool so that the user could change the system clock or modify time-zone settings.
It's important to understand that hosting apps such as RUNDLL32.EXE can be used for many different purposes and so the internal list of command-lines used by the script is not exhaustive. Not only that but the prefetch hash is case-sensitive and the case-sensitivity of a command-line can vary depending on how it was invoked. For instance, executing the date/time Control Panel tool from the system tray, run-dialog box, command-prompt and by double-clicking on it in the Control Panel itself can all result in different command-lines, some of which differ only by case.
In addition to considering all of the different command-lines that could have been used, the script also has to consider the logical drive-letters that were referred to by the command-line. For instance, the operating system might not have been installed on logical drive C, it might have been installed on drive D - this would be reflected in the prefetch hash value and must therefore be taken into account.
For this reason, the script uses templates of common command lines and inserts the drive letter, cpl/msc file-name and any other relevant options into each one. The examiner has the option of specifying the upper-most drive-letter which is to be used for testing. Note that this process can take considerable time so choosing an upper drive-letter limit of 'Z' is not recommended. If the examiner wishes to see the paths that are being tested then the verbose logging option can be enabled.
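The two hash calculations introduced earlier and the template-based verification described in the last three paragraphs (drive-letter substitution, case variants, an upper drive-letter limit and verbose logging of the paths tried), as an added Python example that is not the EnScript's own code. The two hash functions follow the publicly documented prefetch hash algorithms as I remember them and should be confirmed against a file created on a test system, as the next paragraph suggests; the command-line templates are constructed for illustration rather than copied from the script's internal list, and the way the device path and command-line are combined for a hosting application (a single space between them) is an assumption of this example:

```python
import string

MASK32 = 0xFFFFFFFF


def scca_vista_hash(text):
    """Prefetch hash used from Windows Vista onward (from the public format
    notes, reproduced from memory; verify against a known file). Characters
    are hashed as UTF-16 code units, which for ASCII paths is just ord()."""
    h = 314159
    for ch in text:
        h = (h * 37 + ord(ch)) & MASK32
    return h


def scca_xp_hash(text):
    """Prefetch hash used by Windows XP / 2003 (same caveat as above)."""
    h = 0
    for ch in text:
        h = (h * 37 + ord(ch)) & MASK32
    h = (h * 314159269) & MASK32
    if h > 0x80000000:            # interpret as signed int32 and take the absolute value
        h = 0x100000000 - h
    return (h % 1000000007) & MASK32


def hash_input(device_path, command_line=None):
    """Plain executable: hash the device path only. Hosting application: the
    command-line is appended. ASSUMPTION: joined with a single space."""
    if command_line is None:
        return device_path
    return device_path + ' ' + command_line


def drive_letters(upper='D'):
    """C: up to and including the examiner's chosen upper limit."""
    return [c + ':' for c in string.ascii_uppercase if 'C' <= c <= upper.upper()]


# Constructed (hypothetical) templates; {drive} and {cpl} are filled in per candidate.
RUNDLL32_TEMPLATES = [
    r'{drive}\WINDOWS\SYSTEM32\RUNDLL32.EXE shell32.dll,Control_RunDLL {cpl}',
    r'{drive}\Windows\system32\rundll32.exe {drive}\Windows\system32\shell32.dll,Control_RunDLL {drive}\Windows\system32\{cpl}',
]


def candidate_command_lines(templates, cpl, upper_drive='D'):
    """Expand every template for every drive letter, then try the template's
    own casing plus all-upper and all-lower copies, since the hash is case-sensitive."""
    seen = set()
    for tmpl in templates:
        for drive in drive_letters(upper_drive):
            base = tmpl.format(drive=drive, cpl=cpl)
            for variant in (base, base.upper(), base.lower()):
                if variant not in seen:
                    seen.add(variant)
                    yield variant


def verify_hosting_hash(device_path, expected_hash, templates, cpl,
                        upper_drive='D', hash_fn=scca_vista_hash, verbose=False):
    """Return the first candidate command-line whose hash matches, or None."""
    for cmd in candidate_command_lines(templates, cpl, upper_drive):
        h = hash_fn(hash_input(device_path, cmd))
        if verbose:                           # the script's 'verbose logging' option
            print(f'{h:08X}  {cmd}')
        if h == expected_hash:
            return cmd
    return None


if __name__ == '__main__':
    dev = r'\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\RUNDLL32.EXE'
    # Constructed ground truth: Windows installed on D:, Date and Time applet opened.
    truth = (r'D:\Windows\system32\rundll32.exe D:\Windows\system32\shell32.dll,'
             r'Control_RunDLL D:\Windows\system32\timedate.cpl')
    expected = scca_vista_hash(hash_input(dev, truth))
    print(f'target file name: RUNDLL32.EXE-{expected:08X}.pf')
    print('upper limit C:', verify_hosting_hash(dev, expected, RUNDLL32_TEMPLATES, 'timedate.cpl', 'C'))
    print('upper limit E:', verify_hosting_hash(dev, expected, RUNDLL32_TEMPLATES, 'timedate.cpl', 'E', verbose=True))
```

The search with the limit set to C fails and the one set to E succeeds, which is the point of the upper drive-letter option: every extra letter multiplies the number of candidates by the number of templates and case variants, so it should be raised only as far as the evidence (partition layout, registry) justifies.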
If the examiner wishes to test hash validation then he/she can create prefetch files on his/her own system using the Sysinternals Process Explorer application to identify the command-line for each related process.
In addition to the options already listed, the examiner can specify the bookmark folder name, toggle hash validation for selected files and restrict the number of items in the file-list that will be parsed. The latter exists because the prefetch file associated with certain processes (such as the boot process) can refer to an extremely large number of files, and the examiner may not want all of them. Setting the size limit to -1 instructs the script to parse every file-list regardless of the number of entries it contains.
This version allows the examiner to change the processing order by re-ordering the list of prefetch files shown beforehand. This can be accomplished either by drag and drop, or by sorting one or more columns and then using the 'Adjust Rows' option. By default, files are processed in ascending order of last-written date.