Thursday, April 13, 2006

Prefetch files, revisited

I was listening to the latest CyberSpeak podcast (8 Apr) today, and picked up a little tidbit. With regard to those .pf files located in the Prefetch directory on Windows XP, Ovie and Bret stated that the DWORD located at offset 0x90 in the file records the number of times that particular application was launched, with the caveat that this does not apply to those applications autostarted (as via Registry entries). So this will tell you how many times the user launched that application.

Also, the guys said that the 2 DWORDs located at offset 0x78 are the FILETIME object for the time that the application was last launched. This should probably correlate with the last write time on the .pf file itself.

Anyone have any other tidbits like this that can be incorporated into a nice little Perl script? ;-)

1 comment:

mar3k said...

Hello
I found your post while googling for Prefetch forensics. However, I found some information that the Prefetch counter isn't so precise. Here is some short information (unfortunately in Polish, but Google Translate does a very good job with that text).