Wednesday, January 16, 2013

Backtrack Forensics: analyzing prefetch files with pref.pl

Menu: Forensics -> Forensic Analysis Tools
Directory: /pentest/forensics/pref.pl/

pref.pl is a Perl script that parses Windows XP/Vista/7 prefetch files. Windows uses these files to cache information about the boot process or an application run (which DLLs and other files were loaded), so the OS can pre-load those files and optimize their location on the hard disk, letting the application start and the boot finish faster. (By the way, prefetching should be disabled when using an SSD, because an SSD accesses any file at the same speed and does not like frequent rewrites.)

Usage:

The script was written for Windows, so first of all we need to modify line 55 to something like this (removing the "\\" appended to the end of the path):
opendir(DIR,$config{dir}) || die "Could not open ".$config{dir}.": $!\n";

otherwise we get a "No such file or directory" error, because Linux won't understand the "\" in the path.

./pref.pl -d /root/forensics/Prefetch
This parses all files in the given directory and returns, for each one, the executable name, when the associated application was last run, and how many times it has been run.


./pref.pl -f /root/forensics/Prefetch/CMD.EXE-087B4001
This parses an individual file and shows us the application name, path, system volume name and volume serial number.


./pref.pl -p -i -f /root/forensics/Prefetch/CMD.EXE-087B4001
This additionally shows the files loaded by the application, which is basically the most important cached information.


The "-v" option is needed to parse Vista files; however, I tried it with Windows 7 files and it processed them just fine even without the option being specified.
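Why a version switch exists at all: the XP (version 17) and Vista/7 (version 23) headers store the last-run time and run count at different offsets. The following Python parser is an added example, not pref.pl's own code (which is Perl); the offsets are those of the documented SCCA prefetch header layout, and the sample files it parses are constructed in the block, not real prefetch files.

```python
import struct
from datetime import datetime, timedelta, timezone

# (last-run FILETIME offset, run-count offset) per prefetch format version:
# 17 = Windows XP, 23 = Windows Vista/7.
LAYOUT = {17: (0x78, 0x90), 23: (0x80, 0x98)}

def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100-ns ticks since 1601-01-01 UTC) to a datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_prefetch(data):
    """Return the fields pref.pl -d reports: exe name, hash, last run time, run count."""
    if len(data) < 0x54 or data[4:8] != b"SCCA":
        raise ValueError("not a prefetch file (missing SCCA signature at offset 4)")
    version, = struct.unpack_from("<I", data, 0)
    if version not in LAYOUT:
        raise ValueError("unsupported prefetch version %d" % version)
    # Executable name: 60 bytes of UTF-16LE at 0x10, NUL-terminated.
    exe_name = data[0x10:0x4C].decode("utf-16-le").split("\x00", 1)[0]
    pf_hash, = struct.unpack_from("<I", data, 0x4C)  # the hash in the .pf file name
    run_time_off, run_count_off = LAYOUT[version]
    last_run, = struct.unpack_from("<Q", data, run_time_off)
    run_count, = struct.unpack_from("<I", data, run_count_off)
    return {
        "version": version,
        "exe_name": exe_name,
        "hash": "%08X" % pf_hash,
        "last_run": filetime_to_datetime(last_run),
        "run_count": run_count,
    }

def build_sample(version, exe_name, pf_hash, last_run_ft, run_count):
    """Constructed test data: a minimal header of the given version, not a real file."""
    size = 0x98 if version == 17 else 0xF0  # header + file-information block
    buf = bytearray(size)
    struct.pack_into("<I4sII", buf, 0, version, b"SCCA", 0x0F if version == 17 else 0x11, size)
    buf[0x10:0x10 + len(exe_name) * 2] = exe_name.encode("utf-16-le")
    struct.pack_into("<I", buf, 0x4C, pf_hash)
    run_time_off, run_count_off = LAYOUT[version]
    struct.pack_into("<Q", buf, run_time_off, last_run_ft)
    struct.pack_into("<I", buf, run_count_off, run_count)
    return bytes(buf)

if __name__ == "__main__":
    # Constructed FILETIME for 2013-01-16 12:00:00 UTC; hash taken from the file name above.
    ft = 130028112000000000
    for ver in (17, 23):
        print(parse_prefetch(build_sample(ver, "CMD.EXE", 0x087B4001, ft, 5)))
```

Reading the run count from the XP offset on a Vista/7 file would return bytes from the wrong field, which is why a parser must branch on the version word before trusting the timestamp it prints.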

Official website: http://code.google.com/p/winforensicaanalysis/
