FCNS_PF

FCNS_PF is an EnScript that carves and parses Windows prefetch files.

[Screenshot: FCNS PF 01]

Open an existing case or create a new one, add evidence, then launch this EnScript. The following options are available.

  • Target
    • Selected: the blue-checked files/objects
    • Other: *.pf, $LogFile, pagefile.sys, Unallocated Clusters; each can be enabled or disabled with its own check box
  • Filtering Option
    • Min Size/Max Size: lower and upper bound, in KB, for the size of a carved prefetch file; a hit whose size field falls outside this range is discarded
    • Only search the start of each sector: restricts the signature search to the beginning of each sector; the run may take longer when this option is chosen
  • Export
    • LEF File: path of the logical evidence file into which carved prefetch files are written
    • TSV File: path of the tab-separated file into which the parsed results are written

Download

FCNS_PF_0.8.EnPack (SHA1: 164136174e6473178b96ed60a689441ef94843ee)

License

You may use the SOFTWARE freely for personal or commercial purposes. It is provided with NO WARRANTIES.

Requirements

EnCase 7.x

Background

A Windows prefetch file holds information that Windows uses to speed up application start-up, such as the last start-up time, the run count, and the files read during start-up.

Several tools parse prefetch files, but few carve them with the correct size. This EnScript was written to fill that gap.

Feature

FCNS_PF searches for the following prefetch file signatures (format version at bytes 0-3, followed by "SCCA"):

\x11\x00\x00\x00\x53\x43\x43\x41 // XP/2003
\x17\x00\x00\x00\x53\x43\x43\x41 // Vista/7
\x1a\x00\x00\x00\x53\x43\x43\x41 // 8.1

Bytes 12-15 of the header hold the size of the prefetch file. FCNS_PF reads this value and carves exactly that many bytes from the hit, so the carved file has an accurate size rather than a fixed or guessed one. Carved files are stored in the LEF; parsed results are recorded in the TSV.
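The carving logic described above, as an added Python example that is not the EnScript's own code: it scans a buffer for the three signatures, reads the size at bytes 12-15, applies the Min/Max size and sector-start options, skips hits that would run past the end of the buffer, and parses the common header (executable name at bytes 16-75, hash at 76-79) plus the run count and last-run time at version-dependent offsets taken from the ForensicsWiki layout cited below. The "unallocated" image, the executable names, the hash value and the timestamp are all constructed for the example.

```python
"""Carve and parse Windows prefetch (.pf) files from a raw byte buffer.

Common header (format versions 0x11 / 0x17 / 0x1a), per ForensicsWiki:
  0-3   format version: 0x11 XP/2003, 0x17 Vista/7, 0x1a 8.1
  4-7   signature b"SCCA"
  12-15 file size, little-endian uint32 (the value the carver trusts)
  16-75 executable name, UTF-16LE, NUL-terminated, at most 60 bytes
  76-79 prefetch hash, uint32
Run count and last-run FILETIME sit at version-dependent offsets.
"""
import re
import struct
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

SIGNATURE = b"SCCA"
SECTOR = 512
# version -> (offset of the (first) last-run FILETIME, offset of the run count)
VERSION_FIELDS = {0x11: (120, 144), 0x17: (128, 152), 0x1A: (128, 208)}
# The same three signatures FCNS_PF searches for, as one byte regex.
HEADER_RE = re.compile(rb"[\x11\x17\x1a]\x00\x00\x00SCCA")
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_utc(ft: int) -> Optional[datetime]:
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; None if zero."""
    return None if ft == 0 else EPOCH_1601 + timedelta(microseconds=ft // 10)


@dataclass
class Prefetch:
    offset: int            # where the header was found in the scanned buffer
    version: int
    size: int              # value of bytes 12-15
    exe_name: str
    pf_hash: int
    run_count: int
    last_run: Optional[datetime]
    data: bytes            # the carved bytes, exactly `size` long


def parse_prefetch(data: bytes, offset: int = 0) -> Prefetch:
    """Parse one complete prefetch file image. Raises ValueError on a bad header."""
    if len(data) < 84:
        raise ValueError("shorter than the 84-byte common header")
    version, sig, _unknown, size = struct.unpack_from("<I4sII", data, 0)
    if sig != SIGNATURE or version not in VERSION_FIELDS:
        raise ValueError(f"not a supported prefetch header at {offset:#x}")
    lr_off, rc_off = VERSION_FIELDS[version]
    if size != len(data) or size < rc_off + 4:
        raise ValueError(f"size field {size} does not match {len(data)} bytes of data")
    exe_name = data[16:76].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    (pf_hash,) = struct.unpack_from("<I", data, 76)
    (last_run_ft,) = struct.unpack_from("<Q", data, lr_off)
    (run_count,) = struct.unpack_from("<I", data, rc_off)
    return Prefetch(offset, version, size, exe_name, pf_hash, run_count,
                    filetime_to_utc(last_run_ft), data)


def carve(buf: bytes, min_kb: int = 1, max_kb: int = 1024,
          sector_start_only: bool = False) -> List[Prefetch]:
    """Find prefetch headers in buf and carve each one using its own size field.

    Mirrors FCNS_PF's options: a Min/Max size filter in KB and an optional
    restriction to headers that start on a 512-byte sector boundary.
    Hits whose size runs past the end of buf are truncated and skipped.
    """
    found, pos = [], 0
    while (m := HEADER_RE.search(buf, pos)) is not None:
        off = m.start()
        pos = off + 1                       # default: keep scanning from the next byte
        if sector_start_only and off % SECTOR:
            continue
        if len(buf) - off < 16:
            break
        (size,) = struct.unpack_from("<I", buf, off + 12)
        if not min_kb * 1024 <= size <= max_kb * 1024:
            continue                        # implausible size: noise, not a prefetch file
        if off + size > len(buf):
            continue                        # truncated: cannot carve with an accurate size
        try:
            found.append(parse_prefetch(buf[off:off + size], off))
        except ValueError:
            continue
        pos = off + size                    # skip the body we just carved
    return found


def to_tsv(pfs: List[Prefetch]) -> str:
    """Render carved results as tab-separated rows, like the EnScript's TSV output."""
    rows = ["Offset\tVersion\tSize\tName\tHash\tRunCount\tLastRun(UTC)"]
    for p in pfs:
        last = p.last_run.isoformat() if p.last_run else ""
        rows.append(f"{p.offset}\t{p.version:#04x}\t{p.size}\t{p.exe_name}\t"
                    f"{p.pf_hash:08X}\t{p.run_count}\t{last}")
    return "\n".join(rows)


# ---- constructed sample data (not real evidence) ---------------------------
def build_sample_pf(version, exe_name, run_count, last_run, size) -> bytes:
    """Build a minimal prefetch image with only the header fields populated."""
    lr_off, rc_off = VERSION_FIELDS[version]
    body = bytearray(size)
    struct.pack_into("<I4sII", body, 0, version, SIGNATURE, 0x0F, size)
    name = exe_name.encode("utf-16-le")
    body[16:16 + len(name)] = name
    struct.pack_into("<I", body, 76, 0xDEADBEEF)          # arbitrary hash value
    ft = 0 if last_run is None else int((last_run - EPOCH_1601).total_seconds()) * 10_000_000
    struct.pack_into("<Q", body, lr_off, ft)
    struct.pack_into("<I", body, rc_off, run_count)
    return bytes(body)


def build_sample_image() -> bytes:
    """8 KiB of 'unallocated clusters': two good headers and two decoys."""
    last_run = datetime(2015, 4, 19, 12, 30, 0, tzinfo=timezone.utc)
    img = bytearray(8192)
    img[512:2560] = build_sample_pf(0x17, "CALC.EXE", 5, last_run, 2048)        # sector-aligned
    img[2600:4136] = build_sample_pf(0x11, "NOTEPAD.EXE", 12, None, 1536)       # mid-sector
    struct.pack_into("<I4sII", img, 4608, 0x1A, SIGNATURE, 0, 50 * 1024 * 1024)  # absurd size
    struct.pack_into("<I4sII", img, 7680, 0x17, SIGNATURE, 0, 4096)             # runs past end
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    print(to_tsv(carve(image)))                            # both real headers
    print(to_tsv(carve(image, sector_start_only=True)))    # only CALC.EXE
```

Two details matter for accuracy. Trusting the size field is what gives an exact carve, but it is also why the Min/Max filter and the end-of-buffer check exist: a stray "SCCA" preceded by a plausible version byte will carry a random size, and a header near the end of a chunk of unallocated space cannot be carved completely. Advancing past a successfully carved body also avoids re-matching anything inside it.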

[Screenshot: FCNS PF 02]

If FCNS_PF finds the full path of the executable, it shows that path in the Name column. FCNS_PF does not verify the prefetch hash against the full path, nor does it list the file, folder and volume information stored in the prefetch file. If you need that information, use another tool.

A prefetch file is normally rewritten each time the corresponding application is launched, and Windows keeps at most 128 (Windows XP through 7) or 1024 (Windows 8 and later) prefetch files. Older copies therefore tend to survive only as deleted data, so it is worth carving unallocated clusters as well.

Reference

Prefetch - ForensicsWiki
http://www.forensicswiki.org/wiki/Prefetch

History

2015/04/19

I added "VSS" to Target - Other. However, the results may contain noise because the EnScript does not parse the VSS structure. It is recommended if you have found PF files in a VSS store. The EnScript now also adjusts the time zone to that of the evidence.