The Prefetch file

In this section we present the main structures and data contained in a Prefetch file, which depend on the Windows operating system version.

The full documentation, including all the offsets, is available on the Wiki of the tool repository. We will do our best to keep it up to date.

The file is composed of 5 main sections:

  1. The header
  2. Section A (purpose still unknown)
  3. Section B (purpose still unknown)
  4. Section C, containing the fileset information
  5. One or more sections D (one per volume involved in the program loading phase), containing the directoryset and volume information

The header

  • Length: 120 bytes (the 84-byte fixed header followed by the 36 bytes of section offsets and counts)
  • Content
    • version of the file format (0x11 = WinXP, 0x17 = Vista/Win7, 0x1a = Win8)
    • Magic signature (“SCCA”)
    • Size of the prefetch file
    • Application name (60-byte UTF-16LE field, so at most 29 characters plus the NUL terminator)
    • Hash of the executable path (the hex value after the dash in the prefetch filename)
    • Blocks describing offsets, number of entries and/or lengths of the remaining sections

After this fixed, version-independent part comes version-dependent data that is still worth parsing:

  • the last run timestamp (a 64-bit FILETIME, in UTC)
  • the number of times the program has been executed
  • up to 7 previous run timestamps (Windows 8 and above keep 8 slots; unused slots are zero)

Windows 10 later introduced format version 0x1e with a compressed layout, which is outside the scope of this post.
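As an added example (not code from the post's tool), here is a parser for the header and the version-dependent run information described above. The absolute offsets of the timestamps and run count per format version, and the 60-byte UTF-16LE name field, are taken from the public format documentation; the sample bytes are constructed inline with struct and are not a real prefetch file. The optional filename check is an assumption-free sanity test a practitioner would want: the on-disk name must be NAME-HASH.pf, otherwise the file was renamed or moved.

```python
import os
import struct
from datetime import datetime, timedelta, timezone

# Absolute offsets of the version-dependent fields that follow the 120-byte
# header, per format version (0x11 = XP, 0x17 = Vista/7, 0x1a = Win8).
LAYOUTS = {
    0x11: {"os": "WinXP", "times_off": 120, "slots": 1, "count_off": 144},
    0x17: {"os": "Win7",  "times_off": 128, "slots": 1, "count_off": 152},
    0x1a: {"os": "Win8",  "times_off": 128, "slots": 8, "count_off": 208},
}
HEADER_LEN = 120
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Exact integer inverse of filetime_to_datetime (used to build the sample)."""
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_header(data, filename=None):
    """Parse the fixed header plus the version-dependent run information."""
    if len(data) < HEADER_LEN:
        raise ValueError("file too short for a prefetch header")
    version, magic, _unknown, size = struct.unpack_from("<I4sII", data, 0)
    if magic != b"SCCA":
        raise ValueError("bad magic %r, not a prefetch file" % magic)
    if version not in LAYOUTS:
        raise ValueError("unsupported format version 0x%x" % version)
    if size != len(data):
        raise ValueError("size field %d does not match file length %d" % (size, len(data)))
    layout = LAYOUTS[version]
    app_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    path_hash = struct.unpack_from("<I", data, 76)[0]
    (a_off, a_count, b_off, b_count, c_off, c_len,
     d_off, d_count, d_len) = struct.unpack_from("<9I", data, 84)
    # Every section must start inside the file; a parser that skips this
    # check can be made to read past its buffer by a crafted .pf file.
    for off in (a_off, b_off, c_off, d_off):
        if off > size:
            raise ValueError("section offset 0x%x lies outside the file" % off)
    raw_times = struct.unpack_from("<%dQ" % layout["slots"], data, layout["times_off"])
    run_count = struct.unpack_from("<I", data, layout["count_off"])[0]
    info = {
        "version": version,
        "os": layout["os"],
        "size": size,
        "app_name": app_name,
        "hash": "%08X" % path_hash,
        "run_count": run_count,
        # Windows 8 keeps eight slots, newest first; unused slots are zero.
        "run_times": [filetime_to_datetime(t) for t in raw_times if t],
        "sections": {"A": (a_off, a_count), "B": (b_off, b_count),
                     "C": (c_off, c_len), "D": (d_off, d_count, d_len)},
    }
    if filename is not None:
        # The on-disk name is NAME-HASH.pf; a mismatch means the file was
        # renamed or copied from elsewhere, which matters for a timeline.
        stem = os.path.basename(filename).rsplit(".", 1)[0].upper()
        info["name_matches_hash"] = stem == "%s-%s" % (app_name.upper(), info["hash"])
    return info


def build_sample_win8():
    """Constructed Windows 8 (0x1a) header for the demo; not a real file."""
    buf = bytearray(84 + 224)  # fixed header + Win8 file information block
    struct.pack_into("<I4sII", buf, 0, 0x1a, b"SCCA", 0x0f, len(buf))
    buf[16:76] = "ACMSETUP.EXE".encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", buf, 76, 0x3E855E3C)
    end = len(buf)  # no real sections in this sample, so all point at EOF
    struct.pack_into("<9I", buf, 84, end, 0, end, 0, end, 0, end, 0, 0)
    runs = [datetime(2013, 3, 13, 13, 21, 32, tzinfo=timezone.utc),
            datetime(2013, 3, 13, 13, 17, 59, tzinfo=timezone.utc),
            datetime(2013, 3, 13, 13, 10, 40, tzinfo=timezone.utc)]
    struct.pack_into("<3Q", buf, 128, *(datetime_to_filetime(t) for t in runs))
    struct.pack_into("<I", buf, 208, 4)  # executed four times
    return bytes(buf)


if __name__ == "__main__":
    for key, value in parse_header(build_sample_win8(), "ACMSETUP.EXE-3E855E3C.pf").items():
        print("%-18s %s" % (key, value))
```

The offset check before any section is read is deliberate: prefetch files are attacker-writable on a compromised host, so a forensic parser should treat them as untrusted input.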

Section A

This section is an array of fixed-size entries whose role was not understood by the community when this post was written (later format documentation calls it the file metrics array).

The length of one entry changes with the operating system:

  • 20 bytes for Windows XP
  • 32 bytes since Windows 7

Section B

Like section A, this section is an array of fixed-size entries, each 12 bytes long.

The meaning of those values is still unknown (later format documentation calls it the trace chains array).

Section C – fileset

This section is an array of UTF-16LE strings, each terminated by a UTF-16 NUL (two zero bytes).
Each string is the device path of a file that was accessed while the program was loading.

Section D – directoryset and volumeinfo

Each section D contains:

  • Volumeinfo header
    • volume creation timestamp
    • volume serial number
    • volume device path (e.g. \DEVICE\HARDDISKVOLUME1)
    • offset and count of the directory strings (relative to the start of the section)
  • Directory set: an array of UTF-16LE strings, each prefixed by its 16-bit character count and NUL-terminated, one per directory holding a file listed in section C
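As an added example (again not the post's tool), here is a parser for sections C and D as described above, plus the consistency check the two sections invite: every file in the fileset should sit in a directory (or volume root) that appears in some volume's directory set. The volume header layout and the 16-bit count prefix on directory strings come from the public format documentation; the section bytes are constructed inline and are not a real file.

```python
import struct
from datetime import datetime, timedelta, timezone

# Size of one volume information header per format version; the offsets it
# holds are relative to the start of section D, not to the start of the file.
VOLUME_HEADER_SIZE = {0x11: 40, 0x17: 104, 0x1a: 104}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_fileset(data, offset, length):
    """Section C: NUL-terminated UTF-16LE device paths, one per accessed file."""
    blob = data[offset:offset + length]
    if len(blob) != length:
        raise ValueError("section C runs past the end of the file")
    return [s for s in blob.decode("utf-16-le").split("\x00") if s]


def parse_volumes(data, offset, count, version):
    """Section D: one volume information header plus its directory strings per volume."""
    hdr_size = VOLUME_HEADER_SIZE[version]
    volumes = []
    for i in range(count):
        base = offset + i * hdr_size
        (path_off, path_chars, created, serial, _refs_off, _refs_len,
         dirs_off, dirs_count) = struct.unpack_from("<IIQIIIII", data, base)
        start = offset + path_off
        path = data[start:start + path_chars * 2].decode("utf-16-le")
        dirs = []
        pos = offset + dirs_off
        for _ in range(dirs_count):
            # each directory string is prefixed by its character count and
            # followed by a UTF-16 NUL terminator
            n = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            dirs.append(data[pos:pos + n * 2].decode("utf-16-le"))
            pos += n * 2 + 2
        volumes.append({
            "path": path,
            "serial": "%04X-%04X" % (serial >> 16, serial & 0xFFFF),
            "created": filetime_to_datetime(created),
            "directories": dirs,
        })
    return volumes


def files_without_directory(files, volumes):
    """Files whose parent directory is in no volume's directory set (nor a volume root)."""
    known = {d for v in volumes for d in v["directories"]} | {v["path"] for v in volumes}
    return [f for f in files if f.rsplit("\\", 1)[0] not in known]


def build_sample():
    """Constructed section C + section D image in Win8 layout (not real data).
    Returns (data, c_off, c_len, d_off, d_count)."""
    files = [r"\DEVICE\HARDDISKVOLUME5\~MSSETUP.T\TMP.T\ACMSETUP.EXE",
             r"\DEVICE\HARDDISKVOLUME5\~MSSETUP.T\TMP.T\MSSETUP.DLL",
             r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL"]
    section_c = b"".join((f + "\x00").encode("utf-16-le") for f in files)
    vol_path = r"\DEVICE\HARDDISKVOLUME5"
    dirs = [r"\DEVICE\HARDDISKVOLUME5\~MSSETUP.T",
            r"\DEVICE\HARDDISKVOLUME5\~MSSETUP.T\TMP.T"]
    path_bytes = vol_path.encode("utf-16-le") + b"\x00\x00"
    dir_bytes = b"".join(struct.pack("<H", len(d)) + d.encode("utf-16-le") + b"\x00\x00"
                         for d in dirs)
    header = bytearray(VOLUME_HEADER_SIZE[0x1a])
    path_off = len(header)
    dirs_off = path_off + len(path_bytes)
    created = datetime_to_filetime(datetime(2012, 11, 6, 8, 28, 23, tzinfo=timezone.utc))
    struct.pack_into("<IIQIIIII", header, 0, path_off, len(vol_path), created,
                     0xDEB118C8, 0, 0, dirs_off, len(dirs))
    section_d = bytes(header) + path_bytes + dir_bytes
    return section_c + section_d, 0, len(section_c), len(section_c), 1


if __name__ == "__main__":
    data, c_off, c_len, d_off, d_count = build_sample()
    files = parse_fileset(data, c_off, c_len)
    volumes = parse_volumes(data, d_off, d_count, 0x1a)
    print(files, volumes, files_without_directory(files, volumes), sep="\n")
```

The sample only describes the second volume, so the NTDLL.DLL entry on HARDDISKVOLUME1 is reported as having no matching directory; on a well-formed file that list is empty, and a non-empty result points at a truncated or tampered section D.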

Our tool

The tool we are releasing is a standalone Python file containing several classes. Everything is kept in a single file for flexibility:

  • no need for installation
  • no need for external dependencies

In addition, the code is split into classes so that it can be used both as a standalone command line tool and as a Python library. Data parsing and output formatting are clearly separated, so anyone can add their own output style.

By default, results can be formatted in:

  • a human readable form
  • JSON
  • XML

As usual, the tool is available in our Bitbucket repository and, like all our previous tools, it is licensed under GPLv3.

Usage

usage: prefetch.py [-h] [-o FILE] [-f FORMAT] [-r]
                   prefetch_files [prefetch_files ...]

positional arguments:
  prefetch_files

optional arguments:
  -h, --help            show this help message and exit
  -o FILE, --output FILE
                        Outputs the result to the given file
  -f FORMAT, --format FORMAT
  -r, --recursive

Unless overridden by the corresponding command line arguments, the output is written to stdout in TEXT (human readable) format. Errors are always written to stderr.

Example

Here is a sample output for a Windows 8 prefetch file. All timestamps are in UTC (GMT).

$ prefetch.py ./ACMSETUP.EXE-3E855E3C.pf
###### ./ACMSETUP.EXE-3E855E3C.pf ######
  magic    = SCCA
  version  = 26
  OS       = Win8
  filesize = 36472
  crc      = 3E855E3C
  appName  = ACMSETUP.EXE
  appPath  = \DEVICE\HARDDISKVOLUME5\~MSSETUP.T\TMP.T\ACMSETUP.EXE
  dwRun    = 4
  lastRun  = 2013-03-13 13:21:32
  prevRun  = 2013-03-13 13:17:59
  prevRun  = 2013-03-13 13:16:56
  prevRun  = 2013-03-13 13:10:40
  Fileset
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WOW64.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WOW64WIN.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\WOW64CPU.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\KERNEL32.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\KERNEL32.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\USER32.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\NTDLL.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\KERNELBASE.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\LOCALE.NLS
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\APPHELP.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\APPPATCH\SYSMAIN.SDB
      \DEVICE\HARDDISKVOLUME1\WINDOWS\APPPATCH\ACLAYERS.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\MSVCRT.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\USER32.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\GDI32.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\SHELL32.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\SHLWAPI.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\OLEAUT32.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\MPR.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\SETUPAPI.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\SFC.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\WINSPOOL.DRV
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\RPCRT4.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\COMBASE.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\CFGMGR32.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\DEVOBJ.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\SSPICLI.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\SFC_OS.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\CRYPTBASE.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\SECHOST.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\BCRYPTPRIMITIVES.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\APPPATCH\ACGENRAL.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\UXTHEME.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\WINMM.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\SAMCLI.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\OLE32.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\MSACM32.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\VERSION.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\USERENV.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\DWMAPI.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\URLMON.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\ADVAPI32.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\WINMMBASE.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\PROFAPI.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\IERTUTIL.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\WININET.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\SHCORE.DLL
      \DEVICE\HARDDISKVOLUME5\~MSSETUP.T\TMP.T\ACMSETUP.EXE
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\IMM32.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\MSCTF.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\EN-US\SETUPAPI.DLL.MUI
      \DEVICE\HARDDISKVOLUME5\~MSSETUP.T\TMP.T\MSSETUP.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\LZ32.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\GLOBALIZATION\SORTING\SORTDEFAULT.NLS
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\EN-US\USER32.DLL.MUI
      \DEVICE\HARDDISKVOLUME1\WINDOWS\WIN.INI
      \DEVICE\HARDDISKVOLUME5\~MSSETUP.T\TMP.T\SP698VBO.STF
      \DEVICE\HARDDISKVOLUME1\WINDOWS\FONTS\STATICCACHE.DAT
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\CLBCATQ.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\TZRES.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\EN-US\TZRES.DLL.MUI
      \DEVICE\HARDDISKVOLUME5\~MSSETUP.T\TMP.T\SP698VBO.INF
      \DEVICE\HARDDISKVOLUME1\TEST\SETUP.INI
      \DEVICE\HARDDISKVOLUME1\WINDOWS\APPPATCH\ACSPECFC.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\COMCTL32.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\MSCMS.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\DDRAW.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\COMDLG32.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\WS2_32.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\MSI.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\DCIMAN32.DLL
      \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64\NSI.DLL
      \DEVICE\HARDDISKVOLUME5\~MSSETUP.T\TMP.T\BBOARD.DLL
      \DEVICE\HARDDISKVOLUME5\~MSSETUP.T\TMP.T\VSSETUP.TTF
      \DEVICE\HARDDISKVOLUME1\WINDOWS\VSSETUP.TTF
      \DEVICE\HARDDISKVOLUME1\WINDOWS\VSSETUP.FOR
      \DEVICE\HARDDISKVOLUME5\~MSSETUP.T\TMP.T\VB98ENT.STF
      \DEVICE\HARDDISKVOLUME5\~MSSETUP.T\TMP.T\VB98ENT.INF
      \DEVICE\HARDDISKVOLUME1\$MFT
  Dirsets
      volume     = \DEVICE\HARDDISKVOLUME5
      volumeSN   = DEB1-18C8
      createTime = 2012-11-06 08:28:23
      Entries
            \DEVICE\HARDDISKVOLUME5\~MSSETUP.T
            \DEVICE\HARDDISKVOLUME5\~MSSETUP.T\TMP.T

      volume     = \DEVICE\HARDDISKVOLUME1
      volumeSN   = D8B0-ED38
      createTime = 2012-09-19 23:15:33
      Entries
            \DEVICE\HARDDISKVOLUME1\TEST
            \DEVICE\HARDDISKVOLUME1\WINDOWS
            \DEVICE\HARDDISKVOLUME1\WINDOWS\APPPATCH
            \DEVICE\HARDDISKVOLUME1\WINDOWS\FONTS
            \DEVICE\HARDDISKVOLUME1\WINDOWS\GLOBALIZATION
            \DEVICE\HARDDISKVOLUME1\WINDOWS\GLOBALIZATION\SORTING
            \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32
            \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\EN-US
            \DEVICE\HARDDISKVOLUME1\WINDOWS\SYSWOW64

Credits and conclusion

Thanks to the Forensics Wiki, most of the file format was already documented.

We hope this tool will help fellow DFIR practitioners during their engagements.

As with any other tool we release, feedback is much appreciated.