{ "info": { "author": "Adam Witt", "author_email": "accidentalassist@gmail.com", "bugtrack_url": null, "classifiers": [ "Development Status :: 5 - Production/Stable", "Intended Audience :: Information Technology", "License :: OSI Approved :: Apache Software License", "Programming Language :: Python :: 2.7", "Topic :: Security" ], "description": "Windows-Prefetch-Parser\n========================\nPython script created to parse Windows Prefetch files: Supports XP - Windows 10 Prefetch files\n\nDescription\n------------\nThe Windows application prefetch mechanism was put in place to offer performance benefits when launching applications. It just so happens to be one of the more beneficial forensic artifacts regarding evidence of applicaiton execution as well. prefetch.py provides functionality for parsing prefetch files for all current prefetch file versions: 17, 23, 26, and 30.\n\nFeatures\n---------\n* Specify a single prefetch file or a directory of prefetch files\n* CSV output support\n* (Limited) Windows 10 support - Windows 10 prefetch files must be parsed from a Windows 8+ workstation\n* Sort a directory of Prefetch files by all execution timestamps\n\n\nCommand-Line Options\n---------------------\nFor now, prefetch.py requires one of two command-line options: ``--file`` specifies a single prefetch to point the script at. ``--directory`` specifies an entire directory of prefetch files which will be parsed and printed to stdout. When using ``--directory / -d``, remember to include the trailing slash:\n\n::\n\n dev@computer:~$ ./prefetch.py -h\n usage: prefetch.py [-h] [-c] [-d DIRECTORY] [-e EXECUTED] [-f FILE]\n \n optional arguments:\n -h, --help show this help message and exit\n -c, --csv Present results in CSV format\n -d DIRECTORY, --directory DIRECTORY\n Parse all PF files in a given directory\n -e EXECUTED, --executed EXECUTED\n Sort PF files by ALL execution times\n -f FILE, --file FILE Parse a given Prefetch file\n\n**--file**\n\nUsing the ``--file / -f`` switch with a single prefetch file results in the output below:\n\n::\n\n dev@computer:~$ python prefetch.py -f CMD.EXE-4A81B364.pf\n\n =====================\n CMD.EXE-4A81B364.pf\n =====================\n \n Executable Name: CMD.EXE\n \n Run count: 2\n Last Executed: 2016-01-16 20:26:42.515108\n \n Volume Information:\n Volume Name: \\DEVICE\\HARDDISKVOLUME2\n Creation Date: 2016-01-16 21:15:18.109374\n Serial Number: 88008c2f\n \n Directory Strings:\n \\DEVICE\\HARDDISKVOLUME2\\WINDOWS\n \\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\BRANDING\n \\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\BRANDING\\BASEBRD\n \\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\GLOBALIZATION\n \\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\GLOBALIZATION\\SORTING\n \\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\n \n Resources loaded:\n\n 1: \\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\NTDLL.DLL\n 2: \\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\KERNEL32.DLL\n 3: \\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\APISETSCHEMA.DLL\n 4: \\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\KERNELBASE.DLL\n 5: \\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\LOCALE.NLS\n 6: \\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\CMD.EXE\n 7: \\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\MSVCRT.DLL\n 8: \\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\WINBRAND.DLL\n 9: \\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\USER32.DLL\n 10: \\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\GDI32.DLL\n 11: \\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\LPK.DLL\n 12: \\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\USP10.DLL\n 13: \\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\IMM32.DLL\n 14: \\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\MSCTF.DLL\n 15: \\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\BRANDING\\BASEBRD\\BASEBRD.DLL\n 16: \\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\GLOBALIZATION\\SORTING\\SORTDEFAULT.NLS\n\n**--directory**\n\nBy invoking the ``--directory / -d`` flag, the Analyst is able to parse an entire directory of Prefetch files at once.\n\n**--executed**\n\nSort a directory of Prefetch files by execution time. This sort will include ALL timestamps in Windows 8+ Prefetch files (up to eight per file):\n\n::\n\n dev@computer:~$ python prefetch.py -e Prefetch/\n\n Execution Time, File Executed\n 2015-11-15 00:02:39.781250, WUAUCLT.EXE-399A8E72\n 2015-11-15 00:02:26.281250, VERCLSID.EXE-3667BD89\n 2015-11-15 00:02:24.343750, WMIPRVSE.EXE-28F301A9\n 2015-11-15 00:02:07.453124, RUNDLL32.EXE-451FC2C0\n 2015-11-15 00:01:50.765626, GOOGLEUPDATE.EXE-1E123D86\n 2015-11-15 00:01:08, NTOSBOOT-B00DFAAD\n ...\n ...\n ...\n\n**--csv**\n\nUsing the ``--csv / -c`` flag will provide results in CSV format:\n\n::\n\n Last Executed, Executable Name, Run Count\n 2016-01-20 16:01:27.680128, ADOBEIPCBROKER.EXE-c8d02fab, 1\n 2016-01-20 16:59:42.077480, CREATIVE CLOUD UNINSTALLER.EX-216b8ea8, 1\n 2016-01-19 18:07:18.101626, MSIEXEC.EXE-a2d55cb6, 37237\n 2016-01-20 16:11:15.818394, ACRODIST.EXE-782bc2b2, 1\n\n\nTesting\n--------\n\nTesting on the prefetch file types below has been completed successfully:\n\n* Windows XP (version 17)\n* Windows 7 (version 23)\n* Windows 8.1 (version 26)\n* Windows 10 (version 30)\n\nReferences\n-----------\nThis project would not have been possible without the work of others much smarter than I. The prefetch file format is not officially documented by Microsoft and has been understood through reverse engineering, and trial-and-error. \n\nAdditionally, Without the excellent work by Francesco Picasso in understanding the Windows 10 prefetch compression method, I would not have been able to get Windows 10 parsed here. I use a modified version of his decompression script in prefetch.py. Francesco's original script can be found at the link below:\n\n`w10pfdecomp.py `_\n\nTo gain a better understanding of the prefetch file format, check out the following resources; which were all used as references for the creation of my script:\n\n`ForensicsWiki: Windows Prefetch File Format `_\n\n`Libyal Project: libscca `_\n\n`Zena Forensics: A first look at Windows 10 Prefetch files `_\n\nPython Requirements\n--------------------\n* from argparse import ArgumentParser\n* import binascii\n* import collections\n* import ctypes\n* from datetime import datetime,timedelta\n* import json\n* import os\n* import struct\n* import sys\n* import tempfile", "description_content_type": null, "docs_url": null, "download_url": "", "downloads": { "last_day": -1, "last_month": -1, "last_week": -1 }, "home_page": "https://github.com/PoorBillionaire/Windows-Prefetch-Parser", "keywords": "DFIR Prefetch Forensics Incident Response Microsoft Windows", "license": "Apache Software License", "maintainer": "", "maintainer_email": "", "name": "windowsprefetch", "package_url": "https://pypi.org/project/windowsprefetch/", "platform": "UNKNOWN", "project_url": "https://pypi.org/project/windowsprefetch/", "project_urls": { "Homepage": "https://github.com/PoorBillionaire/Windows-Prefetch-Parser" }, "release_url": "https://pypi.org/project/windowsprefetch/3.0.5/", "requires_dist": null, "requires_python": "", "summary": "A Python script to parse Windows Prefetch files", "version": "3.0.5" }, "last_serial": 2017763, "releases": { "1.0.0": [ { "comment_text": "", "digests": { "md5": "7661250d46b71a48dd343aa4713adbf0", "sha256": "3dc1b678d8db8ff9c8a8474d1dbfa6e1532133eb86e9bdbe97357c1094596748" }, "downloads": -1, "filename": "windowsprefetch-1.0.0.tar.gz", "has_sig": false, "md5_digest": "7661250d46b71a48dd343aa4713adbf0", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 4296, "upload_time": "2015-12-10T04:53:44", "url": "https://files.pythonhosted.org/packages/c2/3b/4295cb30307af7b38aeb3ead9cd29764ed5e36b0682052cbb0d595cdd3fd/windowsprefetch-1.0.0.tar.gz" } ], "1.0.1": [ { "comment_text": "", "digests": { "md5": "e593b48e4a5a9f8761dbf08ed1afa055", "sha256": "9fc5ac8bd79c0e720d4042a284b1f4b965db11e94c9c56bae34684ca6794a1c9" }, "downloads": -1, "filename": "windowsprefetch-1.0.1.tar.gz", "has_sig": false, "md5_digest": "e593b48e4a5a9f8761dbf08ed1afa055", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 4286, "upload_time": "2015-12-10T05:24:07", "url": "https://files.pythonhosted.org/packages/86/be/0ff6cc48b22f96accfff22692ec0e8d9b679c97ea83199c31886e8e41e43/windowsprefetch-1.0.1.tar.gz" } ], "1.0.2": [ { "comment_text": "", "digests": { "md5": "37ced457df4e0bbfd7aefaa28537ff71", "sha256": "040bafbf6037d59af54d28cfa2c1cf87a35f5d1253c954937f898b94a0bc37ec" }, "downloads": -1, "filename": "windowsprefetch-1.0.2.tar.gz", "has_sig": false, "md5_digest": "37ced457df4e0bbfd7aefaa28537ff71", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 4248, "upload_time": "2015-12-10T05:31:48", "url": "https://files.pythonhosted.org/packages/16/61/ba69c3a8a5c44467610aeca64edd8e6c0e241e81eef767f70823ed6271b0/windowsprefetch-1.0.2.tar.gz" } ], "1.0.3": [ { "comment_text": "", "digests": { "md5": "ce8fd614cabb12d3665f98651bb8d109", "sha256": "9b4d2d4ba042e101912653f4f6b0748e27d39392eb866a79d6896cdaac85d68f" }, "downloads": -1, "filename": "windowsprefetch-1.0.3.tar.gz", "has_sig": false, "md5_digest": "ce8fd614cabb12d3665f98651bb8d109", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 10997, "upload_time": "2015-12-10T05:41:13", "url": "https://files.pythonhosted.org/packages/a5/3c/f1cffdf89c676c42a66aa3ac85f7810ef8ae2903f12073a7b0db416ccc7d/windowsprefetch-1.0.3.tar.gz" } ], "1.0.4": [ { "comment_text": "", "digests": { "md5": "12cc8e6f40d28cdc87f2447e80522e66", "sha256": "6c0d1dcb8ccd01bdef9471894b5ebb8af01be9ae7890625c74d7d630bdbe94fa" }, "downloads": -1, "filename": "windowsprefetch-1.0.4.tar.gz", "has_sig": false, "md5_digest": "12cc8e6f40d28cdc87f2447e80522e66", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 10995, "upload_time": "2015-12-10T05:47:49", "url": "https://files.pythonhosted.org/packages/23/b8/94347fd96007d8a7ac5d6d1135a4f394dc989878ea86de82727d9b9ee5c2/windowsprefetch-1.0.4.tar.gz" } ], "1.0.5": [ { "comment_text": "", "digests": { "md5": "924dac8f2924bf2a7afc1990e0489917", "sha256": "f00098377309d379772e4b31802b47b8ba20d24f79d45f09e6d8bbab052d8c27" }, "downloads": -1, "filename": "windowsprefetch-1.0.5.tar.gz", "has_sig": false, "md5_digest": "924dac8f2924bf2a7afc1990e0489917", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 11005, "upload_time": "2015-12-10T05:52:44", "url": "https://files.pythonhosted.org/packages/f7/67/1ee207ad085aa7d1a5828eeda523f65730e7afad95d96891035a54370eab/windowsprefetch-1.0.5.tar.gz" } ], "1.0.6": [ { "comment_text": "", "digests": { "md5": "cb1313c5a751ca8da55e547869b69320", "sha256": "d2be6fd09ea277a90a37705a6908c9b2ad435c7af46df4ee690c4f92654b9884" }, "downloads": -1, "filename": "windowsprefetch-1.0.6.tar.gz", "has_sig": false, "md5_digest": "cb1313c5a751ca8da55e547869b69320", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 11026, "upload_time": "2015-12-31T22:08:42", "url": "https://files.pythonhosted.org/packages/f2/cf/8c658efe98c087d77f8a6d5208b6088c13f519c482055a769d6fb952c837/windowsprefetch-1.0.6.tar.gz" } ], "1.0.7": [ { "comment_text": "", "digests": { "md5": "d9c119064212c9ea3bbba0af85a31aa7", "sha256": "7a1ec714647942ba0d3ca0b317aa104340eab16537bde63b8425efa0e94c3083" }, "downloads": -1, "filename": "windowsprefetch-1.0.7.tar.gz", "has_sig": false, "md5_digest": "d9c119064212c9ea3bbba0af85a31aa7", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 11020, "upload_time": "2016-01-03T21:48:45", "url": "https://files.pythonhosted.org/packages/7a/78/488d41f860420272fee5fa005d127ffa76dc2db54ce779e17ecc7112ad9c/windowsprefetch-1.0.7.tar.gz" } ], "2.0.0": [ { "comment_text": "", "digests": { "md5": "142de868d5705af3b977208fe97df8bc", "sha256": "4d56adfcdb08589556021415279773798ab0cdcd9be45d7721496909f44de413" }, "downloads": -1, "filename": "windowsprefetch-2.0.0.tar.gz", "has_sig": false, "md5_digest": "142de868d5705af3b977208fe97df8bc", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 8354, "upload_time": "2016-01-13T01:54:54", "url": "https://files.pythonhosted.org/packages/e3/81/e4a30b8f110b5179dd576572971cead669dff144b94e01946af3c066bd4d/windowsprefetch-2.0.0.tar.gz" } ], "2.0.1": [ { "comment_text": "", "digests": { "md5": "6156ee158e3781435efa87792c9068cb", "sha256": "f71e71738545fb3b551c13ed3dc8a4f0a6681af2791c9266f4fd59c293650a5c" }, "downloads": -1, "filename": "windowsprefetch-2.0.1.tar.gz", "has_sig": false, "md5_digest": "6156ee158e3781435efa87792c9068cb", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 7739, "upload_time": "2016-01-20T21:08:50", "url": "https://files.pythonhosted.org/packages/2e/84/c4a497b81fdd4ff324e6e8dfdb565eb9c31927f9ce00cafc58be4f7eed74/windowsprefetch-2.0.1.tar.gz" } ], "2.0.2": [ { "comment_text": "", "digests": { "md5": "b39e8ba94a02e588775d3d0b2943769b", "sha256": "f3be26993fb700b3ad5c93c603089e7b076b3e1c3aa26df5196b64433dae206e" }, "downloads": -1, "filename": "windowsprefetch-2.0.2.tar.gz", "has_sig": false, "md5_digest": "b39e8ba94a02e588775d3d0b2943769b", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 7736, "upload_time": "2016-01-20T21:16:27", "url": "https://files.pythonhosted.org/packages/27/29/c20ac2f768f8758c6cfc934690ea97e37f7e33c6e7da5d60da531f42547e/windowsprefetch-2.0.2.tar.gz" } ], "2.0.3": [ { "comment_text": "", "digests": { "md5": "d5540a016583ddfd6860d5c72fb2d0c5", "sha256": "9125f340460a3db669017e85472bb63133d843807ca7c2a827f6eb0f8d78e282" }, "downloads": -1, "filename": "windowsprefetch-2.0.3.tar.gz", "has_sig": false, "md5_digest": "d5540a016583ddfd6860d5c72fb2d0c5", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 7754, "upload_time": "2016-01-25T17:17:56", "url": "https://files.pythonhosted.org/packages/92/a0/ee1f4ea632b33db60630fd0d534a1473118593558a28db0dcd0162ee65a8/windowsprefetch-2.0.3.tar.gz" } ], "2.0.4": [ { "comment_text": "", "digests": { "md5": "aaeca47640581446cf189cc31cc2b416", "sha256": "49e16e28eb043b8c60cf59cda1f960c6bda12b6797effa82cad660ddc4f2e5c5" }, "downloads": -1, "filename": "windowsprefetch-2.0.4.tar.gz", "has_sig": false, "md5_digest": "aaeca47640581446cf189cc31cc2b416", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 7745, "upload_time": "2016-01-25T18:29:17", "url": "https://files.pythonhosted.org/packages/06/12/5229393b0f1a7b96adaba18a5be17c66001e6017588626321c08b4090837/windowsprefetch-2.0.4.tar.gz" } ], "2.0.5": [ { "comment_text": "", "digests": { "md5": "e948107c7a85c04b2924f09405e76a65", "sha256": "6a576fbdaf188876e1cd65b7f9f98acbfe81b8675e402a202203077832243aab" }, "downloads": -1, "filename": "windowsprefetch-2.0.5.tar.gz", "has_sig": false, "md5_digest": "e948107c7a85c04b2924f09405e76a65", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 7785, "upload_time": "2016-01-27T23:28:53", "url": "https://files.pythonhosted.org/packages/07/2c/37829c800cd11157653d36ce2a34908d0307306370a8fed31d1fc8b82502/windowsprefetch-2.0.5.tar.gz" } ], "2.0.6": [ { "comment_text": "", "digests": { "md5": "fa59be14ffc08cec6daab9f0446f9623", "sha256": "88545c6328d87fbadd84502c395d43e76647a027d06ee43dfae1708a1132c4e7" }, "downloads": -1, "filename": "windowsprefetch-2.0.6.tar.gz", "has_sig": false, "md5_digest": "fa59be14ffc08cec6daab9f0446f9623", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 7751, "upload_time": "2016-01-28T00:02:31", "url": "https://files.pythonhosted.org/packages/0f/6c/3b78c16a4872090f5d06504446c250b3b73bd74873c8a6be3542a26c3840/windowsprefetch-2.0.6.tar.gz" } ], "3.0.1": [ { "comment_text": "", "digests": { "md5": "aec0217425757a22783f756ca0974ff8", "sha256": "7bff63b2ea84c8c67817b21f40ba0b90553f9782d22ef81ccaa2f0c3d4b8d36a" }, "downloads": -1, "filename": "windowsprefetch-3.0.1.tar.gz", "has_sig": false, "md5_digest": "aec0217425757a22783f756ca0974ff8", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 8053, "upload_time": "2016-01-31T20:55:15", "url": "https://files.pythonhosted.org/packages/03/bd/f8f9e055386588f45bfe4fb859ecd340eb80cdefea4b9a7892cf0a6860ff/windowsprefetch-3.0.1.tar.gz" } ], "3.0.5": [ { "comment_text": "", "digests": { "md5": "b2f9c72ea7f07da2504188596c2aeb8e", "sha256": "d417460587576c0dac745bf6bc9c51eb30e7a20501a18a3879c287e8de50ebfb" }, "downloads": -1, "filename": "windowsprefetch-3.0.5.tar.gz", "has_sig": false, "md5_digest": "b2f9c72ea7f07da2504188596c2aeb8e", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 8364, "upload_time": "2016-03-21T01:27:24", "url": "https://files.pythonhosted.org/packages/b2/58/71bc0eab8a93b74372a799fbfcf5f45c1a802fc40e2480760dbec5d5fdca/windowsprefetch-3.0.5.tar.gz" } ] }, "urls": [ { "comment_text": "", "digests": { "md5": "b2f9c72ea7f07da2504188596c2aeb8e", "sha256": "d417460587576c0dac745bf6bc9c51eb30e7a20501a18a3879c287e8de50ebfb" }, "downloads": -1, "filename": "windowsprefetch-3.0.5.tar.gz", "has_sig": false, "md5_digest": "b2f9c72ea7f07da2504188596c2aeb8e", "packagetype": "sdist", "python_version": "source", "requires_python": null, "size": 8364, "upload_time": "2016-03-21T01:27:24", "url": "https://files.pythonhosted.org/packages/b2/58/71bc0eab8a93b74372a799fbfcf5f45c1a802fc40e2480760dbec5d5fdca/windowsprefetch-3.0.5.tar.gz" } ] }