|
1 | | -# prefetch-hash-cracker |
2 | | -Prefetch Hash Cracker |
| 1 | +# Prefetch Hash Cracker |
| 2 | + |
| 3 | + |
| 4 | + |
| 5 | +## Motivation |
| 6 | +During forensic analysis of a Windows machine, you may find evidence of a deleted prefetch file. Even if its content is not recoverable, the filename itself is often enough to find the full path of the executable for which the prefetch file was created. |
| 7 | + |
| 8 | +## Using the tool |
| 9 | +The following fields must be provided: |
| 10 | +* Executable name |
| 11 | + Including the extension. It will be embedded in the prefetch filename, unless [this](#The-29-character-limit) happens. |
| 12 | + |
| 13 | + |
| 14 | +* Prefetch hash |
| 15 | + 8 hexadecimal digits at the end of the prefetch filename, right before the `.pf` extension. |
| 16 | + |
| 17 | + |
| 18 | +* Hash function |
| 19 | +* Bodyfile |
| 20 | +* Mount point |
| 21 | + |
| 22 | +### Hash function |
| 23 | +There are 2 known prefetch hash functions: |
| 24 | + |
| 25 | +* SCCA XP - used in Windows XP |
| 26 | +* SCCA Vista - used in Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10 and Windows 11 |
| 27 | + |
| 28 | +### Bodyfile |
| 29 | +A bodyfile of the system. |
| 30 | + |
| 31 | +The bodyfile format is not very restrictive, so there are a lot of variations of it - some of which are not supported. Body files created with `fls` and `MFTECmd` should work fine. |
| 32 | + |
| 33 | +### Mount point |
| 34 | +The mount point of the bodyfile, as marked below: |
| 35 | + |
| 36 | +<pre><code>0|<ins>C:</ins>/Users/Peter/Desktop ($FILE_NAME)|62694-48-2|d/d-wx-wx-wx|...</code></pre> |
| 37 | + |
| 38 | + |
| 39 | +## Limitations |
| 40 | +The following cases are not supported: |
| 41 | +* Hosting applications, such as `svchost.exe` and `mmc.exe` |
| 42 | +* Applications executed with the `/prefetch` flag |
| 43 | +* Applications executed from a UNC (network) path |
| 44 | + |
| 45 | +### The 29-character limit |
| 46 | +If the executable name is longer than 29 characters (including the extension), it will be truncated in the prefetch filename. For example, executing this file from the `C:\Temp` directory: |
| 47 | +``` |
| 48 | +This is a very long file nameSo this part will be truncated.exe |
| 49 | +``` |
| 50 | +Will result in the creation of this prefetch file: |
| 51 | +``` |
| 52 | +THIS IS A VERY LONG FILE NAME-D0B882CC.pf |
| 53 | +``` |
| 54 | + |
| 55 | +In this case, the executable name cannot be derived from the prefetch filename, so you will not be able to provide it to the tool. |
| 56 | + |
| 57 | +## License |
| 58 | +[MIT](https://choosealicense.com/licenses/mit/) |
0 commit comments