This week I’m going back to parsing Windows artifacts.  The first ones I’ve decided to tackle are Prefetch files.  For those of you who are not familiar with Prefetch files, you can check out this link for more information.

So far all this script does is parse the header information of the Prefetch files, which is only 84 bytes long.  I’ve started working on parsing the rest of the data, but it’s not ready yet.  The usage of the script is simple: -f <prefetch file>

And that’s it.  The script reads in the first 84 bytes of the file and then passes them to a function that parses out the individual fields.

Now there are some parts of the code I still need to tweak.  First is the ability to output to a CSV file.  I’ve been playing around with the Python CSV module, so look for the ability to output to that format in later scripts.  The second part I need to fix is the prefetch_header_file_name variable.  Since its contents can vary in size, I need to figure out how to determine the end of the file name (I’m sure someone will contact me online within 5 minutes of posting this 🙂  ).

The Prefetch file has one part that’s unique, in that depending on the version of Windows, the data after the header portion can vary.  I’m choosing to handle it by calling a different function depending on the version of Windows I need to work with.  This function will take care of that:

def prefetch_format(format_type):
    """Print the Windows family for a Prefetch header format version.

    format_type is the version field as a hex string (e.g. hex(version)),
    which is how the caller supplies it in this script."""
    if format_type == "0x11":
        print("Windows XP/2003")
    elif format_type == "0x17":
        print("Windows Vista/7")
    elif format_type == "0x1a":
        print("Windows 8.1")
    else:
        print("Unknown format version: %s" % format_type)

Right now this just prints out the version of Windows.  However, the version I’m working on now will parse the file based on which version of Windows we’re dealing with.  That should show up in a later YOP.
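To tie the header parsing described above together with the version dispatch, here is an added, self-contained example that is not the script from this post.  It assumes the widely documented layout of the 84-byte header of an uncompressed .pf file (version, "SCCA" signature, an unknown dword, total file size, a 60-byte NUL-terminated UTF-16LE executable name, the prefetch hash, and a final dword), and it answers the variable-length file name question by stopping at the first two-byte NUL on an even boundary.  The sample header is constructed inline (CALC.EXE with a made-up hash), and the sanity_warnings() cross-checks (version known, declared size versus bytes read, header hash versus the hash in the file name) are assumptions about what an analyst would want, not fields from the format itself.  Note that Windows 10 Prefetch files are compressed and start with a different signature, so parse_prefetch_header() will reject them rather than misread them.

```python
import os
import struct
import sys
from dataclasses import dataclass

# Assumed header layout of an uncompressed (pre-Windows 10) .pf file:
#   0x00  uint32   format version (0x11 XP/2003, 0x17 Vista/7, 0x1A 8.1)
#   0x04  char[4]  signature "SCCA"
#   0x08  uint32   unknown (commonly 0x0F or 0x11)
#   0x0C  uint32   total file size in bytes
#   0x10  char[60] executable name, UTF-16LE, NUL terminated
#   0x4C  uint32   prefetch hash (the hex part of the .pf file name)
#   0x50  uint32   unknown / flags
HEADER_LEN = 84
SIGNATURE = b"SCCA"
NAME_OFFSET, NAME_LEN = 16, 60

FORMAT_VERSIONS = {
    0x11: "Windows XP/2003",
    0x17: "Windows Vista/7",
    0x1A: "Windows 8.1",
}


@dataclass
class PrefetchHeader:
    version: int
    file_size: int
    executable_name: str
    prefetch_hash: int


def format_name(version):
    """Map the version field to a Windows family (what prefetch_format() prints)."""
    return FORMAT_VERSIONS.get(version, "unknown (0x%x)" % version)


def decode_executable_name(raw):
    """Decode the fixed 60-byte UTF-16LE name field, stopping at the first NUL
    character on a 2-byte boundary.  A lone 0x00 byte can be half of a
    legitimate code unit, so the scan steps by two rather than one."""
    for i in range(0, len(raw) - 1, 2):
        if raw[i] == 0 and raw[i + 1] == 0:
            raw = raw[:i]
            break
    return raw.decode("utf-16-le", errors="replace")


def parse_prefetch_header(data):
    """Parse the first 84 bytes of a .pf file into a PrefetchHeader."""
    if len(data) < HEADER_LEN:
        raise ValueError("need %d header bytes, got %d" % (HEADER_LEN, len(data)))
    version, signature, _unknown, file_size = struct.unpack_from("<I4sII", data, 0)
    if signature != SIGNATURE:
        raise ValueError("bad signature %r (not an uncompressed prefetch file)" % signature)
    name = decode_executable_name(data[NAME_OFFSET:NAME_OFFSET + NAME_LEN])
    prefetch_hash, _flags = struct.unpack_from("<II", data, NAME_OFFSET + NAME_LEN)
    return PrefetchHeader(version, file_size, name, prefetch_hash)


def sanity_warnings(header, filename, actual_len):
    """Cross-checks (assumed useful, not part of the format) that flag a
    truncated, renamed or otherwise inconsistent artifact."""
    warnings = []
    if header.version not in FORMAT_VERSIONS:
        warnings.append("unrecognised format version 0x%x" % header.version)
    if header.file_size != actual_len:
        warnings.append("header claims %d bytes but %d were read" % (header.file_size, actual_len))
    # On disk the file is named EXECUTABLE-XXXXXXXX.pf, XXXXXXXX being the hash in hex.
    expected = "%s-%08X.pf" % (header.executable_name, header.prefetch_hash)
    if filename.upper() != expected.upper():
        warnings.append("file name %r does not match header (%s)" % (filename, expected))
    return warnings


def build_sample_header():
    """Constructed sample header (not captured from a real system): a
    Windows 7 style record for CALC.EXE with a made-up hash and file size."""
    name_field = "CALC.EXE".encode("utf-16-le").ljust(NAME_LEN, b"\x00")
    return (struct.pack("<I4sII", 0x17, SIGNATURE, 0x0F, 4096)
            + name_field
            + struct.pack("<II", 0x12345678, 0))


if __name__ == "__main__":
    # Same -f <prefetch file> usage as the post's script; falls back to the sample.
    if len(sys.argv) == 3 and sys.argv[1] == "-f":
        with open(sys.argv[2], "rb") as fh:
            blob = fh.read()
        fname = os.path.basename(sys.argv[2])
    else:
        blob, fname = build_sample_header(), "CALC.EXE-12345678.pf"
    hdr = parse_prefetch_header(blob[:HEADER_LEN])
    print(hdr, format_name(hdr.version))
    for w in sanity_warnings(hdr, fname, len(blob)):
        print("warning:", w)
```

Run it with no arguments to parse the constructed sample (it reports the declared size of 4096 against the 84 bytes actually present), or with -f and a .pf file from a pre-Windows 10 system.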

Until next week!


