Year of Python (YOP) – Week Twenty One

25May15

Hello Reader!

This week I was working on updates to the Prefetch File script I began last week. I'm starting to work on parsing out the file information data for the prefetch file. It's not complete, but there's enough for now to post for this week.

First let's talk about the changes. The prefetch_format function is first:

def prefetch_format(format_type):
    # Map the format version read from the prefetch header (passed in as a
    # hex string) to the Windows version that wrote the file.
    if format_type == "0x11":
        return "Windows XP"
    elif format_type == "0x17":
        return "Windows 7"
    elif format_type == "0x1a":
        return "Windows 8"
    return

Last week I was just printing out which OS the format belonged to. This time around we're going to use the return value from the function to figure out what type of file we're dealing with, then parse it out accordingly.

The second change was when we read in the prefetch file to process it:

with open(args.prefetch_file, 'rb') as prefetch:
    prefetch_file = prefetch.read()
    # The header is the first 84 bytes for every format version.
    prefetch_header = prefetch_file[:84]
    windows_os = prefetch_header_parse(prefetch_header)
    # The file information block starts right after the header; its size
    # depends on the format version.
    if windows_os == "Windows XP":
        file_info = prefetch_file[84:152]
        winxp_file_info(file_info)
    elif windows_os == "Windows 7":
        file_info = prefetch_file[84:240]
        win7_file_info(file_info)
    elif windows_os == "Windows 8":
        file_info = prefetch_file[84:308]
        win8_file_info(file_info)

So here's where we take the return value from the prefetch_format function and figure out which OS-specific function to pass the file information block to. This leads us to two new functions:

import struct

def winxp_file_info(file_info):
    # Offsets are relative to the start of the file information block
    # (i.e. file offset 84). All values are little-endian.
    metrics_offset = struct.unpack("<L", file_info[0:4])
    no_metrics = struct.unpack("<L", file_info[4:8])
    trace_chains = struct.unpack("<L", file_info[8:12])
    no_trace_chains = struct.unpack("<L", file_info[12:16])
    filename_str_offset = struct.unpack("<L", file_info[16:20])
    filename_str_size = struct.unpack("<L", file_info[20:24])
    volume_info = struct.unpack("<L", file_info[24:28])
    no_volumes = struct.unpack("<L", file_info[28:32])
    volume_info_size = struct.unpack("<L", file_info[32:36])
    # 64-bit FILETIME; printed as the raw value for now.
    last_run_time = struct.unpack("<Q", file_info[36:44])
    run_count = struct.unpack("<L", file_info[60:64])
    print("Metrics Array Offset: {}".format(hex(metrics_offset[0])))
    print("No. of Metrics: {}".format(no_metrics[0]))
    print("Trace Chains Offset: {}".format(trace_chains[0]))
    print("No. of Trace Chains: {}".format(no_trace_chains[0]))
    print("Filename String Offset: {}".format(filename_str_offset[0]))
    print("Filename String Size: {}".format(filename_str_size[0]))
    print("Volume Info: {}".format(volume_info[0]))
    print("No. of Volumes: {}".format(no_volumes[0]))
    print("Volume Info Size: {}".format(volume_info_size[0]))
    print("Last Run Time: {}".format(last_run_time[0]))
    print("Run Count: {}".format(run_count[0]))
    return

def win7_file_info(file_info):
    # Same leading fields as Windows XP; the last run time and run count
    # sit further into the block in the Windows 7 format.
    metrics_offset = struct.unpack("<L", file_info[0:4])
    no_metrics = struct.unpack("<L", file_info[4:8])
    trace_chains = struct.unpack("<L", file_info[8:12])
    no_trace_chains = struct.unpack("<L", file_info[12:16])
    filename_str_offset = struct.unpack("<L", file_info[16:20])
    filename_str_size = struct.unpack("<L", file_info[20:24])
    volume_info = struct.unpack("<L", file_info[24:28])
    no_volumes = struct.unpack("<L", file_info[28:32])
    volume_info_size = struct.unpack("<L", file_info[32:36])
    # 64-bit FILETIME; printed as the raw value for now.
    last_run_time = struct.unpack("<Q", file_info[44:52])
    run_count = struct.unpack("<L", file_info[68:72])
    print("Metrics Array Offset: {}".format(hex(metrics_offset[0])))
    print("No. of Metrics: {}".format(no_metrics[0]))
    print("Trace Chains Offset: {}".format(trace_chains[0]))
    print("No. of Trace Chains: {}".format(no_trace_chains[0]))
    print("Filename String Offset: {}".format(filename_str_offset[0]))
    print("Filename String Size: {}".format(filename_str_size[0]))
    print("Volume Info: {}".format(volume_info[0]))
    print("No. of Volumes: {}".format(no_volumes[0]))
    print("Volume Info Size: {}".format(volume_info_size[0]))
    print("Last Run Time: {}".format(last_run_time[0]))
    print("Run Count: {}".format(run_count[0]))
    return

So basically what I'm doing in these two functions is parsing out the file information data from a Windows XP or Windows 7 prefetch file. I'm still working on the Windows 8 function, since that format has a bit more data.
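As an added example (not code from the post or the YOP repository), here is the same XP/Windows 7 file information parsing driven by a table of offsets instead of two near-identical functions, with the header signature and block length checked before unpacking and the last run time converted from a Windows FILETIME to a UTC datetime. The sample buffers are constructed in the block, not real prefetch files.

```python
import struct
from datetime import datetime, timedelta

# File information block that follows the 84-byte header. Offsets are relative
# to that block and come from the post's winxp_file_info / win7_file_info.
LAYOUTS = {
    0x11: {"os": "Windows XP", "size": 68,  "last_run": 36, "run_count": 60},
    0x17: {"os": "Windows 7",  "size": 156, "last_run": 44, "run_count": 68},
}
FIELDS = ("metrics_offset", "metrics_count", "trace_chains_offset",
          "trace_chains_count", "filename_str_offset", "filename_str_size",
          "volume_info_offset", "volume_count", "volume_info_size")

def filetime_to_datetime(ft):
    # FILETIME counts 100 ns ticks since 1601-01-01 00:00 UTC.
    return datetime(1601, 1, 1) + timedelta(microseconds=ft // 10)

def parse_file_info(data):
    version, signature = struct.unpack("<L4s", data[0:8])
    if signature != b"SCCA":
        raise ValueError("not a prefetch file (bad signature)")
    layout = LAYOUTS.get(version)
    if layout is None:
        raise ValueError("unsupported prefetch version 0x%x" % version)
    block = data[84:84 + layout["size"]]
    if len(block) < layout["size"]:
        raise ValueError("truncated file information block")
    info = dict(zip(FIELDS, struct.unpack("<9L", block[:36])))
    lr, rc = layout["last_run"], layout["run_count"]
    info["os"] = layout["os"]
    info["last_run_filetime"] = struct.unpack("<Q", block[lr:lr + 8])[0]
    info["last_run_utc"] = filetime_to_datetime(info["last_run_filetime"])
    info["run_count"] = struct.unpack("<L", block[rc:rc + 4])[0]
    return info

def build_sample(version, filetime, run_count):
    # Constructed test data, not a real capture: header + zero-filled block
    # with only the fields this parser reads populated.
    layout = LAYOUTS[version]
    header = struct.pack("<L4s", version, b"SCCA") + b"\x00" * 76
    block = bytearray(layout["size"])
    struct.pack_into("<9L", block, 0, 0xF0, 5, 0x140, 4, 0x180, 0x40, 0x1C0, 1, 0x60)
    struct.pack_into("<Q", block, layout["last_run"], filetime)
    struct.pack_into("<L", block, layout["run_count"], run_count)
    return header + bytes(block)

# 130769856000000000 is the FILETIME for 2015-05-25 00:00:00 UTC.
SAMPLE_WIN7 = build_sample(0x17, 130769856000000000, 12)
SAMPLE_XP = build_sample(0x11, 130769856000000000, 3)
```

Because the block is sliced to the layout's size before unpacking, a short or truncated file raises a ValueError instead of a struct.error partway through.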

I also stumbled across the Python Construct module, which is what plaso uses to parse out this same information with log2timeline. I've been playing around with rewriting some of this parsing with that module as well. I may have that show up in future YOP entries.

Until next week!

https://github.com/CdtDelta/YOP
