A forensic library which parses and reads Microsoft Prefetch files.

libprefetch fully supports the following versions of Windows:

* Windows 2003
* Windows XP
* Windows Vista
* Windows 7
* Windows 8/8.1

libprefetch partially supports Windows 10.
Features:

* Parser and validator
* Auto detects the version of Windows
* Provides the last execution time and the execution counter
* Provides metric information about loaded files (DLLs etc.) if available, such as:
  * filename
  * start time
  * duration
  * average duration
  * NTFS MFT entry
  * NTFS sequence number
* Provides the trace chains (unavailable for Windows 10)
* Provides all pieces of information about the volumes:
  * device path
  * creation time
  * serial number
  * list of directories
This library will be used in a global forensic computing library very soon.
Add this to your Cargo.toml:

```toml
[dependencies]
libprefetch = "0.1.0"
```

and this to your crate root:

```rust
extern crate libprefetch;
```
```rust
use libprefetch::Prefetch;

fn main() {
    let file = std::fs::File::open("assets/WUAUCLT.EXE-399A8E72.pf").unwrap();
    let prefetch = Prefetch::new(file).unwrap();

    // Prints some information
    println!(
        "Executable {} launched {} times. The last time was: {}",
        prefetch.name(),
        prefetch.execution_counter(),
        prefetch.last_execution_time() // TODO: format the FILETIME here
    );

    // Iterates over all loaded DLLs etc. for the prefetch file
    println!(" ===== File metrics ===== ");
    for metric in prefetch.metrics().unwrap() {
        println!("#{}: {}", metric.id(), metric.filename());
        println!("    start time: {}", metric.start_time().unwrap());
        println!("    duration: {}", metric.duration().unwrap());
        println!(" ------------------------------- ");
    }

    // Iterates over the volumes
    println!(" ===== Volumes ===== ");
    for volume in prefetch.volumes().unwrap() {
        println!("Volume #{}:", volume.id());
        println!("    Path: {}", volume.device_path());
        println!("    Creation time: {}", volume.creation_time());
        println!("    Serial number: {}", volume.serial_number());
        println!("    Directories: ");
        for directory in volume.directories().unwrap() {
            println!("        {}", directory);
        }
    }
}
```
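The snippet above leaves the FILETIME unformatted and relies on the crate to detect the Windows version. The following is an added, std-only companion example; it is not libprefetch's own code. It shows the two steps behind those features: sniffing the Prefetch header (format version at offset 0, `SCCA` signature at offset 4, UTF-16LE executable name at offset 16, taken from the public Prefetch format documentation) and converting a FILETIME (100 ns ticks since 1601-01-01) to a readable UTC timestamp. The header bytes are constructed for the demo, and the `PrefetchVersion` enum and function names are this example's own. It also covers the Windows 10 case the crate only partially supports: such files are LZXPRESS-Huffman compressed behind a `MAM\x04` prefix, so the header is not readable until they are decompressed, and the sniffer reports that rather than guessing.

```rust
// Added example (not libprefetch's own code): a std-only helper that reads the
// fields libprefetch exposes from a Prefetch header and formats a FILETIME.
// Header layout (version at offset 0, "SCCA" at offset 4, UTF-16LE name at
// offset 16, 60 bytes) follows the public format documentation; the sample
// bytes below are constructed for this demo, not taken from a real file.

/// Windows family inferred from the format-version field (the same
/// "auto detects version of Windows" step a parser must do first).
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum PrefetchVersion {
    XpOr2003,        // version 17
    VistaOr7,        // version 23
    Win8,            // version 26 (Windows 8 / 8.1)
    Win10,           // version 30, uncompressed header
    CompressedWin10, // "MAM\x04" container: must be decompressed first
}

pub fn detect_version(data: &[u8]) -> Option<PrefetchVersion> {
    if data.len() < 8 {
        return None;
    }
    // Windows 10 writes LZXPRESS-Huffman compressed files with a "MAM" prefix;
    // the real header is only visible after decompression.
    if &data[..4] == b"MAM\x04" {
        return Some(PrefetchVersion::CompressedWin10);
    }
    if &data[4..8] != b"SCCA" {
        return None; // not a Prefetch file, or truncated/corrupted input
    }
    let version = u32::from_le_bytes([data[0], data[1], data[2], data[3]]);
    match version {
        17 => Some(PrefetchVersion::XpOr2003),
        23 => Some(PrefetchVersion::VistaOr7),
        26 => Some(PrefetchVersion::Win8),
        30 => Some(PrefetchVersion::Win10),
        _ => None,
    }
}

/// Executable name: 30 UTF-16LE code units at offset 16, NUL-terminated.
pub fn executable_name(data: &[u8]) -> Option<String> {
    let raw = data.get(16..76)?;
    let units: Vec<u16> = raw
        .chunks_exact(2)
        .map(|c| u16::from_le_bytes([c[0], c[1]]))
        .take_while(|&u| u != 0)
        .collect();
    String::from_utf16(&units).ok()
}

/// FILETIME counts 100 ns ticks since 1601-01-01; convert to Unix seconds.
pub fn filetime_to_unix(ft: u64) -> i64 {
    (ft / 10_000_000) as i64 - 11_644_473_600
}

/// Proleptic Gregorian (year, month, day) from days since 1970-01-01
/// (Howard Hinnant's civil_from_days algorithm).
fn civil_from_days(z: i64) -> (i64, u32, u32) {
    let z = z + 719_468;
    let era = (if z >= 0 { z } else { z - 146_096 }) / 146_097;
    let doe = z - era * 146_097;
    let yoe = (doe - doe / 1_460 + doe / 36_524 - doe / 146_096) / 365;
    let doy = doe - (365 * yoe + yoe / 4 - yoe / 100);
    let mp = (5 * doy + 2) / 153;
    let d = (doy - (153 * mp + 2) / 5 + 1) as u32;
    let m = (if mp < 10 { mp + 3 } else { mp - 9 }) as u32;
    let y = yoe + era * 400 + if m <= 2 { 1 } else { 0 };
    (y, m, d)
}

/// Renders a FILETIME as "YYYY-MM-DD HH:MM:SS UTC" (what the TODO above needs).
pub fn format_filetime(ft: u64) -> String {
    let secs = filetime_to_unix(ft);
    let (y, m, d) = civil_from_days(secs.div_euclid(86_400));
    let t = secs.rem_euclid(86_400);
    format!(
        "{:04}-{:02}-{:02} {:02}:{:02}:{:02} UTC",
        y, m, d, t / 3_600, (t % 3_600) / 60, t % 60
    )
}

/// Constructed Vista/7-style header (version 23) for the demo; not a real file.
pub fn sample_header_vista7() -> Vec<u8> {
    let mut hdr = vec![0u8; 84];
    hdr[..4].copy_from_slice(&23u32.to_le_bytes());
    hdr[4..8].copy_from_slice(b"SCCA");
    for (i, unit) in "WUAUCLT.EXE".encode_utf16().enumerate() {
        hdr[16 + 2 * i..18 + 2 * i].copy_from_slice(&unit.to_le_bytes());
    }
    hdr
}

fn main() {
    let hdr = sample_header_vista7();
    println!("version: {:?}", detect_version(&hdr));
    println!("executable: {:?}", executable_name(&hdr));
    // The Unix epoch expressed as a FILETIME.
    println!("{}", format_filetime(116_444_736_000_000_000));
}
```

In a triage script you would call `detect_version` on the first bytes of each `.pf` file before handing it to a parser, so that compressed Windows 10 files and non-Prefetch files are logged rather than producing a misleading parse failure; `format_filetime` is the missing piece for the `// TODO` in the usage snippet, and it works on any `u64` FILETIME the crate returns.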
Release notes are available in RELEASES.md.

libprefetch seems to work for Rust 1.9 and greater.