Releases: kacos2000/Prefetch-Browser
PrefetchBrowser
[Updates]
- Added option to save the Prefetch/Superfetch properties to a JSON file
- Other minor updates
MD5: 674E9EB75F5DBFF73C08F8DA74A46FEA
SHA256: 2779A2FAA40ABB2A9C595F68AEE96FEBFF8EA9CAA8AC2C8BC47026CA141E85F7
PrefetchBrowser
[Updates]
- Replaced 'Add-Type' and the C# code for [Prefetch.XpressStream.Xpress2] (used to decompress the Prefetch files) with a compiled & signed .dll, to solve errors in Win11
MD5: 0515EA6451015DA6964D176FE607ACB4
SHA256: 834955711A1B090EB952FB69284F4E79DC4F54C19E593DD394E96490189C70E4
PrefetchBrowser
[Updates]
- Switched to Black background :)
- Added new info on Prefetch File Metrics & Trace Arrays based on @JamesHabben's research.
- Note 1: Certain Prefetch files might take a bit longer to process due to the extra info (depending on the number of trace metrics/entries).
- Note 2: Not all Flag values are known (yet).
- Added experimental support for some Superfetch .db files including 'cadrespri.7db' and 'dynrespri.7db'.
- db formats supported:

| Format | Version | Files | Compression |
|---|---|---|---|
| 3 | 19 | cadrespri.7db, dynrespri.7db | None |
| 15 | 14 | AgRobust.db | None |
| 3 | 11 | AgGlUAD_P_(SID here)_.db | LZXPRESS |
| 3 | 21 | AgGlobalHistory.db, AgGlFgAppHistory.db | LZXPRESS |

(Image: example from a Win10's 'AgGlobalHistory.db')

- Some relatively recent info on Superfetch/Prefetch:
  - 4n6ir.com Blog (2017)
  - Fooling Windows through Superfetch by @MathildeVenault & @bdavidADK (2020): Presentation, Paper, Tool
MD5: 2CA8117578438593842E9B1B828861A1
SHA256: 03136C7AA02908910E56A062BFADFC52A1A1F436AAB4A6A461864F5A0E6B215B
PrefetchBrowser
[Update]
- minor bug fix
MD5: 57A2DCEE90A4C3BB6BA6828D625FA7CB
SHA256: 5A993C47ECA71098C8A2117302FD6279AD4AC8C7F1CC5FDF060C7F4DD1A2188F
PrefetchBrowser
[Update]
- New Digital Signature
MD5: CD53666980236F4658CE02DCC4DF9B4F
SHA1: B88FEDBEF703D408BC7B6C75445B6503BC829750
SHA256: 45471A6B255218D465FA1976643D30A52441D15A3BE1A98930EC615EB2F68682
PrefetchBrowser
[Update]
- minor corrections
MD5: 685FB286D4109B8EC3986EF0C25F5D61
SHA256: C14B6DEB855360DE5802008FA96060F48C2FAE0874A4C5C4BD9EC2BD16B3E801
PrefetchBrowser
[Update]
- Added file info for the loaded prefetch to the properties tree (useful when saving to a txt file)
- Minor fix
MD5: 814A18E0CE23A767FFF1F22DE442B550
SHA256: 32BCF56CD3B9310D31A6246344A53EFEEC6E371F1CDBF37011844B5CB5E20DEF
PrefetchBrowser
[Update]
- Now lists & reads Prefetch (.pf) files hidden in Alternate Data Streams
  e.g.: 'WELCOME2.TXT:REVSHELL.EXE-41B5A636.pf'
  Ref: Creating a Hidden Prefetch File to Bypass Normal Forensic Analysis
PrefetchBrowser
[Updates]
- Added access permissions check when selecting a Prefetch folder
- Added option to export the Prefetch directory tree (Prefetch file system properties) to a csv/txt file
- Added option to export the Selected Prefetch file's Properties (Nodes) to a Text (txt) file
PrefetchBrowser
[Updates]
- Added Hashes of the Prefetch file (MD5,SHA1,SHA256)
- Added actual offsets to each node
- Removed unknown stuff (for now)
Thanks to @EricZimmerman !! for the XpressStream code
To Do:
- Add error checking
- Add support for earlier versions of Prefetch (17/23/26)
- Windows 10/11 (30 ver 1 & 2)
- More testing ..
MD5: 5E6D325FF2CE591408C72D55EB0E7FD3
SHA256: 78125D7C84DDF218518E987B8DB5A721334BCD926B45F7DEDB4A756A03DD69CF