:py:mod:`dissect.target.plugins.os.windows.prefetch`
====================================================

.. py:module:: dissect.target.plugins.os.windows.prefetch


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.prefetch.Prefetch
   dissect.target.plugins.os.windows.prefetch.PrefetchPlugin


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.prefetch.PrefetchRecord
   dissect.target.plugins.os.windows.prefetch.CompactPrefetchRecord
   dissect.target.plugins.os.windows.prefetch.prefetch_def
   dissect.target.plugins.os.windows.prefetch.c_prefetch
   dissect.target.plugins.os.windows.prefetch.prefetch_version_structs


.. py:data:: PrefetchRecord

.. py:data:: CompactPrefetchRecord

.. py:data:: prefetch_def
   :value: Multiline-String

   .. code-block:: python

      """
      struct PREFETCH_HEADER_DETECT {
          char    signature[4];
          uint32  size;
      };

      struct PREFETCH_HEADER {
          uint32  version;
          char    signature[4];
          uint32  unknown;
          uint32  size;
          char    name[60];
          uint32  hash;
          uint32  flag;
      };

      struct FILE_INFORMATION_26 {
          uint32  metrics_array_offset;
          uint32  number_of_file_metrics_entries;
          uint32  trace_chain_array_offset;
          uint32  number_of_trace_chain_array_entries;
          uint32  filename_strings_offset;
          uint32  filename_strings_size;
          uint32  volumes_information_offset;
          uint32  number_of_volumes;
          uint32  volumes_information_size;
          uint32  unknown0[2];
          uint64  last_run_time;
          uint64  last_run_remains[7];
          uint64  unknown1[2];
          uint32  run_count;
          uint32  unknown2;
          uint32  unknown3;
          char    unknown4[88];
      };

      struct FILE_INFORMATION_17 {
          uint32  metrics_array_offset;
          uint32  number_of_file_metrics_entries;
          uint32  trace_chain_array_offset;
          uint32  number_of_trace_chain_array_entries;
          uint32  filename_strings_offset;
          uint32  filename_strings_size;
          uint32  volumes_information_offset;
          uint32  number_of_volumes;
          uint32  volumes_information_size;
          uint32  last_run_time;
          uint32  unknown0;
          uint32  run_count;
          uint32  unknown1;
      };

      struct FILE_INFORMATION_23 {
          uint32  metrics_array_offset;
          uint32  number_of_file_metrics_entries;
          uint32  trace_chain_array_offset;
          uint32  number_of_trace_chain_array_entries;
          uint32  filename_strings_offset;
          uint32  filename_strings_size;
          uint32  volumes_information_offset;
          uint32  number_of_volumes;
          uint32  volumes_information_size;
          uint32  unknown[2];
          uint64  last_run_time;
          uint64  last_run_remains[2];
          uint32  run_count;
          uint32  unknown0;
          uint32  unknown1;
          char    unknown2[80];
      };

      struct VOLUME_INFORMATION_17 {
          uint32  device_path_offset;
          uint32  device_path_number_of_characters;
          uint64  creation_time;
          uint32  serial_number;
          uint32  file_reference_offset;
          uint32  file_reference_size;
          uint32  directory_strings_array_offset;
          uint32  number_of_directory_strings;
          uint32  unknown;
      };

      struct VOLUME_INFORMATION_30 {
          uint32  device_path_offset;
          uint32  device_path_number_of_characters;
          uint64  creation_time;
          uint32  serial_number;
          uint32  file_reference_offset;
          uint32  file_reference_size;
          uint32  directory_strings_array_offset;
          uint32  number_of_directory_strings;
          char    unknown0[4];
          char    unknown1[24];
          char    unknown2[4];
          char    unknown3[24];
          char    unknown4[4];
      };

      struct TRACE_CHAIN_ARRAY_ENTRY_17 {
          uint32  next_array_entry_index;
          uint32  total_block_load_count;
          uint32  unknown0;
          uint32  unknown1;
          uint32  unknown2;
      };

      struct FILE_METRICS_ARRAY_ENTRY_17 {
          uint32  start_time;
          uint32  duration;
          uint32  filename_string_offset;
          uint32  filename_string_number_of_characters;
          uint32  flags;
      };

      struct FILE_METRICS_ARRAY_ENTRY_23 {
          uint32  start_time;
          uint32  duration;
          uint32  average_duration;
          uint32  filename_string_offset;
          uint32  filename_string_number_of_characters;
          uint32  flags;
          uint64  ntfs_reference;
      };
      """

.. py:data:: c_prefetch

.. py:data:: prefetch_version_structs

.. py:class:: Prefetch(fh: BinaryIO)

   .. py:attribute:: fh

   .. py:attribute:: header

   .. py:attribute:: version

   .. py:attribute:: volumes
      :value: None

   .. py:attribute:: metrics
      :value: None

   .. py:attribute:: fn
      :value: None

   .. py:method:: identify() -> int

   .. py:method:: parse() -> None

   .. py:method:: parse_metrics(metric_array_struct: c_prefetch | c_prefetch) -> list[str | None]

   .. py:method:: read_filename(off: int, size: int) -> bytes

   .. py:property:: latest_timestamp
      :type: datetime.datetime

      Get the latest execution timestamp inside the prefetch file.

   .. py:property:: previous_timestamps
      :type: list[datetime.datetime | None]

      Get the previous (older) execution timestamps from the prefetch file.

.. py:class:: PrefetchPlugin(target: dissect.target.target.Target)

   Bases: :py:obj:`dissect.target.plugin.Plugin`

   Windows prefetch plugin.

   .. py:attribute:: prefetchdir

   .. py:method:: check_compatible() -> None

      Perform a compatibility check with the target.

      This function should return ``None`` if the plugin is compatible with the current target
      (``self.target``), for example when a certain file exists. Otherwise it should raise an
      :class:`UnsupportedPluginError`.

      :raises UnsupportedPluginError: If the plugin could not be loaded.

   .. py:method:: prefetch(compact: bool = False) -> collections.abc.Iterator[PrefetchRecord | CompactPrefetchRecord]

      Return the content of all prefetch files.

      Prefetch is a Windows memory-management feature that speeds up application start-up. The ``.pf``
      files it writes contain information (for example the run count and the execution timestamps) about
      executables that have been executed recently or are executed frequently, together with the files
      those executables loaded while starting. For forensic purposes a prefetch file is therefore evidence
      that the named executable ran, when it last ran, and which files it touched.

      .. rubric:: References

      - https://www.geeksforgeeks.org/prefetch-files-in-windows/

      Yields PrefetchRecords with fields:

      .. code-block:: text

          hostname (string): The target hostname.
          domain (string): The target domain.
          ts (datetime): Run timestamp.
          filename (path): The filename.
          prefetch (path): The prefetch entry.
          linkedfile (path): The linked file entry.
          runcount (int): The run count.

      with ``--compact``:

      Yields CompactPrefetchRecords with fields:

      .. code-block:: text

          hostname (string): The target hostname.
          domain (string): The target domain.
          ts (datetime): Run timestamp.
          filename (path): The filename.
          prefetch (path): The prefetch entry.
          linkedfiles (path[]): A list of linked files.
          runcount (int): The run count.
          previousruns (datetime[]): Previous run timestamps (zero entries omitted).
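The following is an added, stand-alone example and not code from ``dissect.target``: it parses the fields the plugin reports (name, run count, last and previous run times, loaded files, volume) directly from an uncompressed prefetch image, using the ``PREFETCH_HEADER``, ``FILE_INFORMATION_23``/``_26``, ``FILE_METRICS_ARRAY_ENTRY_23`` and ``VOLUME_INFORMATION_17`` layouts documented above. It only handles versions 23 and 26; version 17 is left out, and the ``PREFETCH_HEADER_DETECT`` signature check rejects the LZXPRESS-Huffman compressed files Windows 10 and later write (``MAM\x04`` prefix), which must be decompressed first. The treatment of ``filename_string_offset`` as a byte offset into the filename-strings block is an assumption, and the ``CMD.EXE`` image, its hash, timestamps and volume serial are constructed for the test, not taken from a real system.

```python
"""Added example (not dissect.target's code): parse an uncompressed Windows
Prefetch file of version 23 or 26 using the struct layouts documented above."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

HEADER_FMT = "<I4sII60sII"   # PREFETCH_HEADER: version, signature, unknown, size, name, hash, flag
HEADER_SIZE = struct.calcsize(HEADER_FMT)   # 84 bytes; FILE_INFORMATION_* starts right after it
COMMON_FMT = "<9I"           # the nine uint32 offsets/counts every FILE_INFORMATION_* begins with
METRIC_FMT = "<6IQ"          # FILE_METRICS_ARRAY_ENTRY_23 (32 bytes)
VOLUME_FMT = "<IIQ6I"        # VOLUME_INFORMATION_17 (40 bytes)
FILE_INFO_SIZE_26 = 224      # sizeof FILE_INFORMATION_26, so the metrics array starts at 0x134

# Per version: number of FILETIMEs at 0x80 (last_run_time + last_run_remains) and the
# absolute offset of run_count, derived from FILE_INFORMATION_23 / FILE_INFORMATION_26.
# Version 17 (XP) and version 30 are deliberately not handled here.
LAYOUTS = {23: (3, 0x98), 26: (8, 0xD0)}


def filetime_to_dt(ft: int):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; 0 means 'no run'."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt: datetime) -> int:
    delta = dt - FILETIME_EPOCH           # integer maths keeps the tick count exact
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def is_compressed(data: bytes) -> bool:
    """Windows 10+ writes .pf files LZXPRESS-Huffman compressed behind an 'MAM\\x04' prefix."""
    sig, _size = struct.unpack_from("<4sI", data, 0)    # PREFETCH_HEADER_DETECT
    return sig == b"MAM\x04"


def parse_prefetch(data: bytes) -> dict:
    if is_compressed(data):
        raise ValueError("compressed prefetch file: decompress it before parsing")
    version, sig, _unk, size, name_raw, name_hash, _flag = struct.unpack_from(HEADER_FMT, data, 0)
    if sig != b"SCCA":
        raise ValueError(f"not a prefetch file (signature {sig!r})")
    if version not in LAYOUTS:
        raise ValueError(f"unsupported prefetch version {version}")
    if size != len(data):
        raise ValueError(f"header claims {size} bytes but buffer has {len(data)}")  # truncated/padded

    (metrics_off, n_metrics, _tc_off, _n_tc, fn_off, fn_size,
     vol_off, n_vols, _vol_size) = struct.unpack_from(COMMON_FMT, data, HEADER_SIZE)
    n_times, run_count_off = LAYOUTS[version]
    times = struct.unpack_from(f"<{n_times}Q", data, 0x80)
    (run_count,) = struct.unpack_from("<I", data, run_count_off)

    # Each metrics entry points into the UTF-16LE filename-strings block; its
    # filename_string_offset is treated as a byte offset relative to fn_off (assumption).
    strings = data[fn_off:fn_off + fn_size]
    files = []
    for i in range(n_metrics):
        _st, _dur, _avg, s_off, s_chars, _flags, _ref = struct.unpack_from(
            METRIC_FMT, data, metrics_off + i * struct.calcsize(METRIC_FMT))
        files.append(strings[s_off:s_off + 2 * s_chars].decode("utf-16-le"))

    # Volume entries are fixed-size records; device_path_offset is relative to vol_off.
    volumes = []
    for i in range(n_vols):
        dp_off, dp_chars, ctime, serial, *_ = struct.unpack_from(
            VOLUME_FMT, data, vol_off + i * struct.calcsize(VOLUME_FMT))
        start = vol_off + dp_off
        volumes.append({"device_path": data[start:start + 2 * dp_chars].decode("utf-16-le"),
                        "serial_number": f"{serial:08X}", "created": filetime_to_dt(ctime)})

    run_dts = [filetime_to_dt(t) for t in times]
    return {
        "version": version,
        "name": name_raw.decode("utf-16-le").split("\x00", 1)[0],
        "hash": f"{name_hash:08X}",                                   # the suffix in NAME-HASH.pf
        "run_count": run_count,
        "last_run": run_dts[0],                                       # the plugin's `ts`
        "previous_runs": [t for t in run_dts[1:] if t is not None],  # zero FILETIMEs dropped
        "files": files,
        "volumes": volumes,
    }


def build_sample_v26(name, files, device_path, run_dts, run_count, serial=0x1A2B3C4D) -> bytes:
    """Assemble a constructed, uncompressed version-26 image for testing (not a real artefact)."""
    strings, metrics = b"", b""
    for f in files:
        metrics += struct.pack(METRIC_FMT, 0, 0, 0, len(strings), len(f), 0, 0)
        strings += f.encode("utf-16-le") + b"\x00\x00"
    created = dt_to_filetime(datetime(2019, 6, 1, tzinfo=timezone.utc))
    volume = struct.pack(VOLUME_FMT, struct.calcsize(VOLUME_FMT), len(device_path), created,
                         serial, 0, 0, 0, 0, 0) + device_path.encode("utf-16-le") + b"\x00\x00"
    metrics_off = HEADER_SIZE + FILE_INFO_SIZE_26
    fn_off = metrics_off + len(metrics)        # no trace-chain entries in this sample
    vol_off = fn_off + len(strings)
    total = vol_off + len(volume)
    info = bytearray(FILE_INFO_SIZE_26)
    struct.pack_into(COMMON_FMT, info, 0, metrics_off, len(files), fn_off, 0,
                     fn_off, len(strings), vol_off, 1, len(volume))
    ft = [dt_to_filetime(d) for d in run_dts] + [0] * (8 - len(run_dts))
    struct.pack_into("<8Q", info, 0x80 - HEADER_SIZE, *ft)
    struct.pack_into("<I", info, 0xD0 - HEADER_SIZE, run_count)
    header = struct.pack(HEADER_FMT, 26, b"SCCA", 0x11, total,
                         name.encode("utf-16-le").ljust(60, b"\x00"), 0x12345678, 0)
    return header + bytes(info) + metrics + strings + volume


def demo() -> dict:
    """Round-trip a constructed CMD.EXE image: two runs recorded, run count 7."""
    utc = timezone.utc
    image = build_sample_v26(
        "CMD.EXE",
        [r"\VOLUME{a1b2c3d4-1a2b3c4d}\WINDOWS\SYSTEM32\NTDLL.DLL",
         r"\VOLUME{a1b2c3d4-1a2b3c4d}\WINDOWS\SYSTEM32\CMD.EXE"],
        r"\VOLUME{a1b2c3d4-1a2b3c4d}",
        [datetime(2024, 1, 2, 3, 4, 5, tzinfo=utc), datetime(2023, 12, 31, 23, 59, 59, tzinfo=utc)],
        run_count=7)
    return parse_prefetch(image)
```

``demo()`` returns the same information the plugin emits as a compact record: ``last_run`` corresponds to ``ts``, ``previous_runs`` to ``previousruns``, and ``files`` to ``linkedfiles``. The length check against the header's ``size`` field matters in practice: a truncated or carved ``.pf`` file can still carry a valid signature while its offsets point past the end of the buffer.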