dissect.target.plugins.os.windows.prefetch¶
Module Contents¶
Classes¶
Windows prefetch plugin. |
Attributes¶
- dissect.target.plugins.os.windows.prefetch.PrefetchRecord¶
- dissect.target.plugins.os.windows.prefetch.GroupedPrefetchRecord¶
- dissect.target.plugins.os.windows.prefetch.prefetch_def = Multiline-String¶
Show Value
""" struct PREFETCH_HEADER_DETECT { char signature[4]; uint32 size; }; struct PREFETCH_HEADER { uint32 version; char signature[4]; uint32 unknown; uint32 size; char name[60]; uint32 hash; uint32 flag; }; struct FILE_INFORMATION_26 { uint32 metrics_array_offset; uint32 number_of_file_metrics_entries; uint32 trace_chain_array_offset; uint32 number_of_trace_chain_array_entries; uint32 filename_strings_offset; uint32 filename_strings_size; uint32 volumes_information_offset; uint32 number_of_volumes; uint32 volumes_information_size; uint32 unknown0[2]; uint64 last_run_time; uint64 last_run_remains[7]; uint64 unknown1[2]; uint32 run_count; uint32 unknown2; uint32 unknown3; char unknown4[88]; }; struct FILE_INFORMATION_17 { uint32 metrics_array_offset; uint32 number_of_file_metrics_entries; uint32 trace_chain_array_offset; uint32 number_of_trace_chain_array_entries; uint32 filename_strings_offset; uint32 filename_strings_size; uint32 volumes_information_offset; uint32 number_of_volumes; uint32 volumes_information_size; uint32 last_run_time; uint32 unknown0; uint32 run_count; uint32 unknown1; }; struct FILE_INFORMATION_23 { uint32 metrics_array_offset; uint32 number_of_file_metrics_entries; uint32 trace_chain_array_offset; uint32 number_of_trace_chain_array_entries; uint32 filename_strings_offset; uint32 filename_strings_size; uint32 volumes_information_offset; uint32 number_of_volumes; uint32 volumes_information_size; uint32 unknown[2]; uint64 last_run_time; uint64 last_run_remains[2]; uint32 run_count; uint32 unknown0; uint32 unknown1; char unknown2[80]; }; struct VOLUME_INFORMATION_17 { uint32 device_path_offset; uint32 device_path_number_of_characters; uint64 creation_time; uint32 serial_number; uint32 file_reference_offset; uint32 file_reference_size; uint32 directory_strings_array_offset; uint32 number_of_directory_strings; uint32 unknown; }; struct VOLUME_INFORMATION_30 { uint32 device_path_offset; uint32 device_path_number_of_characters; uint64 creation_time; uint32 serial_number; uint32 file_reference_offset; uint32 file_reference_size; uint32 directory_strings_array_offset; uint32 number_of_directory_strings; char unknown0[4]; char unknown1[24]; char unknown2[4]; char unknown3[24]; char unknown4[4]; }; struct TRACE_CHAIN_ARRAY_ENTRY_17 { uint32 next_array_entry_index; uint32 total_block_load_count; uint32 unknown0; uint32 unknown1; uint32 unknown2; }; struct FILE_METRICS_ARRAY_ENTRY_17 { uint32 start_time; uint32 duration; uint32 filename_string_offset; uint32 filename_string_number_of_characters; uint32 flags; }; struct FILE_METRICS_ARRAY_ENTRY_23 { uint32 start_time; uint32 duration; uint32 average_duration; uint32 filename_string_offset; uint32 filename_string_number_of_characters; uint32 flags; uint64 ntfs_reference; }; """
- dissect.target.plugins.os.windows.prefetch.c_prefetch¶
- dissect.target.plugins.os.windows.prefetch.prefetch_version_structs¶
- class dissect.target.plugins.os.windows.prefetch.Prefetch(fh: BinaryIO)¶
- fh¶
- header¶
- version¶
- volumes = None¶
- metrics = None¶
- fn = None¶
- identify() int¶
- parse() None¶
- parse_metrics(metric_array_struct: c_prefetch | c_prefetch) list[str | None]¶
- property latest_timestamp: datetime.datetime¶
Get the latest execution timestamp inside the prefetch file.
- property previous_timestamps: list[datetime.datetime | None]¶
Get the previous timestamps from the prefetch file.
- class dissect.target.plugins.os.windows.prefetch.PrefetchPlugin(target: dissect.target.target.Target)¶
Bases:
dissect.target.plugin.PluginWindows prefetch plugin.
- prefetchdir¶
- check_compatible() None¶
Perform a compatibility check with the target.
This function should return
Noneif the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise anUnsupportedPluginError.- Raises:
UnsupportedPluginError – If the plugin could not be loaded.
- prefetch(grouped=False) Iterator[PrefetchRecord | GroupedPrefetchRecord]¶
Return the content of all prefetch files.
Prefetch is a memory management feature in Windows. It contains information (for example run count and timestamp) about executable applications that have been executed recently or are frequently executed.
References
Yields PrefetchRecords with fields:
hostname (string): The target hostname. domain (string): The target domain. ts (datetime): Run timestamp. filename (path): The filename. prefetch (path): The prefetch entry. linkedfile (path): The linked file entry. runcount (int): The run count.
with
--grouped:Yields PrefetchRecords with fields:
hostname (string): The target hostname. domain (string): The target domain. ts (datetime): Run timestamp. filename (path): The filename. prefetch (path): The prefetch entry. linkedfiles (path[]): A list of linked files runcount (int): The run count. previousruns (datetime[]): Previous run non zero timestamps