
prefetchkit – A powerful forensics commandline tool for analyzing Microsoft Prefetch files.
prefetchkit is a powerful forensics command-line tool for analyzing and extracting information from Microsoft Prefetch files.
It fully supports the following Prefetch versions:
+ Windows XP/2003
+ Windows Vista/7
+ Windows 8/8.1
It partially supports the following Prefetch version: Windows 10.
Prefetch files (with the .pf or .PF extension) are Windows system files located in C:\WINDOWS\Prefetch\. They help Windows load executables faster.
prefetchkit is a forensic tool: it extracts information such as the last executable which was run and how many times that executable was run.
With the metrics option, you can see which files are loaded while the executable is loading. For example, if a user launches Paint on a specific picture, the path to that picture will be stored inside the Prefetch file.
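To make the extracted fields concrete, here is an added example (not prefetchkit's own code) that reads the format version, executable name, run count and last run time from an uncompressed Prefetch header. The field offsets, version numbers and the "MAM" compressed-file marker are taken from public format documentation and are assumptions here, not from this page; `PfInfo`, `parse_prefetch` and `sample_v23` are hypothetical names.

```rust
// Added example, not prefetchkit code. Offsets are assumptions from public format docs.
#[derive(Debug, PartialEq)]
pub struct PfInfo { pub version: u32, pub exe: String, pub run_count: u32, pub last_run_unix: i64 }

// Little-endian unsigned read of n (<= 8) bytes; None if the buffer is too short.
fn le(b: &[u8], off: usize, n: usize) -> Option<u64> {
    let s = b.get(off..off + n)?;
    Some(s.iter().rev().fold(0u64, |acc, &x| (acc << 8) | x as u64))
}

pub fn parse_prefetch(b: &[u8]) -> Result<PfInfo, &'static str> {
    // Windows 10 files are usually stored compressed and start with "MAM".
    if b.starts_with(b"MAM") { return Err("compressed (Windows 10): decompress first"); }
    if b.get(4..8) != Some(&b"SCCA"[..]) { return Err("missing SCCA signature"); }
    let version = le(b, 0, 4).ok_or("truncated")? as u32;
    // (last-run FILETIME offset, run-count offset) for each format version
    let (time_off, count_off) = match version {
        17 => (0x78, 0x90), // Windows XP/2003
        23 => (0x80, 0x98), // Windows Vista/7
        26 => (0x80, 0xD0), // Windows 8/8.1 (first of eight stored timestamps)
        _ => return Err("unsupported version"),
    };
    // Executable name: NUL-terminated UTF-16LE in the 60 bytes at 0x10
    let name = b.get(0x10..0x4C).ok_or("truncated")?;
    let units: Vec<u16> = name.chunks_exact(2)
        .map(|c| u16::from_le_bytes([c[0], c[1]]))
        .take_while(|&u| u != 0).collect();
    let ft = le(b, time_off, 8).ok_or("truncated")?;
    Ok(PfInfo {
        version,
        exe: String::from_utf16_lossy(&units),
        run_count: le(b, count_off, 4).ok_or("truncated")? as u32,
        // FILETIME counts 100 ns ticks since 1601-01-01; convert to Unix seconds
        last_run_unix: (ft / 10_000_000) as i64 - 11_644_473_600,
    })
}

// Constructed sample (not a real artifact): a version-23 header for MSPAINT.EXE.
pub fn sample_v23() -> Vec<u8> {
    let mut b = vec![0u8; 0x9C];
    b[0..4].copy_from_slice(&23u32.to_le_bytes());
    b[4..8].copy_from_slice(b"SCCA");
    for (i, u) in "MSPAINT.EXE".encode_utf16().enumerate() {
        b[0x10 + 2 * i..0x12 + 2 * i].copy_from_slice(&u.to_le_bytes());
    }
    b[0x80..0x88].copy_from_slice(&132_223_104_000_000_000u64.to_le_bytes());
    b[0x98..0x9C].copy_from_slice(&7u32.to_le_bytes());
    b
}
fn main() { println!("{:?}", parse_prefetch(&sample_v23())); }
```

The loaded-file paths shown by the metrics option live in a separate filename-strings section that this header-only sketch does not read.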
Dependencies:
+ Rust toolchain (rustc, cargo)
Use and Download:
    git clone https://github.com/zadlg/prefetchkit && cd prefetchkit
    cargo install prefetchkit
    cargo build
    cd target\debug
    prefetchkit.exe --help
Source: https://github.com/zadlg
Troubleshooting:
Getting "error: failed to fetch https://github.com/rust-lang/crates.io-index" on Windows? See the Microsoft update that enables TLS 1.1 and TLS 1.2 as default secure protocols:
https://support.microsoft.com/en-us/help/3140245/update-to-enable-tls-1-1-and-tls-1-2-as-a-default-secure-protocols-in