Search the Community
Showing results for tags 'prefetch'.
Motivation: During the forensic analysis of a Windows machine, you may find the name of a deleted prefetch file. While its content may not be recoverable, the filename itself is often enough to find the full path of the executable for which the prefetch file was created.
Prefetch Hash Cracker

During the forensic analysis of a Windows machine, you may find the name of a deleted prefetch file. While its content may not be recoverable, the filename itself is often enough to find the full path of the executable for which the prefetch file was created.

How does it work?

The provided bodyfile is used to get the path of every folder on the volume. The tool appends the provided executable name to each of those paths to create a list of possible full paths for the executable. Each possible full path is then hashed using the provided hash function. If there’s a possible full path for which the result matches the provided hash, that path is outputted.