:py:mod:`dissect.target.plugins.os.windows.prefetch`
====================================================

.. py:module:: dissect.target.plugins.os.windows.prefetch


Module Contents
---------------

Classes
~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.prefetch.Prefetch
   dissect.target.plugins.os.windows.prefetch.PrefetchPlugin


Attributes
~~~~~~~~~~

.. autoapisummary::

   dissect.target.plugins.os.windows.prefetch.PrefetchRecord
   dissect.target.plugins.os.windows.prefetch.GroupedPrefetchRecord
   dissect.target.plugins.os.windows.prefetch.c_prefetch
   dissect.target.plugins.os.windows.prefetch.prefetch
   dissect.target.plugins.os.windows.prefetch.prefetch_version_structs


.. py:data:: PrefetchRecord

.. py:data:: GroupedPrefetchRecord

.. py:data:: c_prefetch
   :value: Multiline-String

   .. code-block:: python

      """
      struct PREFETCH_HEADER_DETECT {
          char    signature[4];
          uint32  size;
      };

      struct PREFETCH_HEADER {
          uint32  version;
          char    signature[4];
          uint32  unknown;
          uint32  size;
          char    name[60];
          uint32  hash;
          uint32  flag;
      };

      struct FILE_INFORMATION_26 {
          uint32  metrics_array_offset;
          uint32  number_of_file_metrics_entries;
          uint32  trace_chain_array_offset;
          uint32  number_of_trace_chain_array_entries;
          uint32  filename_strings_offset;
          uint32  filename_strings_size;
          uint32  volumes_information_offset;
          uint32  number_of_volumes;
          uint32  volumes_information_size;
          uint32  unknown[2];
          uint64  last_run_time;
          uint64  last_run_remains[7];
          uint64  unknown[2];
          uint32  run_count;
          uint32  unknown;
          uint32  unknown;
          char    unknown[88];
      };

      struct FILE_INFORMATION_17 {
          uint32  metrics_array_offset;
          uint32  number_of_file_metrics_entries;
          uint32  trace_chain_array_offset;
          uint32  number_of_trace_chain_array_entries;
          uint32  filename_strings_offset;
          uint32  filename_strings_size;
          uint32  volumes_information_offset;
          uint32  number_of_volumes;
          uint32  volumes_information_size;
          uint32  last_run_time;
          uint32  unknown;
          uint32  run_count;
          uint32  unknown;
      };

      struct FILE_INFORMATION_23 {
          uint32  metrics_array_offset;
          uint32  number_of_file_metrics_entries;
          uint32  trace_chain_array_offset;
          uint32  number_of_trace_chain_array_entries;
          uint32  filename_strings_offset;
          uint32  filename_strings_size;
          uint32  volumes_information_offset;
          uint32  number_of_volumes;
          uint32  volumes_information_size;
          uint32  unknown[2];
          uint64  last_run_time;
          uint64  last_run_remains[2];
          uint32  run_count;
          uint32  unknown;
          uint32  unknown;
          char    unknown[80];
      };

      struct VOLUME_INFORMATION_17 {
          uint32  device_path_offset;
          uint32  device_path_number_of_characters;
          uint64  creation_time;
          uint32  serial_number;
          uint32  file_reference_offset;
          uint32  file_reference_size;
          uint32  directory_strings_array_offset;
          uint32  number_of_directory_strings;
          uint32  unknown;
      };

      struct VOLUME_INFORMATION_30 {
          uint32  device_path_offset;
          uint32  device_path_number_of_characters;
          uint64  creation_time;
          uint32  serial_number;
          uint32  file_reference_offset;
          uint32  file_reference_size;
          uint32  directory_strings_array_offset;
          uint32  number_of_directory_strings;
          char    unknown[4];
          char    unknown[24];
          char    unknown[4];
          char    unknown[24];
          char    unknown[4];
      };

      struct TRACE_CHAIN_ARRAY_ENTRY_17 {
          uint32  next_array_entry_index;
          uint32  total_block_load_count;
          uint32  unknown;
          uint32  unknown;
          uint32  unknown;
      };

      struct FILE_METRICS_ARRAY_ENTRY_17 {
          uint32  start_time;
          uint32  duration;
          uint32  filename_string_offset;
          uint32  filename_string_number_of_characters;
          uint32  flags;
      };

      struct FILE_METRICS_ARRAY_ENTRY_23 {
          uint32  start_time;
          uint32  duration;
          uint32  average_duration;
          uint32  filename_string_offset;
          uint32  filename_string_number_of_characters;
          uint32  flags;
          uint64  ntfs_reference;
      };
      """

.. py:data:: prefetch

.. py:data:: prefetch_version_structs


.. py:class:: Prefetch(fh)

   .. py:property:: latest_timestamp

      Get the latest execution timestamp inside the prefetch file.

   .. py:property:: previous_timestamps

      Get the previous timestamps from the prefetch file.

   .. py:method:: identify()

   .. py:method:: parse()

   .. py:method:: parse_metrics(metric_array_struct)

   .. py:method:: read_filename(off, size)


.. py:class:: PrefetchPlugin(target)

   Bases: :py:obj:`dissect.target.plugin.Plugin`

   Base class for plugins.

   Plugins can optionally be namespaced by specifying the ``__namespace__`` class
   attribute. Namespacing results in your plugin needing to be prefixed with this
   namespace when being called. For example, if your plugin has specified ``test``
   as namespace and a function called ``example``, you must call your plugin with
   ``test.example``.

   A ``Plugin`` class has the following private class attributes:

   - ``__namespace__``
   - ``__record_descriptors__``

   With the following three being assigned in :func:`register`:

   - ``__plugin__``
   - ``__functions__``
   - ``__exports__``

   Additionally, the methods and attributes of :class:`Plugin` receive more private
   attributes by using decorators. The :func:`export` decorator adds the following
   private attributes:

   - ``__exported__``
   - ``__output__``: Set with the :func:`export` decorator.
   - ``__record__``: Set with the :func:`export` decorator.

   The :func:`internal` decorator and :class:`InternalPlugin` set the
   ``__internal__`` attribute. Finally, the :func:`args` decorator sets the
   ``__args__`` attribute.

   :param target: The :class:`~dissect.target.target.Target` object to load the
                  plugin for.

   .. py:method:: check_compatible() -> None

      Perform a compatibility check with the target.

      This function should return ``None`` if the plugin is compatible with the
      current target (``self.target``). For example, check if a certain file
      exists. Otherwise it should raise an ``UnsupportedPluginError``.

      :raises UnsupportedPluginError: If the plugin could not be loaded.

   .. py:method:: prefetch(grouped=False)

      Return the content of all prefetch files.

      Prefetch is a memory management feature in Windows. It contains information
      (for example run count and timestamp) about executable applications that
      have been executed recently or are frequently executed.

      .. rubric:: References

      - https://www.geeksforgeeks.org/prefetch-files-in-windows/

      Yields PrefetchRecords with fields:

      - hostname (string): The target hostname.
      - domain (string): The target domain.
      - ts (datetime): Run timestamp.
      - filename (path): The filename.
      - prefetch (path): The prefetch entry.
      - linkedfile (path): The linked file entry.
      - runcount (int): The run count.

      With ``--grouped``, yields PrefetchRecords with fields:

      - hostname (string): The target hostname.
      - domain (string): The target domain.
      - ts (datetime): Run timestamp.
      - filename (path): The filename.
      - prefetch (path): The prefetch entry.
      - linkedfiles (path[]): A list of linked files.
      - runcount (int): The run count.
      - previousruns (datetime[]): Previous run non-zero timestamps.
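As an added illustration of the layouts above, not code from dissect.target, the following standalone parser applies the ``PREFETCH_HEADER`` and ``FILE_INFORMATION_23`` field order to a constructed (not captured) prefetch byte string and derives the grouped record fields ``ts``, ``previousruns``, ``runcount`` and ``linkedfiles``; the signature check, the bounds check on the filename string offsets, and the sample values are all assumptions of this example.

```python
import struct
from datetime import datetime, timedelta, timezone

# Little-endian layouts transcribed from the c_prefetch definition above.
HEADER = "<I4sII60sII"           # PREFETCH_HEADER: version, signature, unknown, size, name, hash, flag
FILE_INFO_23 = "<9I2IQ2QIII80s"  # FILE_INFORMATION_23 in the field order listed above (160 bytes)
HEADER_SIZE = struct.calcsize(HEADER)  # 84 bytes

def filetime_to_datetime(ft):
    """FILETIME counts 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_prefetch(data):
    """Return grouped-record style fields (ts, previousruns, runcount, linkedfiles) for a version 23 file."""
    version, signature, _, size, name, _, _ = struct.unpack_from(HEADER, data, 0)
    if signature != b"SCCA":
        raise ValueError("bad signature, not a prefetch file")
    if version != 23:
        raise ValueError(f"only version 23 is handled here, got {version}")
    fi = struct.unpack_from(FILE_INFO_23, data, HEADER_SIZE)
    str_off, str_size = fi[4], fi[5]               # filename_strings_offset / filename_strings_size
    if str_off + str_size > min(size, len(data)):  # offsets come from the file: bound them before slicing
        raise ValueError("filename strings run past the end of the file")
    names = data[str_off:str_off + str_size].decode("utf-16-le")  # NUL-separated UTF-16LE paths
    return {
        "filename": name.decode("utf-16-le").split("\x00", 1)[0],
        "ts": filetime_to_datetime(fi[11]),                                 # last_run_time
        "previousruns": [filetime_to_datetime(t) for t in fi[12:14] if t],  # non-zero last_run_remains
        "runcount": fi[14],
        "linkedfiles": [n for n in names.split("\x00") if n],
    }

def build_sample():
    """Constructed sample bytes (not a real prefetch file): header, then file info, then strings."""
    linked = "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL\x00"
    linked += "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\KERNEL32.DLL\x00"
    strings = linked.encode("utf-16-le")
    str_off = HEADER_SIZE + struct.calcsize(FILE_INFO_23)
    epoch_ft = 116444736000000000                        # FILETIME of 1970-01-01 00:00:00 UTC
    last_run = epoch_ft + 1_600_000_000 * 10_000_000     # 2020-09-13 12:26:40 UTC
    prev_run = epoch_ft + 1_500_000_000 * 10_000_000     # 2017-07-14 02:40:00 UTC
    file_info = struct.pack(FILE_INFO_23, 0, 0, 0, 0, str_off, len(strings), 0, 0, 0,
                            0, 0, last_run, prev_run, 0, 7, 0, 0, b"\x00" * 80)
    name = "CMD.EXE".encode("utf-16-le").ljust(60, b"\x00")
    header = struct.pack(HEADER, 23, b"SCCA", 0x11, str_off + len(strings), name, 0x1234ABCD, 0)
    return header + file_info + strings

if __name__ == "__main__":
    print(parse_prefetch(build_sample()))
```

The version 17 and 26 layouts differ only in the ``FILE_INFORMATION`` format string and the number of ``last_run_remains`` slots, so the same dispatch on ``version`` extends to them.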