A Python script to carve Windows Prefetch artifacts from arbitrary binary data
Project description
Python script to carve Windows Prefetch artifacts from arbitrary binary data
Description
The Windows application prefetch mechanism is in place to offer performance benefits when launching applications. It is also one of the more useful forensic artifacts for establishing evidence of application execution. prefetch-carve.py carves prefetch artifacts from binary data such as unallocated disk space and raw memory images. It writes its results to the specified output file and supports multiple output formats.
Supported Prefetch Types
Windows 10 Prefetch files are compressed and cannot be carved from disk in this manner. All other Prefetch formats (Windows XP through Windows 8.1) are supported.
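The carving approach described above, as an added example that is not prefetch-carve.py's own code: it scans a buffer for the `SCCA` signature found in uncompressed Prefetch headers and validates each candidate before reporting it. The header offsets follow the publicly documented Prefetch layout; the function names and the sample buffer are constructed for illustration.

```python
import struct

# Format versions of uncompressed Prefetch headers. Windows 10 files are
# compressed on disk, so this plaintext scan is not expected to find them.
VERSIONS = {0x11: "Windows XP/2003", 0x17: "Windows Vista/7", 0x1A: "Windows 8/8.1"}
HEADER_LEN = 0x54  # version, "SCCA", unknown, file size, name (60 bytes), hash, flags

def carve_prefetch_headers(data):
    """Return (offset, os, exe_name, path_hash, file_size) per plausible header."""
    hits = []
    pos = data.find(b"SCCA")
    while pos != -1:
        start = pos - 4  # the signature sits 4 bytes into the header
        if start >= 0 and start + HEADER_LEN <= len(data):
            version, _sig, _unk, size = struct.unpack_from("<I4sII", data, start)
            raw_name = data[start + 0x10:start + 0x4C]  # UTF-16LE, NUL padded
            name = raw_name.decode("utf-16-le", errors="replace").split("\x00")[0]
            (path_hash,) = struct.unpack_from("<I", data, start + 0x4C)
            # Reject chance matches: unknown version, empty name, implausible size.
            if version in VERSIONS and name and name.isprintable() and size >= HEADER_LEN:
                hits.append((start, VERSIONS[version], name, f"{path_hash:08X}", size))
        pos = data.find(b"SCCA", pos + 1)
    return hits

def build_sample_header(version, exe, path_hash):
    # Constructed header for demonstration only, not real evidence.
    name = exe.encode("utf-16-le").ljust(60, b"\x00")
    return (struct.pack("<I4sII", version, b"SCCA", 0x11, 0x1000)
            + name + struct.pack("<II", path_hash, 0))

# Constructed "unallocated space": two headers plus a stray signature in junk.
SAMPLE = (b"\x00" * 37 + build_sample_header(0x17, "CMD.EXE", 0x087B4001)
          + b"junk SCCA junk"
          + build_sample_header(0x1A, "NOTEPAD.EXE", 0xD8414F97)
          + b"\xff" * 20)

if __name__ == "__main__":
    for hit in carve_prefetch_headers(SAMPLE):
        print(hit)
```

The stray `SCCA` inside the junk bytes is discarded because the four bytes before it do not form a known format version, which is the kind of validation a carver needs to keep false positives out of a timeline.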
Command-Line Options
optional arguments:
  -h, --help            show this help message and exit
  -f FILE, --file FILE  Carve Prefetch files from the given file
  -o OUTFILE, --outfile OUTFILE
                        Write results to the given file
  -c, --csv             Output results in csv format
  -m, --mactime         Output results in mactime format
  -t, --tln             Output results in tln format
  -s SYSTEM, --system SYSTEM
                        System name (use with -t)
Testing
Thorough testing is still underway. I plan to integrate this project with Travis CI shortly.
Installation
Using setup.py:
python setup.py install
Using pip:
pip install prefetchcarve
Source Distribution
File details
Details for the file prefetchcarve-1.1.2.tar.gz.
File metadata
- Download URL: prefetchcarve-1.1.2.tar.gz
- Upload date:
- Size: 3.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
File hashes
Algorithm | Hash digest
---|---
SHA256 | b358c59b30ffa234ef3fba3a1ad482cb2d89df12ab8d4f2fec2b1e20ccd82380
MD5 | 6e616b6e2fc2cfd0dfa49729e20d749b
BLAKE2b-256 | b3294d0f72379f953393b3ce356f939c6b791d3b07cf073d7497bd6bb474f25d