zoukankan      html  css  js  c++  java
  • Device Path in WinPrefetchView

    As we know that the Prefetch file is used for optimizing the loading time of the application in the next time that you run it. So we could know whether any suspicious application or not by examining those .pf files on the subject computers. We could download WinPrefetchView from NirSoft.

    The upper pane displays the list of all Prefetch files in your system. When you select a file in the upper pane, the lower pane displays the list of files stored inside the selected Prefetch file, which represent the files that were loaded by the application in the previous times that you used it.

    You could take a look at "Full Path" and "Device Path" as above. HARDDISKVOLUME2 relates to volume C. Now take a look at volumes on this disk 0 as below. The first one is a reserved partition. So volume C is the second one. It makes sense, right?

    Let's take a look at another subject computer as below. It seems that "Volume 3 = C" and "Volume 4 = D". But don't jump to conclusions too fast.

    Let me show you the volumes on disk 0 as below. The first volume is a reserved partition. The second one is volume C, and the third one is volume D. What's wrong with path in WinPrefetchView???  WinPrefetchView says that "Volume 3 = C" and "Volume 4 = D", but actually there is only one volume before volume C.

    As a forensic guy, we could take advantage of forensic tools but don't be so sure about the analysis result. We have to verify the analysis result so as to reduce misjudgement.

  • 相关阅读:
    C#基础 const和readonly关键字
    C#基础 base与this关键字
    ASP.NET Web Form 与 ASP.NET MVC 区别
    qt 零星笔记
    我应该记录一下我不太了解的一些c语言函数
    Linux学习书籍推荐
    更改arch的默认终端
    让arch阻止某个软件包的升级
    python pachong zhuanzai
    从贴吧看的逆向网络协议过程逆向校园网客户端
  • 原文地址:https://www.cnblogs.com/pieces0310/p/5863061.html
Copyright © 2011-2022 走看看