zoukankan      html  css  js  c++  java
  • Device Path in WinPrefetchView

    As we know that the Prefetch file is used for optimizing the loading time of the application in the next time that you run it. So we could know whether any suspicious application or not by examining those .pf files on the subject computers. We could download WinPrefetchView from NirSoft.

    The upper pane displays the list of all Prefetch files in your system. When you select a file in the upper pane, the lower pane displays the list of files stored inside the selected Prefetch file, which represent the files that were loaded by the application in the previous times that you used it.

    You could take a look at "Full Path" and "Device Path" as above. HARDDISKVOLUME2 relates to volume C. Now take a look at volumes on this disk 0 as below. The first one is a reserved partition. So volume C is the second one. It makes sense, right?

    Let's take a look at another subject computer as below. It seems that "Volume 3 = C" and "Volume 4 = D". But don't jump to conclusions too fast.

    Let me show you the volumes on disk 0 as below. The first volume is a reserved partition. The second one is volume C, and the third one is volume D. What's wrong with path in WinPrefetchView???  WinPrefetchView says that "Volume 3 = C" and "Volume 4 = D", but actually there is only one volume before volume C.

    As a forensic guy, we could take advantage of forensic tools but don't be so sure about the analysis result. We have to verify the analysis result so as to reduce misjudgement.

  • 相关阅读:
    WPF Layout & Image异步加载
    WPF Binding Validation 数据验证
    推荐一个.NET 命令行参数Parser 库
    Windows 下 命令行增强工具
    Windbg 离线调试.Net 程序入门
    拼写检查算法 Golang 版
    新Blog
    WPF 实现Loading效果
    struct结构体的变长特性
    第2章 构造函数语意学
  • 原文地址:https://www.cnblogs.com/pieces0310/p/5863061.html
Copyright © 2011-2022 走看看