zoukankan      html  css  js  c++  java
  • Device Path in WinPrefetchView

    As we know that the Prefetch file is used for optimizing the loading time of the application in the next time that you run it. So we could know whether any suspicious application or not by examining those .pf files on the subject computers. We could download WinPrefetchView from NirSoft.

    The upper pane displays the list of all Prefetch files in your system. When you select a file in the upper pane, the lower pane displays the list of files stored inside the selected Prefetch file, which represent the files that were loaded by the application in the previous times that you used it.

    You could take a look at "Full Path" and "Device Path" as above. HARDDISKVOLUME2 relates to volume C. Now take a look at volumes on this disk 0 as below. The first one is a reserved partition. So volume C is the second one. It makes sense, right?

    Let's take a look at another subject computer as below. It seems that "Volume 3 = C" and "Volume 4 = D". But don't jump to conclusions too fast.

    Let me show you the volumes on disk 0 as below. The first volume is a reserved partition. The second one is volume C, and the third one is volume D. What's wrong with path in WinPrefetchView???  WinPrefetchView says that "Volume 3 = C" and "Volume 4 = D", but actually there is only one volume before volume C.

    As a forensic guy, we could take advantage of forensic tools but don't be so sure about the analysis result. We have to verify the analysis result so as to reduce misjudgement.

  • 相关阅读:
    Winfroms检测组合键
    深入理解MySQL索引
    Java并发复习笔记
    并发编程三大特性——原子性、可见性、有序性
    redis修改密码
    windows server2016远程桌面设置
    Windows Server 2016离线安装.NET Framework 3.5
    common-io文件io流工具
    树莓派3b配置
    IOT 开源物联网平台
  • 原文地址:https://www.cnblogs.com/pieces0310/p/5863061.html
Copyright © 2011-2022 走看看