| Crates.io | libprefetch |
| lib.rs | libprefetch |
| version | 0.1.1 |
| created_at | 2018-03-23 20:44:31.362537+00 |
| updated_at | 2018-03-23 20:46:29.840808+00 |
| description | Forensic library; parser and reader for Microsoft Prefetch File |
| homepage | https://github.com/zadlg/libprefetch |
| repository | https://github.com/zadlg/libprefetch.git |
| max_upload_size | |
| id | 57134 |
| size | 133,499 |
A forensic library which parses and reads Microsoft Prefetch files.
libprefetch fully supports the following versions of Windows:
libprefetch partially supports Windows 10.
Features:
This library will be used in a global forensic computing library very soon.
Add this to your Cargo.toml:
```toml
[dependencies]
libprefetch = "0.1.1"
```
and this to your crate root:
```rust
extern crate libprefetch;

use libprefetch::Prefetch;

fn main() {
    // Opens and parses a prefetch file
    let file = std::fs::File::open("assets/WUAUCLT.EXE-399A8E72.pf").unwrap();
    let prefetch = Prefetch::new(file).unwrap();

    // Prints some information
    println!("Executable {} launched {} times. The last time was: {}",
        prefetch.name(),
        prefetch.execution_counter(),
        prefetch.last_execution_time() // TODO: format the FILETIME here
    );

    // Iterates over all loaded DLL etc for the prefetch file
    println!(" ===== File metrics ===== ");
    for metric in prefetch.metrics().unwrap() {
        println!("#{}: {}", metric.id(), metric.filename());
        println!("    start time: {}", metric.start_time().unwrap());
        println!("    duration: {}", metric.duration().unwrap());
        println!(" ------------------------------- ");
    }

    // Iterates over the volumes
    println!(" ===== Volumes ===== ");
    for volume in prefetch.volumes().unwrap() {
        println!("Volume #{}:", volume.id());
        println!("    Path: {}", volume.device_path());
        println!("    Creation time: {}", volume.creation_time());
        println!("    Serial number: {}", volume.serial_number());
        println!("    Directories: ");
        for directory in volume.directories().unwrap() {
            println!("        {}", directory);
        }
    }
}
```
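The header check below is an added example, not part of libprefetch or its README: it reads the fixed 84-byte header of an uncompressed prefetch file and compares the header hash with the hash embedded in the `.pf` filename. The offsets follow the publicly documented SCCA layout (an assumption here, since the page does not list them); `parse_header`, `hash_matches_filename` and `sample_header` are hypothetical names, the sample bytes are constructed, and the code targets current stable Rust.

```rust
// Added example, not libprefetch code. Offsets are assumed from the public SCCA layout.
#[derive(Debug, PartialEq)]
pub enum HeaderError { TooShort, Compressed, BadSignature }
#[derive(Debug, PartialEq)]
pub struct Header { pub version: u32, pub file_size: u32, pub exe_name: String, pub hash: u32 }

fn u32_le(b: &[u8], off: usize) -> u32 {
    u32::from_le_bytes([b[off], b[off + 1], b[off + 2], b[off + 3]])
}

pub fn parse_header(b: &[u8]) -> Result<Header, HeaderError> {
    // Windows 10 usually stores prefetch files compressed behind a "MAM" signature.
    if b.len() >= 3 && &b[..3] == b"MAM" { return Err(HeaderError::Compressed); }
    if b.len() < 84 { return Err(HeaderError::TooShort); }
    if &b[4..8] != b"SCCA" { return Err(HeaderError::BadSignature); }
    // Executable name: 60 bytes of UTF-16LE at offset 16, NUL-terminated.
    let units: Vec<u16> = b[16..76].chunks(2)
        .map(|c| u16::from_le_bytes([c[0], c[1]]))
        .take_while(|&u| u != 0)
        .collect();
    Ok(Header {
        version: u32_le(b, 0),
        file_size: u32_le(b, 12),
        exe_name: String::from_utf16_lossy(&units),
        hash: u32_le(b, 76),
    })
}

/// True when the hash in "NAME.EXE-XXXXXXXX.pf" equals the header hash.
pub fn hash_matches_filename(h: &Header, pf_name: &str) -> bool {
    pf_name.rsplit_once('-')
        .and_then(|(_, tail)| tail.split('.').next())
        .and_then(|hex| u32::from_str_radix(hex, 16).ok())
        .map_or(false, |v| v == h.hash)
}

/// Constructed sample header (not a real file): format version 17, WUAUCLT.EXE.
pub fn sample_header() -> Vec<u8> {
    let mut b = vec![0u8; 84];
    b[0..4].copy_from_slice(&17u32.to_le_bytes());
    b[4..8].copy_from_slice(b"SCCA");
    b[12..16].copy_from_slice(&84u32.to_le_bytes());
    for (i, u) in "WUAUCLT.EXE".encode_utf16().enumerate() {
        b[16 + 2 * i..18 + 2 * i].copy_from_slice(&u.to_le_bytes());
    }
    b[76..80].copy_from_slice(&0x399A_8E72u32.to_le_bytes());
    b
}
```

A header hash that does not match the filename hash is worth flagging during triage, since the file may have been renamed or altered after it was written.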
Release notes are available in RELEASES.md.
libprefetch seems to work with Rust 1.9 and greater.