Thursday, March 13, 2014

EnCase EnScript to search for and parse prefetch files in unallocated

Carlos Cajigas and I were recently having dinner and talking over some EnScript ideas. He recommended an EnScript to search for prefetch data in unallocated and then if found, to parse it for some basic data. Prefetch data can be very useful when handling employee misconduct, criminal and malware cases, so I agreed to write one and name it the "losprefetcher" ;).

This EnScript will search unallocated clusters, pagefile.sys and $LogFile for the known file signature of a prefetch file (*.pf). If it finds one, it will parse out the name of the executable, the last run time and the run count. The parsed data is written to the console and to a bookmark.

Download EnCase v6 here
Download EnCase v7 here
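The signature search and header parse described above can be sketched in Python. This is an added example, not the EnScript's own code. The "SCCA" signature and the field offsets for the XP and Vista/7 layouts are assumptions taken from public documentation of the prefetch format, and the sample buffer is constructed.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch
# version -> (last-run FILETIME offset, run-count offset); assumed from public
# format documentation, not taken from the EnScript
LAYOUTS = {0x11: (0x78, 0x90),   # Windows XP / 2003
           0x17: (0x80, 0x98)}   # Windows Vista / 7
HEADER_LEN = 0x9C                # bytes needed to reach the furthest field

def to_filetime(dt):
    return (dt - EPOCH) // timedelta(microseconds=1) * 10

def from_filetime(ft):
    return EPOCH + timedelta(microseconds=ft // 10)

# Plausibility window for the last-run time: rejects random data in unallocated
FT_MIN = to_filetime(datetime(2001, 1, 1, tzinfo=timezone.utc))
FT_MAX = to_filetime(datetime(2100, 1, 1, tzinfo=timezone.utc))

def carve_prefetch(buf):
    """Return (offset, exe_name, last_run_utc, run_count) for each header in buf."""
    hits = []
    pos = buf.find(b"SCCA")
    while pos != -1:
        start = pos - 4          # "SCCA" follows the 4-byte version field
        if start >= 0 and start + HEADER_LEN <= len(buf):  # skip truncated hits
            layout = LAYOUTS.get(struct.unpack_from("<I", buf, start)[0])
            if layout:
                raw = buf[start + 0x10:start + 0x10 + 60]  # UTF-16LE name field
                name = raw.decode("utf-16-le", "replace").split("\x00")[0]
                ft, = struct.unpack_from("<Q", buf, start + layout[0])
                count, = struct.unpack_from("<I", buf, start + layout[1])
                if name and name.isprintable() and FT_MIN <= ft <= FT_MAX and count > 0:
                    hits.append((start, name, from_filetime(ft), count))
        pos = buf.find(b"SCCA", pos + 1)
    return hits

def build_sample():
    """Constructed data: filler, a decoy signature, then one fake Vista/7 header."""
    hdr = bytearray(HEADER_LEN)
    struct.pack_into("<I4s", hdr, 0, 0x17, b"SCCA")
    hdr[0x10:0x10 + 16] = "CALC.EXE".encode("utf-16-le")
    last_run = datetime(2014, 3, 1, 12, 0, tzinfo=timezone.utc)
    struct.pack_into("<Q", hdr, 0x80, to_filetime(last_run))
    struct.pack_into("<I", hdr, 0x98, 7)
    return b"\xAA" * 512 + b"xxSCCAxx" + b"\x00" * 100 + bytes(hdr) + b"\x00" * 64

if __name__ == "__main__":
    for hit in carve_prefetch(build_sample()):
        print(hit)
```

The version, timestamp and run-count checks matter in unallocated space, where the four signature bytes alone will match unrelated data and headers may be cut off by fragmentation.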

