libprefetch
A forensic library which parses and reads Microsoft Prefetch files.
libprefetch fully supports the following versions of Windows:
- Windows 2003
- Windows XP
- Windows Vista
- Windows 7
- Windows 8/8.1
libprefetch partially supports Windows 10.
Features:
- Parser and validator
- Auto detects version of Windows
- Provides the last execution time and the execution counter
- Provides metric information about loaded files (DLLs etc.) if available, such as:
  - filename
  - start time
  - duration
  - average duration
  - NTFS MFT entry
  - NTFS sequence number
- Provides the trace chains (unavailable for Windows 10)
- Provides all pieces of information about the volumes:
  - device path
  - creation time
  - serial number
  - list of directories
This library will be used in a global forensic computing library very soon.
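To show what "parser and validator" and "auto detects version of Windows" mean at the byte level, here is an added example (not code from libprefetch itself) that validates the fixed header of an uncompressed Prefetch file, maps the format version field to a Windows family and refuses the "MAM"-compressed form that Windows 10 writes. The `PfHeader`/`PfVersion` names and the sample bytes are constructed for this example.

```rust
/// Windows family implied by the format-version field at offset 0.
#[derive(Debug, PartialEq, Clone, Copy)]
pub enum PfVersion { XpOr2003, VistaOr7, Win8, Win10 }

#[derive(Debug, PartialEq)]
pub struct PfHeader { pub version: PfVersion, pub file_size: u32, pub exe_name: String, pub hash: u32 }

// Little-endian u32 read; callers check the length first.
fn u32_at(buf: &[u8], off: usize) -> u32 {
    u32::from_le_bytes([buf[off], buf[off + 1], buf[off + 2], buf[off + 3]])
}

/// Validates and parses the 84-byte fixed header of an uncompressed .pf file.
/// Windows 10 files usually start with "MAM\x04" (LZXPRESS Huffman) and must be decompressed first.
pub fn parse_header(buf: &[u8]) -> Result<PfHeader, String> {
    if buf.starts_with(b"MAM\x04") {
        return Err("Windows 10 MAM-compressed prefetch: decompress before parsing".into());
    }
    if buf.len() < 84 || &buf[4..8] != b"SCCA" {
        return Err("missing SCCA signature or truncated header".into());
    }
    let version = match u32_at(buf, 0) {
        17 => PfVersion::XpOr2003,
        23 => PfVersion::VistaOr7,
        26 => PfVersion::Win8,
        30 => PfVersion::Win10,
        v => return Err(format!("unknown format version {}", v)),
    };
    let file_size = u32_at(buf, 12);
    if file_size as usize != buf.len() {
        return Err(format!("header says {} bytes, file has {}", file_size, buf.len()));
    }
    // Executable name: NUL-terminated UTF-16LE, at most 29 characters, at offset 16.
    let units: Vec<u16> = buf[16..76].chunks(2).map(|c| u16::from_le_bytes([c[0], c[1]]))
        .take_while(|&u| u != 0).collect();
    let exe_name = String::from_utf16(&units).map_err(|e| e.to_string())?;
    Ok(PfHeader { version, file_size, exe_name, hash: u32_at(buf, 76) })
}

/// Constructed sample: a bare Windows 7 style header (version 23) for CMD.EXE; the hash is arbitrary.
pub fn sample_win7_header() -> Vec<u8> {
    let mut b = vec![0u8; 84];
    b[0..4].copy_from_slice(&23u32.to_le_bytes());
    b[4..8].copy_from_slice(b"SCCA");
    b[12..16].copy_from_slice(&84u32.to_le_bytes());
    for (i, u) in "CMD.EXE".encode_utf16().enumerate() {
        b[16 + 2 * i..18 + 2 * i].copy_from_slice(&u.to_le_bytes());
    }
    b[76..80].copy_from_slice(&0x1234_5678u32.to_le_bytes());
    b
}
```

A real file carries section offsets and the metric, trace-chain and volume tables after this header; their layout is what changes between the versions listed above.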
Usage
Add this to your Cargo.toml:

```toml
[dependencies]
libprefetch = "0.1.1"
```

and this to your crate root:

```rust
extern crate libprefetch;
```
Example
```rust
extern crate libprefetch;
use libprefetch::Prefetch;
use std::fs::File;

fn main() {
    // Placeholder path: point this at the prefetch file to analyse.
    let file = File::open("path/to/EXAMPLE.EXE-00000000.pf").unwrap();
    let prefetch = Prefetch::new(file).unwrap();

    // Prints some information (accessor names below follow the feature list above)
    println!("Executed {} times, last execution: {}",
        prefetch.execution_counter(), prefetch.last_execution_time());

    // Iterates over all loaded DLL etc for the prefetch file
    println!("Loaded files:");
    for metric in prefetch.metrics().unwrap() {
        println!("{} (start {}, duration {})",
            metric.filename(), metric.start_time(), metric.duration());
    }

    // Iterates over the volumes
    println!("Volumes:");
    for volume in prefetch.volumes().unwrap() {
        println!("{} created at {}, serial number {}",
            volume.device_path(), volume.creation_time(), volume.serial_number());
    }
}
```
Releases
Release notes are available in RELEASES.md.
Compatibility
libprefetch seems to work for Rust 1.9 and greater.