prefetch-core 0.1.0

Pure-Rust read-only Windows Prefetch (.pf) reader — MAM/Xpress-Huffman decompression + SCCA v30/31 (run count, last-8 run times, volume info, loaded files).
Links: repository SecurityRonin/prefetch-forensic · crates.io · Owner: h4x0r

prefetch-forensic

Crates.io: prefetch-core · Crates.io: prefetch-forensic · Docs.rs · Rust 1.85+ · License: Apache-2.0 · CI · unsafe forbidden · Security advisories

Prove what ran on a Windows box — and when, how often, and from where — straight from .pf files, on any OS. A panic-free prefetch reader (MAM/Xpress-Huffman + SCCA v30/31) plus an analyzer that grades masquerading and suspicious-location execution.

// One call: execution evidence + graded findings, from a raw .pf file.
let (rec, findings) = prefetch_forensic::audit_bytes(&std::fs::read("COREUPDATER.EXE-157C54BB.pf")?)?;
println!("{} ran {}x, last {:?}, from {:?}",
         rec.executable, rec.run_count, rec.last_run_filetimes.first(), rec.image_path);
// → COREUPDATER.EXE ran 1x, last 132449604494103203, from \…\SYSTEM32\COREUPDATER.EXE

Most prefetch tools (PECmd, WinPrefetchView, windowsprefetch) decompress Win10+ prefetch by calling the Windows API RtlDecompressBufferEx — so they only run on Windows. prefetch-forensic carries its own clean-room MS-XCA Xpress-Huffman decoder (xpress-huffman), so it parses Windows prefetch on Linux and macOS too.

Two crates

Crate             | Role
prefetch-core     | the reader: MAM/Xpress-Huffman decompression + SCCA v30/31 parsing → PrefetchInfo (executable, run count, last-8 run times, volume serial/path, loaded files). No findings.
prefetch-forensic | the analyzer: execution_record() (the evidence) + audit() → graded forensicnomicon findings.

[dependencies]
prefetch-forensic = "0.1"   # pulls in prefetch-core

What the analyzer flags

Code                             | Severity | MITRE     | Fires when
PREFETCH-SYSTEM-BINARY-RELOCATED | High     | T1036.005 | a System32-only binary name (svchost.exe, lsass.exe, …) was loaded from outside System32/SysWOW64
PREFETCH-SUSPICIOUS-EXEC-PATH    | Medium   | T1204     | the image ran from a malware-staging directory (Temp, Downloads, $Recycle.Bin, PerfLogs, …)

High precision by design: a normal System32 program — including the real Case 001 malware coreupdater.exe, which the attacker planted in System32 under a novel name — yields its execution evidence but no false-positive finding. Prefetch alone establishes that it ran; whether that is malicious is a correlation/tribunal question. Findings are observations, never verdicts.
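The two rules and the no-false-positive case for a System32-resident coreupdater.exe, as an added stand-alone example that is not the crate's own analyzer: it grades constructed image-path strings instead of a parsed PrefetchInfo, and the System32-only name list and the `\VOLUME{..}\WINDOWS\SYSTEM32` layout it checks for are assumptions made here.

```rust
// Added example, not the crate's own analyzer: a stand-alone reproduction of the
// two rules in the table above, applied to constructed image paths of the
// \VOLUME{...}\WINDOWS\SYSTEM32\NAME.EXE form that prefetch records. The real
// analyzer works on the parsed PrefetchInfo; here the path string stands in for it.
#[derive(Debug, PartialEq)]
pub struct Finding {
    pub code: &'static str,
    pub severity: &'static str,
    pub mitre: &'static str,
}

/// Names that only legitimately live in System32/SysWOW64 (constructed subset).
const SYSTEM32_ONLY: &[&str] = &["svchost.exe", "lsass.exe", "csrss.exe", "services.exe"];
/// Staging directories named in the table, matched as whole path components.
const STAGING_DIRS: &[&str] = &["temp", "downloads", "$recycle.bin", "perflogs"];

/// Grade one image path. Returns zero, one or two findings and never panics,
/// so an empty or separator-only path simply yields no findings.
pub fn audit_path(image_path: &str) -> Vec<Finding> {
    let lower = image_path.to_ascii_lowercase();
    let parts: Vec<&str> = lower
        .split(|c| c == '\\' || c == '/')
        .filter(|s| !s.is_empty())
        .collect();
    let mut findings = Vec::new();
    let Some((name, dirs)) = parts.split_last() else { return findings; };
    // Assumption: the system directory is exactly \VOLUME{..}\WINDOWS\SYSTEM32 (or SYSWOW64),
    // so a deeper ...\DOWNLOADS\WINDOWS\SYSTEM32\ decoy does not count as System32.
    let in_system_dir = matches!(dirs, [_, "windows", "system32"] | [_, "windows", "syswow64"]);
    if SYSTEM32_ONLY.contains(name) && !in_system_dir {
        findings.push(Finding { code: "PREFETCH-SYSTEM-BINARY-RELOCATED", severity: "High", mitre: "T1036.005" });
    }
    if dirs.iter().any(|d| STAGING_DIRS.contains(d)) {
        findings.push(Finding { code: "PREFETCH-SUSPICIOUS-EXEC-PATH", severity: "Medium", mitre: "T1204" });
    }
    findings
}

fn main() {
    // Constructed paths: the Case 001 layout (no finding) and a relocated svchost.exe.
    for path in [
        "\\VOLUME{EXAMPLE}\\WINDOWS\\SYSTEM32\\COREUPDATER.EXE",
        "\\VOLUME{EXAMPLE}\\USERS\\BOB\\APPDATA\\LOCAL\\TEMP\\SVCHOST.EXE",
    ] {
        println!("{path}: {:?}", audit_path(path));
    }
}
```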

Trust, but verify

  • #![forbid(unsafe_code)], no unwrap/expect/panic in production — every SCCA offset and length is bounds-checked.
  • Validated against independent external oracles on the real Stolen Szechuan Sauce (Case 001) malware prefetch: the decompressor is byte-for-byte identical to Fox-IT's dissect.util, and the parsed SCCA fields match Adam Witt's windowsprefetch. See docs/validation.md.
