prefetch-forensic 0.1.0

Windows Prefetch forensic analyzer — execution evidence (run count, last-run times, loaded files) plus graded masquerade / suspicious-location findings, over prefetch-core.

prefetch-forensic



Prove what ran on a Windows box — and when, how often, and from where — straight from .pf files, on any OS. A panic-free prefetch reader (MAM/Xpress-Huffman + SCCA v30/31) plus an analyzer that grades masquerading and suspicious-location execution.

// One call: execution evidence + graded findings, from a raw .pf file.
fn main() -> Result<(), Box<dyn std::error::Error>> {
    let bytes = std::fs::read("COREUPDATER.EXE-157C54BB.pf")?;
    // `rec` is the execution record; `findings` holds the graded PREFETCH-* observations.
    let (rec, findings) = prefetch_forensic::audit_bytes(&bytes)?;
    println!("{} ran {}x, last {:?}, from {:?}",
             rec.executable, rec.run_count, rec.last_run_filetimes.first(), rec.image_path);
    // → COREUPDATER.EXE ran 1x, last 132449604494103203, from \…\SYSTEM32\COREUPDATER.EXE
    Ok(())
}

Most prefetch tools (PECmd, WinPrefetchView, windowsprefetch) decompress Win10+ prefetch by calling the Windows API RtlDecompressBufferEx — so they only run on Windows. prefetch-forensic carries its own clean-room MS-XCA Xpress-Huffman decoder (xpress-huffman), so it parses Windows prefetch on Linux and macOS too.

Two crates

| Crate | Role |
|---|---|
| prefetch-core | the reader: MAM/Xpress-Huffman decompression + SCCA v30/31 parsing → PrefetchInfo (executable, run count, last-8 run times, volume serial/path, loaded files). No findings. |
| prefetch-forensic | the analyzer: execution_record() (the evidence) + audit() → graded forensicnomicon findings. |

[dependencies]
prefetch-forensic = "0.1"   # pulls in prefetch-core

What the analyzer flags

| Code | Severity | MITRE | Fires when |
|---|---|---|---|
| PREFETCH-SYSTEM-BINARY-RELOCATED | High | T1036.005 | a System32-only binary name (svchost.exe, lsass.exe, …) was loaded from outside System32/SysWOW64 |
| PREFETCH-SUSPICIOUS-EXEC-PATH | Medium | T1204 | the image ran from a malware-staging directory (Temp, Downloads, $Recycle.Bin, PerfLogs, …) |

High precision by design: a normal System32 program — including the real Case 001 malware coreupdater.exe, which the attacker planted in System32 under a novel name — yields its execution evidence but no false-positive finding. Prefetch alone establishes that it ran; whether that is malicious is a correlation/tribunal question. Findings are observations, never verdicts.
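To make the two rules above concrete, here is an added, stand-alone re-implementation of their grading logic run over constructed prefetch image paths. It is not the crate's own code: the `Finding` enum, the `grade` function, the illustrative System32-only name list and the sample paths are all assumptions made for this example.

```rust
// Added example: a minimal re-implementation of the two findings described on
// this page, NOT prefetch-forensic's own analyzer. Types, lists and sample
// paths are constructed for illustration.

#[derive(Debug, PartialEq, Eq)]
pub enum Finding {
    SystemBinaryRelocated, // PREFETCH-SYSTEM-BINARY-RELOCATED (High, T1036.005)
    SuspiciousExecPath,    // PREFETCH-SUSPICIOUS-EXEC-PATH (Medium, T1204)
}

/// Names that legitimately live only in System32/SysWOW64 (illustrative subset).
const SYSTEM32_ONLY: &[&str] = &["SVCHOST.EXE", "LSASS.EXE"];
/// Staging directories named on the page, matched as path components.
const STAGING_DIRS: &[&str] = &["\\TEMP\\", "\\DOWNLOADS\\", "\\$RECYCLE.BIN\\", "\\PERFLOGS\\"];

/// Grade one prefetch image path. Prefetch stores volume-relative, upper-case
/// paths such as `\VOLUME{...}\WINDOWS\SYSTEM32\SVCHOST.EXE`.
pub fn grade(image_path: &str) -> Vec<Finding> {
    let path = image_path.to_ascii_uppercase();
    let (dir, name) = match path.rfind('\\') {
        Some(i) => (&path[..=i], &path[i + 1..]),
        None => ("", path.as_str()),
    };
    let mut findings = Vec::new();
    let in_system_dir =
        dir.ends_with("\\WINDOWS\\SYSTEM32\\") || dir.ends_with("\\WINDOWS\\SYSWOW64\\");
    // Rule 1: a System32-only name loaded from anywhere else is a masquerade signal.
    if SYSTEM32_ONLY.contains(&name) && !in_system_dir {
        findings.push(Finding::SystemBinaryRelocated);
    }
    // Rule 2: execution from a staging directory, regardless of the file name.
    if STAGING_DIRS.iter().any(|d| dir.contains(d)) {
        findings.push(Finding::SuspiciousExecPath);
    }
    findings
}

fn main() {
    // Constructed sample paths; the first mirrors the Case 001 layout and yields no finding.
    for p in [
        "\\VOLUME{PLACEHOLDER}\\WINDOWS\\SYSTEM32\\COREUPDATER.EXE",
        "\\VOLUME{PLACEHOLDER}\\USERS\\BOB\\APPDATA\\LOCAL\\TEMP\\SVCHOST.EXE",
        "\\VOLUME{PLACEHOLDER}\\USERS\\BOB\\DOWNLOADS\\SETUP.EXE",
    ] {
        println!("{p}: {:?}", grade(p));
    }
}
```

Note that a novel name inside System32 produces no finding, matching the page's "observations, never verdicts" stance; correlating that execution with other artifacts is left to the investigator.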

Trust, but verify

  • #![forbid(unsafe_code)], no unwrap/expect/panic in production — every SCCA offset and length is bounds-checked.
  • Validated against independent external oracles on the real Stolen Szechuan Sauce (Case 001) malware prefetch: the decompressor is byte-for-byte identical to Fox-IT's dissect.util, and the parsed SCCA fields match Adam Witt's windowsprefetch. See docs/validation.md.
