Windows Prefetch forensic analyzer.
Prefetch’s primary forensic value is execution evidence: it proves a
program ran, how many times, when (the last eight runs), from where, and what
it loaded. execution_record extracts that evidence; audit adds a small
set of high-precision graded findings — a Windows system-binary name loaded
from outside System32 (masquerading) and execution from a known-suspicious
directory.
Findings are observations, never verdicts: prefetch establishes that
coreupdater.exe ran from System32 at a given time — whether that is
malicious is a correlation/tribunal question, not one prefetch answers alone.
Built on prefetch_core; findings use forensicnomicon::report.
Structs§
- ExecutionRecord - The execution evidence a single prefetch file establishes.
Enums§
- PrefetchAnomaly - A graded prefetch finding. Each variant is a high-precision triage signal —
it stays quiet on benign prefetch (e.g. a normal System32 program) and fires only on a genuinely anomalous pattern.
Functions§
- audit - Audit parsed prefetch info for graded anomalies (may be empty — benign prefetch yields no findings).
- audit_bytes - Parse and audit a prefetch file (MAM-compressed or raw SCCA) in one call: returns the execution evidence and any graded anomalies. This is the headline entry point.
- execution_record - Extract the execution evidence from parsed prefetch info.
- to_finding - Convenience: produce a Finding for an anomaly under the given scope.
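To make the two graded findings above concrete, here is an added example (not this crate's code, and not its `ExecutionRecord`/`PrefetchAnomaly` types) that runs a masquerading and suspicious-directory check over constructed execution evidence; the `Evidence` struct, the `SYSTEM_BINARIES` and `SUSPICIOUS_DIRS` lists, and the sample paths are all assumptions.

```rust
// Added example: a minimal audit over constructed prefetch execution evidence.
// `Evidence` is a stand-in for the crate's parsed record, not its real type.

/// Execution evidence one prefetch file establishes (stand-in for the crate's struct).
#[derive(Debug, Clone)]
pub struct Evidence {
    pub executable: String,  // executable name as recorded in the prefetch header
    pub loaded_from: String, // volume-relative path the executable was loaded from
    pub run_count: u32,      // how many times it ran
}

/// Constructed list of system-binary names whose presence outside System32 is a finding.
const SYSTEM_BINARIES: &[&str] = &["SVCHOST.EXE", "LSASS.EXE", "EXPLORER.EXE", "CSRSS.EXE"];

/// Constructed list of directories treated as known-suspicious execution locations.
const SUSPICIOUS_DIRS: &[&str] = &["\\USERS\\PUBLIC\\", "\\WINDOWS\\TEMP\\", "\\PROGRAMDATA\\"];

/// Graded observation, not a verdict (stand-in for the crate's enum).
#[derive(Debug, PartialEq, Eq)]
pub enum Anomaly {
    /// A system-binary name loaded from outside the real System32 directory.
    Masquerade { name: String, path: String },
    /// Execution from a known-suspicious directory.
    SuspiciousDir { path: String },
}

/// Audit one record; benign evidence (e.g. a normal System32 program) yields an empty Vec.
pub fn audit(ev: &Evidence) -> Vec<Anomaly> {
    // Prefetch paths are case-insensitive, so compare in one case.
    let name = ev.executable.to_ascii_uppercase();
    let path = ev.loaded_from.to_ascii_uppercase();
    let mut out = Vec::new();
    // Masquerading: known name, but the parent directory is not WINDOWS\SYSTEM32.
    // Checked on the parent component, not a substring, so "SYSTEM32_OLD" does not pass.
    if SYSTEM_BINARIES.contains(&name.as_str()) {
        let parent = path.rsplit_once('\\').map(|(p, _)| p).unwrap_or("");
        if !parent.ends_with("\\WINDOWS\\SYSTEM32") {
            out.push(Anomaly::Masquerade { name: name.clone(), path: path.clone() });
        }
    }
    // Suspicious directory: any listed directory appears on the load path.
    if SUSPICIOUS_DIRS.iter().any(|d| path.contains(d)) {
        out.push(Anomaly::SuspiciousDir { path: path.clone() });
    }
    out
}
```

Each finding only records what the prefetch file establishes (name, path); whether the run was malicious is left to correlation, as the description above states.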