
    Windows Prefetch Analysis

    The data stored in Prefetch trace files hasn’t been discussed much. In his article “Windows Prefetch: Overview of New Research in Sections A & B”, James Habben analyzes the types of information that can be extracted from one of these trace files (read the full article here).

     


    The file format of Prefetch trace files has changed a bit over the years. The information James writes about is the result of study spread, inconsistently, over many years. He spent a lot of time in IDA trying to analyze the kernel-level code. Perhaps familiarizing yourself with his explanations will give you new ideas and push you to work with these files even more.

     
    Read his full article here and leave a comment or write by e-mail.

     




    DISCLAIMER: THIS POST IS FOR INFORMATIONAL PURPOSES ONLY AND IS NOT TO BE CONSIDERED LEGAL ADVICE ON ANY SUBJECT MATTER. DIGITAL FORENSICS CORP. IS NOT A LAW FIRM AND DOES NOT PROVIDE LEGAL ADVICE OR SERVICES. By viewing posts, the reader understands there is no attorney-client relationship, the post should not be used as a substitute for legal advice from a licensed professional attorney, and readers are urged to consult their own legal counsel on any specific legal questions concerning a specific situation.