Tuesday, March 29, 2005

Parsing the Prefetch directory

One comment from the previous blog entry asked for a program that would parse through the Prefetch directory and list all files, as well as the date/time that the application was last run. I've got that done...didn't take long at all...and will post the code over on the Windows-IR.com web site...check the Tools page. I'll try to get it posted tonight.

I've also written a Perl script that will parse the layout.ini file and, for each executable (based on file extension: .exe, .dll, and .sys) listed, will locate the file and parse out available file version information. I'll post that script along with its standalone .exe file to the Windows-IR.com site, as well.

Both programs will make an interesting addition to the FRU...perhaps even adding some code to the above programs to perform data reduction would provide more interesting results. However, I would definitely consider correlating the last access times of the .pf files from the Prefetch directory with things such as the uptime of the system, and any logon/logoff information you can get from the Security Event Log (in a pinch, last access times to the user directories may be useful if the appropriate auditing is not enabled).
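As an added illustration (not the author's Perl tools, which are posted on Windows-IR.com), here is a Python sketch of the two parsing steps described above: listing the .pf files in the Prefetch directory with a timestamp, and pulling the .exe/.dll/.sys entries out of layout.ini. It assumes a constructed Prefetch directory built in a temp folder, uses the NAME-HASH.pf filename convention plus the file's modification time as a filesystem proxy for the last-run time (rather than reading the .pf internals), and does not attempt the file version lookup.

```python
import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Prefetch files are named like NOTEPAD.EXE-336351A9.pf: executable name,
# a dash, an 8-hex-digit path hash, and the .pf extension.
PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)
EXEC_EXT = {".exe", ".dll", ".sys"}

def parse_prefetch_dir(prefetch_dir):
    """Return (exe name, path hash, mtime as UTC datetime) per .pf file,
    newest first. The mtime stands in for the last-run time here."""
    rows = []
    for entry in Path(prefetch_dir).iterdir():
        m = PF_NAME.match(entry.name)
        if not m or not entry.is_file():
            continue  # skips Layout.ini and anything that is not a .pf file
        when = datetime.fromtimestamp(entry.stat().st_mtime, tz=timezone.utc)
        rows.append((m["exe"].upper(), m["hash"].upper(), when))
    return sorted(rows, key=lambda r: r[2], reverse=True)

def parse_layout_ini(text):
    """Return the .exe/.dll/.sys paths listed in layout.ini, ignoring
    section headers, key=value lines, blanks and non-executable entries."""
    paths = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("[") or "=" in line:
            continue
        if os.path.splitext(line)[1].lower() in EXEC_EXT:
            paths.append(line)
    return paths

# Constructed sample data standing in for a real XP Prefetch directory.
SAMPLE_LAYOUT = "\n".join([
    "[OptimalLayoutFile]", "Version=1",
    r"C:\WINDOWS\SYSTEM32\NTDLL.DLL", r"C:\WINDOWS\SYSTEM32\DRIVERS\NTFS.SYS",
    r"C:\WINDOWS\NOTEPAD.EXE", r"C:\WINDOWS\SYSTEM32\CONFIG\SYSTEM",
])
SAMPLE_PF = {"NOTEPAD.EXE-336351A9.pf": 1111929600,  # constructed mtimes (epoch)
             "CMD.EXE-087B4001.pf": 1112016000}

def build_sample_dir():
    """Create a temp Prefetch directory from the constructed sample data."""
    d = tempfile.mkdtemp()
    (Path(d) / "Layout.ini").write_text(SAMPLE_LAYOUT)
    for name, ts in SAMPLE_PF.items():
        p = Path(d) / name
        p.write_bytes(b"")
        os.utime(p, (ts, ts))  # set atime and mtime to the constructed value
    return d

if __name__ == "__main__":
    d = build_sample_dir()
    for exe, h, when in parse_prefetch_dir(d):
        print(f"{when:%Y-%m-%d %H:%M:%S} UTC  {exe}  ({h})")
    print(parse_layout_ini((Path(d) / "Layout.ini").read_text()))
```

On a live system the mtime is only an approximation; the correlation with uptime and logon/logoff events suggested above is what turns the list into a timeline.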
