Comments on Windows Incident Response: File Metadata
(H. Carvey's profile: https://www.blogger.com/profile/08966595734678290320)

Anonymous, 2005-07-09 12:50 -05:00:
Can you make sure the prefetch directory and its significance is covered?

H. Carvey, 2005-07-10 05:21 -05:00:
Well, the Prefetch directory really isn't a "file", per se, but I don't see why I can't throw .pf files in there.

Is this something you're finding a lot of use for? Are there any specific questions you think should be answered with regards to the Prefetch dir/.pf files?

Anonymous, 2005-07-10 13:43 -05:00:
True, it's not a file, per se; however, it is very useful information that is too often overlooked and misunderstood. Also, while the information found in the prefetch directory is not usually described as metadata, it is data that describes other data. [http://en.wikipedia.org/wiki/Metadata]

H. Carvey, 2005-07-11 05:03 -05:00:
Yeah, I got that...but what I'm really trying to get at here is, what are your specific questions or concerns? Is there something in particular that you want to know, or think others should know?

Anonymous, 2005-07-11 21:56 -05:00:
Harlan,
..stop me if you heard this one...(grin)

One item I have found myself explaining is the metadata in relation to email messages. I'm thinking of two examples: one, breaking down message headers, and two, timestamps of mail messages.

The first is fairly straightforward, and I'm a bit hesitant to refer to a message header as "metadata" per se, but I think it could fit. The second example is the Modified timestamp of an Outlook XP/2003 message. I think one thing that gets some people thinking is showing them that a message already received or sent in an Outlook PST file can be opened, edited, then re-saved (altered). Showing how and when this timestamp gets altered can be useful.

H. Carvey, 2005-07-12 05:32 -05:00:
SAL,

Can you send me your email address? We've moved on to email headers, and I'm still stuck on what specifically you're looking for with regards to files in the Prefetch directory.

Pardon me for thinking too linearly, but I tend to have to process one thing (particularly if it's interesting) before moving on to another.

Thanks!

Anonymous, 2005-07-12 08:48 -05:00:
heh, that's not me commenting on PF files

H. Carvey, 2005-07-12 08:52 -05:00:
Ooops...sorry about that. I guess it's really hard to keep up when folks use "Anonymous" and don't add any ID to the post itself.

Anonymous, 2005-07-12 09:08 -05:00:
S'ok, but here I WILL comment briefly on PF files....I probably want to think about it a bit more, but initially I guess it'd be interesting to show the "metadata" portion that is stored in a PF file that describes the application it's prefetching. I haven't actually done any hunting inside a PF file yet, but I'm now curious...

Another dataset would be to show the significance of MACs of a PF file to show a user's repetitive use of a certain program: since PF files do not get created on first launch, it's possible to show a user has used a certain application more than "accidentally".

H. Carvey, 2005-07-12 10:33 -05:00:
SAL,

The stuff w/ the PF files is pretty easy. One of the Unicode strings within the .pf file is the path to the executable image file.

The significance of the MAC times is really easy to test. Simply clear the directory on your machine, and run...oh, say, Notepad. Note the MACs of the .pf file that's produced. Run some other files. Wait a couple of hours or a day or so, and go back and re-run the apps, and note the MACs again.