Comments on Windows Incident Response: Prefetch Analysis, Revisited...Again... (comment feed, last updated 2024-03-19T07:46:20.437-05:00)

Comment (Anonymous, 2012-03-19T01:07:30.952-05:00):
All of the D3Dxxx.dll files are part of the Direct 3D components of DirectX, which you'll probably recognize. They are likely to be related to gaming, but I'm sure they are used for more than that. The next digit(s) refer to the version, so D3D9 is Direct 3D v9.

Comment (H. Carvey, https://www.blogger.com/profile/08966595734678290320, 2012-03-16T06:20:10.601-05:00):
@Corey,

It's all about teamwork and sharing, my friend!

Comment (H. Carvey, https://www.blogger.com/profile/08966595734678290320, 2012-03-16T06:19:14.833-05:00):
@Diocyde...

WHY do I need to check out the EnScript? I don't use EnCase, and as you can clearly see, the script that I used does the same thing...and more. For example, consider my previous post on the subject (http://windowsir.blogspot.com/2012/03/prefetch-analysis-revisited.html)...with this script, I can do all sorts of analysis, including LFO analysis of the loaded modules.

Given this, why would I need to check out the EnScript?

Thanks.

Comment (Anonymous, 2012-03-15T22:21:33.055-05:00):
You need to check out the pfdump EnScript for EnCase. It decodes the entire contents of Prefetch to include all open file handles within the first 10 seconds. Very useful. -Diocyde

Comment (Corey Harrell, http://journeyintoir.blogspot.com/, 2012-03-15T22:16:36.506-05:00):
Awesome information and thank you for revisiting Prefetch files. Between your last two posts I learned a lot about data inside a Prefetch file that I wasn't looking at.

I still have all my images from exploit artifacts so I plan on updating my exploit posts to reflect this new information. I even have a few images from purposely infected systems and am curious about the prefetch files for malware. Again, thanks for the info and asking for the Prefetch file. Without you asking for it I may not have gone back and looked at them.