As we know that the Prefetch file is used for optimizing the loading time of the application in the next time that you run it. So we could know whether any suspicious application or not by examining those .pf files on the subject computers. We could download WinPrefetchView from NirSoft.

The upper pane displays the list of all Prefetch files in your system. When you select a file in the upper pane, the lower pane displays the list of files stored inside the selected Prefetch file, which represent the files that were loaded by the application in the previous times that you used it.

You could take a look at "Full Path" and "Device Path" as above. HARDDISKVOLUME2 relates to volume C. Now take a look at volumes on this disk 0 as below. The first one is a reserved partition. So volume C is the second one. It makes sense, right?

Let's take a look at another subject computer as below. It seems that "Volume 3 = C" and "Volume 4 = D". But don't jump to conclusions too fast.

Let me show you the volumes on disk 0 as below. The first volume is a reserved partition. The second one is volume C, and the third one is volume D. What's wrong with path in WinPrefetchView???  WinPrefetchView says that "Volume 3 = C" and "Volume 4 = D", but actually there is only one volume before volume C.

As a forensic guy, we could take advantage of forensic tools but don't be so sure about the analysis result. We have to verify the analysis result so as to reduce misjudgement.

Device Path in WinPrefetchView的更多相关文章

  1. What is a Windows USB device path and how is it formatted?

    http://community.silabs.com/t5/Interface-Knowledge-Base/Windows-USB-Device-Path/ta-p/114059 Windows ...

  2. EDK II之Device Path

    UEFI中通过Device Path来描述设备的路径,一个完整的路径由多个Device Path Nodes组成. 下面通过输入设备的路径作为例子: PNP0A03 – PCI Host Bridge ...

  3. 痞子衡嵌入式:可通过USB Device Path来唯一指定i.MXRT设备进行ROM/Flashloader通信

    大家好,我是痞子衡,是正经搞技术的痞子.今天痞子衡给大家介绍的是通过USB Device Path来唯一指定i.MXRT设备进行ROM/Flashloader通信. i.MXRT系列高性能微控制器从2 ...

  4. Fix “Windows cannot access the specified device path or file” Error

    http://helpdeskgeek.com/help-desk/windows-cannot-access-the-specified-device-path-or-file/ Method 1 ...

  5. Device Tree Usage( DTS文件语法)

    http://elinux.org/Device_Tree_Usage Device Tree Usage     Top Device Tree page This page walks throu ...

  6. Multipath在OpenStack中的faulty device的成因及解决(part 1)

    | 版权:本文版权归作者和博客园共有,欢迎转载,但未经作者同意必须保留此段声明,且在文章页面明显位置给出原文连接.如有问题,可以邮件:wangxu198709@gmail.com 简介: Multip ...

  7. Device Tree Usage(理解DTS文件语法)

    Basic Data Format The device tree is a simple tree structure of nodes and properties. Properties are ...

  8. OpenStack中的Multipath faulty device的成因及解决(part 1)

    | 版权:本文版权归作者和博客园共有,欢迎转载,但未经作者同意必须保留此段声明,且在文章页面明显位置给出原文连接.如有问题,可以邮件:wangxu198709@gmail.com 简介: Multip ...

  9. How to match between physical usb device and its drive letter?

    struct tagDrives { WCHAR letter; WCHAR volume[ BUFFER_SIZE ]; } g_drives[ ]; // WCHAR GetUSBDrive( ) ...

随机推荐

  1. 关于ASP.NET页面打印技术的总结【转】

    B/S结构导致了Web应用程序中打印的特殊性. • 程序运行在浏览器中,打印机在本地,而文件确可能在服务器上,导致了打印控制不是很灵活. • 格式如何控制和定制等,是我们开发中可能会面对的问题. 打印 ...

  2. 循环数据forin,foreach,for of

    最近一直在对数据处理,循环匹配之类的,我的mentor也已经多次指出一个问题,就是在循环里面用if去判断一个数值是否存在的时候,只要找到就要退出,这个时候就要对循环的语法提出了要求: 1.for in ...

  3. BZOJ 2286 树链剖分+DFS序+虚树+树形DP

    第一次学习虚树,就是把无关的点去掉.S里维护一条链即可. #include <iostream> #include <cstring> #include <cstdio& ...

  4. 关于VC工程的组成

    刚刚建立的工程,其中 .vcxproj文件是生成的工程文件,它包含当前工程的设置和工程所包含的文件等信息..vcxproj.filters文件存放工程的虚拟目录信息,也就是在解决方案浏览器中的目录结构 ...

  5. Why NSAttributedString import html must be on main thread?

    The HTML importer should not be called from a background thread (that is, the options dictionary inc ...

  6. sqlserver08评估期已过的解决方法

    打开sqlserver出现提示:评估期已过.有关如何升级的测试版软件的信息,请访问http://www.microsoft.com/sql/howtobuy 解决方法如下: 第一步:进入开始菜单--- ...

  7. LPTHW 笨办法学python 20章

    本章节讲述了,函数和文件的综合操作. 分别 执行了.1.读出文件所有内容,2.把文件重置至文件开头.3.打印一行. 我在本节作了一个小小的改良,设置了一个全局变量,记录当前应该输入哪一行,如果执行过一 ...

  8. ListView中itemz中控件的点击事件和条目点击事件冲突

    <?xml version="1.0" encoding="utf-8"?> <LinearLayout xmlns:android=&quo ...

  9. strncpy基本用法

    见百度百科. 注意这句话: (c/c++)复制src中的内容(字符,数字.汉字....)到dest,复制多少由num的值决定,返回指向dest的指针.如果遇到null字符('\0'),且还没有到num ...

  10. H20的题——[noip2003]银河英雄传(并查集)

    公元五八○一年,地球居民迁移至金牛座α第二行星,在那里发表银河联邦创立宣言,同年改元为宇宙历元年,并开始向银河系深处拓展. 宇宙历七九九年,银河系的两大军事集团在巴米利恩星域爆发战争.泰山压顶集团派宇 ...