As we know that the Prefetch file is used for optimizing the loading time of the application in the next time that you run it. So we could know whether any suspicious application or not by examining those .pf files on the subject computers. We could download WinPrefetchView from NirSoft.

The upper pane displays the list of all Prefetch files in your system. When you select a file in the upper pane, the lower pane displays the list of files stored inside the selected Prefetch file, which represent the files that were loaded by the application in the previous times that you used it.

You could take a look at "Full Path" and "Device Path" as above. HARDDISKVOLUME2 relates to volume C. Now take a look at volumes on this disk 0 as below. The first one is a reserved partition. So volume C is the second one. It makes sense, right?

Let's take a look at another subject computer as below. It seems that "Volume 3 = C" and "Volume 4 = D". But don't jump to conclusions too fast.

Let me show you the volumes on disk 0 as below. The first volume is a reserved partition. The second one is volume C, and the third one is volume D. What's wrong with path in WinPrefetchView???  WinPrefetchView says that "Volume 3 = C" and "Volume 4 = D", but actually there is only one volume before volume C.

As a forensic guy, we could take advantage of forensic tools but don't be so sure about the analysis result. We have to verify the analysis result so as to reduce misjudgement.

Device Path in WinPrefetchView的更多相关文章

  1. What is a Windows USB device path and how is it formatted?

    http://community.silabs.com/t5/Interface-Knowledge-Base/Windows-USB-Device-Path/ta-p/114059 Windows ...

  2. EDK II之Device Path

    UEFI中通过Device Path来描述设备的路径,一个完整的路径由多个Device Path Nodes组成. 下面通过输入设备的路径作为例子: PNP0A03 – PCI Host Bridge ...

  3. 痞子衡嵌入式:可通过USB Device Path来唯一指定i.MXRT设备进行ROM/Flashloader通信

    大家好,我是痞子衡,是正经搞技术的痞子.今天痞子衡给大家介绍的是通过USB Device Path来唯一指定i.MXRT设备进行ROM/Flashloader通信. i.MXRT系列高性能微控制器从2 ...

  4. Fix “Windows cannot access the specified device path or file” Error

    http://helpdeskgeek.com/help-desk/windows-cannot-access-the-specified-device-path-or-file/ Method 1 ...

  5. Device Tree Usage( DTS文件语法)

    http://elinux.org/Device_Tree_Usage Device Tree Usage     Top Device Tree page This page walks throu ...

  6. Multipath在OpenStack中的faulty device的成因及解决(part 1)

    | 版权:本文版权归作者和博客园共有,欢迎转载,但未经作者同意必须保留此段声明,且在文章页面明显位置给出原文连接.如有问题,可以邮件:wangxu198709@gmail.com 简介: Multip ...

  7. Device Tree Usage(理解DTS文件语法)

    Basic Data Format The device tree is a simple tree structure of nodes and properties. Properties are ...

  8. OpenStack中的Multipath faulty device的成因及解决(part 1)

    | 版权:本文版权归作者和博客园共有,欢迎转载,但未经作者同意必须保留此段声明,且在文章页面明显位置给出原文连接.如有问题,可以邮件:wangxu198709@gmail.com 简介: Multip ...

  9. How to match between physical usb device and its drive letter?

    struct tagDrives { WCHAR letter; WCHAR volume[ BUFFER_SIZE ]; } g_drives[ ]; // WCHAR GetUSBDrive( ) ...

随机推荐

  1. Eclipse for php + Xdebug搭建PHP的调试环境

    Xdebug安装教程 下载Xdebug 首先我们需要下载Xdebug,务必根据安装的PHP版本,选择合适的Xdebug版本,由于我是在Windows环境下安装PHP的,所以选择下载Windows版本的 ...

  2. Maven工程中的右键team

    与资源库同步(S):在需要合并版本时使用 提交(C):本地代码写入源码库 更新(U):本地代码升级到服务器端版本 在点击更新时,请注意: 如果当前项目有改动(甚至是比原来多了一个空格),则此时无法更新 ...

  3. Error Handling

    Use Exceptions Rather Than Return Codes Back in the distant past there were many languages that didn ...

  4. Day17_集合第三天

    1.HashSet类(掌握) 1.哈希值概念      哈希值:哈希值就是调用对象的hashCode()方法后返回的一个int型数字      哈希桶:简单点理解就是存储相同哈希值对象的一个容器 1. ...

  5. Error:(1, 0) Your project path contains non-ASCII characters. This will most likely cause the build to fail on Windows. Please move your project to a different directory. See http://b.android.com/9574

    这个一般是因为你打开的项目所在的目录存在中文,把项目换到全英文目录下就没问题了

  6. Web Storage的方法

    1.分为两种:localStorage与sessionStorage.2.存储形式:key-value的形式.sessionStorage 1.session定义:session指用户在浏览某个网站时 ...

  7. mysql存储过程详解(入门)

    delimiter //    #修改结束符号为// create procedure pro_wyx() /*创建存储过程*/ begin declare i int ; #定义变量 set i=1 ...

  8. JavaScript中的document.cookie的使用

    转:http://blog.csdn.net/liuyong0818/article/details/4807473 我们已经知道,在 document 对象中有一个 cookie 属性.但是 Coo ...

  9. i++; 与 ++i;的内部区别。

    对于一个用前置自加和后置自加的效果相同的地方,我们应该用哪个呢? 例: for(point i = 0; i != N; ?): 上面for语句中的“?”处,你会在那里写i++还是++i呢? 前置++ ...

  10. 为什么在使用get时,Properties对象总是忽略默认值?

    不应该对Properties对象调用get方法:而应该调用getProperty方法.许多人认为二者的区别是getProperty声明了返回值为String类型,而get声明的返回值类型为Object ...