As we know, a Prefetch file is used to optimize an application's loading time the next time it is run. So by examining the .pf files on the subject computers we can find out whether any suspicious application has been run. WinPrefetchView can be downloaded from NirSoft.

The upper pane displays the list of all Prefetch files on your system. When you select a file in the upper pane, the lower pane displays the list of files stored inside the selected Prefetch file, which are the files that were loaded by the application the previous times you ran it.

Take a look at "Full Path" and "Device Path" as above. HARDDISKVOLUME2 corresponds to volume C. Now take a look at the volumes on disk 0 as below. The first one is a reserved partition, so volume C is the second one. It makes sense, right?

Let's take a look at another subject computer as below. It seems that "Volume 3 = C" and "Volume 4 = D". But don't jump to conclusions too fast.

Let me show you the volumes on disk 0 as below. The first volume is a reserved partition, the second one is volume C, and the third one is volume D. So what is wrong with the path in WinPrefetchView? WinPrefetchView says that "Volume 3 = C" and "Volume 4 = D", but actually there is only one volume before volume C.

As forensic examiners, we can take advantage of forensic tools, but we should not be too sure about their analysis results. We have to verify the results ourselves so as to reduce misjudgement.
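To check the mapping directly instead of trusting a tool's "Volume N = X" label, here is an added PowerShell example (not from the original post) that asks the Windows object manager which \Device\HarddiskVolumeN name each drive letter currently points to, and then rewrites a prefetch device path into a drive-letter path. It assumes it runs on the live subject computer; the function names and the sample path are my own.

```powershell
# Added example: resolve \Device\HarddiskVolumeN names via QueryDosDevice,
# the same mapping the kernel uses, rather than a tool's own volume label.
$signature = @'
[DllImport("kernel32.dll", CharSet = CharSet.Unicode, SetLastError = true)]
public static extern uint QueryDosDevice(string lpDeviceName, System.Text.StringBuilder lpTargetPath, uint ucchMax);
'@
$k32 = Add-Type -MemberDefinition $signature -Name 'Kernel32' -Namespace 'Win32Api' -PassThru

function Get-VolumeDeviceMap {
    # Returns a hashtable such as '\DEVICE\HARDDISKVOLUME2' -> 'C:'
    $map = @{}
    foreach ($drive in [System.IO.DriveInfo]::GetDrives()) {
        $letter = $drive.Name.TrimEnd('\')            # e.g. 'C:'
        $buffer = New-Object System.Text.StringBuilder 1024
        if ($k32::QueryDosDevice($letter, $buffer, $buffer.Capacity) -gt 0) {
            $map[$buffer.ToString().ToUpperInvariant()] = $letter
        }
    }
    return $map
}

function Convert-PrefetchPath {
    # Rewrites a prefetch 'Device Path' to a drive-letter path using the live map.
    # A path whose volume is not currently mounted is flagged and returned unchanged.
    param([string]$DevicePath, [hashtable]$Map)
    $upper = $DevicePath.ToUpperInvariant()
    foreach ($dev in $Map.Keys) {
        if ($upper.StartsWith($dev + '\')) {
            return $Map[$dev] + $DevicePath.Substring($dev.Length)
        }
    }
    Write-Warning "No mounted volume for $DevicePath (unmounted or removable volume?)"
    return $DevicePath
}

$map = Get-VolumeDeviceMap
# Print the authoritative device-to-letter table for the report
$map.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize

# Constructed sample path of the kind WinPrefetchView shows under 'Device Path'
Convert-PrefetchPath -DevicePath '\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\NTDLL.DLL' -Map $map
```

Compare the printed table with the volume numbers WinPrefetchView shows; a difference is expected when a volume was renumbered or unmounted since the application last ran, which is exactly the case the screenshots above illustrate.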
