Velocidex
diff --git a/‎.gitignore
Lines changed: 3 additions & 0 deletions b/‎.gitignore
Lines changed: 3 additions & 0 deletions
diff --git a/‎.gitmodules
Lines changed: 3 additions & 0 deletions b/‎.gitmodules
Lines changed: 3 additions & 0 deletions
diff --git a/‎Makefile
Lines changed: 11 additions & 0 deletions b/‎Makefile
Lines changed: 11 additions & 0 deletions
diff --git a/‎cmd/prefetch.go
Lines changed: 32 additions & 0 deletions b/‎cmd/prefetch.go
Lines changed: 32 additions & 0 deletions
diff --git a/‎conversion.spec.yaml
Lines changed: 12 additions & 0 deletions b/‎conversion.spec.yaml
Lines changed: 12 additions & 0 deletions
diff --git a/‎debug.go
Lines changed: 13 additions & 0 deletions b/‎debug.go
Lines changed: 13 additions & 0 deletions
diff --git a/‎file_metrics.go
Lines changed: 64 additions & 0 deletions b/‎file_metrics.go
Lines changed: 64 additions & 0 deletions
diff --git a/‎fixtures/CALC.EXE-3FBEF7FD.pf.golden
Lines changed: 75 additions & 0 deletions b/‎fixtures/CALC.EXE-3FBEF7FD.pf.golden
Lines changed: 75 additions & 0 deletions
diff --git a/‎fixtures/LIVECOMM.EXE-D546E475.pf.golden
Lines changed: 59 additions & 0 deletions b/‎fixtures/LIVECOMM.EXE-D546E475.pf.golden
Lines changed: 59 additions & 0 deletions
diff --git a/‎fixtures/MSMSGS.EXE-2B6052DE.pf.golden
Lines changed: 62 additions & 0 deletions b/‎fixtures/MSMSGS.EXE-2B6052DE.pf.golden
Lines changed: 62 additions & 0 deletions
diff --git a/‎fixtures/PING.EXE-B29F6629.pf.golden
Lines changed: 38 additions & 0 deletions b/‎fixtures/PING.EXE-B29F6629.pf.golden
Lines changed: 38 additions & 0 deletions
diff --git a/‎headers.go
Lines changed: 1 addition & 0 deletions b/‎headers.go
Lines changed: 1 addition & 0 deletions
@@ -0,0 +1,3 @@
+*~
+prefetch
+prefetch.exe
@@ -0,0 +1,3 @@
+[submodule "test_data/Prefetch"]
+	path = test_data/Prefetch
+	url = https://github.com/EricZimmerman/Prefetch.git
@@ -0,0 +1,11 @@
+all:
+	go build  -o prefetch cmd/*.go
+
+gen:
+	binparsegen conversion.spec.yaml  > prefetch_gen.go
+
+test:
+	go test ./...
+
+windows:
+	GOOS=windows GOARCH=amd64 go build -o prefetch.exe cmd/*.go
@@ -0,0 +1,32 @@
+package main
+
+import (
+	"encoding/json"
+	"flag"
+	"fmt"
+	"os"
+
+	"www.velocidex.com/golang/binparsergen"
+	prefetch "www.velocidex.com/golang/go-prefetch"
+)
+
+func main() {
+	flag.Parse()
+
+	args := flag.Args()
+	if len(args) == 0 {
+		flag.Usage()
+		os.Exit(1)
+	}
+
+	for _, arg := range args {
+		fd, err := os.Open(arg)
+		binparsergen.FatalIfError(err, fmt.Sprintf("Open file: %v", err))
+
+		prefetch_obj, err := prefetch.LoadPrefetch(fd)
+		binparsergen.FatalIfError(err, fmt.Sprintf("Parsing Error: %v", err))
+
+		serialized_content, _ := json.MarshalIndent(prefetch_obj, " ", " ")
+		fmt.Println(string(serialized_content))
+	}
+}
@@ -0,0 +1,12 @@
+Module: prefetch
+Profile: PrefetchProfile
+Filename: profile_vtypes.json
+GenerateDebugString: true
+Structs:
+  - MAMHeader
+  - SCCAHeader
+  - FileInformationWin10
+  - FileMetricsEntryV30
+  - FileInformationVista
+  - FileInformationXP
+  - FileMetricsEntryV17
@@ -0,0 +1,13 @@
+package prefetch
+
+import "fmt"
+
+var (
+	Prefetch_debug = true
+)
+
+func Printf(fmt_str string, args ...interface{}) {
+	if Prefetch_debug {
+		fmt.Printf(fmt_str, args...)
+	}
+}
@@ -0,0 +1,64 @@
+package prefetch
+
+func (self *FileInformationWin10) Filenames() []string {
+	result := []string{}
+
+	start_of_strings_table := self.FilenameOffset()
+
+	file_metrics_offset := int64(self.FileMetricsOffset())
+	for i := uint32(0); i < self.NumberOfFileMetrics(); i++ {
+		metric := self.Profile.FileMetricsEntryV30(
+			self.Reader, file_metrics_offset)
+
+		filename := ParseUTF16String(
+			self.Reader,
+			int64(start_of_strings_table+metric.FilenameOffset()),
+			int64(metric.FilenameLength()*2))
+		result = append(result, filename)
+		file_metrics_offset += int64(metric.Size())
+	}
+
+	return result
+}
+
+func (self *FileInformationVista) Filenames() []string {
+	result := []string{}
+
+	start_of_strings_table := self.FilenameOffset()
+
+	file_metrics_offset := int64(self.FileMetricsOffset())
+	for i := uint32(0); i < self.NumberOfFileMetrics(); i++ {
+		metric := self.Profile.FileMetricsEntryV30(
+			self.Reader, file_metrics_offset)
+
+		filename := ParseUTF16String(
+			self.Reader,
+			int64(start_of_strings_table+metric.FilenameOffset()),
+			int64(metric.FilenameLength()*2))
+		result = append(result, filename)
+		file_metrics_offset += int64(metric.Size())
+	}
+
+	return result
+}
+
+func (self *FileInformationXP) Filenames() []string {
+	result := []string{}
+
+	start_of_strings_table := self.FilenameOffset()
+
+	file_metrics_offset := int64(self.FileMetricsOffset())
+	for i := uint32(0); i < self.NumberOfFileMetrics(); i++ {
+		metric := self.Profile.FileMetricsEntryV17(
+			self.Reader, file_metrics_offset)
+
+		filename := ParseUTF16String(
+			self.Reader,
+			int64(start_of_strings_table+metric.FilenameOffset()),
+			int64(metric.FilenameLength()*2))
+		result = append(result, filename)
+		file_metrics_offset += int64(metric.Size())
+	}
+
+	return result
+}
@@ -0,0 +1,75 @@
+{
+  "Executable": "CALC.EXE",
+  "FileSize": 47848,
+  "Hash": "0x3FBEF7FD",
+  "Version": "Win10",
+  "LastRunTimes": [
+   "2016-01-11T22:08:20Z",
+   "2016-01-10T02:12:33Z"
+  ],
+  "FilesAccessed": [
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\CALC.EXE",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\KERNEL32.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\KERNELBASE.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\LOCALE.NLS",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\SHELL32.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\MSVCRT.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\CFGMGR32.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\WINDOWS.STORAGE.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\COMBASE.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\RPCRT4.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\BCRYPTPRIMITIVES.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\ADVAPI32.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\SECHOST.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\SHLWAPI.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\GDI32.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\USER32.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\KERNEL.APPCORE.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\SHCORE.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\POWRPROF.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\PROFAPI.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\IMM32.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\RPCSS.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\GLOBALIZATION\\SORTING\\SORTDEFAULT.NLS",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\APPHELP.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\CLBCATQ.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\UXTHEME.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\PROGRAM FILES (X86)\\STARDOCK\\START10\\START10_64.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\PROGRAM FILES\\GPSOFTWARE\\DIRECTORY OPUS\\DOPUSLIB.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\OLE32.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\OLEAUT32.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\SHFOLDER.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\CRYPT32.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\MSASN1.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\VERSION.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\WTSAPI32.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\PROPSYS.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\ACTXPRXY.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\URLMON.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\IERTUTIL.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\IEFRAME.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\WINSXS\\AMD64_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.10586.0_NONE_8C15AE12515E1C22\\COMCTL32.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\WINDOWSSHELL.MANIFEST",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\EN-US\\WINDOWS.STORAGE.DLL.MUI",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\SECUR32.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\SSPICLI.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\MLANG.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\WININET.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\USERS\\E\\APPDATA\\LOCAL\\MICROSOFT\\WINDOWS\\INETCACHE\\COUNTERS.DAT",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\TWINUI.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\TWINAPI.APPCORE.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\DWMAPI.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\WINDOWS.UI.IMMERSIVE.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\WINTYPES.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\BCRYPT.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\TWINUI.APPCORE.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\COREMESSAGING.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\COREUICOMPONENTS.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\EXECMODELPROXY.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\MRMCORER.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\BCP47LANGS.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\WINDOWS\\SYSTEM32\\WINDOWS.UI.DLL",
+   "\\VOLUME{01d1217a9c4c6779-8c9f49ec}\\$MFT"
+  ]
+ }
@@ -0,0 +1,59 @@
+{
+  "Executable": "LIVECOMM.EXE",
+  "FileSize": 36456,
+  "Hash": "0xD546E475",
+  "Version": "Win8.1",
+  "LastRunTimes": [
+   "2016-01-16T21:08:46Z"
+  ],
+  "FilesAccessed": [
+   "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
+   "\\DEVICE\\HARDDISKVOLUME2\\PROGRAM FILES\\WINDOWSAPPS\\MICROSOFT.WINDOWSCOMMUNICATIONSAPPS_16.4.4206.722_X64__8WEKYB3D8BBWE\\LIVECOMM.EXE",
+   "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\KERNEL32.DLL",
+   "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\KERNELBASE.DLL",
+   "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\LOCALE.NLS",
+   "\\DEVICE\\HARDDISKVOLUME2\\PROGRAM FILES\\WINDOWSAPPS\\MICROSOFT.WINDOWSCOMMUNICATIONSAPPS_16.4.4206.722_X64__8WEKYB3D8BBWE\\MICROSOFT.SYSTEM.PACKAGE.METADATA\\S-1-5-21-588873271-1728575951-1297560112-1001.PCKGDEP",
+   "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\ADVAPI32.DLL",
+   "\\DEVICE\\HARDDISKVOLUME2\\PROGRAM FILES\\WINDOWSAPPS\\MICROSOFT.VCLIBS.110.00_11.0.50712.1_X64__8WEKYB3D8BBWE\\MSVCR110.DLL",
+   "\\DEVICE\\HARDDISKVOLUME2\\$MFT",
+   "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\COMBASE.DLL",
+   "\\DEVICE\\HARDDISKVOLUME2\\PROGRAM FILES\\WINDOWSAPPS\\MICROSOFT.WINDOWSCOMMUNICATIONSAPPS_16.4.4206.722_X64__8WEKYB3D8BBWE\\WLLOG.DLL",
+   "\\DEVICE\\HARDDISKVOLUME2\\PROGRAM FILES\\WINDOWSAPPS\\MICROSOFT.WINDOWSCOMMUNICATIONSAPPS_16.4.4206.722_X64__8WEKYB3D8BBWE\\MICROSOFT.WINDOWSLIVE.PLATFORM.SERVICE.DLL",
+   "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\OLEAUT32.DLL",
+   "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\MSVCRT.DLL",
+   "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\SECHOST.DLL",
+   "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\RPCRT4.DLL",
+   "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\OLE32.DLL",
+   "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\GDI32.DLL",
+   "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\USER32.DLL",
+   "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\IMM32.DLL",
+   "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\MSCTF.DLL",
+   "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\RPCSS.DLL",
+   "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\CRYPTBASE.DLL",
+   "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\BCRYPTPRIMITIVES.DLL",
+   "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\WINDOWS.STORAGE.APPLICATIONDATA.DLL",
+   "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\TWINAPI.DLL",
+   "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\SHELL32.DLL",
+   "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\SHLWAPI.DLL",
+   "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\WINTYPES.DLL",
+   "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\GLOBALIZATION\\SORTING\\SORTDEFAULT.NLS",
+   "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\PROPSYS.DLL",
+   "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\SHCORE.DLL",
+   "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\EN-US\\SHELL32.DLL.MUI",
+   "\\DEVICE\\HARDDISKVOLUME2\\PROGRAM FILES\\WINDOWSAPPS\\MICROSOFT.WINDOWSCOMMUNICATIONSAPPS_16.4.4206.722_X64__8WEKYB3D8BBWE\\SHARED\\BICI.DLL",
+   "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\CRYPTSP.DLL",
+   "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\RSAENH.DLL",
+   "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\EN-US\\KERNELBASE.DLL.MUI",
+   "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\THREADPOOLWINRT.DLL",
+   "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\ACTXPRXY.DLL",
+   "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\BIWINRT.DLL",
+   "\\DEVICE\\HARDDISKVOLUME2\\PROGRAM FILES\\WINDOWSAPPS\\MICROSOFT.WINDOWSCOMMUNICATIONSAPPS_16.4.4206.722_X64__8WEKYB3D8BBWE\\MICROSOFT.WINDOWSLIVE.PLATFORM.DLL",
+   "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\WINDOWS.APPLICATIONMODEL.DLL",
+   "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\WINDOWS.APPLICATIONMODEL.BACKGROUND.SYSTEMEVENTSBROKER.DLL",
+   "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\SYSTEMEVENTSBROKERCLIENT.DLL",
+   "\\DEVICE\\HARDDISKVOLUME2\\USERS\\E\\APPDATA\\LOCAL\\PACKAGES\\MICROSOFT.WINDOWSCOMMUNICATIONSAPPS_8WEKYB3D8BBWE\\SETTINGS\\SETTINGS.DAT",
+   "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\WINDOWS.SECURITY.AUTHENTICATION.ONLINEID.DLL",
+   "\\DEVICE\\HARDDISKVOLUME2\\PROGRAM FILES\\WINDOWSAPPS\\MICROSOFT.WINDOWSCOMMUNICATIONSAPPS_16.4.4206.722_X64__8WEKYB3D8BBWE\\MODERNSHARED\\ERRORREPORTING\\ERRORREPORTING.DLL",
+   "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\WINDOWS.NETWORKING.CONNECTIVITY.DLL"
+  ]
+ }
@@ -0,0 +1,62 @@
+{
+  "Executable": "MSMSGS.EXE",
+  "FileSize": 21366,
+  "Hash": "0x2B6052DE",
+  "Version": "WinXP",
+  "LastRunTimes": [
+   "2016-01-13T22:05:11Z"
+  ],
+  "FilesAccessed": [
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\KERNEL32.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\UNICODE.NLS",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\LOCALE.NLS",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\SORTTBLS.NLS",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\MSVCRT.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\PROGRAM FILES\\MESSENGER\\MSMSGS.EXE",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\ADVAPI32.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\RPCRT4.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\SECUR32.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\GDI32.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\USER32.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\WSOCK32.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\WS2_32.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\WS2HELP.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\OLE32.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\OLEAUT32.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\WINSXS\\X86_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.2600.5512_X-WW_35D4CE83\\COMCTL32.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\SHLWAPI.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\COMDLG32.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\SHELL32.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\VERSION.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\WINMM.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\WINSXS\\X86_MICROSOFT.WINDOWS.GDIPLUS_6595B64144CCF1DF_1.0.2600.5512_X-WW_DFB54E0C\\GDIPLUS.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\MSIMG32.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NETAPI32.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\WININET.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\CRYPT32.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\MSASN1.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\CRYPTDLL.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\IPHLPAPI.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\CTYPE.NLS",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\SORTKEY.NLS",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\WINDOWSSHELL.MANIFEST",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\RPCSS.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\UXTHEME.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\DOCUMENTS AND SETTINGS\\E\\NTUSER.DAT",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\XPOB2RES.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\CLBCATQ.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\COMRES.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\WINLOGON.EXE",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\XPSP2RES.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\SXS.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\ES.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\WTSAPI32.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\WINSTA.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\PROGRAM FILES\\MESSENGER\\MSGSC.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\CREDUI.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\DOCUMENTS AND SETTINGS\\E\\LOCAL SETTINGS\\TEMPORARY INTERNET FILES\\CONTENT.IE5\\INDEX.DAT",
+   "\\DEVICE\\HARDDISKVOLUME1\\DOCUMENTS AND SETTINGS\\E\\COOKIES\\INDEX.DAT",
+   "\\DEVICE\\HARDDISKVOLUME1\\DOCUMENTS AND SETTINGS\\E\\LOCAL SETTINGS\\HISTORY\\HISTORY.IE5\\INDEX.DAT"
+  ]
+ }
@@ -0,0 +1,38 @@
+{
+  "Executable": "PING.EXE",
+  "FileSize": 11216,
+  "Hash": "0xB29F6629",
+  "Version": "Vista",
+  "LastRunTimes": [
+   "2012-04-06T19:00:55Z"
+  ],
+  "FilesAccessed": [
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\KERNEL32.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\APISETSCHEMA.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\KERNELBASE.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\LOCALE.NLS",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\PING.EXE",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\ADVAPI32.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\MSVCRT.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\SECHOST.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\RPCRT4.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\IPHLPAPI.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NSI.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\WINNSI.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\USER32.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\GDI32.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\LPK.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\USP10.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\WS2_32.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\IMM32.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\MSCTF.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\EN-US\\PING.EXE.MUI",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\GLOBALIZATION\\SORTING\\SORTDEFAULT.NLS",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\MSWSOCK.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\WSHQOS.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\WSHTCPIP.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\WSHIP6.DLL",
+   "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\RESCACHE\\RC0007\\RESCACHE.HIT"
+  ]
+ }
@@ -0,0 +1 @@
+package prefetch
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+[submodule "test_data/Prefetch"]`
	`2`	`+ path = test_data/Prefetch`
	`3`	`+ url = https://github.com/EricZimmerman/Prefetch.git`