A fast and cross platform Prefetch parser written in Rust that gives you the ability to query the records via JMESPath queries. Output is JSONL.
To build you must set LIBFWNT_BIN to the path that contains the compiled libscca library. You must also copy the compiled library to the same folder as the compiled rust tools. At some point I will try and copy the compiled library from LIBFWNT_BIN to the compiled paths from the build... but for now it is a manual job
To build RustyPrefetch
cargo build --release
RustyPrefetch 0.2.0
Matthew Seyer <https://github.com/forensicmatt/RustyPrefetch>
Parse prefetch.
USAGE:
RustyPrefetch.exe [FLAGS] [OPTIONS] --source <FILE>
FLAGS:
-b, --bool_expr JMES Query as bool only. (Prints whole record if true.)
-h, --help Prints help information
-t, --tracechain Output Tracechains
-V, --version Prints version information
OPTIONS:
-q, --query <QUERY> JMES Query
-s, --source <FILE> The source path. Can be a file or a directory.
The output is written to stdout as a json list of records.
// DEFAULT OUTPUT
RustyPrefetch.exe -s C:\TestData\Images\Donald_Blake_Evidence\exports\Prefetch\CCLEANER64.EXE-DE05DBE1.pf
{"source_file":"C:\\TestData\\Images\\Donald_Blake_Evidence\\exports\\Prefetch\\CCLEANER64.EXE-DE05DBE1.pf","header":{"version":26,"signature":1094927187,"unknown1":17,"filesize":68628,"filename":"CCLEANER64.EXE","hash":3724925921,"unknon2":0},"fileinfo":{"metrics_array_offset":304,"metrics_entry_count":107,"trace_array_offset":3728,"trace_entry_count":3776,"filename_offset":49040,"filename_length":13706,"volume_info_offset":62752,"volume_info_count":1,"volume_info_size":5876,"unknown3":4294967334,"last_run_time":["2013-10-22 16:23:53.090","2013-10-22 16:23:48.339","2013-10-13 09:39:15.655","2013-10-13 09:39:11.807","1601-01-01 00:00:00.000","1601-01-01 00:00:00.000","1601-01-01 00:00:00.000","1601-01-01 00:00:00.000"],"unknown1":"00000000000000000000000000000000","run_count":4,"unknown2":3,"unknown5":3,"unknown4":"00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000"},"metrics":[{"tracechain_index":0,"tracechain_count":238,"prefetched_blocks":165,"filename_offset":0,"filename_length":50,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"562949953463549","entry":42237,"sequence":2},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\NTDLL.DLL","tracechain":[]},{"tracechain_index":238,"tracechain_count":485,"prefetched_blocks":139,"filename_offset":102,"filename_length":61,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"844424930154102","entry":22134,"sequence":3},"filename":"\\DEVICE\\HARDDISKVOLUME5\\PROGRAM FILES\\CCLEANER\\CCLEANER64.EXE","tracechain":[]},{"tracechain_index":723,"tracechain_count":93,"prefetched_blocks":29,"filename_offset":226,"filename_length":53,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"562949953463519","entry":42207,"sequence":2},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\KERNEL32.DLL","tracechain":[]},{"tracechain_index":816,"tracechain_count":149,"prefetched_blocks":54,"filename_offset":334,"filename_length":55,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"562949953463612","entry":42300,"sequence":2},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\KERNELBASE.DLL","tracechain":[]},{"tracechain_index":965,"tracechain_count":56,"prefetched_blocks":48,"filename_offset":446,"filename_length":51,"flags":"0x0002: RESOURCE","file_reference":{"reference":"281474976950665","entry":240009,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\LOCALE.NLS","tracechain":[]},{"tracechain_index":1021,"tracechain_count":112,"prefetched_blocks":59,"filename_offset":550,"filename_length":51,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"281474976951522","entry":240866,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\RPCRT4.DLL","tracechain":[]},{"tracechain_index":1133,"tracechain_count":74,"prefetched_blocks":35,"filename_offset":654,"filename_length":51,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"281474976952041","entry":241385,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\USER32.DLL","tracechain":[]},{"tracechain_index":1207,"tracechain_count":77,"prefetched_blocks":22,"filename_offset":758,"filename_length":50,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"281474976950218","entry":239562,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\GDI32.DLL","tracechain":[]},{"tracechain_index":1284,"tracechain_count":11,"prefetched_blocks":11,"filename_offset":860,"filename_length":53,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"281474976949265","entry":238609,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\COMDLG32.DLL","tracechain":[]},{"tracechain_index":1295,"tracechain_count":29,"prefetched_blocks":24,"filename_offset":968,"filename_length":53,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"281474976948447","entry":237791,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\ADVAPI32.DLL","tracechain":[]},{"tracechain_index":1324,"tracechain_count":336,"prefetched_blocks":64,"filename_offset":1076,"filename_length":52,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"562949953463692","entry":42380,"sequence":2},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\SHELL32.DLL","tracechain":[]},{"tracechain_index":1660,"tracechain_count":46,"prefetched_blocks":13,"filename_offset":1182,"filename_length":50,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"562949953463521","entry":42209,"sequence":2},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\OLE32.DLL","tracechain":[]},{"tracechain_index":1706,"tracechain_count":22,"prefetched_blocks":19,"filename_offset":1284,"filename_length":53,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"281474976951204","entry":240548,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\OLEAUT32.DLL","tracechain":[]},{"tracechain_index":1728,"tracechain_count":25,"prefetched_blocks":22,"filename_offset":1392,"filename_length":52,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"281474976951649","entry":240993,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\SHLWAPI.DLL","tracechain":[]},{"tracechain_index":1753,"tracechain_count":144,"prefetched_blocks":23,"filename_offset":1498,"filename_length":145,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"281474976965326","entry":254670,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\WINSXS\\AMD64_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.9600.16384_NONE_62475F7BECB72503\\COMCTL32.DLL","tracechain":[]},{"tracechain_index":1897,"tracechain_count":5,"prefetched_blocks":5,"filename_offset":1790,"filename_length":52,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"281474976950852","entry":240196,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\MSIMG32.DLL","tracechain":[]},{"tracechain_index":1902,"tracechain_count":58,"prefetched_blocks":25,"filename_offset":1896,"filename_length":52,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"281474976952048","entry":241392,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\UXTHEME.DLL","tracechain":[]},{"tracechain_index":1960,"tracechain_count":7,"prefetched_blocks":7,"filename_offset":2002,"filename_length":53,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"281474976952414","entry":241758,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\WTSAPI32.DLL","tracechain":[]},{"tracechain_index":1967,"tracechain_count":8,"prefetched_blocks":8,"filename_offset":2110,"filename_length":53,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"281474976950982","entry":240326,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\NETAPI32.DLL","tracechain":[]},{"tracechain_index":1975,"tracechain_count":27,"prefetched_blocks":26,"filename_offset":2218,"filename_length":52,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"281474976949475","entry":238819,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\CRYPT32.DLL","tracechain":[]},{"tracechain_index":2002,"tracechain_count":12,"prefetched_blocks":12,"filename_offset":2324,"filename_length":53,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"281474976952258","entry":241602,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\WINTRUST.DLL","tracechain":[]},{"tracechain_index":2014,"tracechain_count":64,"prefetched_blocks":41,"filename_offset":2432,"filename_length":50,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"281474976950060","entry":239404,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\ESENT.DLL","tracechain":[]},{"tracechain_index":2078,"tracechain_count":6,"prefetched_blocks":6,"filename_offset":2534,"filename_length":52,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"281474976952010","entry":241354,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\VERSION.DLL","tracechain":[]},{"tracechain_index":2084,"tracechain_count":31,"prefetched_blocks":19,"filename_offset":2640,"filename_length":52,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"562949953438467","entry":17155,"sequence":2},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\WININET.DLL","tracechain":[]},{"tracechain_index":2115,"tracechain_count":37,"prefetched_blocks":29,"filename_offset":2746,"filename_length":51,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"281474976950914","entry":240258,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\MSVCRT.DLL","tracechain":[]},{"tracechain_index":2152,"tracechain_count":22,"prefetched_blocks":12,"filename_offset":2850,"filename_length":52,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"281474976951587","entry":240931,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\SECHOST.DLL","tracechain":[]},{"tracechain_index":2174,"tracechain_count":156,"prefetched_blocks":32,"filename_offset":2956,"filename_length":52,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"562949953463617","entry":42305,"sequence":2},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\COMBASE.DLL","tracechain":[]},{"tracechain_index":2330,"tracechain_count":7,"prefetched_blocks":7,"filename_offset":3062,"filename_length":53,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"281474976951010","entry":240354,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\NETUTILS.DLL","tracechain":[]},{"tracechain_index":2337,"tracechain_count":20,"prefetched_blocks":11,"filename_offset":3170,"filename_length":51,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"281474976951742","entry":241086,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\SRVCLI.DLL","tracechain":[]},{"tracechain_index":2357,"tracechain_count":7,"prefetched_blocks":7,"filename_offset":3274,"filename_length":51,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"281474976952259","entry":241603,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\WKSCLI.DLL","tracechain":[]},{"tracechain_index":2364,"tracechain_count":8,"prefetched_blocks":8,"filename_offset":3378,"filename_length":51,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"281474976950792","entry":240136,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\MSASN1.DLL","tracechain":[]},{"tracechain_index":2372,"tracechain_count":95,"prefetched_blocks":18,"filename_offset":3482,"filename_length":53,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"562949953438461","entry":17149,"sequence":2},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\IERTUTIL.DLL","tracechain":[]},{"tracechain_index":2467,"tracechain_count":7,"prefetched_blocks":7,"filename_offset":3590,"filename_length":51,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"281474976951536","entry":240880,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\SAMCLI.DLL","tracechain":[]},{"tracechain_index":2474,"tracechain_count":32,"prefetched_blocks":25,"filename_offset":3694,"filename_length":51,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"281474976951634","entry":240978,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\SHCORE.DLL","tracechain":[]},{"tracechain_index":2506,"tracechain_count":25,"prefetched_blocks":18,"filename_offset":3798,"filename_length":50,"flags":"0x0202: RESOURCE | EXECUTABLE_MEMORY","file_reference":{"reference":"281474976950309","entry":239653,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\IMM32.DLL","tracechain":[]},{"tracechain_index":2531,"tracechain_count":60,"prefetched_blocks":7,"filename_offset":3900,"filename_length":50,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"844424930168691","entry":36723,"sequence":3},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\MSCTF.DLL","tracechain":[]},{"tracechain_index":2591,"tracechain_count":1,"prefetched_blocks":1,"filename_offset":4002,"filename_length":53,"flags":"0x0002: RESOURCE","file_reference":{"reference":"281474976939952","entry":229296,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\WINDOWSSHELL.MANIFEST","tracechain":[]},{"tracechain_index":2592,"tracechain_count":8,"prefetched_blocks":8,"filename_offset":4110,"filename_length":50,"flags":"0x0002: RESOURCE","file_reference":{"reference":"281474976951519","entry":240863,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\RPCSS.DLL","tracechain":[]},{"tracechain_index":2600,"tracechain_count":8,"prefetched_blocks":8,"filename_offset":4212,"filename_length":59,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"281474976950580","entry":239924,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\KERNEL.APPCORE.DLL","tracechain":[]},{"tracechain_index":2608,"tracechain_count":6,"prefetched_blocks":6,"filename_offset":4332,"filename_length":54,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"281474976949287","entry":238631,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\CRYPTBASE.DLL","tracechain":[]},{"tracechain_index":2614,"tracechain_count":12,"prefetched_blocks":12,"filename_offset":4442,"filename_length":61,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"281474976948921","entry":238265,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\BCRYPTPRIMITIVES.DLL","tracechain":[]},{"tracechain_index":2626,"tracechain_count":46,"prefetched_blocks":14,"filename_offset":4566,"filename_length":82,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"281474976928283","entry":217627,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\INK\\TIPTSF.DLL","tracechain":[]},{"tracechain_index":2672,"tracechain_count":26,"prefetched_blocks":26,"filename_offset":4732,"filename_length":69,"flags":"0x0002: RESOURCE","file_reference":{"reference":"281474976942086","entry":231430,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\GLOBALIZATION\\SORTING\\SORTDEFAULT.NLS","tracechain":[]},{"tracechain_index":2698,"tracechain_count":47,"prefetched_blocks":35,"filename_offset":4872,"filename_length":52,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"281474976949562","entry":238906,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\DBGHELP.DLL","tracechain":[]},{"tracechain_index":2745,"tracechain_count":2,"prefetched_blocks":0,"filename_offset":4978,"filename_length":50,"flags":"0x0001: NOT_PREFETCHED","file_reference":{"reference":"281474976951929","entry":241273,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\TZRES.DLL","tracechain":[]},{"tracechain_index":2747,"tracechain_count":8,"prefetched_blocks":0,"filename_offset":5080,"filename_length":60,"flags":"0x0001: NOT_PREFETCHED","file_reference":{"reference":"281474976956696","entry":246040,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\EN-US\\TZRES.DLL.MUI","tracechain":[]},{"tracechain_index":2755,"tracechain_count":8,"prefetched_blocks":0,"filename_offset":5202,"filename_length":51,"flags":"0x0001: NOT_PREFETCHED","file_reference":{"reference":"562949953463321","entry":42009,"sequence":2},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\DWMAPI.DLL","tracechain":[]},{"tracechain_index":2763,"tracechain_count":72,"prefetched_blocks":0,"filename_offset":5306,"filename_length":53,"flags":"0x0001: NOT_PREFETCHED","file_reference":{"reference":"281474976941924","entry":231268,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\FONTS\\STATICCACHE.DAT","tracechain":[]},{"tracechain_index":2835,"tracechain_count":29,"prefetched_blocks":0,"filename_offset":5414,"filename_length":51,"flags":"0x0001: NOT_PREFETCHED","file_reference":{"reference":"281474976951187","entry":240531,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\OLEACC.DLL","tracechain":[]},{"tracechain_index":2864,"tracechain_count":1,"prefetched_blocks":0,"filename_offset":5518,"filename_length":53,"flags":"0x0001: NOT_PREFETCHED","file_reference":{"reference":"281474976951176","entry":240520,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\OLEACCRC.DLL","tracechain":[]},{"tracechain_index":2865,"tracechain_count":26,"prefetched_blocks":25,"filename_offset":5626,"filename_length":52,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"281474976949219","entry":238563,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\CLBCATQ.DLL","tracechain":[]},{"tracechain_index":2891,"tracechain_count":6,"prefetched_blocks":6,"filename_offset":5732,"filename_length":62,"flags":"0x0002: RESOURCE","file_reference":{"reference":"1125899907055903","entry":213279,"sequence":4},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\REGISTRATION\\R00000000000D.CLB","tracechain":[]},{"tracechain_index":2897,"tracechain_count":10,"prefetched_blocks":0,"filename_offset":5858,"filename_length":52,"flags":"0x0001: NOT_PREFETCHED","file_reference":{"reference":"281474976951982","entry":241326,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\USERENV.DLL","tracechain":[]},{"tracechain_index":2907,"tracechain_count":10,"prefetched_blocks":10,"filename_offset":5964,"filename_length":52,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"281474976951332","entry":240676,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\PROFAPI.DLL","tracechain":[]},{"tracechain_index":2917,"tracechain_count":18,"prefetched_blocks":0,"filename_offset":6070,"filename_length":52,"flags":"0x0001: NOT_PREFETCHED","file_reference":{"reference":"562949953463413","entry":42101,"sequence":2},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\TWINAPI.DLL","tracechain":[]},{"tracechain_index":2935,"tracechain_count":43,"prefetched_blocks":30,"filename_offset":6176,"filename_length":52,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"281474976951345","entry":240689,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\PROPSYS.DLL","tracechain":[]},{"tracechain_index":2978,"tracechain_count":4,"prefetched_blocks":4,"filename_offset":6282,"filename_length":90,"flags":"0x0002: RESOURCE","file_reference":{"reference":"844424930171009","entry":39041,"sequence":3},"filename":"\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\APPDATA\\LOCAL\\MICROSOFT\\WINDOWS\\CACHES\\CVERSIONS.1.DB","tracechain":[]},{"tracechain_index":2982,"tracechain_count":53,"prefetched_blocks":0,"filename_offset":6464,"filename_length":141,"flags":"0x0001: NOT_PREFETCHED","file_reference":{"reference":"0","entry":0,"sequence":0},"filename":"\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\APPDATA\\LOCAL\\MICROSOFT\\WINDOWS\\CACHES\\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.1.VER0X000000000000007A.DB","tracechain":[]},{"tracechain_index":3035,"tracechain_count":18,"prefetched_blocks":0,"filename_offset":6748,"filename_length":55,"flags":"0x0001: NOT_PREFETCHED","file_reference":{"reference":"281474976948925","entry":238269,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\BCP47LANGS.DLL","tracechain":[]},{"tracechain_index":3053,"tracechain_count":9,"prefetched_blocks":0,"filename_offset":6860,"filename_length":141,"flags":"0x0001: NOT_PREFETCHED","file_reference":{"reference":"0","entry":0,"sequence":0},"filename":"\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\APPDATA\\LOCAL\\MICROSOFT\\WINDOWS\\CACHES\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000005.DB","tracechain":[]},{"tracechain_index":3062,"tracechain_count":1,"prefetched_blocks":0,"filename_offset":7144,"filename_length":102,"flags":"0x0001: NOT_PREFETCHED","file_reference":{"reference":"844424930220292","entry":88324,"sequence":3},"filename":"\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\APPDATA\\LOCAL\\MICROSOFT\\WINDOWS\\APPLICATION SHORTCUTS\\DESKTOP.INI","tracechain":[]},{"tracechain_index":3063,"tracechain_count":1,"prefetched_blocks":1,"filename_offset":7350,"filename_length":56,"flags":"0x0002: RESOURCE","file_reference":{"reference":"562949953512510","entry":91198,"sequence":2},"filename":"\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\DESKTOP\\DESKTOP.INI","tracechain":[]},{"tracechain_index":3064,"tracechain_count":1,"prefetched_blocks":1,"filename_offset":7464,"filename_length":58,"flags":"0x0002: RESOURCE","file_reference":{"reference":"562949953512519","entry":91207,"sequence":2},"filename":"\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\DOCUMENTS\\DESKTOP.INI","tracechain":[]},{"tracechain_index":3065,"tracechain_count":1,"prefetched_blocks":1,"filename_offset":7582,"filename_length":54,"flags":"0x0002: RESOURCE","file_reference":{"reference":"562949953512518","entry":91206,"sequence":2},"filename":"\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\MUSIC\\DESKTOP.INI","tracechain":[]},{"tracechain_index":3066,"tracechain_count":1,"prefetched_blocks":1,"filename_offset":7692,"filename_length":57,"flags":"0x0002: RESOURCE","file_reference":{"reference":"562949953512509","entry":91197,"sequence":2},"filename":"\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\PICTURES\\DESKTOP.INI","tracechain":[]},{"tracechain_index":3067,"tracechain_count":1,"prefetched_blocks":1,"filename_offset":7808,"filename_length":55,"flags":"0x0002: RESOURCE","file_reference":{"reference":"562949953512507","entry":91195,"sequence":2},"filename":"\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\VIDEOS\\DESKTOP.INI","tracechain":[]},{"tracechain_index":3068,"tracechain_count":1,"prefetched_blocks":1,"filename_offset":7920,"filename_length":58,"flags":"0x0002: RESOURCE","file_reference":{"reference":"562949953512525","entry":91213,"sequence":2},"filename":"\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\DOWNLOADS\\DESKTOP.INI","tracechain":[]},{"tracechain_index":3069,"tracechain_count":1,"prefetched_blocks":1,"filename_offset":8038,"filename_length":57,"flags":"0x0002: RESOURCE","file_reference":{"reference":"562949953548697","entry":127385,"sequence":2},"filename":"\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\SKYDRIVE\\DESKTOP.INI","tracechain":[]},{"tracechain_index":3070,"tracechain_count":1,"prefetched_blocks":0,"filename_offset":8154,"filename_length":93,"flags":"0x0001: NOT_PREFETCHED","file_reference":{"reference":"562949953512517","entry":91205,"sequence":2},"filename":"\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\APPDATA\\ROAMING\\MICROSOFT\\WINDOWS\\START MENU\\DESKTOP.INI","tracechain":[]},{"tracechain_index":3071,"tracechain_count":1,"prefetched_blocks":0,"filename_offset":8342,"filename_length":102,"flags":"0x0001: NOT_PREFETCHED","file_reference":{"reference":"27584547717671353","entry":27065,"sequence":98},"filename":"\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\APPDATA\\ROAMING\\MICROSOFT\\WINDOWS\\START MENU\\PROGRAMS\\DESKTOP.INI","tracechain":[]},{"tracechain_index":3072,"tracechain_count":1,"prefetched_blocks":0,"filename_offset":8548,"filename_length":76,"flags":"0x0001: NOT_PREFETCHED","file_reference":{"reference":"281474976939638","entry":228982,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\PROGRAMDATA\\MICROSOFT\\WINDOWS\\START MENU\\DESKTOP.INI","tracechain":[]},{"tracechain_index":3073,"tracechain_count":1,"prefetched_blocks":0,"filename_offset":8702,"filename_length":85,"flags":"0x0001: NOT_PREFETCHED","file_reference":{"reference":"844424930174314","entry":42346,"sequence":3},"filename":"\\DEVICE\\HARDDISKVOLUME5\\PROGRAMDATA\\MICROSOFT\\WINDOWS\\START MENU\\PROGRAMS\\DESKTOP.INI","tracechain":[]},{"tracechain_index":3074,"tracechain_count":1,"prefetched_blocks":0,"filename_offset":8874,"filename_length":56,"flags":"0x0001: NOT_PREFETCHED","file_reference":{"reference":"281474976939919","entry":229263,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\USERS\\PUBLIC\\DESKTOP\\DESKTOP.INI","tracechain":[]},{"tracechain_index":3075,"tracechain_count":3,"prefetched_blocks":0,"filename_offset":8988,"filename_length":135,"flags":"0x0001: NOT_PREFETCHED","file_reference":{"reference":"0","entry":0,"sequence":0},"filename":"\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\APPDATA\\ROAMING\\MICROSOFT\\WINDOWS\\RECENT\\CUSTOMDESTINATIONS\\CCC0FA1B9F86F7B3.CUSTOMDESTINATIONS-MS","tracechain":[]},{"tracechain_index":3078,"tracechain_count":9,"prefetched_blocks":0,"filename_offset":9260,"filename_length":53,"flags":"0x0001: NOT_PREFETCHED","file_reference":{"reference":"281474976950619","entry":239963,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\LINKINFO.DLL","tracechain":[]},{"tracechain_index":3087,"tracechain_count":4,"prefetched_blocks":0,"filename_offset":9368,"filename_length":75,"flags":"0x0001: NOT_PREFETCHED","file_reference":{"reference":"0","entry":0,"sequence":0},"filename":"\\DEVICE\\HARDDISKVOLUME5\\PROGRAMDATA\\MICROSOFT\\WINDOWS\\CACHES\\CVERSIONS.2.DB","tracechain":[]},{"tracechain_index":3091,"tracechain_count":20,"prefetched_blocks":0,"filename_offset":9520,"filename_length":126,"flags":"0x0001: NOT_PREFETCHED","file_reference":{"reference":"0","entry":0,"sequence":0},"filename":"\\DEVICE\\HARDDISKVOLUME5\\PROGRAMDATA\\MICROSOFT\\WINDOWS\\CACHES\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.VER0X000000000000001C.DB","tracechain":[]},{"tracechain_index":3111,"tracechain_count":89,"prefetched_blocks":0,"filename_offset":9774,"filename_length":126,"flags":"0x0001: NOT_PREFETCHED","file_reference":{"reference":"0","entry":0,"sequence":0},"filename":"\\DEVICE\\HARDDISKVOLUME5\\PROGRAMDATA\\MICROSOFT\\WINDOWS\\CACHES\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.VER0X0000000000000001.DB","tracechain":[]},{"tracechain_index":3200,"tracechain_count":22,"prefetched_blocks":22,"filename_offset":10028,"filename_length":53,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"281474976951673","entry":241017,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\SETUPAPI.DLL","tracechain":[]},{"tracechain_index":3222,"tracechain_count":11,"prefetched_blocks":11,"filename_offset":10136,"filename_length":53,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"281474976949092","entry":238436,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\CFGMGR32.DLL","tracechain":[]},{"tracechain_index":3233,"tracechain_count":1,"prefetched_blocks":0,"filename_offset":10244,"filename_length":49,"flags":"0x0001: NOT_PREFETCHED","file_reference":{"reference":"281474976928181","entry":217525,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\PROGRAM FILES\\DESKTOP.INI","tracechain":[]},{"tracechain_index":3234,"tracechain_count":27,"prefetched_blocks":0,"filename_offset":10344,"filename_length":52,"flags":"0x0001: NOT_PREFETCHED","file_reference":{"reference":"281474976951158","entry":240502,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\NTSHRUI.DLL","tracechain":[]},{"tracechain_index":3261,"tracechain_count":14,"prefetched_blocks":5,"filename_offset":10450,"filename_length":52,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"562949953463397","entry":42085,"sequence":2},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\SSPICLI.DLL","tracechain":[]},{"tracechain_index":3275,"tracechain_count":7,"prefetched_blocks":0,"filename_offset":10556,"filename_length":51,"flags":"0x0001: NOT_PREFETCHED","file_reference":{"reference":"281474976949303","entry":238647,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\CSCAPI.DLL","tracechain":[]},{"tracechain_index":3282,"tracechain_count":1,"prefetched_blocks":0,"filename_offset":10660,"filename_length":38,"flags":"0x0001: NOT_PREFETCHED","file_reference":{"reference":"0","entry":0,"sequence":0},"filename":"\\DEVICE\\HARDDISKVOLUME5\\$EXTEND\\$OBJID","tracechain":[]},{"tracechain_index":3283,"tracechain_count":11,"prefetched_blocks":8,"filename_offset":10738,"filename_length":52,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"281474976949295","entry":238639,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\CRYPTSP.DLL","tracechain":[]},{"tracechain_index":3294,"tracechain_count":10,"prefetched_blocks":10,"filename_offset":10844,"filename_length":51,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"281474976951514","entry":240858,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\RSAENH.DLL","tracechain":[]},{"tracechain_index":3304,"tracechain_count":9,"prefetched_blocks":9,"filename_offset":10948,"filename_length":51,"flags":"0x0200: EXECUTABLE_MEMORY","file_reference":{"reference":"281474976948913","entry":238257,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\BCRYPT.DLL","tracechain":[]},{"tracechain_index":3313,"tracechain_count":3,"prefetched_blocks":0,"filename_offset":11052,"filename_length":122,"flags":"0x0001: NOT_PREFETCHED","file_reference":{"reference":"0","entry":0,"sequence":0},"filename":"\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\APPDATA\\ROAMING\\MICROSOFT\\WINDOWS\\RECENT\\CUSTOMDESTINATIONS\\NZJ6ROFVMQWDVN6YXNLC.TEMP","tracechain":[]},{"tracechain_index":3316,"tracechain_count":12,"prefetched_blocks":0,"filename_offset":11298,"filename_length":52,"flags":"0x0001: NOT_PREFETCHED","file_reference":{"reference":"0","entry":0,"sequence":0},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\NTMARTA.DLL","tracechain":[]},{"tracechain_index":3328,"tracechain_count":38,"prefetched_blocks":0,"filename_offset":11404,"filename_length":28,"flags":"0x0001: NOT_PREFETCHED","file_reference":{"reference":"0","entry":0,"sequence":0},"filename":"\\DEVICE\\HARDDISKVOLUME5\\$MFT","tracechain":[]},{"tracechain_index":3366,"tracechain_count":27,"prefetched_blocks":0,"filename_offset":11462,"filename_length":58,"flags":"0x0001: NOT_PREFETCHED","file_reference":{"reference":"0","entry":0,"sequence":0},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\EXPLORERFRAME.DLL","tracechain":[]},{"tracechain_index":3393,"tracechain_count":20,"prefetched_blocks":0,"filename_offset":11580,"filename_length":50,"flags":"0x0001: NOT_PREFETCHED","file_reference":{"reference":"0","entry":0,"sequence":0},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\DUSER.DLL","tracechain":[]},{"tracechain_index":3413,"tracechain_count":79,"prefetched_blocks":0,"filename_offset":11682,"filename_length":50,"flags":"0x0001: NOT_PREFETCHED","file_reference":{"reference":"0","entry":0,"sequence":0},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\DUI70.DLL","tracechain":[]},{"tracechain_index":3492,"tracechain_count":1,"prefetched_blocks":0,"filename_offset":11784,"filename_length":41,"flags":"0x0001: NOT_PREFETCHED","file_reference":{"reference":"281474976939756","entry":229100,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\USERS\\DESKTOP.INI","tracechain":[]},{"tracechain_index":3493,"tracechain_count":1,"prefetched_blocks":0,"filename_offset":11868,"filename_length":81,"flags":"0x0001: NOT_PREFETCHED","file_reference":{"reference":"3659174697353306","entry":114778,"sequence":13},"filename":"\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\APPDATA\\ROAMING\\MOZILLA\\FIREFOX\\PROFILES.INI","tracechain":[]},{"tracechain_index":3494,"tracechain_count":56,"prefetched_blocks":0,"filename_offset":12032,"filename_length":53,"flags":"0x0001: NOT_PREFETCHED","file_reference":{"reference":"281474976951921","entry":241265,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\TASKSCHD.DLL","tracechain":[]},{"tracechain_index":3550,"tracechain_count":16,"prefetched_blocks":0,"filename_offset":12140,"filename_length":52,"flags":"0x0001: NOT_PREFETCHED","file_reference":{"reference":"0","entry":0,"sequence":0},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\XMLLITE.DLL","tracechain":[]},{"tracechain_index":3566,"tracechain_count":20,"prefetched_blocks":0,"filename_offset":12246,"filename_length":51,"flags":"0x0001: NOT_PREFETCHED","file_reference":{"reference":"0","entry":0,"sequence":0},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\WINSTA.DLL","tracechain":[]},{"tracechain_index":3586,"tracechain_count":29,"prefetched_blocks":0,"filename_offset":12350,"filename_length":51,"flags":"0x0001: NOT_PREFETCHED","file_reference":{"reference":"0","entry":0,"sequence":0},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\URLMON.DLL","tracechain":[]},{"tracechain_index":3615,"tracechain_count":7,"prefetched_blocks":0,"filename_offset":12454,"filename_length":52,"flags":"0x0001: NOT_PREFETCHED","file_reference":{"reference":"0","entry":0,"sequence":0},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\SECUR32.DLL","tracechain":[]},{"tracechain_index":3622,"tracechain_count":9,"prefetched_blocks":0,"filename_offset":12560,"filename_length":48,"flags":"0x0001: NOT_PREFETCHED","file_reference":{"reference":"0","entry":0,"sequence":0},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\MPR.DLL","tracechain":[]},{"tracechain_index":3631,"tracechain_count":55,"prefetched_blocks":0,"filename_offset":12658,"filename_length":52,"flags":"0x0001: NOT_PREFETCHED","file_reference":{"reference":"281474976948824","entry":238168,"sequence":1},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\APPHELP.DLL","tracechain":[]},{"tracechain_index":3686,"tracechain_count":27,"prefetched_blocks":0,"filename_offset":12764,"filename_length":63,"flags":"0x0001: NOT_PREFETCHED","file_reference":{"reference":"844424930168709","entry":36741,"sequence":3},"filename":"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\APPPATCH\\APPPATCH64\\SYSMAIN.SDB","tracechain":[]},{"tracechain_index":3713,"tracechain_count":51,"prefetched_blocks":0,"filename_offset":12892,"filename_length":141,"flags":"0x0001: NOT_PREFETCHED","file_reference":{"reference":"0","entry":0,"sequence":0},"filename":"\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\APPDATA\\LOCAL\\MICROSOFT\\WINDOWS\\CACHES\\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.1.VER0X000000000000003D.DB","tracechain":[]},{"tracechain_index":3764,"tracechain_count":9,"prefetched_blocks":0,"filename_offset":13176,"filename_length":141,"flags":"0x0001: NOT_PREFETCHED","file_reference":{"reference":"0","entry":0,"sequence":0},"filename":"\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\APPDATA\\LOCAL\\MICROSOFT\\WINDOWS\\CACHES\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000002.DB","tracechain":[]},{"tracechain_index":3773,"tracechain_count":3,"prefetched_blocks":0,"filename_offset":13460,"filename_length":122,"flags":"0x0001: NOT_PREFETCHED","file_reference":{"reference":"0","entry":0,"sequence":0},"filename":"\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\APPDATA\\ROAMING\\MICROSOFT\\WINDOWS\\RECENT\\CUSTOMDESTINATIONS\\UH7PGEZBX3SR0U074MVR.TEMP","tracechain":[]}],"volumes":[{"path_offset":104,"path_length":23,"vol_creation_time":"2013-06-02 03:43:28.889","volume_serial":2119740080,"references_offset":152,"references_data_size":816,"directory_offset":968,"directory_string_count":38,"unknown1":62,"unknown2":"00000000000000000000000000000000000000000000000000000000","unknown3":38,"unknown4":"00000000000000000000000000000000000000000000000000000000","unknown5":6029390,"path_string":"\\DEVICE\\HARDDISKVOLUME5","directory_strings":["\\DEVICE\\HARDDISKVOLUME5\\$EXTEND","\\DEVICE\\HARDDISKVOLUME5\\PROGRAM FILES","\\DEVICE\\HARDDISKVOLUME5\\PROGRAM FILES\\CCLEANER","\\DEVICE\\HARDDISKVOLUME5\\PROGRAM FILES\\COMMON FILES","\\DEVICE\\HARDDISKVOLUME5\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED","\\DEVICE\\HARDDISKVOLUME5\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\INK","\\DEVICE\\HARDDISKVOLUME5\\PROGRAMDATA","\\DEVICE\\HARDDISKVOLUME5\\USERS","\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD","\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\APPDATA","\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\APPDATA\\LOCAL","\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\APPDATA\\LOCAL\\MICROSOFT","\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\APPDATA\\LOCAL\\MICROSOFT\\WINDOWS","\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\APPDATA\\LOCAL\\MICROSOFT\\WINDOWS\\CACHES","\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\APPDATA\\ROAMING","\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\APPDATA\\ROAMING\\MOZILLA","\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\APPDATA\\ROAMING\\MOZILLA\\FIREFOX","\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\APPDATA\\ROAMING\\MOZILLA\\FIREFOX\\CRASH REPORTS","\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\APPDATA\\ROAMING\\MOZILLA\\FIREFOX\\PROFILES","\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\APPDATA\\ROAMING\\MOZILLA\\FIREFOX\\PROFILES\\29BMRORB.DEFAULT","\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\APPDATA\\ROAMING\\MOZILLA\\FIREFOX\\PROFILES\\29BMRORB.DEFAULT\\EXTENSIONS","\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\APPDATA\\ROAMING\\MOZILLA\\FIREFOX\\PROFILES\\29BMRORB.DEFAULT\\EXTENSIONS\\FIREFOXDAV@ICLOUD.COM","\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\APPDATA\\ROAMING\\MOZILLA\\FIREFOX\\PROFILES\\29BMRORB.DEFAULT\\EXTENSIONS\\FIREFOXDAV@ICLOUD.COM\\COMPONENTS","\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\APPDATA\\ROAMING\\MOZILLA\\FIREFOX\\PROFILES\\29BMRORB.DEFAULT\\INDEXEDDB","\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\APPDATA\\ROAMING\\MOZILLA\\FIREFOX\\PROFILES\\29BMRORB.DEFAULT\\INDEXEDDB\\CHROME","\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\DESKTOP","\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\DOCUMENTS","\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\DOWNLOADS","\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\MUSIC","\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\PICTURES","\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\SKYDRIVE","\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\VIDEOS","\\DEVICE\\HARDDISKVOLUME5\\WINDOWS","\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\GLOBALIZATION","\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\GLOBALIZATION\\SORTING","\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\REGISTRATION","\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32","\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\WINSXS\\AMD64_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.9600.16384_NONE_62475F7BECB72503"],"reference_table":{"version":3,"reference_count":100,"references":[{"reference":"706988414888","entry":706988414888,"sequence":0},{"reference":"562949953463549","entry":42237,"sequence":2},{"reference":"844424930154102","entry":22134,"sequence":3},{"reference":"562949953463519","entry":42207,"sequence":2},{"reference":"562949953463612","entry":42300,"sequence":2},{"reference":"281474976950665","entry":240009,"sequence":1},{"reference":"281474976951522","entry":240866,"sequence":1},{"reference":"281474976952041","entry":241385,"sequence":1},{"reference":"281474976950218","entry":239562,"sequence":1},{"reference":"281474976949265","entry":238609,"sequence":1},{"reference":"281474976948447","entry":237791,"sequence":1},{"reference":"562949953463692","entry":42380,"sequence":2},{"reference":"562949953463521","entry":42209,"sequence":2},{"reference":"281474976951204","entry":240548,"sequence":1},{"reference":"281474976951649","entry":240993,"sequence":1},{"reference":"281474976965326","entry":254670,"sequence":1},{"reference":"281474976950852","entry":240196,"sequence":1},{"reference":"281474976952048","entry":241392,"sequence":1},{"reference":"281474976952414","entry":241758,"sequence":1},{"reference":"281474976950982","entry":240326,"sequence":1},{"reference":"281474976949475","entry":238819,"sequence":1},{"reference":"281474976952258","entry":241602,"sequence":1},{"reference":"281474976950060","entry":239404,"sequence":1},{"reference":"281474976952010","entry":241354,"sequence":1},{"reference":"562949953438467","entry":17155,"sequence":2},{"reference":"281474976950914","entry":240258,"sequence":1},{"reference":"281474976951587","entry":240931,"sequence":1},{"reference":"562949953463617","entry":42305,"sequence":2},{"reference":"281474976951010","entry":240354,"sequence":1},{"reference":"281474976951742","entry":241086,"sequence":1},{"reference":"281474976952259","entry":241603,"sequence":1},{"reference":"281474976950792","entry":240136,"sequence":1},{"reference":"562949953438461","entry":17149,"sequence":2},{"reference":"281474976951536","entry":240880,"sequence":1},{"reference":"281474976951634","entry":240978,"sequence":1},{"reference":"281474976950309","entry":239653,"sequence":1},{"reference":"844424930168691","entry":36723,"sequence":3},{"reference":"281474976939952","entry":229296,"sequence":1},{"reference":"281474976951519","entry":240863,"sequence":1},{"reference":"281474976950580","entry":239924,"sequence":1},{"reference":"281474976949287","entry":238631,"sequence":1},{"reference":"281474976948921","entry":238265,"sequence":1},{"reference":"281474976928283","entry":217627,"sequence":1},{"reference":"281474976942086","entry":231430,"sequence":1},{"reference":"281474976949562","entry":238906,"sequence":1},{"reference":"281474976949219","entry":238563,"sequence":1},{"reference":"1125899907055903","entry":213279,"sequence":4},{"reference":"281474976951332","entry":240676,"sequence":1},{"reference":"281474976951345","entry":240689,"sequence":1},{"reference":"844424930171009","entry":39041,"sequence":3},{"reference":"562949953512510","entry":91198,"sequence":2},{"reference":"562949953512519","entry":91207,"sequence":2},{"reference":"562949953512518","entry":91206,"sequence":2},{"reference":"562949953512509","entry":91197,"sequence":2},{"reference":"562949953512507","entry":91195,"sequence":2},{"reference":"562949953512525","entry":91213,"sequence":2},{"reference":"562949953548697","entry":127385,"sequence":2},{"reference":"281474976951673","entry":241017,"sequence":1},{"reference":"281474976949092","entry":238436,"sequence":1},{"reference":"562949953463397","entry":42085,"sequence":2},{"reference":"281474976949295","entry":238639,"sequence":1},{"reference":"281474976951514","entry":240858,"sequence":1},{"reference":"281474976948913","entry":238257,"sequence":1},{"reference":"0","entry":0,"sequence":0},{"reference":"0","entry":0,"sequence":0},{"reference":"0","entry":0,"sequence":0},{"reference":"0","entry":0,"sequence":0},{"reference":"0","entry":0,"sequence":0},{"reference":"0","entry":0,"sequence":0},{"reference":"0","entry":0,"sequence":0},{"reference":"0","entry":0,"sequence":0},{"reference":"0","entry":0,"sequence":0},{"reference":"0","entry":0,"sequence":0},{"reference":"0","entry":0,"sequence":0},{"reference":"0","entry":0,"sequence":0},{"reference":"0","entry":0,"sequence":0},{"reference":"0","entry":0,"sequence":0},{"reference":"0","entry":0,"sequence":0},{"reference":"0","entry":0,"sequence":0},{"reference":"0","entry":0,"sequence":0},{"reference":"0","entry":0,"sequence":0},{"reference":"0","entry":0,"sequence":0},{"reference":"0","entry":0,"sequence":0},{"reference":"0","entry":0,"sequence":0},{"reference":"0","entry":0,"sequence":0},{"reference":"0","entry":0,"sequence":0},{"reference":"0","entry":0,"sequence":0},{"reference":"0","entry":0,"sequence":0},{"reference":"0","entry":0,"sequence":0},{"reference":"0","entry":0,"sequence":0},{"reference":"0","entry":0,"sequence":0},{"reference":"0","entry":0,"sequence":0},{"reference":"0","entry":0,"sequence":0},{"reference":"0","entry":0,"sequence":0},{"reference":"0","entry":0,"sequence":0},{"reference":"0","entry":0,"sequence":0},{"reference":"0","entry":0,"sequence":0},{"reference":"0","entry":0,"sequence":0},{"reference":"0","entry":0,"sequence":0},{"reference":"0","entry":0,"sequence":0}]}}]}
// REFORMAT JSON OUTPUT USING A JMES QUERY
RustyPrefetch.exe -s C:\TestData\Images\Donald_Blake_Evidence\exports\Prefetch\CCLEANER64.EXE-DE05DBE1.pf -q "metrics|[].[file_reference.entry,file_reference.sequence,filename]"
[[42237,2,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\NTDLL.DLL"],[22134,3,"\\DEVICE\\HARDDISKVOLUME5\\PROGRAM FILES\\CCLEANER\\CCLEANER64.EXE"],[42207,2,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\KERNEL32.DLL"],[42300,2,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\KERNELBASE.DLL"],[240009,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\LOCALE.NLS"],[240866,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\RPCRT4.DLL"],[241385,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\USER32.DLL"],[239562,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\GDI32.DLL"],[238609,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\COMDLG32.DLL"],[237791,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\ADVAPI32.DLL"],[42380,2,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\SHELL32.DLL"],[42209,2,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\OLE32.DLL"],[240548,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\OLEAUT32.DLL"],[240993,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\SHLWAPI.DLL"],[254670,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\WINSXS\\AMD64_MICROSOFT.WINDOWS.COMMON-CONTROLS_6595B64144CCF1DF_6.0.9600.16384_NONE_62475F7BECB72503\\COMCTL32.DLL"],[240196,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\MSIMG32.DLL"],[241392,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\UXTHEME.DLL"],[241758,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\WTSAPI32.DLL"],[240326,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\NETAPI32.DLL"],[238819,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\CRYPT32.DLL"],[241602,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\WINTRUST.DLL"],[239404,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\ESENT.DLL"],[241354,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\VERSION.DLL"],[17155,2,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\WININET.DLL"],[240258,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\MSVCRT.DLL"],[240931,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\SECHOST.DLL"],[42305,2,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\COMBASE.DLL"],[240354,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\NETUTILS.DLL"],[241086,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\SRVCLI.DLL"],[241603,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\WKSCLI.DLL"],[240136,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\MSASN1.DLL"],[17149,2,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\IERTUTIL.DLL"],[240880,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\SAMCLI.DLL"],[240978,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\SHCORE.DLL"],[239653,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\IMM32.DLL"],[36723,3,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\MSCTF.DLL"],[229296,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\WINDOWSSHELL.MANIFEST"],[240863,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\RPCSS.DLL"],[239924,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\KERNEL.APPCORE.DLL"],[238631,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\CRYPTBASE.DLL"],[238265,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\BCRYPTPRIMITIVES.DLL"],[217627,1,"\\DEVICE\\HARDDISKVOLUME5\\PROGRAM FILES\\COMMON FILES\\MICROSOFT SHARED\\INK\\TIPTSF.DLL"],[231430,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\GLOBALIZATION\\SORTING\\SORTDEFAULT.NLS"],[238906,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\DBGHELP.DLL"],[241273,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\TZRES.DLL"],[246040,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\EN-US\\TZRES.DLL.MUI"],[42009,2,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\DWMAPI.DLL"],[231268,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\FONTS\\STATICCACHE.DAT"],[240531,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\OLEACC.DLL"],[240520,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\OLEACCRC.DLL"],[238563,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\CLBCATQ.DLL"],[213279,4,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\REGISTRATION\\R00000000000D.CLB"],[241326,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\USERENV.DLL"],[240676,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\PROFAPI.DLL"],[42101,2,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\TWINAPI.DLL"],[240689,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\PROPSYS.DLL"],[39041,3,"\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\APPDATA\\LOCAL\\MICROSOFT\\WINDOWS\\CACHES\\CVERSIONS.1.DB"],[0,0,"\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\APPDATA\\LOCAL\\MICROSOFT\\WINDOWS\\CACHES\\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.1.VER0X000000000000007A.DB"],[238269,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\BCP47LANGS.DLL"],[0,0,"\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\APPDATA\\LOCAL\\MICROSOFT\\WINDOWS\\CACHES\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000005.DB"],[88324,3,"\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\APPDATA\\LOCAL\\MICROSOFT\\WINDOWS\\APPLICATION SHORTCUTS\\DESKTOP.INI"],[91198,2,"\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\DESKTOP\\DESKTOP.INI"],[91207,2,"\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\DOCUMENTS\\DESKTOP.INI"],[91206,2,"\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\MUSIC\\DESKTOP.INI"],[91197,2,"\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\PICTURES\\DESKTOP.INI"],[91195,2,"\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\VIDEOS\\DESKTOP.INI"],[91213,2,"\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\DOWNLOADS\\DESKTOP.INI"],[127385,2,"\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\SKYDRIVE\\DESKTOP.INI"],[91205,2,"\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\APPDATA\\ROAMING\\MICROSOFT\\WINDOWS\\START MENU\\DESKTOP.INI"],[27065,98,"\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\APPDATA\\ROAMING\\MICROSOFT\\WINDOWS\\START MENU\\PROGRAMS\\DESKTOP.INI"],[228982,1,"\\DEVICE\\HARDDISKVOLUME5\\PROGRAMDATA\\MICROSOFT\\WINDOWS\\START MENU\\DESKTOP.INI"],[42346,3,"\\DEVICE\\HARDDISKVOLUME5\\PROGRAMDATA\\MICROSOFT\\WINDOWS\\START MENU\\PROGRAMS\\DESKTOP.INI"],[229263,1,"\\DEVICE\\HARDDISKVOLUME5\\USERS\\PUBLIC\\DESKTOP\\DESKTOP.INI"],[0,0,"\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\APPDATA\\ROAMING\\MICROSOFT\\WINDOWS\\RECENT\\CUSTOMDESTINATIONS\\CCC0FA1B9F86F7B3.CUSTOMDESTINATIONS-MS"],[239963,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\LINKINFO.DLL"],[0,0,"\\DEVICE\\HARDDISKVOLUME5\\PROGRAMDATA\\MICROSOFT\\WINDOWS\\CACHES\\CVERSIONS.2.DB"],[0,0,"\\DEVICE\\HARDDISKVOLUME5\\PROGRAMDATA\\MICROSOFT\\WINDOWS\\CACHES\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.VER0X000000000000001C.DB"],[0,0,"\\DEVICE\\HARDDISKVOLUME5\\PROGRAMDATA\\MICROSOFT\\WINDOWS\\CACHES\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.VER0X0000000000000001.DB"],[241017,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\SETUPAPI.DLL"],[238436,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\CFGMGR32.DLL"],[217525,1,"\\DEVICE\\HARDDISKVOLUME5\\PROGRAM FILES\\DESKTOP.INI"],[240502,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\NTSHRUI.DLL"],[42085,2,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\SSPICLI.DLL"],[238647,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\CSCAPI.DLL"],[0,0,"\\DEVICE\\HARDDISKVOLUME5\\$EXTEND\\$OBJID"],[238639,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\CRYPTSP.DLL"],[240858,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\RSAENH.DLL"],[238257,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\BCRYPT.DLL"],[0,0,"\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\APPDATA\\ROAMING\\MICROSOFT\\WINDOWS\\RECENT\\CUSTOMDESTINATIONS\\NZJ6ROFVMQWDVN6YXNLC.TEMP"],[0,0,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\NTMARTA.DLL"],[0,0,"\\DEVICE\\HARDDISKVOLUME5\\$MFT"],[0,0,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\EXPLORERFRAME.DLL"],[0,0,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\DUSER.DLL"],[0,0,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\DUI70.DLL"],[229100,1,"\\DEVICE\\HARDDISKVOLUME5\\USERS\\DESKTOP.INI"],[114778,13,"\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\APPDATA\\ROAMING\\MOZILLA\\FIREFOX\\PROFILES.INI"],[241265,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\TASKSCHD.DLL"],[0,0,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\XMLLITE.DLL"],[0,0,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\WINSTA.DLL"],[0,0,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\URLMON.DLL"],[0,0,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\SECUR32.DLL"],[0,0,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\MPR.DLL"],[238168,1,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\SYSTEM32\\APPHELP.DLL"],[36741,3,"\\DEVICE\\HARDDISKVOLUME5\\WINDOWS\\APPPATCH\\APPPATCH64\\SYSMAIN.SDB"],[0,0,"\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\APPDATA\\LOCAL\\MICROSOFT\\WINDOWS\\CACHES\\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.1.VER0X000000000000003D.DB"],[0,0,"\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\APPDATA\\LOCAL\\MICROSOFT\\WINDOWS\\CACHES\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.VER0X0000000000000002.DB"],[0,0,"\\DEVICE\\HARDDISKVOLUME5\\USERS\\DONALD\\APPDATA\\ROAMING\\MICROSOFT\\WINDOWS\\RECENT\\CUSTOMDESTINATIONS\\UH7PGEZBX3SR0U074MVR.TEMP"]]
The DecompressPrefetch tool under the examples can be used specifically to decompress MAM prefetch files.
DecompressPrefetch.exe -p COMPRESSED.EXE-9524B8E5.pf > DECOMPRESSED_PREFETCH.pf
RustyPrefetch\target\release\examples>DecompressPrefetch.exe -h
DecompressPrefetch 0.1.0
Matthew Seyer <https://github.com/forensicmatt/RustyPrefetch>
Test tool to decompress a compressed prefetch file.
USAGE:
DecompressPrefetch.exe --prefetch <FILE>
FLAGS:
-h, --help Prints help information
-V, --version Prints version information
OPTIONS:
-p, --prefetch <FILE> The Prefetch file to decode
- Added JMES Query functionality (http://jmespath.org/)
- Added JSONL output (http://jsonlines.org/)
- Updated some unkown fields based on @JamesHabbens research.
- Fixed trace chain flag (No trace chains by default).