Device Path in WinPrefetchView
As we know that the Prefetch file is used for optimizing the loading time of the application in the next time that you run it. So we could know whether any suspicious application or not by examining those .pf files on the subject computers. We could download WinPrefetchView from NirSoft.
The upper pane displays the list of all Prefetch files in your system. When you select a file in the upper pane, the lower pane displays the list of files stored inside the selected Prefetch file, which represent the files that were loaded by the application in the previous times that you used it.
You could take a look at "Full Path" and "Device Path" as above. HARDDISKVOLUME2 relates to volume C. Now take a look at volumes on this disk 0 as below. The first one is a reserved partition. So volume C is the second one. It makes sense, right?
Let's take a look at another subject computer as below. It seems that "Volume 3 = C" and "Volume 4 = D". But don't jump to conclusions too fast.
Let me show you the volumes on disk 0 as below. The first volume is a reserved partition. The second one is volume C, and the third one is volume D. What's wrong with path in WinPrefetchView??? WinPrefetchView says that "Volume 3 = C" and "Volume 4 = D", but actually there is only one volume before volume C.
As a forensic guy, we could take advantage of forensic tools but don't be so sure about the analysis result. We have to verify the analysis result so as to reduce misjudgement.
Device Path in WinPrefetchView的更多相关文章
- What is a Windows USB device path and how is it formatted?
http://community.silabs.com/t5/Interface-Knowledge-Base/Windows-USB-Device-Path/ta-p/114059 Windows ...
- EDK II之Device Path
UEFI中通过Device Path来描述设备的路径,一个完整的路径由多个Device Path Nodes组成. 下面通过输入设备的路径作为例子: PNP0A03 – PCI Host Bridge ...
- 痞子衡嵌入式:可通过USB Device Path来唯一指定i.MXRT设备进行ROM/Flashloader通信
大家好,我是痞子衡,是正经搞技术的痞子.今天痞子衡给大家介绍的是通过USB Device Path来唯一指定i.MXRT设备进行ROM/Flashloader通信. i.MXRT系列高性能微控制器从2 ...
- Fix “Windows cannot access the specified device path or file” Error
http://helpdeskgeek.com/help-desk/windows-cannot-access-the-specified-device-path-or-file/ Method 1 ...
- Device Tree Usage( DTS文件语法)
http://elinux.org/Device_Tree_Usage Device Tree Usage Top Device Tree page This page walks throu ...
- Multipath在OpenStack中的faulty device的成因及解决(part 1)
| 版权:本文版权归作者和博客园共有,欢迎转载,但未经作者同意必须保留此段声明,且在文章页面明显位置给出原文连接.如有问题,可以邮件:wangxu198709@gmail.com 简介: Multip ...
- Device Tree Usage(理解DTS文件语法)
Basic Data Format The device tree is a simple tree structure of nodes and properties. Properties are ...
- OpenStack中的Multipath faulty device的成因及解决(part 1)
| 版权:本文版权归作者和博客园共有,欢迎转载,但未经作者同意必须保留此段声明,且在文章页面明显位置给出原文连接.如有问题,可以邮件:wangxu198709@gmail.com 简介: Multip ...
- How to match between physical usb device and its drive letter?
struct tagDrives { WCHAR letter; WCHAR volume[ BUFFER_SIZE ]; } g_drives[ ]; // WCHAR GetUSBDrive( ) ...
随机推荐
- ubuntu下搭建samba服务器
samba是用于linux和windows下文件共享的协议 首先,更新源并安装samba sudo apt-get update sudo apt-get install samba 然后创建一个共享 ...
- UIkit框架之UIPickerView
1.继承链:UIview:UIResponder:NSObject 2.获取uipicker view的属性 (1)@property(nonatomic, readonly) NSIntegernu ...
- C#—WebService
一.qq是否在线 1.添加Web引用 qqOnlineWebService cn.com.webxml.www.qqOnlineWebService shelly1 = new NIIT1109 ...
- 安装Adobe Flash Player
安装Adobe Flash Player: Adobe Flash Player的安装比较容易,只要将对应的文档复制到正确的的位置即可,具体的操作 如下: (1) 将l ...
- WOJ-1097
Description JYY has placed N bombs on the plane. We assume that the firepower area of each bomb is c ...
- oracle中的装换函数
日期装换成字符的函数:TO_CHAR(date[,fmt[,params]]) 默认格式:DD-MON-RR 参数说明: date:将要装换的日期 fmt:装换的格式 params:日期的语言(可以不 ...
- github 如何合并不同分支
From: http://stackoverflow.com/questions/1123344/merging-between-forks-in-github 1. 添加remote origina ...
- selenium加载时间过长
为了获取网站js渲染后的html,需要利用selenium加载网站,但是会出现加载时间过长的现象,因此可以限制其加载时间以及强制关掉加载: # !/usr/bin/python3.4 # -*- co ...
- knockout 学习实例4 css
<!DOCTYPE html> <html> <head> <meta charset="utf-8"> <title> ...
- CSS 高级语法
选择器的分组 你可以对选择器进行分组,这样,被分组的选择器就可以分享相同的声明.用逗号将需要分组的选择器分开.在下面的例子中,我们对所有的标题元素进行了分组.所有的标题元素都是绿色的. h1,h2,h ...