Adam Witt has presented a fresh Python script. It’s called Windows Prefetch Carver and, as you already understood, can be used to carve Windows Prefetch artifacts from arbitrary binary data. Unfortunately, Windows 10 Prefetch files are compressed, and are unable to be carved from disk in this manner, but all other Prefetch formats are supported (Windows XP – Windows 8.1).

Load More Related Articles
  • FSEParser v 2.1 released

    New version of FSEventsParser has been released. FSEvents files are written to disk by OS …
  • Volatility Workbench Beta

    PassMark Software has released a beta version of Volatility Workbench – a graphical …
  • Mac FS Events Parser for Autopsy

    Mark McKinnon has written a plugin that will export the /.fseventsd directory to the temp …
Load More In Software

Leave a Reply

Your email address will not be published. Required fields are marked *