About Prefetch Hash Cracker
Prefetch Hash Cracker is a brute-force cracking tool written in Rust that helps researchers recover the full path hidden behind a prefetch hash.
In forensic investigations of Windows systems, we may find deleted prefetch files of which only the file names remain. While the contents of these files may not be recoverable, the file name alone is usually enough to find the full path of the executable that created the prefetch file.
Working Mechanism
The provided Bodyfile is used to obtain the path of every folder on the target volume. The tool appends the provided executable name to each of these paths to build a list of possible full paths to the executable. Each possible full path is then hashed with the provided hash function; if a path's hash matches the provided hash, that path is output.
Download
Developers can get the source code here:
git clone https://github.com/harelsegev/prefetch-hash-cracker.git
Environment
When using this tool, the following inputs must be provided:
- Executable file name: including the extension; this is the part embedded in the prefetch file name;
- Prefetch hash: the 8 hexadecimal digits at the end of the prefetch file name, just before the .pf suffix;
- Hash function;
- Bodyfile;
- Mount point;
Hash Function
Given below are the three known prefetch hash functions:
- SCCA XP: for Windows XP operating system;
- SCCA Vista: for Windows Vista and Windows 10 operating systems;
- SCCA 2008: for Windows 7, Windows 8 and Windows 8.1 operating systems;
Bodyfile
A Bodyfile of the volume from which the executable was executed.
The Bodyfile format is not strictly standardized, so some format variants may not be supported, but Bodyfiles created with fls and MFTECmd should work fine.
Mount Point
The mount point of the Bodyfile, as it appears at the start of the paths inside it. For example, in a Bodyfile line such as:
0|C:/Users/Peter/Desktop($FILE_NAME)|62694-48-2|d/d-wx-wx-wx|…
the paths begin with C:, so that is the mount point.
29 Character Limitation
If the executable's name exceeds 29 characters (including the extension), it is truncated in the prefetch file name. For example, executing the following file:
- This is a very long file nameSo this part will be truncated.exe
from the C:\Temp directory on a Windows 10 device creates the following prefetch file:
- THIS IS A VERY LONG FILE NAME-D0B882CC.pf
In this case, the executable file name cannot be derived from the prefetch file name, so it cannot be provided to the tool.
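The following Python script is an added example, not code from the prefetch-hash-cracker project, that models the search described under Working Mechanism and the file-name rules from the Prefetch hash and 29 Character Limitation sections. The three hash functions are transcribed from the publicly documented SCCA prefetch hash algorithms (as described in the libscca format documentation); the Bodyfile excerpt is constructed, and the path normalization (replacing the mount point with a \DEVICE\HARDDISKVOLUME1 prefix and uppercasing) is an assumption about how the real tool forms the hashed path.

```python
"""Added example (not prefetch-hash-cracker's own code): a pure-Python model of
the brute-force search, the three SCCA hash functions it needs, and the
prefetch filename rules (8-hex-digit hash suffix, 29-character name limit)."""
import re

MASK32 = 0xFFFFFFFF


def scca_xp_hash(path: str) -> int:
    """SCCA XP (Windows XP), per the public SCCA algorithm description."""
    h = 0
    for ch in path:
        h = (h * 37 + ord(ch)) & MASK32
    h = (h * 314159269) & MASK32
    if h > 0x80000000:
        h = (1 << 32) - h
    return h % 1000000007


def scca_vista_hash(path: str) -> int:
    """SCCA Vista (Windows Vista and Windows 10)."""
    h = 314159
    for ch in path:
        h = (h * 37 + ord(ch)) & MASK32
    return h


def scca_2008_hash(path: str) -> int:
    """SCCA 2008 (Windows 7/8/8.1): eight-character blocks, then a Vista-style tail."""
    h = 314159
    i, n = 0, len(path)
    while i + 8 < n:
        c = [ord(x) for x in path[i:i + 8]]
        v = c[1] * 37 + c[2]
        for k in (3, 4, 5, 6):
            v = v * 37 + c[k]
        v += c[0] * 442596621               # 37**7 mod 2**32
        v = v * 37 + c[7]
        h = (v - h * 803794207) & MASK32    # -(37**8) mod 2**32
        i += 8
    while i < n:
        h = (h * 37 + ord(path[i])) & MASK32
        i += 1
    return h


HASH_FUNCTIONS = {"SCCA XP": scca_xp_hash, "SCCA Vista": scca_vista_hash, "SCCA 2008": scca_2008_hash}

# Constructed Bodyfile excerpt in fls/MFTECmd body format
# (MD5|name|inode|mode|UID|GID|size|atime|mtime|ctime|crtime); the mount point is "C:".
SAMPLE_BODYFILE = """\
0|C:/Users/Peter/Desktop ($FILE_NAME)|62694-48-2|d/d-wx-wx-wx|0|0|56|1600000000|1600000000|1600000000|1600000000
0|C:/Users/Peter/Desktop|62694-144-2|d/d-wx-wx-wx|0|0|56|1600000000|1600000000|1600000000|1600000000
0|C:/Temp|31337-144-1|d/d-wx-wx-wx|0|0|0|1600000000|1600000000|1600000000|1600000000
0|C:/Windows/System32|2048-144-1|d/d-wx-wx-wx|0|0|0|1600000000|1600000000|1600000000|1600000000
0|C:/Windows/System32/notepad.exe|4096-128-1|r/rrwxrwxrwx|0|0|200000|1600000000|1600000000|1600000000|1600000000
"""


def directory_paths(bodyfile_text: str) -> set:
    """Collect every directory path ('d' mode) and merge the ($FILE_NAME) duplicate entries."""
    dirs = set()
    for line in bodyfile_text.splitlines():
        fields = line.split("|")
        if len(fields) < 4 or not fields[3].startswith("d"):
            continue
        dirs.add(re.sub(r"\s*\(\$FILE_NAME\)$", "", fields[1]))
    return dirs


def full_path(directory: str, exe_name: str, mount_point: str, device_prefix: str) -> str:
    """Build the path the hash is computed over (device prefix and uppercasing are assumptions)."""
    if not directory.startswith(mount_point):
        raise ValueError(f"{directory!r} is not under mount point {mount_point!r}")
    rest = directory[len(mount_point):].replace("/", "\\").rstrip("\\")
    return (device_prefix + rest + "\\" + exe_name).upper()


def crack(bodyfile_text, exe_name, target_hash, hash_func, mount_point,
          device_prefix="\\DEVICE\\HARDDISKVOLUME1"):
    """Return every candidate full path whose hash equals target_hash (sorted; collisions included)."""
    hits = []
    for directory in directory_paths(bodyfile_text):
        candidate = full_path(directory, exe_name, mount_point, device_prefix)
        if hash_func(candidate) == target_hash:
            hits.append(candidate)
    return sorted(hits)


PF_NAME_LIMIT = 29


def prefetch_filename(exe_name: str, hash_value: int) -> str:
    """NAME-HASH.pf as Windows writes it: name uppercased and cut to 29 characters."""
    return f"{exe_name[:PF_NAME_LIMIT].upper()}-{hash_value:08X}.pf"


def parse_prefetch_filename(pf_name: str):
    """Split a .pf name into (name, hash, truncated). truncated is True when the name part
    is exactly 29 characters, so the original executable name may be unrecoverable."""
    stem = pf_name[:-3] if pf_name.lower().endswith(".pf") else pf_name
    name, hex_hash = stem.rsplit("-", 1)
    return name, int(hex_hash, 16), len(name) == PF_NAME_LIMIT


if __name__ == "__main__":
    # Demo: only the name of a (deleted) prefetch file is known; recover the full path.
    target = scca_vista_hash("\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NOTEPAD.EXE")
    pf = prefetch_filename("notepad.exe", target)
    name, h, truncated = parse_prefetch_filename(pf)
    print(pf, "truncated:", truncated, "->", crack(SAMPLE_BODYFILE, name, h, scca_vista_hash, "C:"))
```

The search returns every matching path rather than the first one, because a 32-bit hash over a large volume can produce more than one candidate and an examiner should see all of them. `parse_prefetch_filename` flags names that are exactly 29 characters long, which is the situation in the section above where the tool cannot be used.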
License
The development and release of this project follow the MIT License.
References
https://github.com/harelsegev/prefetch-hash-cracker#The-29-character-limit