
Unsupported Format Windows 11 prefetch file #16

Open
massimiliano-dalcero opened this issue Nov 11, 2024 · 6 comments

Comments


massimiliano-dalcero commented Nov 11, 2024

Description of the Issue:
Prefetch files generated on Windows 11 devices with Qualcomm processors are not recognized by libscca. When attempting to open these Prefetch files, libscca throws an error indicating that the file format is unsupported.

  File "/root/test.py", line 6, in <module>
    scca_file = pyscca.open_file_object(file_object)
OSError: pyscca_file_open_file_object: unable to open file. libscca_file_information_read_stream: invalid IO handle - unsupported format version. libscca_file_open_read: unable to read file information from stream. libscca_file_open_file_io_handle: unable to read from file handle.

Two example Prefetch files are attached to this issue for reference.

Steps to Reproduce:

  1. Use libscca to open a Prefetch file generated on a Windows 11 device with a Qualcomm processor.
  2. Observe that an error is thrown, indicating an unsupported format.

Expected Behavior:
libscca should be able to recognize and parse Prefetch files from Windows 11 with Qualcomm processors as it does with other Windows 11 platforms.

Actual Behavior:
libscca fails to open the Prefetch file and throws an error about an unsupported format.

Additional Information:

  • OS: Windows 11 on Qualcomm processor
  • Version of libscca: [indicate version, e.g., 20240427]

I have attached two sample Prefetch files generated on a Windows 11 Qualcomm device for reference.

Attachment:
prefetchs.zip

Best Regards,
Massimiliano

@joachimmetz joachimmetz changed the title Issue with Prefetch files on Windows 11 with Qualcomm processors: Unsupported Format? Unsupported Format Windows 11 prefetch file Nov 12, 2024

joachimmetz commented Nov 12, 2024

Thanks for flagging, I'll have a closer look when time permits. At first glance it looks like the format changed on Windows 11.

libscca_file_header_read_data: format version				: 31
libscca_file_header_read_data: signature				: SCCA
libscca_file_header_read_data: unknown1					: 0x00000011
libscca_file_header_read_data: file size				: 64582
libscca_file_header_read_data: executable filename			: DLLHOST.EXE
libscca_file_header_read_data: prefetch hash				: 0xc4f24392
libscca_file_header_read_data: unknown2					: 0x00000000

also see https://github.com/libyal/libscca/blob/main/documentation/Windows%20Prefetch%20File%20(PF)%20format.asciidoc#411-format-version

@massimiliano-dalcero

Hello @joachimmetz, thanks a lot for your reply! 😊

For additional information, I tested this morning on *.pf files from other Windows 11 Pro system (23H2 - 22631.4317) with Intel processors, and everything works correctly. However, with Windows 11 24H2 (intel), the files are not recognized.

Another note:
NirSoft WinPrefetchView (released in 2021) is able to open these files without any issues. It seemingly disregards the file version, yet still functions correctly.

Best regards 🙏
Massimiliano

@massimiliano-dalcero

Hello @joachimmetz,

I made a modification to the code by adding "31" as a valid value for io_handle->format_version checks alongside "30". After recompiling (on Ubuntu) and reinstalling the Python module, it now works successfully.

I’m not sure if Microsoft has added any additional details or changes in version 31, but compatibility seems to remain the same as before.

Best regards,
Massimiliano

@patatetom

hi,
other tools that handle Windows prefetch files include modifications that go in this direction...
no changelog file from Microsoft ? ;-)
regards, lacsaP.


joachimmetz commented Nov 13, 2024

> For additional information, I tested this morning on *.pf files from other Windows 11 Pro system (23H2 - 22631.4317) with Intel processors, and everything works correctly. However, with Windows 11 24H2 (intel), the files are not recognized.

@massimiliano-dalcero interesting, I assume this might be more a difference between 23H2 and 24H2 than the processor architecture.

> NirSoft WinPrefetchView (released in 2021) is able to open these files without any issues. It seemingly disregards the file version, yet still functions correctly.

So the problem with not being strict in parsers is that findings can easily be misrepresented. What is worse: clearly giving a warning, or potentially providing wrong information?

@patatetom blindly looking at other tools is rarely a good idea for forensic purposes, also see https://osdfir.blogspot.com/2020/09/testing-digital-forensic-data.html
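The two positions in this thread (accept version 31 alongside 30, versus stay strict and warn) can be made concrete in a small header parser. The following is an added example, not libscca's code: it reads the fields libscca prints above (format version, `SCCA` signature, unknown1, file size, UTF-16LE executable filename, prefetch hash, unknown2) from an uncompressed SCCA header and applies an explicit version policy. Version 31 is treated as provisional: rejected in strict mode, accepted with a recorded warning otherwise. The layout of version 31 being identical to version 30 is an assumption taken from the comments here, not something this example verifies, and the `build_sample_header` input is constructed from the values in the debug output. The `MAM\x04` check reflects that Windows 10 and later store prefetch files LZXPRESS-Huffman compressed; decompression is outside this example.

```python
"""Minimal Windows Prefetch (SCCA) header parser with an explicit
format-version policy. Added example; not libscca code."""
import struct
from dataclasses import dataclass, field

HEADER_SIZE = 84            # fields up to and including unknown2
SIGNATURE = b"SCCA"
MAM_SIGNATURE = b"MAM\x04"  # Windows 10+ prefetch files are compressed and start with this

# Format versions documented for libscca and the Windows generation they belong to.
KNOWN_VERSIONS = {
    17: "Windows XP / 2003",
    23: "Windows Vista / 7",
    26: "Windows 8.1",
    30: "Windows 10 / 11",
}
# Version observed in this issue on Windows 11 24H2. ASSUMPTION: its field layout
# matches version 30; nothing here verifies the rest of the file.
PROVISIONAL_VERSIONS = {31: "Windows 11 24H2 (observed in libscca issue #16)"}


class UnsupportedFormatVersion(ValueError):
    """Raised when the header carries a version the policy does not accept."""


@dataclass
class PrefetchHeader:
    format_version: int
    unknown1: int
    file_size: int
    executable_filename: str
    prefetch_hash: int
    unknown2: int
    warnings: list = field(default_factory=list)


def is_compressed(data: bytes) -> bool:
    """True if the buffer still carries the MAM compression signature."""
    return data[:4] == MAM_SIGNATURE


def parse_header(data: bytes, strict: bool = True) -> PrefetchHeader:
    """Parse the 84-byte SCCA header. strict=True refuses provisional versions;
    strict=False accepts them but records a warning for the analyst."""
    if is_compressed(data):
        raise ValueError("buffer is MAM-compressed; decompress before parsing the SCCA header")
    if len(data) < HEADER_SIZE:
        raise ValueError(f"need at least {HEADER_SIZE} bytes, got {len(data)}")

    version, signature, unknown1, file_size = struct.unpack_from("<I4sII", data, 0)
    if signature != SIGNATURE:
        raise ValueError(f"bad signature {signature!r}, expected {SIGNATURE!r}")
    # Offsets 16..75: 60 bytes of UTF-16LE executable name, NUL terminated.
    name = data[16:76].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    prefetch_hash, unknown2 = struct.unpack_from("<II", data, 76)

    warnings = []
    if version in KNOWN_VERSIONS:
        pass
    elif version in PROVISIONAL_VERSIONS:
        msg = (f"format version {version} ({PROVISIONAL_VERSIONS[version]}) is provisional; "
               f"field layout assumed identical to version 30")
        if strict:
            raise UnsupportedFormatVersion(msg)
        warnings.append(msg)
    else:
        raise UnsupportedFormatVersion(f"unknown format version {version}")
    if file_size != len(data):
        warnings.append(f"header file size {file_size} != buffer length {len(data)}")

    return PrefetchHeader(version, unknown1, file_size, name, prefetch_hash, unknown2, warnings)


def build_sample_header(format_version: int, executable_filename: str,
                        file_size: int, prefetch_hash: int, unknown1: int = 0x11) -> bytes:
    """Constructed test input: an uncompressed SCCA header padded with zeros to file_size."""
    name = executable_filename.encode("utf-16-le")[:58].ljust(60, b"\x00")
    header = (struct.pack("<I4sII", format_version, SIGNATURE, unknown1, file_size)
              + name + struct.pack("<II", prefetch_hash, 0))
    return header.ljust(file_size, b"\x00")


if __name__ == "__main__":
    # Values taken from the libscca debug output quoted in this issue.
    sample = build_sample_header(31, "DLLHOST.EXE", 64582, 0xC4F24392)
    try:
        parse_header(sample)
    except UnsupportedFormatVersion as exc:
        print("strict:", exc)
    hdr = parse_header(sample, strict=False)
    print("lenient:", hdr.executable_filename, hex(hdr.prefetch_hash), hdr.warnings)
```

Running it prints the strict refusal first and then the parsed name and hash with the provisional-version warning attached, which is the middle ground between silently accepting an unknown version and refusing to parse at all.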

@patatetom

it's just a link that shows that the changes made on this other tool - for now - only concern the simple addition of a new header, and that this is in line with the comment left by massimiliano.
I'm having the same problem with PF files in Windows 11 24H2 and so I'm following the development of libscca, which I use (once again, many thanks for this and all the other libraries).
regards, lacsaP.
