David Nides · Apr 4, 2013 · 10:23 PM UTC

David Nides @DAVNADS

4 Apr 2013

Is there any way to reverse the hash at the end of a prefetch file to get the full path info? #DFIR

Hal Pomeranz · Apr 4, 2013 · 10:26 PM UTC

Hal Pomeranz · Apr 4, 2013 · 10:26 PM UTC

Hal Pomeranz @hal_pomeranz

4 Apr 2013

Replying to @DAVNADS

@DAVNADS The EXE name is included in the mapped files list in the PF file. Is that sufficient?

Apr 4, 2013 · 10:26 PM UTC

David Nides · Apr 4, 2013 · 10:30 PM UTC

David Nides @DAVNADS

4 Apr 2013

@hal_pomeranz lets pretend I don't have the file just the file name :-)

Hal Pomeranz · Apr 4, 2013 · 10:32 PM UTC

Hal Pomeranz @hal_pomeranz

4 Apr 2013

@DAVNADS AFAIK that PF file path hashing algorithm has not been reversed

David Nides · Apr 4, 2013 · 10:30 PM UTC

David Nides @DAVNADS

4 Apr 2013

@hal_pomeranz its never that easy ;-)