David Nides · Apr 4, 2013 · 10:23 PM UTC

David Nides @DAVNADS

4 Apr 2013

Is there any way to reverse the hash at the end of a prefetch file to get the full path info? #DFIR

Hal Pomeranz · Apr 4, 2013 · 10:26 PM UTC

Hal Pomeranz @hal_pomeranz

4 Apr 2013

@DAVNADS The EXE name is included in the mapped files list in the PF file. Is that sufficient?

David Nides · Apr 4, 2013 · 10:30 PM UTC

David Nides @DAVNADS

4 Apr 2013

@hal_pomeranz lets pretend I don't have the file just the file name :-)

Hal Pomeranz · Apr 4, 2013 · 10:32 PM UTC

Hal Pomeranz · Apr 4, 2013 · 10:32 PM UTC

Hal Pomeranz @hal_pomeranz

4 Apr 2013

Replying to @DAVNADS

@DAVNADS AFAIK that PF file path hashing algorithm has not been reversed

Apr 4, 2013 · 10:32 PM UTC

This tweet is unavailable

David Nides · Apr 5, 2013 · 12:56 AM UTC

David Nides @DAVNADS

5 Apr 2013

@hunterforensics @hal_pomeranz thx saw this. Great research. Makes me want to go dark and figure out how to reverse it.