A library for fast parse & import of Windows Prefetch into Elasticsearch.

Last update: Nov 24, 2022

Overview

prefetch2es

Fast import of Windows Prefetch(.pf) into Elasticsearch.

prefetch2es uses C library libscca.

Usage

When using from the commandline interface:

$ prefetch2es /path/to/your/file.pf

When using from the python-script:

from prefetch2es.prefetch2es import prefetch2es

if __name__ == '__main__':
    filepath = '/path/to/your/file.pf'
    prefetch2es(filepath)

Arguments

prefetch2es supports importing from multiple files.

$ prefetch2es file1.pf file2.pf file3.pf

Also, possible to import recursively from a specific directory.

$ tree .
pffiles/
  ├── file1.pf
  ├── file2.pf
  ├── file3.pf
  └── subdirectory/
    ├── file4.pf
    └── subsubdirectory/
      ├── file5.pf
      └── file6.pf

$ prefetch2es /pffiles/ # The Path is recursively expanded to file1~6.pf.

Options

--host: 
    ElasticSearch host address
    (default: localhost)

--port: 
    ElasticSearch port number
    (default: 9200)

--index: 
    Index name
    (default: prefetch2es)

--scheme:
  Scheme to use (http, or https)
  (default: http)

--pipeline
  Elasticsearch Ingest Pipeline to use
  (default: )

--login:
  The login to use if Elastic Security is enable
  (default: )

--pwd:
  The password linked to the login provided
  (default: )

Examples

When using from the commandline interface:

$ prefetch2es /path/to/your/file.pf --host=localhost --port=9200 --index=foobar

When using from the python-script:

if __name__ == '__main__':
    prefetch2es('/path/to/your/file.pf', host=localhost, port=9200, index='foobar')

With the Amazon Elasticsearch Serivce (ES):

$ prefetch2es /path/to/your/file.pf --host=example.us-east-1.es.amazonaws.com --port=443 --scheme=https --index=foobar

With credentials for Elastic Security:

$ prefetch2es /path/to/your/file.pf --host=localhost --port=9200 --index=foobar --login=elastic --pwd=******

Note: The current version does not verify the certificate.

Supported Prefetch versions

Windows XP
Windows 2003
Windows Vista (SP0)
Windows 7 (SP0)
Windows 8.1
Windows 10 1809
Windows 10 1903

For more information, please visit libscca.

Appendix

prefetch2json

Extra feature. 🍣 🍣 🍣

Convert from Windows Prefetch to json file.

$ prefetch2json /path/to/your/file.pf /path/to/output/target.json

Convert from Windows Prefetch to Python dict object.

from prefetch2es import prefetch2json

if __name__ == '__main__':
  filepath = '/path/to/your/file.pf'
  result: dict = prefetch2json(filepath)

Output Format Example

Using the sample prefetch file of EricZimmerman/Prefetch as an example.

{
  "name": "CALC.EXE",
  "filenames": [
    "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
    ...
  ],
  "exec_count": 2,
  "last_exec_time": 130974496211967500,
  "format_version": 23,
  "prefetch_hash": 2013131135,
  "metrics": [
    {
      "filename": "\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
      "file_reference": 281474976736310
    },
    ...
  ],
  "volumes": [
    {
      "path": "\\DEVICE\\HARDDISKVOLUME2",
      "creation_time": 130974525181093750,
      "serial_number": 2281737263
    }
  ]
}

Installation

via PyPI

$ pip install prefetch2es

via DockerHub

$ docker pull sumeshi/prefetch2es:latest

Run with Docker

https://hub.docker.com/r/sumeshi/prefetch2es

prefetch2es

# "host.docker.internal" is only available in mac and windows environments.
# For linux, use the --add-host option.
$ docker run -t --rm -v $(pwd):/app/work sumeshi/prefetch2es:latest prefetch2es /app/work/SAMPLE.pf --host=host.docker.internal

prefetch2json

$ docker run -t --rm -v $(pwd):/app/work sumeshi/prefetch2es:latest prefetch2es /app/work/SAMPLE.pf /app/work/out.json

Do not use the "latest" image if at all possible.
The "latest" image is not a released version, but is built from the contents of the master branch.

Contributing

CONTRIBUTING

The source code for prefetch2es is hosted at GitHub, and you may download, fork, and review it from this repository(https://github.com/sumeshi/prefetch2es). Please report issues and feature requests. 🍣 🍣 🍣

License

prefetch2es is released under the MIT License.

A library for fast parse & import of Windows Prefetch into Elasticsearch.

Related tags

Overview

prefetch2es

Usage

Arguments

Options

Examples

Supported Prefetch versions

Appendix

prefetch2json

Output Format Example

Installation

via PyPI

via DockerHub

Run with Docker

prefetch2es

prefetch2json

Contributing

License

Owner

S.Nakano

This project is a sample demo of Arxiv search related to AI/ML Papers built using Streamlit, sentence-transformers and Faiss.

Reverse-ikea-image-search - A simple image of ikea search using jina.ai

基于RSSHUB阅读器实现的获取P站排行和P站搜图，使用时需使用代理

Pythonic search engine based on PyLucene.

Pysolr — Python Solr client

Full text search for flask.

document organizer with tags and full-text-search, in a simple and clean sqlite3 schema

A simple tool for searching images inside a local folder with text/image input using CLIP

A simple search engine that allow searching for chess games

Simple algorithm search engine like google in python using function

A Python web searcher library with different search engines

Deep Image Search - AI-Based Image Search Engine

Senginta is All in one Search Engine Scrapper for used by API or Python Module. It's Free!

PwnWiki Telegram database searching bot

Wagtail CLIP allows you to search your Wagtail images using natural language queries.

Eland is a Python Elasticsearch client for exploring and analyzing data in Elasticsearch with a familiar Pandas-compatible API.

A sentence search engine that fetches examples from trusted news/media organisations. Great for writing better English.

ElasticSearch ODM (Object Document Mapper) for Python - pip install esengine

Modular search for Django

PwnWiki 数据库搜索命令行工具；该工具有点像 searchsploit 命令，只是搜索的不是 Exploit Database 而是 PwnWiki 条目