This schema was originally developed by The MITRE Corporation. The CybOX XML Schema implementation is maintained by The MITRE Corporation and developed by the open CybOX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the CybOX website at http://cybox.mitre.org. Win_Prefetch_Object 2.1 01/22/2014 The following specifies the fields and types that compose this defined CybOX Object type. Each defined object is an extension of the abstract ObjectPropertiesType, defined in CybOX Common. For more information on this extension mechanism, please see the CybOX Specification. This document is intended for developers and assumes some familiarity with XML. Copyright (c) 2012-2014, The MITRE Corporation. All rights reserved. The contents of this file are subject to the terms of the CybOX License located at http://cybox.mitre.org/about/termsofuse.html. See the CybOX License for the specific language governing permissions and limitations for use of this schema. When distributing copies of the CybOX Schema, this license header must be included. The Windows_Prefetch_Entry object is intended to characterize entries in the Windows prefetch files. Starting with Windows XP, prefetching was introduced to speed up application startup. The prefetch object draws upon the descriptions and XML sample at http://www.forensicswiki.org/wiki/Prefetch_XML. The WindowsPrefetchObjectType type is intended to characterize entries in the Windows prefetch files. Starting with Windows XP, prefetching was introduced to speed up application startup. The prefetch object draws upon the descriptions and XML sample at http://www.forensicswiki.org/wiki/Prefetch_XML. Name of the executable of the prefetch file. An eight character hash of the location from which the application was run. The number of times the prefetch application has executed. Timestamp of when the prefetch application was first run. Timestamp of when the prefetch application was last run. The volume from which the prefetch application was run. If the applicatin was run from multiple volumes, there will be a separate prefetch file for each. Files (e.g., DLLs and other support files) used by the application during startup. Directories accessed by the prefetch application during startup. The AccessedFileListType specifies a list of files accessed by a prefetch application. Specifies the filename of the accessed file. The AccessedDirectoryListType specifies a list of directories accessed by a prefetch application. Specifies the pathname of the accessed directory. VolumeType characterizes the volume information in the Windows prefetch file. The volume that the prefetch application was run from. The only item in the prefecth file is the volume name. The device that the prefetch application was run from. The only item in the prefetch file is the device serial number.