Main schema Win_Prefetch_Object.xsd
Namespace http://cybox.mitre.org/objects#WinPrefetchObject-2
Annotations
This schema was originally developed by The MITRE Corporation. The CybOX XML Schema implementation is maintained by The MITRE Corporation and developed by the open CybOX Community. For more information, including how to get involved in the effort and how to submit change requests, please visit the CybOX website at http://cybox.mitre.org.
Element WinPrefetchObj:Windows_Prefetch_Entry
Namespace http://cybox.mitre.org/objects#WinPrefetchObject-2
Annotations
The Windows_Prefetch_Entry object is intended to characterize entries in the Windows prefetch files. Starting with Windows XP, prefetching was introduced to speed up application startup. The prefetch object draws upon the descriptions and XML sample at http://www.forensicswiki.org/wiki/Prefetch_XML.
Type WinPrefetchObj:WindowsPrefetchObjectType
Children WinPrefetchObj:Accessed_Directory_List, WinPrefetchObj:Accessed_File_List, WinPrefetchObj:Application_File_Name, WinPrefetchObj:First_Run, WinPrefetchObj:Last_Run, WinPrefetchObj:Prefetch_Hash, WinPrefetchObj:Times_Executed, WinPrefetchObj:Volume
Source
<xs:element name="Windows_Prefetch_Entry" type="WinPrefetchObj:WindowsPrefetchObjectType">
  <xs:annotation>
    <xs:documentation>The Windows_Prefetch_Entry object is intended to characterize entries in the Windows prefetch files. Starting with Windows XP, prefetching was introduced to speed up application startup. The prefetch object draws upon the descriptions and XML sample at http://www.forensicswiki.org/wiki/Prefetch_XML.</xs:documentation>
  </xs:annotation>
</xs:element>
Element WinPrefetchObj:WindowsPrefetchObjectType / WinPrefetchObj:Application_File_Name
Namespace http://cybox.mitre.org/objects#WinPrefetchObject-2
Annotations
Name of the executable of the prefetch file.
Type StringObjectPropertyType
Source
<xs:element name="Application_File_Name" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Name of the executable of the prefetch file.</xs:documentation>
  </xs:annotation>
</xs:element>
Element WinPrefetchObj:WindowsPrefetchObjectType / WinPrefetchObj:Prefetch_Hash
Namespace http://cybox.mitre.org/objects#WinPrefetchObject-2
Annotations
An eight character hash of the location from which the application was run.
Type StringObjectPropertyType
Source
<xs:element name="Prefetch_Hash" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>An eight character hash of the location from which the application was run.</xs:documentation>
  </xs:annotation>
</xs:element>
Element WinPrefetchObj:WindowsPrefetchObjectType / WinPrefetchObj:Times_Executed
Namespace http://cybox.mitre.org/objects#WinPrefetchObject-2
Annotations
The number of times the prefetch application has executed.
Type LongObjectPropertyType
Source
<xs:element name="Times_Executed" type="cyboxCommon:LongObjectPropertyType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The number of times the prefetch application has executed.</xs:documentation>
  </xs:annotation>
</xs:element>
Element WinPrefetchObj:WindowsPrefetchObjectType / WinPrefetchObj:First_Run
Namespace http://cybox.mitre.org/objects#WinPrefetchObject-2
Annotations
Timestamp of when the prefetch application was first run.
Type DateTimeObjectPropertyType
Source
<xs:element name="First_Run" type="cyboxCommon:DateTimeObjectPropertyType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Timestamp of when the prefetch application was first run.</xs:documentation>
  </xs:annotation>
</xs:element>
Element WinPrefetchObj:WindowsPrefetchObjectType / WinPrefetchObj:Last_Run
Namespace http://cybox.mitre.org/objects#WinPrefetchObject-2
Annotations
Timestamp of when the prefetch application was last run.
Type DateTimeObjectPropertyType
Source
<xs:element name="Last_Run" type="cyboxCommon:DateTimeObjectPropertyType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Timestamp of when the prefetch application was last run.</xs:documentation>
  </xs:annotation>
</xs:element>
Element WinPrefetchObj:WindowsPrefetchObjectType / WinPrefetchObj:Volume
Namespace http://cybox.mitre.org/objects#WinPrefetchObject-2
Annotations
The volume from which the prefetch application was run. If the application was run from multiple volumes, there will be a separate prefetch file for each.
Type WinPrefetchObj:VolumeType
Children WinPrefetchObj:DeviceItem, WinPrefetchObj:VolumeItem
Source
<xs:element name="Volume" type="WinPrefetchObj:VolumeType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>The volume from which the prefetch application was run. If the application was run from multiple volumes, there will be a separate prefetch file for each.</xs:documentation>
  </xs:annotation>
</xs:element>
Element WinPrefetchObj:VolumeType / WinPrefetchObj:VolumeItem
Namespace http://cybox.mitre.org/objects#WinPrefetchObject-2
Annotations
The volume that the prefetch application was run from. The only item in the prefetch file is the volume name.
Type WindowsVolumeObjectType
Source
<xs:element name="VolumeItem" type="WinVolumeObj:WindowsVolumeObjectType" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The volume that the prefetch application was run from. The only item in the prefetch file is the volume name.</xs:documentation>
  </xs:annotation>
</xs:element>
Element WinPrefetchObj:VolumeType / WinPrefetchObj:DeviceItem
Namespace http://cybox.mitre.org/objects#WinPrefetchObject-2
Annotations
The device that the prefetch application was run from. The only item in the prefetch file is the device serial number.
Type DeviceObjectType
Source
<xs:element name="DeviceItem" type="DeviceObj:DeviceObjectType" minOccurs="0" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>The device that the prefetch application was run from. The only item in the prefetch file is the device serial number.</xs:documentation>
  </xs:annotation>
</xs:element>
Element WinPrefetchObj:WindowsPrefetchObjectType / WinPrefetchObj:Accessed_File_List
Namespace http://cybox.mitre.org/objects#WinPrefetchObject-2
Annotations
Files (e.g., DLLs and other support files) used by the application during startup.
Type WinPrefetchObj:AccessedFileListType
Children WinPrefetchObj:Accessed_Filename
Source
<xs:element name="Accessed_File_List" type="WinPrefetchObj:AccessedFileListType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Files (e.g., DLLs and other support files) used by the application during startup.</xs:documentation>
  </xs:annotation>
</xs:element>
Element WinPrefetchObj:AccessedFileListType / WinPrefetchObj:Accessed_Filename
Namespace http://cybox.mitre.org/objects#WinPrefetchObject-2
Annotations
Specifies the filename of the accessed file.
Type StringObjectPropertyType
Source
<xs:element name="Accessed_Filename" type="cyboxCommon:StringObjectPropertyType" minOccurs="1" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>Specifies the filename of the accessed file.</xs:documentation>
  </xs:annotation>
</xs:element>
Element WinPrefetchObj:WindowsPrefetchObjectType / WinPrefetchObj:Accessed_Directory_List
Namespace http://cybox.mitre.org/objects#WinPrefetchObject-2
Annotations
Directories accessed by the prefetch application during startup.
Type WinPrefetchObj:AccessedDirectoryListType
Children WinPrefetchObj:Accessed_Directory
Source
<xs:element name="Accessed_Directory_List" type="WinPrefetchObj:AccessedDirectoryListType" minOccurs="0">
  <xs:annotation>
    <xs:documentation>Directories accessed by the prefetch application during startup.</xs:documentation>
  </xs:annotation>
</xs:element>
Element WinPrefetchObj:AccessedDirectoryListType / WinPrefetchObj:Accessed_Directory
Namespace http://cybox.mitre.org/objects#WinPrefetchObject-2
Annotations
Specifies the pathname of the accessed directory.
Type StringObjectPropertyType
Source
<xs:element name="Accessed_Directory" type="cyboxCommon:StringObjectPropertyType" minOccurs="1" maxOccurs="unbounded">
  <xs:annotation>
    <xs:documentation>Specifies the pathname of the accessed directory.</xs:documentation>
  </xs:annotation>
</xs:element>
Complex Type WinPrefetchObj:WindowsPrefetchObjectType
Namespace http://cybox.mitre.org/objects#WinPrefetchObject-2
Annotations
The WindowsPrefetchObjectType type is intended to characterize entries in the Windows prefetch files. Starting with Windows XP, prefetching was introduced to speed up application startup. The prefetch object draws upon the descriptions and XML sample at http://www.forensicswiki.org/wiki/Prefetch_XML.
Type extension of ObjectPropertiesType
Children WinPrefetchObj:Accessed_Directory_List, WinPrefetchObj:Accessed_File_List, WinPrefetchObj:Application_File_Name, WinPrefetchObj:First_Run, WinPrefetchObj:Last_Run, WinPrefetchObj:Prefetch_Hash, WinPrefetchObj:Times_Executed, WinPrefetchObj:Volume
Source
<xs:complexType name="WindowsPrefetchObjectType">
  <xs:annotation>
    <xs:documentation>The WindowsPrefetchObjectType type is intended to characterize entries in the Windows prefetch files. Starting with Windows XP, prefetching was introduced to speed up application startup. The prefetch object draws upon the descriptions and XML sample at http://www.forensicswiki.org/wiki/Prefetch_XML.</xs:documentation>
  </xs:annotation>
  <xs:complexContent>
    <xs:extension base="cyboxCommon:ObjectPropertiesType">
      <xs:sequence>
        <xs:element name="Application_File_Name" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>Name of the executable of the prefetch file.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Prefetch_Hash" type="cyboxCommon:StringObjectPropertyType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>An eight character hash of the location from which the application was run.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Times_Executed" type="cyboxCommon:LongObjectPropertyType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The number of times the prefetch application has executed.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="First_Run" type="cyboxCommon:DateTimeObjectPropertyType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>Timestamp of when the prefetch application was first run.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Last_Run" type="cyboxCommon:DateTimeObjectPropertyType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>Timestamp of when the prefetch application was last run.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Volume" type="WinPrefetchObj:VolumeType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>The volume from which the prefetch application was run. If the application was run from multiple volumes, there will be a separate prefetch file for each.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Accessed_File_List" type="WinPrefetchObj:AccessedFileListType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>Files (e.g., DLLs and other support files) used by the application during startup.</xs:documentation>
          </xs:annotation>
        </xs:element>
        <xs:element name="Accessed_Directory_List" type="WinPrefetchObj:AccessedDirectoryListType" minOccurs="0">
          <xs:annotation>
            <xs:documentation>Directories accessed by the prefetch application during startup.</xs:documentation>
          </xs:annotation>
        </xs:element>
      </xs:sequence>
    </xs:extension>
  </xs:complexContent>
</xs:complexType>
Complex Type WinPrefetchObj:VolumeType
Namespace http://cybox.mitre.org/objects#WinPrefetchObject-2
Annotations
VolumeType characterizes the volume information in the Windows prefetch file.
Children WinPrefetchObj:DeviceItem, WinPrefetchObj:VolumeItem
Source
<xs:complexType name="VolumeType">
  <xs:annotation>
    <xs:documentation>VolumeType characterizes the volume information in the Windows prefetch file.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="VolumeItem" type="WinVolumeObj:WindowsVolumeObjectType" minOccurs="0" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>The volume that the prefetch application was run from. The only item in the prefetch file is the volume name.</xs:documentation>
      </xs:annotation>
    </xs:element>
    <xs:element name="DeviceItem" type="DeviceObj:DeviceObjectType" minOccurs="0" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>The device that the prefetch application was run from. The only item in the prefetch file is the device serial number.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type WinPrefetchObj:AccessedFileListType
Namespace http://cybox.mitre.org/objects#WinPrefetchObject-2
Annotations
The AccessedFileListType specifies a list of files accessed by a prefetch application.
Children WinPrefetchObj:Accessed_Filename
Source
<xs:complexType name="AccessedFileListType">
  <xs:annotation>
    <xs:documentation>The AccessedFileListType specifies a list of files accessed by a prefetch application.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="Accessed_Filename" type="cyboxCommon:StringObjectPropertyType" minOccurs="1" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>Specifies the filename of the accessed file.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>
Complex Type WinPrefetchObj:AccessedDirectoryListType
Namespace http://cybox.mitre.org/objects#WinPrefetchObject-2
Annotations
The AccessedDirectoryListType specifies a list of directories accessed by a prefetch application.
Children WinPrefetchObj:Accessed_Directory
Source
<xs:complexType name="AccessedDirectoryListType">
  <xs:annotation>
    <xs:documentation>The AccessedDirectoryListType specifies a list of directories accessed by a prefetch application.</xs:documentation>
  </xs:annotation>
  <xs:sequence>
    <xs:element name="Accessed_Directory" type="cyboxCommon:StringObjectPropertyType" minOccurs="1" maxOccurs="unbounded">
      <xs:annotation>
        <xs:documentation>Specifies the pathname of the accessed directory.</xs:documentation>
      </xs:annotation>
    </xs:element>
  </xs:sequence>
</xs:complexType>