Daily Blog #72: Understanding the artifacts Prefetch

Understanding the artifacts Prefetch by David Cowen - HECF Blog

Hello Reader,
            I hope you got some time off for the labor day weekend, I know I enjoyed my weekend. We have another forensic lunch coming up this Friday 9/6/13 at noon, make sure to let know you are coming to get the link as soon as it goes live here: https://plus.google.com/u/0/events/cjng3fsgmksiiubfs9h7f8dqb64?authkey=CLC4nKvk24GEZg. Today we continue the understanding series to talk about Prefetch files, I think I'm almost done.

To learn more about the data structures and the like of Prefetch files start here:

You can download a good prefetch parser from Tzworks here: https://www.tzworks.net/prototype_page.php?proto_id=1

I would like to think that all of us know what Prefetch files are, do and have our preferred tools for examining them. What you need to understand about Prefetch files is summarized below:

  • Determine first execution time of an executable referenced by this prefetch file
  • Determine last execution time of an executable referenced by this prefetch file
  • Determine the number of executions of an executable referenced by this prefetch file
  • What files and directories were loaded within the first few seconds of execution by this prefetch file
In terms of usage, which is our focus is in this series, we care most about what files and directories were loaded. Prefetch files get deleted after the maximum number of them exist (128 in xp/vista/7, 1024 in 8) with the oldest and not updated being deleted first and they get updated on each execution. There is one other caveat thats important to understand and highlighted in bold in the list above, prefetch files are not consolidated for an application like registry settings are. Here are a couple of examples
  • If a program is executed and not executed again until after 128 other program executions the old prefetch file will have been deleted and a new prefetch file will be created after. 
  • A prefetch is made for every program with a postfix on the filename that is a hash of the full path. 
  • If the prefetch files were deleted by a cleaning utility they would be regenerated on the next execution of the same program
We care mostly about identifying documents we care about being loaded on application start and the last time that the program executed. For instance lets say a copy or backup utility was running that provided us with no log or database of files being backed up. In those instances the paths fed into the program to copy may be located within the prefetch file. 

This is really helpful if the program in question is running from an external drive as its unique hash due to he external drive access will not be overwritten by any local versions of the same program.  If we have a program that has been executed multiple times and may be referencing files we care about then you should look into the shadow copies as they are also stored within them! 

Lastly Eric Zimmerman has reported that Windows 8 now has prefetch files on by default for all systems (ssd or not) and keeps up 1024 prefetch files. So with Windows 8 slowly being adopted you may have more prefetch files to analyze in your future then you had before!

Also Read: Daily Blog #71

Post a Comment