Windows Prefetcher and forensic analysis

When doing Forensic analysis, many times you need to find if a user had run a binary on the analyzed system, there are some places where we can obtain information about application run s like entries in the "RunMRU" registry location (HKEY_CURRENT_USER \ Software \ Microsoft \ Windows \ CurrentVersion \ Explorer \ RunMRU), but today i will talk about the Prefetcher files.

The Prefetcher:

"It is a component of the Memory manager that speeds up the Windows boot process, and shortens the amount of time it takes to start up programs."

"Windows XP monitors the files that are used when the computer starts and when you start applications. By monitoring these files, Windows XP can prefetch them. Prefetching data is the process whereby data that is expected to be requested is read ahead into the cache. Prefetching boot files and applications decreases the time needed to start Windows XP and start applications."

This feature was introduced with XP, and it's available in VISTA.

In short when you launch an application windows will create .pf file in the prefetch directory (%SYSTEMROOT%\Prefetch\), this file will contain information to speed up future application startups.

This file contains different information about the application, but at the end of the file we can find the path of the file image.

The name of the file is FILE-HASH.pf, the HASH is calculated with the path of the file image, so if the same binary is run from two different location, we will have two different prefetch files.

So now you can find if an application was run on the Windows system and you can have the MAC times of the prefetch file and the image file to add to the timeline analysis, also there is a counter of how many times the application was used.  (You can use Windows File Analyzer to get all this information)

This could be helpful when analyzing Malware on infected machines, the malware maybe is deleted but the prefetch entry is still available, or to find the executable of the malware analyzing all the prefetch files.

Maybe you are wondering how many files Windows will save? It's supposed to maintain 128 entries, any entry over 128 will be flushed, most frequently used applications will be preserved.

Do you know more places to find information about applications runs?

More info on Prefetch

A tool for analyzing Prefetch directory: Windows File Analyzer

-CMM

1 comentarios:

Karlie said...

I recently came accross your blog and have been reading along. I thought I would leave my first comment. I dont know what to say except that I have enjoyed reading. Nice blog. I will keep visiting this blog very often.


Joannah

http://2gbmemory.net