Forensic value of the Prefetch directory  

keydet89
(@keydet89)
Community Legend

All,

I recently blogged about the forensic value of the Windows XP Prefetch directory, and wanted to get some input from others…maybe see if I'm barking up the wrong tree here or what:

http://windowsir.blogspot.com

Comments/questions welcome…

thanks,

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Posted : 24/03/2005 12:10 pm
andy1500mac
(@andy1500mac)
Member

Interesting…the initial thought that comes to mind is that finding any file within the prefetch folder without the .pf extension could be indicative of software being run or having been run, that the user may not have been aware of. For example a keylogger.

Might be a good place to check during network intrusion type forensic exam.

Andrew-

Posted : 24/03/2005 3:20 pm
keydet89
(@keydet89)
Community Legend

Andrew,

> …the initial thought that comes to mind is that finding any file within the prefetch folder without the .pf extension could be indicative of software being run or having been run, that the user may not have been aware of. For example a keylogger.

I'm not sure I follow…the reason being that files with the .pf extension would indicate an application that was run, not files without the extension.

> Might be a good place to check during network intrusion type forensic exam.

Exactly my thoughts. I've talked to a couple of forensics types, but they didn't seem to be aware of this directory (this doesn't mean that others do know of it). I found the results of the test I ran using an ADS to be very interesting, but I still have some other testing to do…

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Posted : 24/03/2005 5:38 pm
andy1500mac
(@andy1500mac)
Member

Hi Harlan,

After reading your blog, my assumption was that, seeing as you found mytest.txt in the prefetch folder and the .pf extension wasn't visible until after you ran LADS, anything similar found in the prefetch folder (meaning not containing the .pf extension on initial look) could be indicative of something suspicious.

I guess what I'm getting at is that you shouldn't find anything in that folder other than files with the .pf extension (normally)…?

Maybe I'm confusing things…

Posted : 24/03/2005 6:03 pm
keydet89
(@keydet89)
Community Legend

Andy,

Sorry, I thought the example I showed was pretty clear…I apologize.

What I found was that if an application is launched by any user on an XP system, a .pf file will be created or updated in the Prefetch directory. When the application is launched from within an ADS, that's when you see the unusual file shown in the results of LADS.

You're right about finding .pf as a result of normal activities. Some of the testing I've still got to do involves rootkits, and launching applications via other paths, such as mapped drives, etc.

It is interesting, though…an excellent resource. During my research on the subject, I found several sites geared towards performance issues, recommending that you delete the contents of the directory. This was counterintuitive to me, based on what the directory is used for. However, if this is done as a security measure, then this is definitely something that analysts should look for in the deleted files.

Another interesting fact, based on experimentation and documentation at MS, is that by default, XP does prefetching for the boot process and application launches, while 2003 does it for the boot process only.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Posted : 24/03/2005 6:47 pm
Andy
(@andy)
Active Member

Hi Harlan, I read your blog and although I must admit I have never really thought about Windows prefetch, something else caught my eye on the blog (it might be something for another topic): the article about timestamps within the registry. I agree the registry can be like a Windows log file, and it's an area I concentrate on during an analysis. Are you aware of 'UserAssist' (Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist) and the ROT12 encrypted entries? The last few bytes of each entry have a timestamp stored as Win64Bit time hex values. I am interested in these entries and use them as Explorer activity information.

Andy

Posted : 24/03/2005 7:45 pm
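Andy's description of the UserAssist entries (ROT-13 encoded value names, a 64-bit Windows FILETIME in the last eight bytes) is easy to turn into a decoder. The following is an added example written for this thread, not Andy's HTML/JavaScript translator or any tool Harlan describes. It assumes values have already been exported from the registry as name/data pairs, uses the 16-byte XP value layout (session id, run count, FILETIME), and applies the commonly documented XP quirk that the stored counter is the real run count plus 5; the sample value name and data are constructed, not captured from a real system.

```python
"""Decode Windows XP UserAssist value names and timestamps (added example, not from the thread)."""
import codecs
import struct
from datetime import datetime, timedelta, timezone

# Values live under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist
# (a GUID subkey per provider, each with a "Count" subkey). This code only parses
# exported name/data pairs; it never opens a live registry.

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
XP_COUNT_BIAS = 5  # XP stores (run count + 5); commonly documented, verify on your own test box
XP_VALUE_LEN = 16  # session id (4) + count (4) + FILETIME (8)


def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build constructed samples."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def decode_userassist_name(name):
    """UserAssist value names are ROT-13 obfuscated, not encrypted: rotate letters back."""
    return codecs.decode(name, "rot_13")


def parse_xp_userassist_value(name, data):
    """Return the decoded path, session id, true run count and last-run time for one value."""
    if len(data) < XP_VALUE_LEN:
        raise ValueError("UserAssist value too short: %d bytes" % len(data))
    session, raw_count, ft = struct.unpack("<IIQ", data[:XP_VALUE_LEN])
    return {
        "path": decode_userassist_name(name),
        "session": session,
        "run_count": max(raw_count - XP_COUNT_BIAS, 0),
        # A zero FILETIME means the entry carries no usable timestamp; do not report 1601-01-01.
        "last_run": filetime_to_datetime(ft) if ft else None,
    }


def build_sample_value(run_count, last_run, session=0):
    """Constructed XP-layout value data for demonstration (not real registry content)."""
    return struct.pack("<IIQ", session, run_count + XP_COUNT_BIAS, datetime_to_filetime(last_run))


def demo():
    """Decode one constructed entry: cmd.exe launched 3 times, last at 2005-03-24 19:45 UTC."""
    name = "HRZR_EHACNGU:P:\\Jvaqbjf\\flfgrz32\\pzq.rkr"  # constructed ROT-13 name
    data = build_sample_value(3, datetime(2005, 3, 24, 19, 45, tzinfo=timezone.utc))
    return parse_xp_userassist_value(name, data)


if __name__ == "__main__":
    rec = demo()
    print(rec["path"], rec["run_count"], rec["last_run"])
```

The timestamp is written in UTC, so no time-zone correction is applied during decoding; compare it against other UTC sources (file system MAC times, event logs) before converting to local time for a report. Entries whose FILETIME is zero are returned with `last_run` of `None` rather than a misleading 1601 date.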
andy1500mac
(@andy1500mac)
Member

Look forward to hearing of any results …

FYI: launching apps from a network drive seems to populate the local prefetch folder (on the user's machine)…did a quick test launching Stinger from a network drive after flushing my prefetch folder contents and it was populated immediately.

Andrew-

Posted : 24/03/2005 7:47 pm
hogfly
(@hogfly)
Active Member

Harlan,
I'd like to briefly comment on my experiences using prefetch files.
My major experiences in forensics have been in dealing with compromised hosts. In fact I'm setting up a research GenII honeynet for just this purpose.

The main question I get asked to solve is "How did the machine(s) get compromised"?
And I have to say I've had a lot of luck in analyzing compromised systems using prefetch files as a method of determining attack vector and what was recently run or what was running at the time of compromise. Finding out that a host was compromised after the user started a browser just minutes before helps immensely in time/date correlation.
Just wanted to throw my .02 out there and validate your findings. Prefetch is a valuable resource in any forensics analysis.

Posted : 26/03/2005 6:43 am
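Harlan's observation that every application launch creates or updates a .pf file, Andrew's suggestion to look for files in the directory that are not .pf files, and hogfly's use of last-run times for timeline correlation can all be done with one small triage script. The following is an added example for this thread, not code from Harlan's blog or any of the posters. It parses only the version-17 (Windows XP/2003) .pf header layout (executable name at offset 0x10, last-run FILETIME at 0x78, run count at 0x90), treats Layout.ini as the one expected non-.pf resident, and builds constructed header-only sample files in a temporary directory so it runs without a Windows system.

```python
"""Triage a Windows XP Prefetch directory: parse .pf headers, sort by last run, flag stray files.
Added example, not from the thread."""
import os
import struct
import tempfile
from datetime import datetime, timedelta, timezone

PF_SIGNATURE = b"SCCA"
PF_VERSION_XP = 0x11           # version 17 header layout: Windows XP and Server 2003
PF_HEADER_MIN = 0x98           # enough bytes to reach the run count at offset 0x90
KNOWN_NON_PF = {"layout.ini"}  # the XP prefetcher keeps its disk-layout file here; expected
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse conversion; used only to build the constructed samples below."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_xp_prefetch(data):
    """Return executable name, last-run time and run count from a version-17 .pf header."""
    if len(data) < PF_HEADER_MIN:
        raise ValueError("truncated header (%d bytes)" % len(data))
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != PF_SIGNATURE:
        raise ValueError("missing SCCA signature")
    if version != PF_VERSION_XP:
        raise ValueError("unsupported header version %d (only XP/2003 layout handled)" % version)
    # 60 bytes of UTF-16LE, NUL terminated, at 0x10..0x4C
    name = data[0x10:0x4C].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    (last_run_ft,) = struct.unpack_from("<Q", data, 0x78)
    (run_count,) = struct.unpack_from("<I", data, 0x90)
    return {"executable": name, "last_run": filetime_to_datetime(last_run_ft), "run_count": run_count}


def triage_prefetch_dir(path):
    """Return (timeline, oddities): parsed .pf records newest first, plus anything unexpected."""
    timeline, oddities = [], []
    for entry in sorted(os.listdir(path)):
        full = os.path.join(path, entry)
        if not os.path.isfile(full):
            continue
        if not entry.lower().endswith(".pf"):
            if entry.lower() not in KNOWN_NON_PF:
                oddities.append((entry, "non-.pf file in Prefetch directory"))
            continue
        with open(full, "rb") as fh:
            data = fh.read()
        try:
            record = parse_xp_prefetch(data)
        except ValueError as exc:          # .pf extension but not a parseable header
            oddities.append((entry, str(exc)))
            continue
        record["file"] = entry
        timeline.append(record)
    timeline.sort(key=lambda r: r["last_run"], reverse=True)
    return timeline, oddities


def build_sample_pf(name, last_run, run_count):
    """Constructed header-only .pf using version-17 offsets; not a real Windows file."""
    buf = bytearray(PF_HEADER_MIN)
    struct.pack_into("<I4s", buf, 0, PF_VERSION_XP, PF_SIGNATURE)
    struct.pack_into("<I", buf, 0x0C, len(buf))          # file size field
    encoded = name.encode("utf-16-le")[:58]               # leave room for the terminator
    buf[0x10:0x10 + len(encoded)] = encoded
    struct.pack_into("<Q", buf, 0x78, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, 0x90, run_count)
    return bytes(buf)


def demo_prefetch_triage():
    """Populate a temporary directory with constructed files and triage it."""
    utc = timezone.utc
    samples = {  # hashes in the file names are placeholders, not real prefetch hashes
        "CMD.EXE-00000001.pf": build_sample_pf("CMD.EXE", datetime(2005, 3, 24, 17, 38, tzinfo=utc), 3),
        "NOTEPAD.EXE-00000002.pf": build_sample_pf("NOTEPAD.EXE", datetime(2005, 3, 24, 12, 10, tzinfo=utc), 1),
        "Layout.ini": b"[OptimalLayoutFile]\r\n",  # expected resident, not flagged
        "mytest.txt": b"",                         # stray non-.pf file, flagged
    }
    with tempfile.TemporaryDirectory() as workdir:
        for fname, content in samples.items():
            with open(os.path.join(workdir, fname), "wb") as fh:
                fh.write(content)
        return triage_prefetch_dir(workdir)


if __name__ == "__main__":
    timeline, oddities = demo_prefetch_triage()
    for rec in timeline:
        print(rec["last_run"], rec["executable"], "runs=%d" % rec["run_count"], rec["file"])
    for entry, reason in oddities:
        print("ODD:", entry, reason)
```

Two caveats apply when running this against a real image. First, the last-run time in the header is the time the prefetcher last recorded a launch, so it should be correlated with the .pf file's own file-system timestamps and with the other artifacts on the host rather than read in isolation. Second, the EnablePrefetcher value the thread discusses selects what gets prefetched (1 = application launches, 2 = boot, 3 = both, 0 = disabled), which is why a 2003 system left at 2 produces no application .pf files; an empty directory on an XP system is therefore itself worth noting, as Harlan points out about deliberately cleared directories.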
keydet89
(@keydet89)
Community Legend

Thanks for your comments, everyone…I didn't expect this many comments on FF, as I didn't get any comments on the blog posts… 😯

Andy1500mac…what was the client operating system? The thing I'm finding is that XP Home doesn't exhibit this behaviour at all, but XP Pro seems to do it quite readily. Also, I changed the EnablePrefetcher Registry value on 2003 from '2' to '3' and couldn't get the same functionality. This was very strange. I'd like to hear what others are seeing.

Also, it's good to hear that others are using the Prefetch directory for these purposes. I would like to hear some specifics about the OS, though…

Andy…regarding your comments about the other topic, i.e., the Registry as a log file…I know about the UserAssist keys. In fact, I've got quite a few Registry keys to put into another book. Aren't the keys "encrypted" via Rot13, not Rot12? And the time values you mention should be fairly easy to translate.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Posted : 26/03/2005 11:44 am
Andy
(@andy)
Active Member

It is 13, slip of the finger 🙂 I have an HTML/JavaScript translator for them.

Andy

Posted : 26/03/2005 6:09 pm
andy1500mac
(@andy1500mac)
Member

XP Pro client, part of a domain with the EnablePrefetcher value set to (3), which is I believe the default.

Andrew-

Posted : 27/03/2005 12:46 am
keydet89
(@keydet89)
Community Legend

Andrew,

Thanks. I'll need to check it out on a couple more XP Home clients.

H. Carvey
"Windows Forensics and Incident Recovery"
http://www.windows-ir.com
http://windowsir.blogspot.com

Posted : 27/03/2005 2:48 pm