Prefetch folder is empty  

morpheusc
(@morpheusc)
New Member

Hi all,

I'm new to DFIR, and I'm helping on an incident case. After getting the VHD image, I found that the prefetch folder is empty. Any idea why the folder is empty?

Many thanks,
Mor

Posted : 23/01/2020 5:46 pm
BytesDigger
(@bytesdigger)
New Member

Prefetch is most likely disabled on this system. You can check the registry to see if it's enabled.

Look in the following registry hive
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters

There's a DWORD value called EnablePrefetcher

If that value is set to 0, then prefetch is disabled. Windows sometimes disables prefetch on computers with SSD drives. As SSD drives can be quite fast, there's not always a significant performance improvement from using prefetch. Since prefetch generates more write cycles on the disk, it wears down the SSD. It's possible that in your case, Windows may have disabled prefetch. However, if you have reason to believe that anti-forensics were used as part of your Forensic/IR case, then you may want to look for evidence that suggests this was done deliberately.

Hope this helps you,

JP

Posted : 23/01/2020 10:35 pm
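One way to check JP's registry value against the acquired image rather than a live machine, as an added example that is not part of this thread: it assumes the VHD is mounted at C:\mount and that a working copy of the hive goes to C:\case (both assumed paths), and that the shell is elevated.

```powershell
# Added example, not from the thread: read EnablePrefetcher from the SYSTEM hive of an
# acquired image instead of the live machine. Assumed paths: image mounted at C:\mount,
# working directory C:\case. Run from an elevated shell (reg.exe load requires it).
$ImageHive = 'C:\mount\Windows\System32\config\SYSTEM'
$WorkHive  = 'C:\case\SYSTEM'
$KeyName   = 'OfflineSYSTEM'   # temporary mount name under HKLM

# Work on a copy: reg.exe load needs write access to the hive file, and the
# original evidence should stay untouched.
New-Item -ItemType Directory -Path (Split-Path $WorkHive) -Force | Out-Null
Copy-Item -Path $ImageHive -Destination $WorkHive -Force

& reg.exe load "HKLM\$KeyName" $WorkHive | Out-Null
if ($LASTEXITCODE -ne 0) { throw "reg.exe load failed with exit code $LASTEXITCODE" }

try {
    # An offline hive has no CurrentControlSet link, so resolve the active control set
    # from the Select key the same way the running system would.
    $current = (Get-ItemProperty -Path "HKLM:\$KeyName\Select" -Name Current).Current
    $ccs     = 'ControlSet{0:D3}' -f $current
    $pfKey   = "HKLM:\$KeyName\$ccs\Control\Session Manager\Memory Management\PrefetchParameters"

    $props = Get-ItemProperty -Path $pfKey -ErrorAction Stop
    if ($null -eq $props.EnablePrefetcher) {
        "${ccs}: EnablePrefetcher is not set; the OS default for this edition applies"
    } else {
        # Documented values: 0 = disabled, 1 = application launch prefetching,
        # 2 = boot prefetching, 3 = both.
        $meaning = @{ 0 = 'disabled'; 1 = 'application launch only'
                      2 = 'boot only'; 3 = 'application launch and boot' }
        $v = [int]$props.EnablePrefetcher
        "${ccs}: EnablePrefetcher = $v ($($meaning[$v]))"
    }
}
finally {
    # Drop the provider's handle on the key so the hive can be detached, then unload it.
    $props = $null
    [GC]::Collect()
    & reg.exe unload "HKLM\$KeyName" | Out-Null
}
```

A value of 0 on an image from a Server edition is consistent with the default the thread arrives at; a value that differs from the platform default is the point at which the anti-forensics question JP raises becomes worth pursuing.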
keydet89
(@keydet89)
Community Legend

Is the system a Windows server?

Posted : 24/01/2020 11:43 am
morpheusc
(@morpheusc)
New Member

Yes, Windows

Posted : 24/01/2020 1:44 pm
morpheusc
(@morpheusc)
New Member

Thanks JP. Checking on the image.

Posted : 24/01/2020 1:57 pm
keydet89
(@keydet89)
Community Legend

Is it a Server system, such as Windows 2008, 2012, 2016, or 2019?

Posted : 24/01/2020 4:14 pm
BytesDigger
(@bytesdigger)
New Member

Good point… it would be disabled by default on a Server system!

Posted : 25/01/2020 3:58 am
morpheusc
(@morpheusc)
New Member

It is Windows Server 2016.

Posted : 28/01/2020 5:11 pm
morpheusc
(@morpheusc)
New Member

Seems disabled by default

Posted : 28/01/2020 5:19 pm