Windows 7 Pre-fetch File writes  
SamTIJ
(@samtij)
New Member

I would really appreciate some help on this. I am interested in understanding possible explanations for writes to a Windows Pre-fetch file occurring under the following circumstances on a laptop running Windows 7, approximately 8 hours after last use:

Closed laptop in sleep mode
Closed laptop in hibernate mode
Closed laptop in hybrid mode
Closed laptop with power management settings set to never (e.g. screen dim)
Closed laptop with settings for lid closure set to Do Nothing

Situation - I claim no use on the laptop for a period of 8+ hours and the laptop was found closed in a laptop bag and analysis showed the pre-fetch file write at the end of the 8+ hour period but did not show a shutdown event. The laptop was not connected to power - just battery.

I hope this makes sense - let me know if any further information is needed.

Posted : 05/03/2019 9:50 am
(@bunnysniper)
Active Member

Closed laptop in sleep mode
Closed laptop in hibernate mode
Closed laptop in hybrid mode
Closed laptop with power management settings set to never (e.g. screen dim)
Closed laptop with settings for lid closure set to Do Nothing

1. No file from disk executed, but potentially files in memory
2. Nothing happens
3. No file from disk executed, but potentially files in memory
4. Files from memory and disk executed
5. Files from memory and disk executed

The write to a prefetch file could have been triggered by a "Scheduled Task" or a classical AT job on Windows. Some kind of malware in memory could have done this in theory, too. In cases 4 and 5 the laptop is running as usual and all services (C>netstat -bano) are active and respond to incoming traffic.

Which file was modified, please? Full name and path please.

regards,
Robin

Posted : 05/03/2019 11:19 am
(@jaclaz)
Community Legend

The write to a prefetch file could have been triggered by a "Scheduled Task" or a classical AT job on Windows. Some kind of malware in memory could have done this in theory, too. In cases 4 and 5 the laptop is running as usual and all services (C>netstat -bano) are active and respond to incoming traffic.

Yep, besides malware, there could be differences if there was a connection (cabled or wireless) to the internet, or even only to a local LAN (disconnected from the internet), particularly if there are other "always-on" devices (let's say a router/hardware firewall, a NAS or any of the newish crappy IoT devices, like smart thermostats, IP cameras, etc.), again even if not actually connected to the internet.

Does anyone remember the good ol' times when you had (on desktops) AT power supplies and switching off actually meant switching off?

jaclaz

Posted : 05/03/2019 1:35 pm
SamTIJ
(@samtij)
New Member

Thank you very much for your reply Bunnysniper. Unfortunately, I don't have specific information (or current access to the disc image or device) on the files that were modified.

I do have a list of files that were analysed to determine the changes, which I will post here shortly.

I also have a somewhat vague reference to the matter, being-

The device shows the last files accessed to be on xx/xx/xxxx; however, these are writes to Windows pre-fetch files, and are not something a user would be able to access. Rather, these are modifications done by the Windows system to enable files to load faster and keep up with user selections.

To make the situation slightly clearer and provide an explanation for my scenarios 1-5: if I was confident the laptop was closed and in a bag and the last use was some 8+ hours earlier, could I readily show that the pre-fetch write was not related in any way to user interaction at or around that time? The laptop showed no evidence of a shutdown (the previous one being a week prior), and the last login was at the suggested time of last user interaction, just over 8 hours earlier.

Posted : 05/03/2019 1:48 pm
SamTIJ
(@samtij)
New Member

The searches were conducted on the following files-

pagefile.sys
swapfile.sys
$MFT
$LogFile
Hiberfil.sys

If it helps (and my apologies the information isn't more thorough and my questions are potentially too broad, this is beyond my skill set) it is also noted that information relating to the pre-fetch file write came from the registry files.

Posted : 05/03/2019 2:46 pm
SamTIJ
(@samtij)
New Member

One more piece of information that may be important. The pre-fetch file write was the last activity (file or user) for at least 24 hours.

Thank you for your reply Jaclaz, perhaps that information above is indicative that it might not be attributable to malware etc., on the basis that presumably it would have continued over the 24 hours or so after.

Posted : 05/03/2019 2:54 pm
(@bunnysniper)
Active Member

The searches were conducted on the following files-

pagefile.sys
swapfile.sys
$MFT
$LogFile
Hiberfil.sys

This will not lead to a successful investigation in a short time, sorry. Now it is important to analyse the *pf file. Evidence is not only the last write time, but the content *inside* the pf file itself. Correlate these times with the last recorded executions from amcache.hve and AppcompatCache. Take shellbags into consideration if you expect interactive user behavior.

If you can't find the solution I have some more locations you can look for evidence…

regards, Robin

PS a copy of amcache and shimcache might be inside the hiberfil.sys file. HiberRecon from Arsenal and Volatility could be your next good friends -)

Posted : 05/03/2019 3:34 pm
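Robin's point about looking at the content inside the *.pf file rather than at its last-write time alone, as an added Python example that is not from this thread: it reads the executable name, hash, last run time and run count from a Windows 7 (format version 23) prefetch header at their documented offsets, then compares that last run time with the .pf file's own $MFT modification time. The sample prefetch bytes, the executable name, the hash and the timestamps are all constructed for the example.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
PF_VERSION_WIN7 = 23   # Windows 7 .pf files use format version 23, uncompressed

def filetime_to_datetime(ft):
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)   # 100 ns ticks since 1601

def datetime_to_filetime(dt):
    td = dt - FILETIME_EPOCH
    return ((td.days * 86400 + td.seconds) * 1_000_000 + td.microseconds) * 10

def parse_prefetch_v23(data):
    # Offsets follow the documented version 23 header / file-information layout
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != b"SCCA" or version != PF_VERSION_WIN7:
        raise ValueError("not an uncompressed Windows 7 prefetch file")
    name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    pf_hash = struct.unpack_from("<I", data, 0x4C)[0]   # hash used in the .pf file name
    last_run = struct.unpack_from("<Q", data, 0x80)[0]  # FILETIME of the last execution
    run_count = struct.unpack_from("<I", data, 0x98)[0]
    return {"name": name, "hash": pf_hash,
            "last_run": filetime_to_datetime(last_run), "run_count": run_count}

def build_sample_prefetch(name, pf_hash, last_run, run_count):
    # Constructed sample: header and file-information block only; a real file
    # continues with the metrics, trace-chain, filename and volume sections
    buf = bytearray(0xA0)
    struct.pack_into("<I4s", buf, 0, PF_VERSION_WIN7, b"SCCA")
    struct.pack_into("<I", buf, 0x0C, len(buf))        # file size field
    enc = name.encode("utf-16-le")
    buf[0x10:0x10 + len(enc)] = enc
    struct.pack_into("<I", buf, 0x4C, pf_hash)
    struct.pack_into("<Q", buf, 0x80, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, 0x98, run_count)
    return bytes(buf)

def seconds_from_last_run(pf, mft_modified):
    # Gap between the execution time stored inside the .pf and the $MFT
    # modification time of the .pf itself: the prefetcher normally writes the
    # file about 10 s after the process starts, so a much larger gap stands out
    return (mft_modified - pf["last_run"]).total_seconds()

def demo():
    # All values constructed; the thread names no file, hash or timestamp
    last_run = datetime(2019, 3, 4, 22, 15, 0, tzinfo=timezone.utc)
    pf = parse_prefetch_v23(build_sample_prefetch("NOTEPAD.EXE", 0x1A2B3C4D, last_run, 7))
    mft_modified = last_run + timedelta(seconds=10)    # constructed $MFT modified time
    return pf, seconds_from_last_run(pf, mft_modified)
```

The same last run time and run count are what you then line up against the Amcache and AppCompatCache entries for that executable.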
SamTIJ
(@samtij)
New Member

Thank you very much, and I fully appreciate that the process is detailed and time consuming. I will see if I can gain access to the disc image and take your advice on the method to approach the review.

Posted : 05/03/2019 4:33 pm