Hi everybody :) I'm a student who is learning Windows forensics. Recently I learned about Prefetch files and how to analyze them, but when I go through my Windows prefetch files I can see that the creation date for some programs is not correct.
As you can see, the creation date for some of them is 2103/2102/2065 and so on. How is that possible? A Windows bug? Running Windows 10 build 1709.
… when I go through my Windows prefetch files I can see that the creation date for some programs is not correct.
As you can see, the creation date for some of them is 2103/2102/2065 and so on. How is that possible?
To start with … what exactly is reported in each column? What tool or tools are you using?
Bugs in time stamp translation are not unheard of, but they are often tool dependent.
Hello,
I'm using the Windows built-in feature (Sort by > More > Choose details (Date created)), but I get the same results with NirSoft WinPrefetchView.
Hello,
I'm using the Windows built-in feature (Sort by > More > Choose details (Date created))
Details are extremely important in forensics.
1. What columns are being displayed in the screen dump you included? (As you don't include column headers, readers can only guess. But guesses are not useful.)
2. Is the column with the unusual years 'Date created'? Or is it some other time stamp? (The sort feature you mention also allows you to sort by columns that are not shown, so it need not be Date created.)
3. What is the column with the 'real' years?
But you also seem to say that you have sorted by Date created, and while column 2 appears to be sorted, it is sorted in reverse … which you don't mention. (And which I'm not sure Windows Explorer can be convinced to do … ? – I'm looking at Win10, latest update (10.0.17134.48).)
And just in case: are there any prefetch files showing empty time stamp fields? If there are, you may want to read
https://articles.forensicfocus.com/2013/04/06/interpretation-of-ntfs-timestamps/
which shows some circumstances in which that may happen. It may also suggest a possible explanation to your basic question.
Many thanks for the reply :) My bad, sorry.
The first column is the creation date (I sorted by it) and the second one is the modified time (execution time). Also, there is no prefetch file without a timestamp.
As you can see, the creation date is not normal. And to answer your question, the real year is in the second column (2018). TY
If you were handed an image to analyse, the timestamps could have been altered. Changing timestamps on disk can be done with one line of code for each common type:
' VB.NET: each call rewrites one file timestamp through the normal file API
System.IO.File.SetCreationTime("C:\Windows\Prefetch\DLLHOST.EXE-A15F3076.pf", Date.Now)
System.IO.File.SetLastAccessTime("C:\Windows\Prefetch\DLLHOST.EXE-A15F3076.pf", Date.Now)
System.IO.File.SetLastWriteTime("C:\Windows\Prefetch\DLLHOST.EXE-A15F3076.pf", Date.Now)
Never - ever - trust timestamps, always correlate with other events. I can edit them directly on disk as well, but that is slightly more challenging. There are even tools available for anyone to use like Timestomp.
If you were handed an image to analyse, the timestamps could have been altered. Changing timestamps on disk can be done with one line of code for each common type:
' VB.NET: each call rewrites one file timestamp through the normal file API
System.IO.File.SetCreationTime("C:\Windows\Prefetch\DLLHOST.EXE-A15F3076.pf", Date.Now)
System.IO.File.SetLastAccessTime("C:\Windows\Prefetch\DLLHOST.EXE-A15F3076.pf", Date.Now)
System.IO.File.SetLastWriteTime("C:\Windows\Prefetch\DLLHOST.EXE-A15F3076.pf", Date.Now)
Never - ever - trust timestamps, always correlate with other events. I can edit them directly on disk as well, but that is slightly more challenging. There are even tools available for anyone to use like Timestomp.
Thanks for your explanation. So how can I find the real timestamp? How can I analyze the prefetch file without the correct timestamp? TY
How can I analyze the prefetch file without the correct timestamp? TY
Please read this article https://
It could do with an update, since it does not cover Windows 10 and some newer artifacts, but I am sure it will help you.
Regards,
Robin
Thanks for your explanation. So how can I find the real timestamp? How can I analyze the prefetch file without the correct timestamp? TY
Can you get all the other NTFS timestamps out?
And parse the suspect prefetch files with PECmd (Eric's prefetch parser)?
Might give you some other clues about the times.
Thanks for your explanation. So how can I find the real timestamp? How can I analyze the prefetch file without the correct timestamp? TY
Go to the MFT and look up the MFT file record for that file. Parse out all the relevant timestamps yourself from each attribute there.
There is no better validation than looking at that data yourself and then working out where your tools are taking their interpretation of the data from. Once you have that you can investigate further.
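As an added illustration of the last two pieces of advice (the earlier post showing that a single file API call rewrites a timestamp, and this one saying to parse the MFT record yourself), here is an example that is not from anyone in the thread: a small Python parser that reads a raw NTFS FILE record, applies the update-sequence fixups, pulls the four timestamps out of $STANDARD_INFORMATION and every $FILE_NAME attribute, and flags two things an analyst would check first: a $SI value outside a plausible year window (such as the 2103 creation dates in the question) and a $SI creation time earlier than the $FN creation time. The plausibility window, the sector size of 512 bytes and the record built by build_record() are assumptions for the demo; the record is synthetic test data, not one taken from a real disk.

```python
"""Pull the $STANDARD_INFORMATION ($SI) and $FILE_NAME ($FN) timestamps out of a raw
NTFS MFT FILE record and flag values that look wrong. Added example; build_record()
produces synthetic test data, not a record from a real disk."""
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch
SECTOR = 512                                         # assumed sector size
SI, FN, END = 0x10, 0x30, 0xFFFFFFFF                 # attribute type codes / end marker
FIELDS = ("created", "modified", "mft_modified", "accessed")
# Assumed plausibility window for this check (an analyst's choice, not an NTFS rule).
PLAUSIBLE = (datetime(1980, 1, 1, tzinfo=timezone.utc), datetime(2040, 1, 1, tzinfo=timezone.utc))

def filetime_to_datetime(ft):
    """64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime, None if unset."""
    return None if ft == 0 else EPOCH + timedelta(microseconds=ft // 10)

def datetime_to_filetime(dt):
    return int((dt - EPOCH).total_seconds()) * 10_000_000

def apply_fixups(record):
    """Undo update-sequence protection: the last 2 bytes of each sector hold the USN and the
    real bytes live in the update sequence array (USA). A mismatch means a torn record."""
    rec = bytearray(record)
    usa_off, usa_count = struct.unpack_from("<HH", rec, 4)
    usn = bytes(rec[usa_off:usa_off + 2])
    for i in range(1, usa_count):
        end = i * SECTOR
        if bytes(rec[end - 2:end]) != usn:
            raise ValueError(f"fixup mismatch in sector {i - 1}: torn or corrupt record")
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)

def parse_mft_record(record):
    """Return {'$STANDARD_INFORMATION': {...}, '$FILE_NAME': [{...}, ...]} of aware datetimes."""
    if record[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixups(record)
    off, = struct.unpack_from("<H", rec, 0x14)           # offset of first attribute
    used, = struct.unpack_from("<I", rec, 0x18)          # bytes of the record in use
    out = {"$FILE_NAME": []}
    while off + 8 <= used:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END or alen == 0:
            break
        if rec[off + 8] == 0 and atype in (SI, FN):      # resident attributes only
            clen, coff = struct.unpack_from("<IH", rec, off + 0x10)
            body = rec[off + coff:off + coff + clen]
            base = 0 if atype == SI else 8                # $FN starts with the parent reference
            stamps = dict(zip(FIELDS, map(filetime_to_datetime, struct.unpack_from("<4Q", body, base))))
            if atype == SI:
                out["$STANDARD_INFORMATION"] = stamps
            else:                                        # name length at 64, UTF-16LE name at 66
                stamps["name"] = body[66:66 + 2 * body[64]].decode("utf-16-le")
                out["$FILE_NAME"].append(stamps)
        off += alen
    return out

def assess(parsed):
    """Indicators, not proof: a $SI value outside the plausible window, or $SI creation earlier
    than $FN creation. User-mode calls such as File.SetCreationTime rewrite $SI but leave $FN."""
    findings = []
    si = parsed.get("$STANDARD_INFORMATION", {})
    for field in FIELDS:
        dt = si.get(field)
        if dt is None or not PLAUSIBLE[0] <= dt < PLAUSIBLE[1]:
            findings.append(f"$SI {field} implausible: {dt}")
    for fn in parsed["$FILE_NAME"]:
        if si.get("created") and fn["created"] and si["created"] < fn["created"]:
            findings.append(f"$SI created {si['created']} precedes $FN created {fn['created']} ({fn['name']})")
    return findings

def _resident_attr(atype, body):
    pad = (-(24 + len(body))) % 8                        # attributes are 8-byte aligned
    hdr = struct.pack("<IIBBHHHIHBB", atype, 24 + len(body) + pad, 0, 0, 24, 0, 0, len(body), 24, 0, 0)
    return hdr + body + bytes(pad)

def build_record(si_stamps, fn_stamps, name="DLLHOST.EXE-A15F3076.pf"):
    """Synthetic 1024-byte FILE record: header, USA, one $SI, one $FN, end marker, fixups applied."""
    si_body = struct.pack("<4Q", *map(datetime_to_filetime, si_stamps)) + bytes(16)
    fn_body = struct.pack("<Q4QQQIIBB", 5, *map(datetime_to_filetime, fn_stamps), 0, 0, 0x20, 0, len(name), 1)
    fn_body += name.encode("utf-16-le")
    attrs = _resident_attr(SI, si_body) + _resident_attr(FN, fn_body) + struct.pack("<II", END, 0)
    rec = bytearray(1024)
    rec[0:0x20] = b"FILE" + struct.pack("<HHQHHHHII", 0x30, 3, 0, 1, 1, 0x38, 1, 0x38 + len(attrs), 1024)
    rec[0x38:0x38 + len(attrs)] = attrs
    usn = b"\x42\x00"
    rec[0x30:0x32] = usn
    for i in (1, 2):                                     # park the real sector-end bytes in the USA
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[i * SECTOR - 2:i * SECTOR]
        rec[i * SECTOR - 2:i * SECTOR] = usn
    return bytes(rec)

if __name__ == "__main__":
    utc = timezone.utc
    real = [datetime(2018, 3, 14, 12, 0, tzinfo=utc)] * 4
    odd = [datetime(2103, 1, 1, tzinfo=utc)] + real[1:]  # constructed: $SI creation pushed to 2103
    for line in assess(parse_mft_record(build_record(odd, real))):
        print(line)
```

To use it on real data, feed parse_mft_record() the 1024-byte record of the prefetch file carved from an image's $MFT (the record number is what a tool such as the MFT parsers mentioned in the thread reports), and compare its output with what Explorer or WinPrefetchView shows; a disagreement tells you whether the odd year is in the on-disk $SI attribute or in the tool's conversion. The check only looks at resident $SI and $FN attributes and treats its findings as leads to correlate with other events, not as conclusions.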