Wrong created date for prefetch files.  

Pesar
(@pesar)
New Member

Hi everybody :) I'm a student who is learning Windows forensics. Recently I learned about prefetch files and how to analyze them, but when I go through my Windows prefetch files I can see that the creation date for some programs is not correct.
As you can see, the creation date for some of them is 2103/2102/2065 and so on. How is that possible? A Windows bug? Running Windows 10 build 1709.

Posted : 25/05/2018 1:54 pm
athulin
(@athulin)
Community Legend

… when I go through my Windows prefetch files I can see that the creation date for some programs is not correct.
As you can see, the creation date for some of them is 2103/2102/2065 and so on. How is that possible?

To start with … what exactly is reported in each column? What tool or tools are you using?

Bugs in time stamp translation are not unheard of, but they are often tool dependent.

Posted : 25/05/2018 2:04 pm
Pesar
(@pesar)
New Member

Hello,
I'm using the Windows built-in feature (Sort by > More > Choose details > Date created), but I get the same results with NirSoft WinPrefetchView.

Posted : 25/05/2018 2:15 pm
athulin
(@athulin)
Community Legend

Hello,
I'm using the Windows built-in feature (Sort by > More > Choose details > Date created)

Details are extremely important in forensics.

1. What columns are being displayed in the screen dump you included? (As you don't include column headers, readers can only guess. But guesses are not useful.)

2. Is the column with the unusual years 'Date created'? Or is it some other time stamp? (The sort feature you mention allows you to sort also by columns that are not shown, so it need not be Date created)

3. What is the column with the 'real' years?

But you also seem to say that you have sorted by Date created, and while column 2 appears to be sorted, it is sorted in reverse … which you don't mention. (And which I'm not sure Windows Explorer can be convinced to do … ? – I'm looking at Win10, latest update (10.0.17134.48).)

And just in case: are there any prefetch files showing empty time stamp fields? If there are, you may want to read

https://articles.forensicfocus.com/2013/04/06/interpretation-of-ntfs-timestamps/

which shows some circumstances in which that may happen. It may also suggest a possible explanation to your basic question.

Posted : 25/05/2018 6:39 pm
Pesar
(@pesar)
New Member

Many thanks for the reply :) My bad, sorry.
The first column is the creation date (I sorted by it) and the second one is the modified time (execution time). Also, there is no prefetch file without a timestamp.
As you can see, the creation date is not normal. And to answer your question, the real year is in the second column (2018). TY

Posted : 25/05/2018 8:59 pm
MDCR
(@mdcr)
Active Member

If you were handed an image to analyse, the timestamps could have been altered. Changing timestamps on disk can be done with one line of code for each common type:

' VB.NET; each call rewrites one of the file's $STANDARD_INFORMATION timestamps
System.IO.File.SetCreationTime("C:\Windows\Prefetch\DLLHOST.EXE-A15F3076.pf", Date.Now)
System.IO.File.SetLastAccessTime("C:\Windows\Prefetch\DLLHOST.EXE-A15F3076.pf", Date.Now)
System.IO.File.SetLastWriteTime("C:\Windows\Prefetch\DLLHOST.EXE-A15F3076.pf", Date.Now)

Never - ever - trust timestamps, always correlate with other events. I can edit them directly on disk as well, but that is slightly more challenging. There are even tools available for anyone to use like Timestomp.

Posted : 26/05/2018 8:03 am
Pesar
(@pesar)
New Member

If you were handed an image to analyse, the timestamps could have been altered. Changing timestamps on disk can be done with one line of code for each common type:

' VB.NET; each call rewrites one of the file's $STANDARD_INFORMATION timestamps
System.IO.File.SetCreationTime("C:\Windows\Prefetch\DLLHOST.EXE-A15F3076.pf", Date.Now)
System.IO.File.SetLastAccessTime("C:\Windows\Prefetch\DLLHOST.EXE-A15F3076.pf", Date.Now)
System.IO.File.SetLastWriteTime("C:\Windows\Prefetch\DLLHOST.EXE-A15F3076.pf", Date.Now)

Never - ever - trust timestamps, always correlate with other events. I can edit them directly on disk as well, but that is slightly more challenging. There are even tools available for anyone to use like Timestomp.

Thanks for your explanation. So how can I find the real timestamp? How can I analyze the prefetch file without the correct timestamp? TY

Posted : 26/05/2018 1:01 pm
Bunnysniper
(@bunnysniper)
Active Member

How can I analyze the prefetch file without the correct timestamp? TY

Please read this article: https://www.fireeye.com/blog/threat-research/2013/08/execute.html

It could get renewed, since it does not cover Windows 10 and some newer artifacts, but I am sure it will help you.

regards,
Robin

Posted : 26/05/2018 1:37 pm
randomaccess
(@randomaccess)
Active Member

Thanks for your explanation. So how can I find the real timestamp? How can I analyze the prefetch file without the correct timestamp? TY

Can you get all the other NTFS timestamps out?
And parse the suspect prefetch files with PECmd (Eric Zimmerman's prefetch parser)?

Might give you some other clues about the times

Posted : 27/05/2018 5:59 pm
hectic_forensics
(@hectic_forensics)
Junior Member

Thanks for your explanation. So how can I find the real timestamp? How can I analyze the prefetch file without the correct timestamp? TY

Go to the MFT and look up the MFT file record for that file. Parse out all the relevant timestamps yourself from each attribute there.

There is no better validation than looking at that data yourself and then working out where your tools are taking their interpretation of the data from. Once you have that, you can investigate further.

Posted : 29/05/2018 9:11 am
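The advice in the thread converges on two things: pull the raw timestamps out of the MFT record yourself (hectic_forensics), and never take a single $STANDARD_INFORMATION value at face value because SetFileTime-style calls can rewrite it (MDCR). The following Python is an added example, not code from any of the posters; it assumes a hypothetical MFT parser has already returned the raw FILETIME values of one record, decodes them, and flags the inconsistencies an analyst would check first, including the far-future years the original question is about. The sample records are constructed.

```python
"""Sanity checks over the NTFS timestamps of one MFT record.

$SI = $STANDARD_INFORMATION (what Explorer shows), $FN = $FILE_NAME (written by
the kernel on create/rename and not changed by user-mode SetFileTime calls).
The MftTimestamps values are assumed to come from an MFT parser (hypothetical);
the records in sample_records() are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000           # a FILETIME tick is 100 ns
REFERENCE_NOW = datetime(2018, 5, 27, tzinfo=timezone.utc)  # constructed "now"


def filetime_to_datetime(ft: int) -> datetime:
    """Decode a raw FILETIME (100-ns ticks since 1601-01-01 UTC)."""
    return EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here to build sample records."""
    return ((dt - EPOCH) // timedelta(microseconds=1)) * 10


@dataclass
class MftTimestamps:
    """Raw FILETIMEs of one record, in the order an MFT parser would list them."""
    si_created: int       # $SI creation time = Explorer's "Date created"
    si_modified: int
    si_accessed: int
    si_mft_changed: int
    fn_created: int       # $FN creation time, kernel-maintained
    fn_modified: int


def check_timestamps(rec: MftTimestamps, now: datetime) -> List[str]:
    """Return the names of the inconsistencies found; an empty list means none."""
    flags: List[str] = []
    si_c = filetime_to_datetime(rec.si_created)
    si_m = filetime_to_datetime(rec.si_modified)
    fn_c = filetime_to_datetime(rec.fn_created)

    # Years such as 2065 or 2103 cannot be genuine on a system imaged today.
    if si_c > now or si_m > now:
        flags.append("future_timestamp")
    # User-mode timestamp APIs rewrite $SI only, so a $SI creation time that
    # precedes the $FN creation time is the classic backdating indicator.
    if si_c < fn_c:
        flags.append("si_created_before_fn_created")
    # A prefetch file created after it was last written is worth a second look
    # (it is legitimate for copied files, so treat it as a prompt, not a verdict).
    if si_c > si_m:
        flags.append("created_after_modified")
    # Kernel-written values carry 100-ns precision; whole-second values across
    # all $SI fields suggest a tool that only writes second granularity.
    if all(ft % TICKS_PER_SECOND == 0
           for ft in (rec.si_created, rec.si_modified, rec.si_accessed)):
        flags.append("zero_subsecond")
    return flags


def sample_records() -> Dict[str, MftTimestamps]:
    """Three constructed records: untouched, far-future $SI, backdated $SI."""
    utc = timezone.utc
    created = datetime_to_filetime(datetime(2018, 5, 20, 9, 15, 30, 123456, tzinfo=utc))
    modified = datetime_to_filetime(datetime(2018, 5, 25, 13, 54, 2, 654321, tzinfo=utc))
    future = datetime_to_filetime(datetime(2103, 3, 7, 4, 20, 11, 500000, tzinfo=utc))
    backdated = datetime_to_filetime(datetime(2010, 1, 1, tzinfo=utc))  # whole second
    return {
        "clean": MftTimestamps(created, modified, modified, modified, created, modified),
        "future": MftTimestamps(future, modified, modified, modified, created, modified),
        "backdated": MftTimestamps(backdated, backdated, backdated, modified, created, modified),
    }


def run_checks(now: datetime = REFERENCE_NOW) -> Dict[str, List[str]]:
    """Run check_timestamps over the sample records and return the flags per record."""
    return {name: check_timestamps(rec, now) for name, rec in sample_records().items()}


if __name__ == "__main__":
    for name, flags in run_checks().items():
        print(f"{name:10s} {flags or 'no anomalies'}")
```

In practice the record would come from an MFT parser rather than sample_records(), and the flags are prompts for correlation with other evidence (the prefetch file's own embedded last-run time, event logs, $UsnJrnl), not conclusions on their own.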