Hi, I’m Mohaimin, an avid DFIR enthusiast on a perpetual journey of learning and unraveling the mysteries of digital investigations. Have you ever wondered how forensics investigators track down the footprints left by malicious software on a computer? One powerful clue lies in a lesser-known component called “Prefetch.”
What is Prefetch?
Prefetch is a Windows feature that improves application startup times by predicting which files will be needed and loading them into memory in advance. This way, when we launch an application, our computer doesn’t have to search for the required files, resulting in faster execution.
Unveiling Malware with Prefetch
Digital investigators often rely on Prefetch to track down signs of suspicious activity. If we suspect that a malware known as “XYZ” has been executed on a system, we can look for its Prefetch file. A Prefetch file is created when an application runs for the first time and is updated each time the application is launched again.
Anti-Forensic Maneuvers: Wiping out Prefetch Files
Malware creators and cybercriminals are no strangers to anti-forensic techniques. One common tactic is to erase Prefetch files, effectively erasing potential evidence of their activities. These files are usually located in the following directories:
- 64-bit Systems:
C:\Windows\System32\Prefetch - 32-bit Systems:
C:\Windows\SysWOW64\Prefetch
Important Facts about Prefetch Files:
- Initial Absence: Before an application is run, no Prefetch file exists for it. Prefetch files are generated upon the first execution.
- Limited to Workstations: Prefetch files are typically found only on Windows workstations, not on servers.
- Rapid Record: A Prefetch file is created at the first execution of an application. It records the details of the files accessed during runtime.
- Usually run time: “Time – (Delta) approx 10 seconds.” We can see the actual time inside of prefetch files when we analyse with PECmd.exe (EZ tool)
- Timestamps Galore: Windows 8 and above store data from the last 8 executions in Prefetch files, providing a wealth of timestamps. This includes the first execution and the last 8 runs, totaling 9 timestamps.
- One Prefetch per App: Normally, a single Prefetch file is associated with each application. However, some applications like svchost, mmc.exe, dllhost.exe, and rundll32.exe might have multiple Prefetch files due to parameter variations.
- Cmd Peculiarities: The cmd application usually has one Prefetch files. If there are two, one from 64-bit and another from 32-bit execution, it’s a potential red flag, signaling unusual behavior.
Prefetch Files naming:
Prefetch files, like CMD.EXE-4A81B364.pf, combine application name with unique hash (4A81B364) to aid speedy application loading and analysis.
Meet PECmd.exe:
PECmd.exe is a command-line tool that uncovers Prefetch file insights. It reveals accessed files, directories, and execution details, aiding forensic experts in tracking application activities.
Prefetch Analysis Demo:
Run PECmd.exe Command:
PECmd.exe -f C:\Cases\F\Windows\prefetch\ATOMICSERVICE.EXE-94EEF3DF.pf
Here last run is the exact time the application was last executed.
Inspect Output: Discover:
- Accessed files/folders during execution.
- Execution timestamps.
- Parameter and argument insights.
Red & Yellow Flags:
While studying PECmd.exe output, focus on red and yellow highlights. Red indicates potential malicious actions, needing deeper analysis. Yellow signifies irregularities deserving attention.