Digital forensics is one of the major counterparts in protecting and understanding cyber-attacks today. There are various ways to understand and identify cyber incidents. As we all know Microsoft plays a major role in Operating System usage today. The company uses many ways to improve the performance of Windows. One of the many ways is Prefetch files. Microsoft OS prefetches files that the system expects the user will need and loads them into memory making the "fetch" of the files faster and more efficient to decrease the start-up times of the applications.
like many any other file in an operating system especially in windows, prefetch can be seen from a digital forensic perspective for further investigations. It’s important to understand why Prefetch files. In this report, I am going to analyze Prefetch files and how it could help in Digital forensics artifacts and the limitation of the files. This is not just another research report, but this will have some technical findings too. For this analysis prepose I have used Windows 10, Windows Server 2019 operating systems, and some freely available prefetch analysis tools as well.
Understanding prefetch files will help the forensic examiner, Prefetch files exist under the prefetch folder in the windows operating system installation directory. The importance of a prefetch file is that it can provide much information about what the user was doing even if the user is smart to cover the track. Prefetch files will provide a lot of useful information to the forensic investigator such as the last date used, application files stored information, how many times the application was used, and many other details
Technical Analysis
What is inside the prefetch file? The ultimate purpose of the prefetch file is to reduce the application or system boot time. This means every prefetch file will have data related to the application it belongs to in an instruction format. Prefetch file has standard naming as well in the following format, which itself metadata for forensic investigation. The naming has the following standard Application name, 8 character hash of the application location, and the file extension .pf
As mentioned in the introduction section apart from the above-given information prefetch files has the run count, a timestamp of the creation time, and the executable's last run time. Further to this basic static information prefetch folder has a large number of instructions for the commonly used programs to use at the start-up.
When users launch an application or boot the system for the very first time in Microsoft systems windows cache manager traces the data and other library information needed for the application during the loading or starting uptime. This traced data from the memory will be then saved in the prefetch file with an appropriate name, now if the user launches the application again, firstly the prefetch file will be read and load the necessary libraries and application dependencies into memory before the application request and load them, this way Microsoft reduce the load time of application and boot process of the Microsoft Operating systems.
Prefetch files help applications and programs to find the piece of data it needs at the time of start-up from the hard disk without waiting at the time on loading. Today program files used a huge amount of memory and files than before, so advance fetching those files will help the application to load faster. These files are very valuable in the digital forensic investigation also.
Prefetch file Inspection.
Prefetch files are found in c:\Windows\prefetch path and each file in the prefetch folder has a .pf extension. Each Prefetch file has a naming convention such as the application name-hash value.pf, The hash value was calculated using multiple information such as
1) Full path for the file
2) Path converted to Unicode strings
3) Path then converted to the Device path
4) Hashing value applied
5) Finally, prefetch file name generated.
Let’s have a look at a Prefetch file, before initiating the forensic analysis of the prefetch record as a forensic examiner you should check whether the prefetching process is enabled.
We will check the status of prefetching, Let's go to the registry editor and confirm the status,
Computer \HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Control \Session \Manager \Memory Management \PrefetchParameters
The value of the EnablePrefetcher is set as 3 by default as shown in the image below. You can change the EnablePrefetcher values according to your prefetching needs. The options provide us with to customize EnablePrefetcher are explained below
0: Prefetching Disabled
1: Application Prefetching Enabled
2: Boot Prefetching Enabled
3: Application and Boot both Enabled
The prefetch files are saved under %SystemRoot%\Prefetch (C:\Windows\Prefetch).
Forensic Analysis of Prefetch Files
Since we understand well about the prefetch files and the reason why Microsoft has prefetch files. But we all know things we do to improve the standards and performances have been used by unethical or hackers to get more benefits in a negative way. Prefetch files are nothing exception to this. At the same time, Prefetch files are one of the fantastic artifacts for forensics investigation. It has massive metadata.
In this technical analysis, I am going to use some tools to understand what we can get from the prefetch files. For these purposes I firstly used the WinPrefetch View tool, to read and understand the prefetch files stored in my computer. WinPrefetch deals with any variant of the Windows operating system, beginning from Windows XP to Windows 10. Windows 10 prefetch files (*.pf) is a bit of a different file format compared to previous versions. At first glance, you'll spot no textual strings inside.
Analyzing Prefetch
Although by simply viewing the prefetch files we can get some basic information, you need to parse the file to get more information it got. There are a number of programs capable of parsing these files and most of them work well in GUI
Let's take a look at that CISCO Webex collaboration application. I have circled it in the screenshot above. We can see where the path to the .exe is, the number of times it has been run, and the last time it was run. This could all be critical information in a forensic investigation. Also, note in the lower pane that it lists every file used by the program with a path to the files.
If we click on the "Last Run Time" tab to sort by time, we can recreate a timeline of events that took place on that system.
Calculating the original path of the application from the hash provided in the prefetch file is relatively easy, but can be time-consuming. Depending on the version of Windows the file was taken from, a different hashing function is used
The exact location of the application executable file is as important as any timestamp metadata. Most experienced malware analysis or investigators can understand the added importance of a known file running from a temp folder against a legitimate location like, as the Windows system32 driver location.
The information we have on the filename would be quite valuable, the contents of a prefetch file have a massive amount of information for forensic. Prefetch data is extremely useful for detecting the unauthorized use of malicious software on a computer system. The prefetch file can expose when and from where the malware was executed and where the malware was run from. This is critical information for malware analysis and digital forensic, confirming the source of the malicious unauthorized files and how they reached on the system, which can be used in a security incident response, investigation, or litigation.
It's just a rule of that there is a delta time in between the time that prefetch processes monitoring the execution and the time the timestamp is actually updated of course all of this does assume that an attacker hasn't covered his or her tracks by deleting previous prefetch files which is the common anti-forensics technique. if that's happened the prefetch files may be able to be carved from unallocated space using a file carving program. if the prefetch files have been securely wiped look for prefetch evidence that would indicate a file wiper was executed in this case we actually see a prefetch file for SDelete which could have been used for that purpose if that happened the attacker would potentially leave evidence of that deletion even if he or she tries to securely delete the prefetch file. whatever wiper has been used a new prefetch file would be immediately created it's kind of a catch 22 situation because what wipes evidence of execution for the file wiper itself will create a prefetch file.
Let's see the calculator prefetch file and understand it.
let's start taking a look at the output so starting at the very top we have the file system timestamps for the prefetch file itself which is nothing new because this is exactly what we were looking at with windows explorer.
below that we have the executable name the hash the file size and the version then we have the total run count which can be extremely valuable to in this case we have the last runtime and then we have other runtimes where we can have up to seven additional timestamps for a total of the last eight times of execution because remember with Windows 8 and later, we get that information.
Also with this tool PECmd.exe, we can find the malware execution via Directories referenced and we will be able to see the red highlighter /TEMP file. This tells us that the file name or application name also we can find the tiles running out of the Program data path.
Reverse Engineering and Disassembly
Let’s deep dive into Prefetch to understand the how prefetch files are created and saved on a system. working. A Windows core component named ntkrnlpa.exe, a kernel process, is
responsible for creating, reading, writing, and executing prefetch files based on the instructions from the Windows Cache Manager. Prefetch called many functions at the time of an application launch Following are some of the functions called in prefetch files
• PfSnBeginAppLaunch
• PfPrefetchRequestVerify
• PfGenerateTrace
• [!]PfCalculateProcessHash
• PfSnScanCommandLine
ntkrnlpa.exe is a huge file and it calls hundreds of functions The process of this goes as like this.
• Starting Point
• PfProcessCreateNotification
• PfSnBeginAppLaunch
• PfSnGetPrefetchInstructions
So how does the prefetch file helps in forensic? To answer this, when an activity occurred via the last execution time you can find what activity has taken place? Then via the counter value, we can identify how frequently this activity was performed. Also, prefetch files will give the path. For example, let’s say a prefetched executable has been executed x times calculator.exe By verifying the prefetch file, you can see the file path of the files that were executed.
In addition to this full directory path listed in the prefetch file discloses the user accounts. An investigation may show that there was a temporary account created to performing the criminal activity. This will answer the question “ who” in forensic investigation. Also, the full path will show the file, program, or the application was launched from external storage or internal storage? With the last execution, the time investigator can match the time stamp USBStor registry key to get the serial number of the external storage device as well.
Even If cyber-criminal modifies the SIA and FNA timestamps in the MFT but the entries in the prefetch will not change. Following are some examples of forensic in Windows prefetch files.
1. Prefetch files can confirm that a criminal ran a clean-up program like sDelete.
2. If a program Is been deleted, a Prefetch file still exists to provide evidence of previous existence and execution.
3. Forensic investigators can decide the exact path of malware and when it was first/last run.
4. With other basic timeline analyses, forensic investigators could identify any additional malware component.
5. By doing log analysis from different log sources and using a Prefetch file’s creation timestamp and last run timestamp as reference points, an investigator might be able to correlate the information and identify the initial vector of an attack.
Limitations
Prefetch files are a very good source of evidence to decide the existence and execution of suspicious files on a system. However, it is just another one of the many Windows artifacts that help investigators to understand what a user was doing on a system at a point in time. But keep in mind all the Windows artifacts must be analyzed and examined to see the bigger picture of a cyber security breathing incident.
Also, you need to understand it monitors the first 10 seconds of application startup, and even in the new generation SSDs it has been identified to 2 to 3 seconds. Prefetching process on the system could be disabled by users or disabled by the default setting on SSDs running Windows 7 or Windows 8 Operating System. This will create the absence of the Prefetching files on the system for forensic analysis.
Another big limitation of these prefetch files is they are temporary files and the system could delete or overwrite the prefetch files, which may hide the artifacts in forensic. Also, there is no relationship between the application action and the crime in the digital forensic examination.
Though we get much useful information still as mentioned above there are limitations to use the prefetch as it will not show how the incident was initiated. We still need to work with other forensic techniques to finalize and confirm the incidents.
Conclusion
In this report, i initiated a study that to explore the potential of prefetch files. As prefetch is relating to a forensic investigation. I was able to find much interesting information. Prefetch will keep a counter as we found above and keep on updating it every time it runs the application. For a forensic investigation, having information about the first created time, Last modified time and number of times will give you the complete detail of the application. Further, it gives the full path and depending directories as well.
Arranging the prefetch in time order will also give a clear picture of what happened when an incident occurred. Will give a clear picture of what happened in the order. With the help of further registry, memory, and storage forensic will give the complete picture with evidence to conclude the incident.
