Thursday 7 October 2021

Prefetch Digital forensics



Abstract

Digital forensics plays a major part in protecting against and understanding cyber-attacks today. There are various ways to understand and identify cyber incidents. As we all know, Microsoft plays a major role in operating system usage today, and the company uses many techniques to improve the performance of Windows. One of them is Prefetch files. The Microsoft OS prefetches files that the system expects the user will need and loads them into memory, making the "fetch" of the files faster and more efficient and decreasing the start-up times of applications.

Like many other files in an operating system, especially in Windows, prefetch files can be examined from a digital forensic perspective for further investigation. It's important to understand why Prefetch files matter. In this report, I am going to analyze Prefetch files, how they can help as digital forensic artifacts, and the limitations of these files. This is not just another research report; it has some technical findings too. For this analysis I used the Windows 10 and Windows Server 2019 operating systems, along with some freely available prefetch analysis tools.

Understanding prefetch files will help the forensic examiner. Prefetch files exist under the Prefetch folder in the Windows operating system installation directory. The importance of a prefetch file is that it can provide much information about what the user was doing, even if the user is smart enough to cover their tracks. Prefetch files provide a lot of useful information to the forensic investigator, such as the last date used, stored information about the application's files, how many times the application was used, and many other details.

Introduction

Software developers and operating system designers have always been interested in speeding up the start-up times of operating systems and their application software.

The word Prefetch explains it clearly: it means grabbing the information in advance. In IT, prefetching means loading the required files or resources before they are required, to reduce the waiting time. This is how Microsoft operating systems speed up the boot time and the load time of applications: by making cache files. Have you ever thought about how your computer reloads the files and websites you were reading just before it rebooted unexpectedly? It is because your browser cached all the files you had used. Prefetch works exactly the same way: it makes a cache of all your application files, boot files, and other files to use later.

The prefetch files are temporary files and are stored in the Prefetch folder under the system folder. This folder stores the frequently used files in your system. These prefetch files can be used to collect timestamps and other resources utilized when the file executes. The following information can be pulled out of the prefetch files.

1. Run Count - Number of times the application has been run
2. Resources loaded – Name of the executable 
3. Version 
4. Timestamp
5. The files and directories that were referenced during the application start-up
6. Hash of the executable path.
7. Last Run Time 

Prefetch files are used to learn the application behavior, such as whether the application is executed automatically or not. Furthermore, this helps forensic analysts carry out a forensic investigation. Prefetch has been around since Windows XP. In Windows XP, Vista, and 7 the number of prefetch files is limited to 128, whereas in Windows 8 and above it is up to 1024.

Prefetch files are one of the best artifacts for forensic investigators to analyze application behavior and to see when a file was executed and who executed it. They also give the application location and the connected files. According to Locard's exchange principle, any interaction or contact between two entities results in an exchange of material. Whenever a program runs, the operating system creates data within the system. This data may exist for a short time, or it may be available until the system reboots, and some artifacts will remain even after the reboot. Whatever the type, there will always be some artifacts for forensic investigation.

Technical Analysis

What is inside the prefetch file? The ultimate purpose of the prefetch file is to reduce the application or system boot time. This means every prefetch file holds data related to the application it belongs to, in an instruction format. Prefetch files also follow a standard naming format, which is itself metadata for a forensic investigation: the application name, an 8-character hash of the application location, and the file extension .pf.

As mentioned in the introduction, apart from the information given above, prefetch files hold the run count, a timestamp of the creation time, and the executable's last run time. Beyond this basic static information, the prefetch folder holds a large number of instructions for commonly used programs to use at start-up.

When a user launches an application or boots the system for the very first time on a Microsoft system, the Windows Cache Manager traces the data and other library information needed by the application during loading or start-up. This traced data from memory is then saved in a prefetch file with an appropriate name. If the user launches the application again, the prefetch file is read first and the necessary libraries and application dependencies are loaded into memory before the application requests them. This way Microsoft reduces the load time of applications and the boot time of Microsoft operating systems.

Prefetch files help applications and programs find the data they need at start-up from the hard disk without waiting at load time. Today's programs use far more memory and files than before, so fetching those files in advance helps the application load faster. These files are also very valuable in digital forensic investigations.

Prefetch file Inspection. 

Prefetch files are found in the c:\Windows\prefetch path, and each file in the prefetch folder has a .pf extension. Each prefetch file follows a naming convention of the form application name-hash value.pf. The hash value is calculated from several pieces of information, in the following steps:
1) Full path for the file
2) Path converted to Unicode strings 
3) Path then converted to the Device path 
4) Hashing value applied
5) Finally, prefetch file name generated. 

Let's have a look at a Prefetch file. Before initiating the forensic analysis of the prefetch records, as a forensic examiner you should check whether the prefetching process is enabled.

To check the status of prefetching, open the Registry Editor and go to the following key:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters

The value of EnablePrefetcher is set to 3 by default, as shown in the image below. You can change the EnablePrefetcher value according to your prefetching needs. The available options are explained below.




 

0: Prefetching Disabled
1: Application Prefetching Enabled
2: Boot Prefetching Enabled
3: Application and Boot both Enabled

The prefetch files are saved under %SystemRoot%\Prefetch (C:\Windows\Prefetch).

Forensic Analysis of Prefetch Files

We now understand prefetch files well, and the reason why Microsoft has them. But as we all know, things built to improve standards and performance end up being used by unethical people or hackers for their own benefit, and Prefetch files are no exception. At the same time, Prefetch files are one of the most fantastic artifacts for forensic investigation, since they hold massive metadata.

In this technical analysis, I am going to use some tools to understand what we can get from the prefetch files. For this purpose I first used the WinPrefetchView tool to read and understand the prefetch files stored on my computer. WinPrefetchView deals with any variant of the Windows operating system, from Windows XP to Windows 10. Windows 10 prefetch files (*.pf) use a somewhat different file format compared to previous versions. At first glance, you'll spot no textual strings inside.

Analyzing Prefetch

Although we can get some basic information by simply viewing the prefetch files, you need to parse a file to get everything it holds. There are a number of programs capable of parsing these files, and most of them work well in a GUI.

 


Let's take a look at the Cisco Webex collaboration application, which I have circled in the screenshot above. We can see the path to the .exe, the number of times it has been run, and the last time it was run. This could all be critical information in a forensic investigation. Also, note that the lower pane lists every file used by the program, with a path to each file.

If we click on the "Last Run Time" column to sort by time, we can recreate a timeline of events that took place on that system.

 
Calculating the original path of the application from the hash provided in the prefetch file is relatively easy, but can be time-consuming. Depending on the version of Windows the file was taken from, a different hashing function is used.

The exact location of the application executable is as important as any timestamp metadata. Most experienced malware analysts or investigators understand the added significance of a known file running from a temp folder as opposed to a legitimate location such as the Windows system32 driver location.

The information in the filename is quite valuable, and the contents of a prefetch file hold a massive amount of information for forensics. Prefetch data is extremely useful for detecting the unauthorized use of malicious software on a computer system. The prefetch file can expose when the malware was executed and where it was run from. This is critical information for malware analysis and digital forensics, confirming the source of the malicious unauthorized files and how they reached the system, which can be used in security incident response, investigation, or litigation.

As a rule of thumb, there is a delta between the time the prefetch process monitors the execution and the time the timestamp is actually updated. Of course, all of this assumes that an attacker hasn't covered his or her tracks by deleting previous prefetch files, which is a common anti-forensics technique. If that has happened, the prefetch files may be recoverable from unallocated space using a file carving program. If the prefetch files have been securely wiped, look for prefetch evidence indicating that a file wiper was executed. In this case we actually see a prefetch file for SDelete, which could have been used for that purpose. The attacker would potentially leave evidence of the deletion even if he or she tries to securely delete the prefetch files: whatever wiper has been used, a new prefetch file is immediately created for it. It's a kind of catch-22 situation, because the tool that wipes evidence of execution creates a prefetch file for the file wiper itself.

Let's see the calculator prefetch file and understand it. 

Let's start by taking a look at the output. Starting at the very top, we have the file system timestamps for the prefetch file itself, which is nothing new because this is exactly what we were looking at with Windows Explorer.

 


Below that we have the executable name, the hash, the file size, and the version. Then we have the total run count, which can be extremely valuable. In this case we have the last run time and then the other run times, where we can have up to seven additional timestamps for a total of the last eight times of execution, because with Windows 8 and later we get that information.
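To show where those fields live in the file, here is an added Python example (not code from this report or from PECmd) that reads them from an uncompressed prefetch file. The offsets follow the publicly documented SCCA layout for format versions 17, 23 and 26; the function names and the sample buffer are constructed for the example. Windows 10 files begin with a MAM compression header, which is why no strings are visible in them, and the code only detects that case.

```python
import struct
from datetime import datetime, timedelta, timezone

# Per format version: (offset of last-run FILETIME array, slots, run-count offset).
# Offsets follow the publicly documented SCCA layout; verify against your tooling.
LAYOUT = {
    17: (0x78, 1, 0x90),  # Windows XP / Server 2003
    23: (0x80, 1, 0x98),  # Windows Vista / 7
    26: (0x80, 8, 0xD0),  # Windows 8 / 8.1
}

def filetime_to_dt(ft):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=ft // 10)

def parse_prefetch(data):
    """Parse the header and execution metadata of an uncompressed .pf file."""
    if len(data) >= 8 and data[:4] == b"MAM\x04":
        # Windows 10+: the SCCA body is compressed, so the fields below only
        # exist after decompression (not implemented in this example).
        return {"compressed": True,
                "uncompressed_size": struct.unpack_from("<I", data, 4)[0]}
    if len(data) < 84 or data[4:8] != b"SCCA":
        raise ValueError("not a prefetch (SCCA) file")
    version = struct.unpack_from("<I", data, 0)[0]
    if version not in LAYOUT:
        raise ValueError("unsupported format version %d" % version)
    times_off, slots, count_off = LAYOUT[version]
    if len(data) < count_off + 4:
        raise ValueError("file truncated before run count")
    name = data[16:76].decode("utf-16-le", errors="replace").split("\x00")[0]
    raw = struct.unpack_from("<%dQ" % slots, data, times_off)
    return {
        "compressed": False,
        "version": version,
        "file_size": struct.unpack_from("<I", data, 12)[0],
        "executable": name,
        "hash": "%08X" % struct.unpack_from("<I", data, 76)[0],
        "run_count": struct.unpack_from("<I", data, count_off)[0],
        "run_times": [filetime_to_dt(ft) for ft in raw if ft],  # unused slots are zero
    }

def build_sample():
    """Constructed version-26 buffer (not a real artifact) for demonstration."""
    buf = bytearray(0xD4)
    struct.pack_into("<I4sII", buf, 0, 26, b"SCCA", 0x11, len(buf))
    name = "CALC.EXE".encode("utf-16-le")
    buf[16:16 + len(name)] = name
    struct.pack_into("<I", buf, 76, 0x1234ABCD)  # constructed hash value
    # 2021-10-07 00:00 UTC and one hour earlier, as FILETIME values
    struct.pack_into("<2Q", buf, 0x80, 132780384000000000, 132780348000000000)
    struct.pack_into("<I", buf, 0xD0, 5)
    return bytes(buf)

if __name__ == "__main__":
    print(parse_prefetch(build_sample()))
```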

With the PECmd.exe tool we can also spot malware execution through the "Directories referenced" section, where the /TEMP entry is highlighted in red. This gives us the file or application name, and we can also find files running out of the ProgramData path.



Reverse Engineering and Disassembly

Let's take a deep dive into Prefetch to understand how prefetch files are created and saved on a system. A Windows core component named ntkrnlpa.exe, a kernel process, is responsible for creating, reading, writing, and executing prefetch files based on the instructions from the Windows Cache Manager. Prefetch calls many functions at the time of an application launch. The following are some of the functions called:
PfSnBeginAppLaunch
PfPrefetchRequestVerify
PfGenerateTrace
PfCalculateProcessHash
PfSnScanCommandLine
ntkrnlpa.exe is a huge file and it calls hundreds of functions. The process goes like this:

Starting Point
PfProcessCreateNotification
PfSnBeginAppLaunch
PfSnGetPrefetchInstructions

So how do prefetch files help in forensics? The last execution time tells you when an activity took place, and the counter value tells you how frequently it was performed. Prefetch files also give the path. For example, say a prefetched executable such as calculator.exe has been executed x times: by examining the prefetch file, you can see the paths of the files that were executed.

In addition, the full directory paths listed in the prefetch file disclose the user accounts. An investigation may show that a temporary account was created to perform the criminal activity. This answers the "who" question in a forensic investigation. The full path also shows whether the file, program, or application was launched from external or internal storage. With the last execution time, the investigator can match the timestamp against the USBStor registry key to get the serial number of the external storage device as well.

Even if a cyber-criminal modifies the SIA and FNA timestamps in the MFT, the entries in the prefetch file will not change. The following are some examples of forensic uses of Windows prefetch files.

1. Prefetch files can confirm that a criminal ran a clean-up program like SDelete.
2. If a program has been deleted, a Prefetch file still exists to provide evidence of its previous existence and execution.
3. Forensic investigators can determine the exact path of malware and when it was first/last run.
4. With other basic timeline analyses, forensic investigators could identify any additional malware component.
5. By doing log analysis from different log sources and using a Prefetch file’s creation timestamp and last run timestamp as reference points, an investigator might be able to correlate the information and identify the initial vector of an attack.
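The checks in this list and in the forensic analysis section can be applied mechanically once the prefetch records are exported. The Python below is an added example, not part of the original report or of any tool named in it; the record layout, the `triage` function, the wiper list and every sample value are constructed for illustration.

```python
import re
from collections import defaultdict

# NAME-HASH.pf: executable name, 8 hex digits of the path hash, .pf extension
PF_NAME = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-F]{8})\.pf$", re.IGNORECASE)
SUSPECT_DIRS = ("\\TEMP\\", "\\PROGRAMDATA\\")  # locations the report calls out
WIPERS = {"SDELETE.EXE", "SDELETE64.EXE"}        # analyst-maintained list (assumption)

VOL = r"\VOLUME{CONSTRUCTED}"
# Constructed records: (prefetch file name, executable path, run count, last run UTC)
SAMPLE = [
    ("NOTEPAD.EXE-0A1B2C3D.pf", VOL + r"\WINDOWS\SYSTEM32\NOTEPAD.EXE", 12, "2021-10-06T09:15:00"),
    ("CALC.EXE-2B3C4D5E.pf", VOL + r"\WINDOWS\SYSTEM32\CALC.EXE", 3, "2021-10-06T10:02:00"),
    ("SDELETE.EXE-8C9D0E1F.pf", VOL + r"\USERS\TEMPUSER\DOWNLOADS\SDELETE.EXE", 1, "2021-10-06T22:58:00"),
    ("NOTEPAD.EXE-4E5F6A7B.pf", VOL + r"\USERS\TEMPUSER\APPDATA\LOCAL\TEMP\NOTEPAD.EXE", 1, "2021-10-06T22:41:00"),
]

def triage(records):
    """Return (timeline, findings), both ordered by last run time."""
    hashes = defaultdict(set)
    parsed = []
    for pf_name, path, run_count, last_run in records:
        m = PF_NAME.match(pf_name)
        if m is None:
            continue  # skip entries not named NAME-HASH.pf
        exe = m.group("exe").upper()
        hashes[exe].add(m.group("hash").upper())
        parsed.append((last_run, exe, path.upper(), run_count))
    parsed.sort()  # ISO-8601 strings sort chronologically
    findings = []
    for last_run, exe, path, run_count in parsed:
        reasons = []
        if exe in WIPERS:
            reasons.append("file wiper executed")
        if any(d in path for d in SUSPECT_DIRS):
            reasons.append("executed from temp/ProgramData path")
        # The hash covers the path, so one name under several hashes means
        # several locations. Hosting processes such as SVCHOST.EXE also hash
        # their command line and need to be excluded from this rule.
        if len(hashes[exe]) > 1:
            reasons.append("same name under %d path hashes" % len(hashes[exe]))
        if reasons:
            findings.append((last_run, exe, reasons))
    return parsed, findings

if __name__ == "__main__":
    timeline, findings = triage(SAMPLE)
    for last_run, exe, reasons in findings:
        print(last_run, exe, "; ".join(reasons))
```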

Limitations 

Prefetch files are a very good source of evidence to determine the existence and execution of suspicious files on a system. However, they are just one of the many Windows artifacts that help investigators understand what a user was doing on a system at a point in time. Keep in mind that all the Windows artifacts must be analyzed and examined to see the bigger picture of a cyber security breach incident.

Also, you need to understand that it monitors the first 10 seconds of application start-up, and on new-generation SSDs this has been identified as 2 to 3 seconds. The prefetching process can be disabled by users, or is disabled by default on SSDs running the Windows 7 or Windows 8 operating system. This leaves no prefetch files on the system for forensic analysis.

Another big limitation of these prefetch files is that they are temporary files, and the system could delete or overwrite them, which may hide artifacts from forensic analysis. Also, there is no relationship between the application action and the crime in the digital forensic examination.

Though we get much useful information, as mentioned above there are limitations to using prefetch, as it will not show how the incident was initiated. We still need to work with other forensic techniques to finalize and confirm the incidents.

Conclusion
In this report, I set out to explore the potential of prefetch files as they relate to forensic investigation, and I was able to find much interesting information. Prefetch keeps a counter, as we found above, and updates it every time the application runs. For a forensic investigation, having the first created time, the last modified time, and the number of runs gives you the complete detail of the application. Further, it gives the full path and the dependent directories as well.

Arranging the prefetch files in time order also gives a clear picture of what happened, and in what order, when an incident occurred. Further registry, memory, and storage forensics will then give the complete picture, with evidence to conclude the incident.
