Friday, March 25, 2005

More about the Prefetcher

So far, there hasn't been much of a response to my previous Prefetch blog post...though I have heard that some folks have been thinking along those lines. I wanted to add a couple of things I've stumbled across...

First, XP prefetches for the boot process and application launch, by default, while 2003 only prefetches for the boot process. As a system hardening recommendation, I'd suggest modifying the 2003 Registry value to prefetch for application launches, as well. The Prefetch directory shouldn't take up a great deal of space...for servers, pretty much the same applications will be launched over and over, so the predominant changes to the directory will be updates to file access times. However, if any unusual applications are launched, a record (ie, a '.pf' file) will be created in the Prefetch directory.

Second, I thought I mention something about the layout.ini file that you see in the Prefetch directory. This file is used by the system defrag tool to optimize system performance, by placing all of the files and directories listed in the layout.ini file in the same contiguous space. Having all of these files and directories close together in the same place makes the access of those objects more efficient.

So...what I did today was write a Perl script that parses the layout.ini file for executable files (based on .exe, .dll, and .sys file extensions) and then extract file version information from each of these. This script can easily be modified to flag files that aren't Microsoft (or Adobe or Symantec) files, or on files that don't have file version information. I should probably add extracting MAC times, as well, prior to grabbing file version info.

Here's an excerpt from the output of the script:

C:\WINDOWS\SYSTEM32\USERINIT.EXE
File Version : 5.1.2600.2180
Product Version : 5.1.2600.2180
OS : NT/Win32
Type : Application
CompanyName : Microsoft Corporation
FileDescription : Userinit Logon Application
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
InternalName : userinit
Copyright : © Microsoft Corporation. All rights reserved.
Trademarks :
OrigFileName : USERINIT.EXE
ProductName : Microsoft® Windows® Operating System
ProductVersion : 5.1.2600.2180
PrivateBuild :
SpecialBuild :

This sort of thing is extremely useful, allowing for quicker searches of "suspicious" files. The key is in understanding how the Prefetch directory and the layout.ini file are populated, and then determining how they can be used (exploited??) by a forensic analyst.

9 comments:

Anonymous said...

Besides forensically investing a system, the prefetch folder is also useful in tracking the presence of virus-type activity. Even with updated definitions there is still a window during which new viruses can run rampant before the AV companies catch up. Boot the infected system with a PE disc and check the prefetch folder to find the current file name of the unknown virus, then delete the actual virus from whereever it is hiding, etc.

H. Carvey said...

"...forensically investing a system..."

Huh? ;-)

"Boot the infected system with a PE disc and check the prefetch folder to find the current file name of the unknown virus..."

I'm not clear on how this would be helpful. If the virus is unknown, how do you know which file you want? Correct me if I'm wrong, but you seem to be suggesting that someone investigate no further than simply a filename...and one doesn't have to read far in any of the online public forums to see where that can lead you.

Thanks for your thoughts...

Anonymous said...

This prefetch directory looks very cool!

What I'd like to see is a program that parses the prefetch directory and spits out a list of all of the programs that have been run on the machine along with the last date/time they were run. Similar to the Perl script you have now, but with an added line for:

Last run: Mon, 28 Mar 2005 13:44:25 -0800

Ideally this program would be self-contained so that it could be added to larger incident reponse toolkits (cough). Does this sound possible, or do you not want to be my unpaid development staff? [grin]

H. Carvey said...

What you're asking sounds pretty easy...I'm sure I could come up with something... ;-)

H. Carvey said...

Okay...it's done.

Anonymous said...

Great catch, I'm sure the undelete process doesn't usually delete these traces either (have to double check that). My Prefetch files also show some filenames that I've opened - several file names in the Notepad.exe.pf for example. Any idea if those are just remnants of something, or MRUs? I can't seem to make one show up in there when I use Notepad, but it does make me wonder why those filenames are there. Any ideas?

H. Carvey said...

My Prefetch files also show some filenames that I've opened - several file names in the Notepad.exe.pf for example. Any idea if those are just remnants of something, or MRUs?

One way to find out...try it. Try different ways of opening the files...open the file via Notepad's "File, Open" menu option, then try opening it at the command prompt (ie, C:\>notepad myfile.txt). Monitor what happens.

Also, what version of the OS are you using? I'm seeing ADS behavior on XP Pro only...

Anonymous said...

BESIDES layout.ini ARE THERE ANY OTHER FILES YOU SHOULDN'T DELETE OUT OF PREFETCH DIRECTORY?

H. Carvey said...

YES...ANYTHING IN ALL CAPS! ;-)