Wednesday, March 23, 2005

What is the Prefetcher?

Ever wondered what the Prefetcher is? As of Windows XP, MS added a prefetcher to improve boot and application launch time. Like many other things on Windows systems, this functionality is controlled by a Registry key.

Basically what happens is that when an application is launched, via pretty much any means (there are some methods I haven't tested yet...but even launching an app via a Scheduled Task works...), the system figures that you may want to launch it again at some point, so it creates a file in the %SYSTEMROOT%\Prefetch directory, with a ".pf" extension. This file contains some binary data, as well as some other information in Unicode (more on this in a minute).

The file that is created is given a name based on the following elements:
  • The name of the application
  • A dash
  • A value representing a hash of the path to the application
  • The '.pf' extension

As the hash in the filename is based on the absolute path to the executable image file, if you run the same application after copying it to a different location, you'll get a different hash value, hence a different '.pf' file will be created in the Prefetch directory.

Back to the topic of Unicode data within the '.pf' file...if you open the file, near the end you'll see several paths. Most of these are paths to modules used by the application...but the path to the executable image file can also be seen here.

Combining this path with the MAC times on the file itself can provide valuable information to a forensics analyst.

I've test this by running apps from the command prompt, as a Scheduled Task, via Start->Run, etc. Nothing of note happened until I ran an application from within an NTFS alternate data stream. I created the ADS using the following command:

C:\>type c:\windows\notepad.exe > mytest.txt:np.exe

After running this command, I launched the application using the following command:

C:\>start .\mytest.txt:np.exe

Notepad ran just fine (as expected), and when I listed the contents of the Prefetch directory, I found this entry:

... 0 MYTEST.TXT

Hhhmmm...no '.pf' file. Or...is there? I ran LADS.EXE version 4.0 against the Prefetch directory, and found this:

Scanning directory c:\windows\prefetch

size ADS in file

---------- ---------------------------------

7960 c:\windows\prefetch\MYTEST.TXT:NP.EXE-0870E38D.pf

Nice! Very interesting!

So...what's my point? Let's say you want to determine if a user had run an application on a system. Well, there are locations in the Registry that record when a user launches an application in a certain way...via Start->Run, for example (search the Registry for "RunMRU"). While I haven't been able to determine whether or not there's any difference between Prefetch file names based on the user account, you should find a Prefetch file for the application (assuming, of course, the user doesn't know about prefetching and hasn't deleted the contents of the directory).

A forensic analyst can combine the MAC times of the file with the path found within the '.pf' file itself (yes, the absolute path to the ADS is in the '.pf' created in the ADS example I used), and add that to a timeline of system activity.

As I have an opportunity to try other things, I'll post them here. But don't be afraid to try your own things instead of asking me, "what happens if you..."

1 comment:

Anonymous said...

million thanks. Very helpful