Wednesday, July 13, 2005

Prefetch file metadata

I exchanged emails with the anonymous poster from my previous metadata entry, and got an interesting perspective. Specifically, not enough of the folks actually performing forensic analysis of Windows XP systems are aware of the Prefetch directory and what it contains.

This reminds me of a very brief exchange I had w/ one of the virus writers from the group 29A a while back. Specifically, Benny and Ratter had written some viruses that took advantage of NTFS alternate data streams, and I asked them where they saw things going. The response I got back stated, in brief, that it was a dead end b/c everyone knows about ADSs.

Hhhhmmm...so why is it that when I talk about them at conferences, attendees sit up and say things like, "Okay...go back a sec..."??

My point is that just b/c some of us know something, we have to realize that not everyone does. Just b/c someone is, say, a forensic analyst for local, state, or even federal law enforcement, that doesn't mean that they know all of the ins and outs of Windows XP.

Keeping that in mind, .pf files within the Prefetch directory carry metadata of their own: each file contains several Unicode strings (view them with strings.exe or BinText from Foundstone), one of which is the path to the executable image. So you can see from where the executable was launched.
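To show what strings.exe or BinText is actually pulling out of a .pf file, here is a small Python script (added here as an example; it is not code from the original post and not a tool of mine) that scans a byte blob for UTF-16LE strings and picks out the image paths. The input is a constructed stand-in for a Prefetch file, not a real one: it only mimics the embedded strings and deliberately includes an ASCII-only decoy and odd padding, so it does not model the real .pf header or section layout.

```python
import re
import sys
from typing import List, Optional

# Constructed sample: a stand-in for the bytes of an XP Prefetch (.pf) file.
# Real .pf files have a binary header and section tables that this sample does
# not reproduce; only the embedded UTF-16LE strings matter for this example.
SAMPLE_PF = (
    b"\x11\x00\x00\x00SCCA" + b"\x00" * 40                   # header-like filler, not a real layout
    + "NOTEPAD.EXE-1A2B3C4D.pf".encode("utf-16-le")           # plausible .pf file-name string
    + b"\x00\x00" * 4
    + b"ASCII-only decoy text that must not be reported"      # no interleaved nulls
    + b"\x00" * 3                                            # odd padding shifts the alignment
    + "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL".encode("utf-16-le")
    + b"\x00\x00"
    + "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NOTEPAD.EXE".encode("utf-16-le")
    + b"\x00\x00"
)


def extract_utf16le_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return every run of at least min_len printable ASCII characters encoded
    as UTF-16LE (byte 0x20..0x7e followed by 0x00), the same thing strings.exe
    reports in its Unicode mode. Scanning byte by byte means runs that start at
    an odd offset are still found."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    return [m.group().decode("utf-16-le") for m in pattern.finditer(data)]


def find_image_paths(strings: List[str]) -> List[str]:
    """Keep the strings that look like NT device paths, which is how the
    executable and its loaded modules appear inside a .pf file."""
    return [s for s in strings if s.upper().startswith("\\DEVICE\\")]


def executable_path(strings: List[str], exe_name: str) -> Optional[str]:
    """Given the executable name (e.g. taken from the .pf file name), return the
    full path it was launched from, or None if no such string is present."""
    suffix = "\\" + exe_name.upper()
    for path in find_image_paths(strings):
        if path.upper().endswith(suffix):
            return path
    return None


if __name__ == "__main__":
    # Usage: python pf_strings.py [file.pf]; with no argument the constructed sample is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PF
    found = extract_utf16le_strings(data)
    for s in found:
        print(s)
    print("--- device paths ---")
    for p in find_image_paths(found):
        print(p)
```

Running it against the sample prints the .pf file-name string and the two \DEVICE\HARDDISKVOLUME1\... paths, while the ASCII-only decoy is ignored because it has no interleaved null bytes. On a real file the device path, not a drive letter, is what you get, so mapping HARDDISKVOLUMEn back to a drive letter is a separate step.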

So...outside of strings and MAC times...what is there? Has anyone ever seen an ADS associated with a .pf file?
