Friday, May 25, 2007

Prefetch Analysis

I've seen a couple of posts recently on other blogs (here's one from Mark McKinnon) pertaining to the Windows XP Prefetch capability, and I thought I'd throw out some interesting stuff on analysis that I've done with regards to the Prefetch folder.

First off, XP's Prefetch capability is meant to enhance the user eXPerience by helping frequently used applications load faster. Microsoft has a nice writeup on that, and portions of and references to that writeup are included in my book. XP has application prefetching turned on by default, and while Windows 2003 has the capability, only boot prefetching is turned on by default. So, XP systems are rich in data that can help you assess and resolve an incident investigation.

First off, XP can maintain up to 128 Prefetch files...these are files within the Windows\Prefetch directory that end in ".pf". These files contain a bunch of prefetched code, and the second half of the files generally contain a bunch of Unicode strings that point to various modules that were accessed when the application was launched. Also, each Prefetch file contains that run count (number of times the application has been run) as well as a FILETIME object representing the last time the application was launched, within the file itself (ie, metadata).

Okay, so how can this information be used during forensics analysis? Remember Harlan's Corollary to the First Law of Computer Forensics? If you acquire an image from a system...say, a user's laptop...and you're told that the user had this laptop for a year or so, and you don't find any .pf files...what does that tell you?

Mark talked about U3 Smart Technology, and some of the Prefetch artifacts left behind by the use of tools like this. Excellent observations, but keep in mind that the Prefetch files aren't specific to a user...they're system-wide. On a multi-user system, you may have to look other places to determine which user launched the application in the first place. Ovie does a great job talking about the UserAssist keys and how they can help you narrow down who did what on the system.

I've looked to the Prefetch folder for assistance with an investigation. In one instance, there was a suspicion that a user had deleted some files and removed software from the system, and attempted to cover his tracks. While it was clear that the user had done some of these things (ie, removed software, emptied their Recycle Bin, etc.) it was also clear that they hadn't gone through the trouble of running one of those tools that delete everything; most of the artifacts I would look for were still in place (can you guess from my book what those artifacts might have been?). I found a reference to defrag.exe in the Prefetch folder, but nothing to indicate that the user had run the defrag tool (XP's built-in, automatic anti-forensics capabilities are a subject for another post). It turns out that as part of the Prefetch capability, XP runs a limited defrag every 3 days...the Prefetch capability prefetches XP's own prefetch functionality. ;-)

In another instance, I wanted to see if a user had burned anything to CD from the system. I found the installed software (Roxio Sonic), but found no references in any of the user artifacts to actually launching the software. I did, however, find an file in the Prefetch directory. Interestingly enough, the Unicode strings within the file included a reference to iTunes, which, it appeared, the user used a lot. It turns out that iTunes likes to know where your CD or DVD burner is...I confirmed this on another system on which I knew the user used iTunes, and had not burned any CDs.

So, as a wrap up, some things to look for when you're digging into the Prefetch directory:

- How many .pf files (between 0 and 128) are in the Prefetch directory?

- For each .pf file, get the last run time and the run count. The last run time is a FILETIME object, meaning that it is maintained in UTC may need to adjust using information from the TimeZoneInformation Registry key (ie, ActiveTimeBias).

- Correlate .pf files and the last run times to UserAssist key entries to tie activity to a specific user, as well as the Event Logs.

- Run strings to get the Unicode strings from the file and see what other modules were accessed when the application was launched.

Finally, there is a ProDiscover ProScript on the DVD that ships with my book (in the ch5 directory) that will locate the Prefetch folder (via the Registry) and automatically parse the .pf files, listing the last run time and run count for each. I have since updated that ProScript to display its output in time-sorted order, showing the most recent time first. I've found that this makes analysis a bit easier.


Anonymous said...

"XP's built-in, automatic anti-forensics capabilities are a subject for another post"

Can't wait for this post. Sounds very interesting.

Anonymous said...

Great post Harlan. I've used some of your material to update the ForensicsWiki article on Prefetch files.

Unknown said...


How do I parse this .pf files?

Is there a viewer I can use?

H. Carvey said...


I'll have to update the ForensicWiki page with the info, but there is a Perl script on the DVD that accompanies my book that will do this for you. Also, strings.exe from SysInternals, as well as BinText (the old Foundstone tool) will let you see the Unicode strings embedded in the file.

Unknown said...

thanks as always!


kill = secret_squirrel


Unknown said...

BTW this blog came in handy today when I was looking into what was thought to be a SPAM bot'd pc and I found where the .pf for Acrobat Reader was written to just a few seconds after an email was recieved which led me to believe that this user had in fact open an infected attachment.

Keep sharing the knowledge!

Anonymous said...

Great write up. I have been bouncing around prefetch for a while but your braindump motivated me to add a prefetch copy module in RAPIER.

Thanks again. Props to you.

Anonymous said...

How to Parse:

there is a file there called
Prefetch Analyzer.

I have NOT vetted the tool yet but assuming it is clean it looks like it provides decent data.

cw said...

I scanned the mentioned in the message from PDX Sharkey, it's packed with UPX and only esafe reports that it's a banking trojan, which I'm not sure how to interpret. Could possibly be a false positive, but thought you would be interested.

cw said... report on eSafe reports it as a banking trojan, they are the only AV vendor triggering on it. Could be a false positive. Not sure, but FYI.