Thursday, March 08, 2012

Prefetch Analysis, Revisited

A while I go, I posted on Prefetch file analysis, and based on some recent events, I thought that I'd revisit this topic.

By now, most analysts are familiar with Prefetch files and how they can be useful to an examination.  I think most of us tend to take a quick look over the names of the Prefetch files during analysis, just to see if anything jumps out at us (I've seen Prefetch files for "0.exe", and I'd call that odd and worth digging into).  As described on the ForensicsWiki, Prefetch files also have a good bit of embedded metadata, and can be very useful during analysis.  For example, you may look at the listing of files and something unusual may immediately jump out at you.

Also, if you include Prefetch file metadata in a timeline of an XP system, you should see a file access time for the executable "near" to when a Prefetch file for that executable is created or updated.  If that's not the case, you may have an issue of time manipulation, or the original executable may have been deleted.

Thankfully, Prefetch files are an artifact of an EXE file engaging with its eco-system and not a direct artifact of the EXE.  As such, if the EXE is deleted, the Prefetch file persists.  Very cool.

Prefetch files also contain a number of strings, which are file names and full paths that point to modules used or accessed by the executable, and even some other files accessed by the executable.  This stuff can be very interesting.  For example, if you see two Prefetch files for Notepad, remember that the hash in the .pf file name is generated using the path to the file, as well as command line options.  As most Windows systems have two copies of Notepad (one in the Windows dir, the other in the Windows\system32 dir), you're very likely to see two Prefetch files for that executable...and you will likely also find the full path to the executable right there within the embedded strings.

So, I got to thinking...how can we use this information?  How about we do a little data reduction?  Rather than running through all 128 or so .pf files manually, one at a time, we can let some code do that for us, and then display the paths to all of the executables.  We might even want to add some checking, say grep() the file path for something like "temp", so we can see executables that were launched from a path that included "Temp" or even "Temporary Internet Files".

Another idea is to do a little Least Frequency of Occurrence analysis, and run through all of the .pf files and list those module paths that only appear once in all of the files.  This is a great bit of work that can be easily automated, leaving us to just look over the output.  You can even expand your analysis to those modules that occur twice, or even three times.

The more I think of this, the more I'm thinking that this is something that would go really well in a forensic scanner.

Addendum, 3/11:  Tonight I completed transitioning the pref.pl Perl script to a module, so that the functionality can be encapsulated in other tools.  

3 comments:

A. Thulin said...

"Prefetch files also contain a number of strings, which are file names and full paths that point to modules used or accessed by the executable, and even some other files accessed by the executable."

Don't forget "files that some other executable happened to access during the crucial 10 seconds".

On a system with a MP3 player going constantly, you may find surprisngly many MP3 files referenced in prefetch files from non-audio programs. (This may depend on Task Scheduler version, though. The systems I've noticed this on particularly were all XP.)

Jimmy_Weg said...

Don't forget "files that some other executable happened to access during the crucial 10 seconds".

Explain please: "crucial 10 seconds." Thanks.

I think that Harlan said this more or less, but Prefetch can serve as an MRU. E.g., absent the registry MRU, jump list, etc. for Media Player, the prefetch likely will reveal the last file viewed in Media Player, and perhaps files played beforehand.

Keydet89 said...

Jimmy,

Yeah, I'm not a big fan of stuff that starts out with "don't forget", but I think what he's referring to is that, on XP, application prefetching occurs by monitoring page faults during the first 10 seconds of execution. That's referenced here:
http://msdn.microsoft.com/en-us/magazine/cc302206.aspx