Prefetcher | What is it? and Forensic Analysis.

It is indeed very vital for a computer forensic analyst to get the details of the application we launch,the timestamp and the path.Here in this post we will discuss how to can find that and the tools needed for lets start.......
What is a Prefetcher?

It is a feature added to Ms Windows Xp to speed up or improve boot time and the loading time of applications we run on a windows box.During booting a large no of files are loaded into the memory and there by a specific amount of time is consumed in this process.But the prefetcher keeps a track of the files and the data that are loaded during boot time and make a trace of it.So when again the system is booted then this information stored by the prefetch can be used and this can certainly reduce the boot time...the same thing happens with the application that we launch after the system has been logged in.

Where we can find this prefetch?

1.It is stored in the a folder named "Prefetch" in the system root "%SYSTEMROOT%\Prefetch",in my testing system it is found in "C:\WINDOWS\Prefetch"

2.It can be enabled by changing the registry value at as shown in the image below.(By default it is enabled.)

"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters"

Information stored in Prefetch file:

*When a application is loaded or launched then a prefetch file is created with .pf extension.Suppose an application called "XYZ.exe" is launched then a prefetch file is created in the "Prefetch" directory and named is in a format as "" as shown in the image below.

*Above the hash file contains the path of the application.If the same application is launched from different location then also two different files are created.

*The Prefetch contains information like:

-Name of the application

-The no.of times the application is launched.

-Volume serial number

-Dll used by the application.

-Serial numbers of external thumb drives.

-MD5 hash

-Some binary data and some unicode information

-Volume information

-Application path

-Timestamp of volume creation.

Forensic view of Prefetch file:

If some unknown application say a malware is launched from the hard disk or from external drive then the launch time its path can be found out.If the malware is being deleted still then its leaves its traces in the prefetch which can come handy to a forensic analyst.

How to get the information:

Once you browse to the "Prefetch" folder then u can open the .pf file using a hex editor but it may be bit difficult and confusing.So here I will show you few tools which you can use to retrieve the information.

1.Windows File Analyser.(Download)

2.Win Prefetch View.(Download)

3.Prefetch Parser.(Download)

Here I have show you the screen shots of "Win Prefetch View" , here you cannot find all the information mentioned above but the others tools that I mentioned above can surely retrieve that so do give it a try.

"If you find this post useful and informative do post your comment and share it."
Suggest Article

Subscribe to Posts....

Enter your Email-ID and get "Security Tips and Hacking Tutorials"alert in your inbox,we promise to keep your email private and safe.

comment 11 comments:

Shabnam Sultan on November 11, 2010 at 8:48 AM said...

Congrats for the new domain :)

Shekhar Sahu on November 11, 2010 at 2:15 PM said...

By now let me keep peeking prefetch :)

Ayush on November 15, 2010 at 11:37 AM said...

Nice one......

Rock Kitaro on November 20, 2010 at 2:26 AM said...

Why do I feel like I've just stumbled into a goldmine? bookmarked.

Satyajit (Admins,a.k.a Satosys) said...

@all Thanks that you all liked the post...keep visting... :)

emma1 on November 27, 2010 at 2:32 AM said...

i like your blog and information about prefetcher and forensic analysis thank you

Paul on December 21, 2010 at 10:30 PM said...

This site really is a gold mine. Thanks for posting keep it up :) Satyajit

billig on February 24, 2011 at 2:37 AM said...

great post - thanks for sharing

Denish Vijgday on August 24, 2011 at 7:25 PM said...

Lovely post, and nice site in general. I've bookmarked some posts for later

tylergreen001 on September 24, 2011 at 7:49 PM said...

this is a professional post but interesting

Radhe Dhakad on August 3, 2012 at 11:28 AM said...

nice post,,,,

Post a Comment

This blog is "DoFollow",Use a "Real Name" rather than using "Keywords" otherwise comment will be rejected.

Delete this element to display blogger navbar

© 2013 SecurityHunk All Rights Reserved and Template by Fresh Blogger Templates