Prefetcher | What is it? and Forensic Analysis.

For a computer forensic analyst it is vital to know which applications were launched on a machine, when they were launched and from which path. In this post we will look at where Windows records exactly that, what the records contain and which tools can read them, so let's start.
Prefetcher
What is a Prefetcher?

The Prefetcher is a feature introduced in Windows XP to reduce the boot time and the start-up time of the applications we run on a Windows box. During boot a large number of files are read into memory, and a fair amount of time goes into that. The Prefetcher monitors which files, and which parts of them, are read during the first seconds of boot and writes a trace of it to disk. On the next boot Windows uses that trace to read the needed data in advance in one efficient pass, which noticeably cuts the boot time. The same thing happens for every application launched after logon: the first roughly ten seconds of its start-up are traced, and the trace is reused on later launches of the same program.

Where can we find the Prefetch data?

1.It is stored in a folder named "Prefetch" under the system root, "%SYSTEMROOT%\Prefetch"; on my test system that is "C:\WINDOWS\Prefetch". On XP the folder holds at most 128 application .pf files, plus the boot trace NTOSBOOT-B00DFAAD.pf and the Layout.ini file that the disk defragmenter uses.

2.It is enabled or disabled through the EnablePrefetcher value under the registry key below (by default it is enabled). The value is a DWORD: 0 disables prefetching, 1 enables application prefetching only, 2 boot prefetching only and 3 both, which is the default on XP.

"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters"


Information stored in a Prefetch file:

*When an application is launched a prefetch file with the .pf extension is created. Suppose an application called "XYZ.exe" is launched: a file is created in the "Prefetch" directory with a name of the form "XYZ.EXE-0870E38D.pf", that is the executable name in upper case followed by eight hex digits.

*Those eight hex digits are a 32-bit hash that Windows computes over the full path of the executable. If the same application is launched from a different location the path changes, the hash changes, and a second .pf file is created, so the Prefetch folder can tell two copies of the same program apart.

*The Prefetch file contains information such as:

-Name of the executable

-The number of times the application has been launched (run count)

-The timestamp of the last launch (on Windows 8 and later the last eight launches)

-The DLLs and other files the application read during its start-up, stored as full device paths, which include the path of the executable itself

-The volume(s) those files live on: device path, volume serial number and the timestamp of volume creation; an application run from a USB thumb drive leaves that drive's volume serial number here

-The 32-bit path hash that also appears in the file name (it is not an MD5)

-Some binary data (file metrics and trace chains used by the prefetcher itself) that is of little forensic interest

Forensic view of Prefetch file:

If an unknown application, say a piece of malware, is launched from the hard disk or from an external drive, its launch time, its path and its run count can be recovered from the .pf file. Even if the malware has since been deleted, its prefetch file normally stays behind, because the Prefetcher does not clean up after deleted executables, so the traces can come in very handy to a forensic analyst. The volume serial number recorded in the file can also tie the launch to a specific thumb drive.
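To make the field list and the forensic use above concrete, here is an added Python example. It is my own code, not code from this post or from the tools listed below. It reads the executable name, path hash, run count, last-run time(s), loaded file paths and volume serial/creation time straight from .pf files and orders them into a launch timeline. The field offsets follow the publicly documented SCCA layout for format versions 17 (XP/2003), 23 (Vista/7) and 26 (Windows 8.x); Windows 10 files (version 30) are LZXPRESS-Huffman compressed and are rejected rather than decoded. The sample file at the bottom is constructed in memory for the post's hypothetical XYZ.EXE-0870E38D.pf, with made-up timestamps, serial number and DLL list, so the script runs without real evidence.

```python
"""Read the forensic fields of Windows Prefetch (.pf) files and build a
launch timeline from them.  Added example, not code from the post or from
the tools it lists.  Offsets follow the publicly documented SCCA layout for
format versions 17 (XP/2003), 23 (Vista/7) and 26 (Windows 8.x); Windows 10
files (version 30) are LZXPRESS-Huffman compressed ("MAM" signature) and
are rejected rather than decoded.  The sample .pf at the bottom is
constructed in memory for the post's hypothetical XYZ.EXE-0870E38D.pf."""
import struct
import sys
from datetime import datetime, timedelta, timezone
from pathlib import Path

# Absolute offset of the last-run FILETIME(s) and the run counter, plus the
# size of one volume information entry, per format version.
_LAYOUT = {
    17: dict(last_run=120, runs=1, run_count=144, vol_entry=40),
    23: dict(last_run=128, runs=1, run_count=152, vol_entry=104),
    26: dict(last_run=128, runs=8, run_count=208, vol_entry=104),
}
_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime; 0 -> None."""
    return _EPOCH + timedelta(microseconds=ft // 10) if ft else None


def _utf16(buf, off, nbytes):
    """Decode a NUL-padded UTF-16LE string at buf[off:off+nbytes]."""
    return buf[off:off + nbytes].decode("utf-16-le").split("\x00", 1)[0]


def parse_pf(data):
    """Return the forensically interesting fields of one .pf file as a dict."""
    if data[:3] == b"MAM":
        raise ValueError("compressed Windows 10 prefetch file; decompress it first")
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != b"SCCA" or version not in _LAYOUT:
        raise ValueError("unsupported prefetch file (version %r)" % version)
    lay = _LAYOUT[version]
    fn_off, fn_size, vol_off, vol_count = struct.unpack_from("<4I", data, 100)
    run_times = struct.unpack_from("<%dQ" % lay["runs"], data, lay["last_run"])
    # Filename strings: NUL-separated UTF-16LE device paths of every file
    # read during the traced start-up, the executable itself among them.
    files = [n for n in data[fn_off:fn_off + fn_size].decode("utf-16-le").split("\x00") if n]
    volumes = []
    for i in range(vol_count):
        base = vol_off + i * lay["vol_entry"]
        dp_off, dp_len, created, serial = struct.unpack_from("<IIQI", data, base)
        volumes.append(dict(device_path=_utf16(data, vol_off + dp_off, dp_len * 2),
                            serial="%08X" % serial, created=filetime_to_datetime(created)))
    return dict(
        version=version,
        executable=_utf16(data, 16, 60),
        path_hash="%08X" % struct.unpack_from("<I", data, 76)[0],
        run_count=struct.unpack_from("<I", data, lay["run_count"])[0],
        last_runs=[t for t in map(filetime_to_datetime, run_times) if t],
        files=files,
        volumes=volumes,
    )


def timeline(records):
    """One row per recorded launch, newest first: (time, exe, hash, run count)."""
    rows = [(t, r["executable"], r["path_hash"], r["run_count"])
            for r in records for t in r["last_runs"]]
    return sorted(rows, reverse=True)


def _filetime(dt):
    return int((dt - _EPOCH) / timedelta(microseconds=1)) * 10


def build_sample_pf():
    """Constructed version-17 file: XYZ.EXE run 7 times, last on 2010-11-09 (made-up data)."""
    dev = "\\DEVICE\\HARDDISKVOLUME1"
    names = "\x00".join([dev + "\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
                         dev + "\\WINDOWS\\SYSTEM32\\KERNEL32.DLL",
                         dev + "\\PROGRAM FILES\\XYZ\\XYZ.EXE"]).encode("utf-16-le") + b"\x00\x00"
    vol = struct.pack("<IIQI5I", 40, len(dev),
                      _filetime(datetime(2009, 3, 14, 8, 0, tzinfo=timezone.utc)),
                      0x1234ABCD, 0, 0, 0, 0, 0) + dev.encode("utf-16-le") + b"\x00\x00"
    fn_off, vol_off = 152, 152 + len(names)
    header = (struct.pack("<I4sII", 17, b"SCCA", 0x0F, 0)          # file size patched below
              + "XYZ.EXE".encode("utf-16-le").ljust(60, b"\x00")
              + struct.pack("<II", 0x0870E38D, 0))
    info = (struct.pack("<9I", vol_off, 0, vol_off, 0, fn_off, len(names), vol_off, 1, len(vol))
            + struct.pack("<Q", _filetime(datetime(2010, 11, 9, 13, 5, tzinfo=timezone.utc)))
            + b"\x00" * 16 + struct.pack("<II", 7, 0))
    data = header + info + names + vol
    return data[:12] + struct.pack("<I", len(data)) + data[16:]


if __name__ == "__main__":
    # Usage: python pf_parse.py C:\WINDOWS\Prefetch   (no argument: parse the sample)
    if len(sys.argv) > 1:
        recs = [parse_pf(p.read_bytes()) for p in Path(sys.argv[1]).glob("*.pf")]
    else:
        recs = [parse_pf(build_sample_pf())]
    for when, exe, h, n in timeline(recs):
        print(when.isoformat(), exe, h, "runs=%d" % n)
```

Point the script at a copy of the Prefetch folder taken from the evidence image (work on a copy, never on the live folder) and the timeline lists every recorded launch newest first. A row whose executable no longer exists on disk, or whose volume serial number does not match any fixed disk in the image, is exactly the deleted-malware or thumb-drive case described above.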


How to get the information:

Once you browse to the "Prefetch" folder you can open a .pf file in a hex editor, but that is tedious and confusing. So here are a few tools you can use to retrieve the information instead.

1.Windows File Analyzer (MiTeC)

2.WinPrefetchView (NirSoft)

3.Prefetch Parser (Mark McKinnon)


Here are the screenshots of "WinPrefetchView". It does not show every field listed above, but the other two tools can retrieve those, so do give them a try.

"If you find this post useful and informative do post your comment and share it."
Reviewed by Satyajit (Admins, a.k.a Satosys) on Tuesday, November 09, 2010

11 comments:

Shabnam Sultan said...

Congrats for the new domain :)

Shekhar Sahu said...

By now let me keep peeking prefetch :)

Ayush said...

Nice one......

Rock Kitaro said...

Why do I feel like I've just stumbled into a goldmine? bookmarked.

Satyajit (Admins,a.k.a Satosys) said...

@all Thanks that you all liked the post...keep visiting... :)

emma1 said...

i like your blog and information about prefetcher and forensic analysis thank you

Paul said...

This site really is a gold mine. Thanks for posting keep it up :) Satyajit

billig said...

great post - thanks for sharing

Denish Vijgday said...

Lovely post, and nice site in general. I've bookmarked some posts for later

tylergreen001 said...

this is a professional post but interesting

Radhe Dhakad said...

nice post,,,,
