For a computer forensic analyst it is vital to recover the details of the applications launched on a system: their names, the timestamps and the paths. In this post we will discuss how to find that information and the tools needed for it, so let's start.
What is a Prefetcher?
It is a feature added in Microsoft Windows XP to improve boot time and the load time of the applications we run on a Windows box. During booting a large number of files are loaded into memory, and this takes a measurable amount of time. The prefetcher keeps track of the files and data loaded during boot and writes a trace of them, so on the next boot this stored information can be used, which certainly reduces the boot time. The same happens for the applications we launch after the system has been logged in.
Where can we find this prefetch data?
1. It is stored in a folder named "Prefetch" under the system root, "%SYSTEMROOT%\Prefetch"; on my test system it is found at "C:\WINDOWS\Prefetch".
2. It can be enabled or disabled by changing the registry value under the following key, as shown in the image below (by default it is enabled):
"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters"
Information stored in a Prefetch file:
* When an application is loaded or launched, a prefetch file with the .pf extension is created. Suppose an application called "XYZ.exe" is launched: a prefetch file is created in the "Prefetch" directory and named in the format "XYZ.EXE-0870E38D.pf", as shown in the image below.
* The hash in the file name above is derived from the path of the application, so if the same application is launched from two different locations, two different prefetch files are created.
* The Prefetch file contains information such as:
- Name of the application
- The number of times the application has been launched
- Volume serial number
- DLLs used by the application
- Serial numbers of external thumb drives
- MD5 hash
- Some binary data and some Unicode information
- Volume information
- Application path
- Timestamp of volume creation
Forensic view of Prefetch file:
If an unknown application, say a piece of malware, is launched from the hard disk or from an external drive, its launch time and its path can be found out. Even if the malware has since been deleted, it still leaves its traces in the Prefetch folder, which can come in handy for a forensic analyst.
How to get the information:
Once you browse to the "Prefetch" folder you can open a .pf file in a hex editor, but that can be a bit difficult and confusing. So here I will show you a few tools you can use to retrieve the information.
1. Windows File Analyser
2. WinPrefetchView
3. Prefetch Parser
Here I have shown you screenshots of "WinPrefetchView". It does not display all the information mentioned above, but the other tools I mentioned can surely retrieve it, so do give them a try.
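To make the fields listed above concrete, here is an added example (not code from the original post, and not taken from any of the tools listed) that parses them out of a Windows XP-era prefetch file, format version 17. The offsets and the file-name hash algorithm follow the publicly documented version-17 layout as described in the libscca project's format documentation; the .pf image it parses is constructed in memory, so the executable path, DLL names, volume serial, timestamps and run count are made-up sample values, not data from a real system. It recovers the executable name, the .pf file name, the run count, the last-run time, the volume serial number and creation time, and the device paths of the files that were loaded, which are the items an analyst pulls from a real file.

```python
"""Parse a Windows XP-era (format version 17) Prefetch (.pf) file.

Added example, not code from the original post. Field offsets follow the
publicly documented version-17 layout (as described by the libscca project);
the .pf bytes parsed below are CONSTRUCTED in memory so this runs offline.
"""
import struct
from datetime import datetime, timedelta, timezone

SIGNATURE = b"SCCA"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
V17_HEADER_SIZE = 0x98  # 84-byte file header + 68-byte file information block


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime (used only to build the sample image)."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def xp_prefetch_hash(device_path):
    """Hash that appears in the .pf file name, per the documented XP algorithm.

    Input is the upper-cased device path of the executable. A different launch
    path yields a different hash, which is why one executable name can have
    several .pf files in the Prefetch folder.
    """
    h = 0
    for ch in device_path.upper():
        h = (h * 37 + ord(ch)) & 0xFFFFFFFF
    h = (h * 314159269) & 0xFFFFFFFF
    if h > 0x80000000:
        h = 0x100000000 - h
    return h % 1000000007


def parse_prefetch_v17(data):
    """Extract the forensically useful fields of a version-17 .pf image."""
    version, sig, _unknown, declared_size = struct.unpack_from("<I4sII", data, 0)
    if sig != SIGNATURE or version != 17:
        raise ValueError("not a version-17 SCCA prefetch file")
    if declared_size > len(data):
        raise ValueError("truncated prefetch file")
    # Executable name: up to 29 UTF-16LE characters, NUL padded, at 0x10.
    exe_name = data[0x10:0x4C].decode("utf-16-le").split("\x00", 1)[0]
    (pf_hash,) = struct.unpack_from("<I", data, 0x4C)
    # File information block at 0x54; metrics/trace-chain fields are skipped.
    (_, _, _, _, fn_off, fn_size, vol_off, vol_count, _vol_size) = struct.unpack_from("<9I", data, 0x54)
    (last_run_ft,) = struct.unpack_from("<Q", data, 0x78)
    (run_count,) = struct.unpack_from("<I", data, 0x90)
    if fn_off + fn_size > len(data) or vol_off + 40 * vol_count > len(data):
        raise ValueError("section offsets point outside the file")
    # Filename strings: NUL-separated UTF-16LE device paths of every file loaded.
    files = [s for s in data[fn_off:fn_off + fn_size].decode("utf-16-le").split("\x00") if s]
    volumes = []
    for i in range(vol_count):  # 40-byte volume records, offsets relative to vol_off
        path_off, path_len, created_ft, serial = struct.unpack_from("<IIQI", data, vol_off + 40 * i)
        start = vol_off + path_off
        volumes.append({"device_path": data[start:start + 2 * path_len].decode("utf-16-le"),
                        "serial": serial, "created": filetime_to_datetime(created_ft)})
    return {"executable": exe_name, "hash": pf_hash,
            "pf_filename": f"{exe_name}-{pf_hash:08X}.pf",
            "run_count": run_count, "last_run": filetime_to_datetime(last_run_ft),
            "files": files, "volumes": volumes}


def build_sample_pf():
    """Construct a minimal, well-formed version-17 image (constructed sample data)."""
    exe_path = "\\DEVICE\\HARDDISKVOLUME1\\TOOLS\\XYZ.EXE"
    files = ["\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
             "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\KERNEL32.DLL", exe_path]
    volume = "\\DEVICE\\HARDDISKVOLUME1"
    fn_blob = "".join(f + "\x00" for f in files).encode("utf-16-le")
    created = datetime_to_filetime(datetime(2009, 3, 15, 8, 30, tzinfo=timezone.utc))
    vol_blob = struct.pack("<IIQIIIIII", 40, len(volume), created, 0x1234ABCD, 0, 0, 0, 0, 0)
    vol_blob += volume.encode("utf-16-le")  # device path directly after the record
    fn_off = V17_HEADER_SIZE
    vol_off = fn_off + len(fn_blob)
    last_run = datetime_to_filetime(datetime(2010, 11, 9, 12, 0, tzinfo=timezone.utc))
    header = struct.pack("<I4sII", 17, SIGNATURE, 0x0F, vol_off + len(vol_blob))
    header += "XYZ.EXE".encode("utf-16-le").ljust(60, b"\x00")
    header += struct.pack("<II", xp_prefetch_hash(exe_path), 0)
    header += struct.pack("<9I", 0, 0, 0, 0, fn_off, len(fn_blob), vol_off, 1, len(vol_blob))
    header += struct.pack("<Q", last_run) + bytes(16) + struct.pack("<II", 5, 0)  # run count 5
    assert len(header) == V17_HEADER_SIZE
    return header + fn_blob + vol_blob


if __name__ == "__main__":
    info = parse_prefetch_v17(build_sample_pf())
    print(f"{info['pf_filename']}: run {info['run_count']} times, "
          f"last run {info['last_run']:%Y-%m-%d %H:%M:%S} UTC")
    for vol in info["volumes"]:
        print(f"  volume {vol['device_path']} serial {vol['serial']:08X} created {vol['created']:%Y-%m-%d}")
    for f in info["files"]:
        print("  loaded:", f)
```

To run it against a real XP file, replace build_sample_pf() with the bytes read from a .pf file. Prefetch files from Vista onward use format versions 23, 26 and 30 with different offsets (and Windows 10 files are additionally compressed), so the version check rejects them instead of returning wrong values; the last-run timestamp and run count are the two fields that answer the "when was this launched" question raised above, and the file-name hash is what ties the entry to a specific launch path.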
"If you find this post useful and informative, do post your comment and share it."
Prefetcher | What is it? and Forensic Analysis.
Reviewed by Satyajit (Admin, a.k.a. Satosys) on Tuesday, November 09, 2010
11 comments:
Congrats for the new domain :)
By now let me keep peeking prefetch :)
Nice one......
Why do I feel like I've just stumbled into a goldmine? bookmarked.
@all Thanks that you all liked the post... keep visiting... :)
I like your blog and the information about the prefetcher and forensic analysis, thank you
This site really is a gold mine. Thanks for posting keep it up :) Satyajit
great post - thanks for sharing
Lovely post, and nice site in general. I've bookmarked some posts for later
this is a professional post but interesting
nice post,,,,