Prefetch files are highly used in DFIR, especially when malware compromised a windows system or the malicious attacker decided to execute files and to leave his track to us, the analysts. Let's start step-by-step.
System Processes
What are system processes? Basically, a program, a piece of code that may be a single line or millions of lines. A computer program is usually written by a computer programmer in a programming language.
When a process executes, it passes through different states. These stages may differ in different operating systems, and the names of these states are also not standardized.
Executables
In general, a process can have one of the following five states at a time:
Start – This is the initial state when a process is first started/created.
Ready – The process is waiting to be assigned to a processor. Ready processes are waiting to have the processor allocated to them by the operating system so that they can run. The process may come into this state after the Start state or while running it by but interrupted by the scheduler to assign CPU to some other process.
Running – Once the process has been assigned to a processor by the OS scheduler, the process state is set to running and the processor executes its instructions.
Waiting – Process moves into the waiting state if it needs to wait for a resource, such as waiting for user input, or waiting for a file to become available.
Terminate – Once the process finishes its execution, or is terminated by the operating system, it is moved to the terminated state where it waits to be removed from the main memory.
Last EXE Created
Before we are diving into the forensics evidence and the tools we are using in order to collect forensics data, we may use the core windows shell process PowerShell.
Detect all .exe files created on the system, filtered by date and time –
Filter: may change by the file extension needed.
LastWriteTime: index parameter, may be changed by the indexing needed.
cmatch: may change by the date needed.
What are Prefetch Files?
A Prefetch file is a file created when you open an application on your windows system. Windows makes a prefetch record when an application is run from a specific area for the absolute first time.
To check the status of prefetching, open the following location in Registry editor:
Make sure the value is set to 3. All the options that windows provide us with in order to customize prefetching are explained below:
0 - Prefetching Disabled
1 - Application Prefetching Enabled
2 - Boot Prefetching Enabled
3 - Application and Boot both Enabled
I also recommend you monitor this registry hive in case a malicious attacker will try to delete his tracks.
What Forensic Information We May Achieve?
Proof of program execution can be a significant asset for a forensic investigator, they can prove that a certain executable was executed on the system to cover up the tracks. Before initiating the forensic analysis of the prefetch record as a forensic examiner you should check whether the prefetching process is enabled.
The following is a list of metadata which can be found in the .pf file –
Executable’s name
The eight-character hash of the executable path.
Creation, modified, and accessed timestamp of executable
The path of the executable file
Last run time
The timestamp for the last 8 run times (1 last run time and other 7 other last run times)
Volume information
Run count (Number of times the application has been executed)
File Referenced by the executable
Directories referenced by the executable
Tools
As we can already understand, high-value forensic evidence may be collected from .pf files.
Therefore, there are some valuable tools we may use while we are investigating a system. I choose 2 kinds of tools, CLI and GUI.
PECmd.exe
PECmd is a command-line tool by Eric Zimmerman, used for bulk analysis of prefetch files. This tool can also export your prefetch artifacts to .csv.
From this tool, we may collect the following -
Executable's Hash, Size and listed DLL files used.
Creation Time of the executable.
Last accessed time of the executable.
A number of times the file was executed.
WinPrefetchView
WinPrefetch View is a tool to read and examine the prefetch files stored in your system. The tool was developed by Nirsoft. This utility deals with any variant of Windows, beginning from Windows XP to Windows 10.
From this tool, we may collect the following -
Creation Time of the executable.
Last accessed time of the executable.
A number of times the file was executed + the exact date & time.
Scenario
We received a call from a stressed finance guy who was surfing the internet and suddenly he observed malicious content running on his computer.
Super-fast investigation led us to his Downloads folder where we find an executable called “Invoice.exe”. Due to our forensic knowledge, we wanted to collect the following evidence:
The time the suspicious file was Downloaded.
The time the executable was executed.
What is the attacker’s initial vector?
According to the file explorer, we may see the exact time the file was modified on the system - 16/09/2021, 1:41.
In order to collect evidence about the execution time, we will use Prefetch Files and the correct tools we already know.
According to the WinPrefetchView, we may see the exact time the file was executed on the system - 16/09/2021, 2:14.
So we have the source folder, creation time and execution time. All of these led us to his browsing history, where we wanted to check if his browsing habits led him to this case.
To do that, we may need the following file – (Navigation History + Downloads + Search History) -
And to cross-checking times to find the exact URL, which may be the attacker’s vector –
To sum things up –
The Malicious file changes his name from “Malware.exe” to “Invoice.exe” inside the victim’s Downloads folder.
The Malicious file was executed 15 minutes after it was downloaded.
The initial access was enabled throw a malicious file downloaded from Telegram Web.
Sources
Eric Zimmerman's PECmd.exe - https://github.com/EricZimmerman/PECmd
Nirsoft's WinPrefetchView - https://www.nirsoft.net/utils/win_prefetch_view.html
Web Browser Forensics - https://nasbench.medium.com/web-browsers-forensics-7e99940c579a
Sans's Hunting and Gathering with PowerShell - https://www.sans.org/white-papers/38842/
Comments