Decoding Prefetch Files for Forensic Purposes: Part 2
Part 2 of this article will demonstrate what the existence of the prefetch file itself can tell you. Examining the contents of the prefetch directory can provide a storyline of activity on a computer system because the prefetch file captures the activity of applications that were first or subsequently executed. By using a tool such as Guidance Software’s EnCase [1] or WinPrefetch View [2], you can extract the prefetch files and view just the file’s creation or last access time stamp. First and foremost, the existence of the prefetch file shows that a certain application not only existed on the computer, but has at one time been executed. By sorting the entries by file creation or last access time it is possible to see what applications were executed on the system and what activity might have occurred on the system.
For instance, the entries in Figure 1 show that on April 9, 2010, two separate cmd.exe programs were executed. After the second cmd.exe (cmd.exe-5D0264ff.pf) was executed, the application CONSENT.exe was executed (as shown by consent.exe-65f6206D.pf), which indicates the computer system is a Vista or Windows 7 system. The consent.exe program is the popup window presented to the user when a requested program requires administrator access, such as the MMC.exe application, which was executed ten seconds after CONSENT.exe. The presence of the prefetch files indicates that on April 9, 2010, at 1:16 PM two instances of CMD.exe were executed from different locations, followed by the execution of the program MMC.exe. Launching MMC.exe spawned the execution of CONSENT.exe, so CONSENT.exe is recorded as running before MMC.exe even though chronologically the user started MMC.exe first. The MMC program is the Microsoft Management Console program and is used to manage user accounts, Windows Event logs, disk management, and other management programs. Figure 1 also shows that the application PSEXEC.exe was executed, which is a command-line tool that allows a user to execute commands remotely on a computer system.
Figure 1: Analyzing the Prefetch Folder
So what can prefetch files tell you? The existence of two prefetch files with the same application prefix and different trailing hashes indicates two executables with the same name (here, CMD.exe) that were executed from two different locations. The eight-character hash in the prefetch file’s name is based on the location from which the application was executed. In this example, a rogue CMD.exe was executed from a location other than Windows\System32. This scenario can also detect a possible malware infection in which the malware was executed in one location, say the desktop or temp directory, then removed itself from the original location, placed a copy in Windows\System32, and re-executed itself from the new location. This would cause the creation of two prefetch files with the same prefix and two different eight-character trailing hashes. If during a forensic exam two prefetch files with different trailing hashes are located, and the examiner needs to determine the location the file was executed from, the examiner can reverse engineer the location through trial and error. There is no magic algorithm that will allow you to plug in a formula and reproduce the path from which the application was executed. However, since the eight-character hash was created from an algorithm using the executed file’s location, you can take any file, rename it to the prefix of the prefetch file (e.g. calc.exe), and place it in different suspected directories. Then execute the file and monitor the prefetch directory until a file with the matching trailing hash appears. This process is very time consuming, so it is wise to focus on suspect directories.
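The two observations above, that the name of a prefetch file splits into an executable prefix and a location-dependent hash, and that sorting the directory by creation time yields a timeline, can be scripted. The following Python is an added example and is not code from the article or from any of the tools it names; it works from a constructed directory listing in which the two cmd.exe hashes and the consent.exe hash are the ones discussed above, while the other names, hashes and every timestamp are invented for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Prefetch files are named <EXECUTABLE>-<8 hex digits>.pf. The hash is derived
# from the path the executable ran from, so one prefix seen with two different
# hashes means a binary of that name ran from two different locations.
PREFETCH_NAME = re.compile(r"^(?P<prefix>.+)-(?P<hash>[0-9A-Fa-f]{8})\.pf$")

# Constructed sample directory listing: (file name, NTFS creation time).
# cmd.exe-5D0264ff and consent.exe-65f6206D come from the article's Figure 1
# discussion; the other names, hashes and all timestamps are invented.
SAMPLE_LISTING = [
    ("NOTEPAD.EXE-D8414F97.pf", "2010-04-08 09:03:44"),
    ("CMD.EXE-087B4001.pf",     "2010-04-09 13:16:02"),
    ("cmd.exe-5D0264ff.pf",     "2010-04-09 13:16:09"),
    ("consent.exe-65f6206D.pf", "2010-04-09 13:16:31"),
    ("MMC.EXE-0A3A8E2B.pf",     "2010-04-09 13:16:41"),
    ("PSEXEC.EXE-1F9B7C3A.pf",  "2010-04-09 13:20:15"),
    ("thumbs.db",               "2010-04-01 00:00:00"),  # not a prefetch file
]


def parse_prefetch_name(name):
    """Split 'cmd.exe-5D0264ff.pf' into ('CMD.EXE', '5D0264FF'); None for non-.pf names."""
    m = PREFETCH_NAME.match(name)
    if not m:
        return None
    return m.group("prefix").upper(), m.group("hash").upper()


def build_timeline(listing):
    """Return (creation_time, prefix, hash) tuples, oldest first."""
    rows = []
    for name, stamp in listing:
        parsed = parse_prefetch_name(name)
        if parsed is None:
            continue
        prefix, h = parsed
        rows.append((datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), prefix, h))
    # The creation time is when the .pf file was written. For a program that
    # stayed open a long time that can be well after the first launch, so read
    # it as the latest possible first-execution time, not the exact one.
    return sorted(rows)


def find_multi_location(listing):
    """Prefixes that appear with more than one hash, i.e. ran from more than one path."""
    by_prefix = defaultdict(set)
    for name, _ in listing:
        parsed = parse_prefetch_name(name)
        if parsed is not None:
            by_prefix[parsed[0]].add(parsed[1])
    return {p: sorted(hs) for p, hs in by_prefix.items() if len(hs) > 1}


if __name__ == "__main__":
    for when, prefix, h in build_timeline(SAMPLE_LISTING):
        print(f"{when}  {prefix}-{h}.pf")
    for prefix, hashes in find_multi_location(SAMPLE_LISTING).items():
        print(f"{prefix} ran from {len(hashes)} locations: {', '.join(hashes)}")
```

On a real case the listing would come from the extracted Windows\Prefetch directory with the creation times read from the file system or from the forensic tool's export; the prefix comparison is case-insensitive because the file names are written with mixed case, as the cmd.exe and consent.exe entries show.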
The number and type of prefetch files in the prefetch directory can also reveal information about the individual who is using the computer system. The operating system will reduce the number of prefetch files once a certain number is met. The number of prefetch files can reveal a few different items.
- The system is relatively new and only a few different applications have been executed on the system. This situation is typical of a normal home user. They may only use about ten to fifteen programs over time.
- The system has been used extensively, and either over a short or long period of time the user(s) have executed many different programs. The timestamps and number of times the application was executed will provide background information on the duration and frequency these applications have been used.
- The type of applications that have been executed can also help in profiling the user’s technical capabilities. For instance, by identifying the type of programs the individual executes, the analyst can determine whether the user is highly technical (for example, if there are prefetch files for programming tools such as Python and Perl, or technical programs such as IdaPro and VMWare). The presence of hacker tools such as nmap, Metasploit, or netcat could easily reveal the nature and intent of a computer user. On the other hand, if the user is only using Internet web browsers, mail clients, and social networking software (e.g. Yahoo or Microsoft’s Instant Messenger), then you get a different profile of the type of computer user.
Here are some more practical forensic examples of how the prefetch file can be used to aid a forensic exam:
- A simple scenario is where network logs show that system PC-A was scanning system PC-B with a tool such as Nessus. When the local administrators asked the user of PC-A about the activity he denied the allegations and even said that they could search his system for the tool Nessus if they wanted to. The seemingly savvy user had not only removed the Nessus tool after its use but also used a tool such as BCWipe to overwrite all unallocated space. What the user of system PC-A didn’t realize is that when he executed Nessus a prefetch file was created capturing the first time and last time the file was executed, the number of times it was run, and the location from which it was executed. These timestamps should correlate with the network logs and any activity recorded on system PC-B. The other valuable artifact is the prefetch file for the wiping tool BCWipe. The same type of incriminating information is contained in the BCWipe prefetch file.
- From a forensic standpoint a prefetch file can be used to show that an employee who denied obtaining a salary spreadsheet actually did open a Microsoft Excel file named ABCorp_2010_Salaries.xls, located on an external thumb drive, on their computer. For this to occur the employee would have to have opened the file by double clicking on the spreadsheet.
While there are many different tools that can be used to analyze prefetch files, three of the most useful tools to date are Prefetch_info.exe [3] (and Prefetch_parse_gui.exe) by Mark McKinnon, WinPrefetch View by NirSoft, and the EnCase EnScript PFDump [4] (V2.2) created by Dominik Weber.
Prefetch_info.exe is a Windows command line tool that neatly parses out both the file’s metadata (time stamps), and the NTFS/MFT file log. Prefetch_info.exe can only be run on one prefetch file at a time. This tool can quickly return results on a prefetch file of interest.
The second tool by Mark McKinnon, Prefetch_parse_gui.exe, is a graphical tool that analyzes a whole directory of prefetch files. NirSoft’s WinPrefetch View is modularized, with the top section listing each prefetch file along with all its associated metadata. The bottom section displays the NTFS/MFT log data for the prefetch entry that is selected in the top section. Figure 2 shows the interface for WinPrefetch View. By default this tool will read the prefetch files of the local computer system. The Advanced Options entry under the Options tab allows you to select another location where prefetch files might have been extracted out of an image. The metadata shown in Figure 2 can be sorted by column, and any results of interest can be exported to HTML reports.
Figure 2: WinPrefetch View
The most extensive analytical prefetch tool seen so far is Dominik Weber’s PFDump EnScript. The EnScript will identify all the prefetch files on the loaded hard drive and identify if the prefetch file is a hosting application prefetch file or a regular application prefetch file. If no entries are selected all of the files with the “.pf” extension will be processed. There are two options on the main page, Toggle MFT processing for selected files, and Toggle hash verification for selected files. The Toggle MFT processing for selected files allows the option to extract and process any Master File Table record information that is located within the prefetch file. EnCase’s Console will provide a status of the EnScript’s operation, while the prefetch artifacts for the selected files are placed in EnCase’s Bookmark section. Figure 3 shows the options available when analyzing identified application hosting prefetch files, and the output of an identified command line used to start compmgmt.msc. When working with application hosting files, by default PFDump will try many different standard command line options that the hosting application might have used to execute the process. Identifying how a process of interest was started and the options used might prove useful during forensic analysis. There is also an entry to insert a suspected command line option that might have been used to start a process. This can be used to verify a command line option that might have been discovered in unallocated space.
Figure 3: PFDump EnScript Hosting Application Entries and output
If the prefetch files have been purposefully or systematically deleted through routine maintenance, there is still a chance to recover prefetch files of interest. Common sense in computer forensics states that any file that has been deleted can be recovered as long as it has not been overwritten. The same rule holds true for prefetch files. A common method to search for and extract files is to search for a file’s header. Since every file has a distinguishing file header, we can search through unallocated space looking for the prefetch file header. That header in ASCII is “….SCCA”; in hexadecimal it is “11 00 00 00 53 43 43 41”. Once the file has been identified it can be carved out and analyzed with one of the aforementioned tools. Since prefetch files do not have file footers, it is okay if extra data is carved out when extracting a potential prefetch file. Any excess data will be easily recognized and discarded.
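The header search just described can be carried out over a dump of unallocated space with a few lines of Python. This is an added example, not code from the article or from any of the tools it mentions. It searches a byte buffer for the “11 00 00 00 53 43 43 41” signature and, because prefetch files carry no footer, carves from each hit up to the next hit or a fixed maximum length (the 1 MiB cap is an assumption chosen for the example), accepting that the result may carry trailing junk. The unallocated-space buffer is constructed inline: two fake prefetch bodies surrounded by filler.

```python
# Header of a prefetch file as given in the article: 11 00 00 00 53 43 43 41,
# which prints as "....SCCA" in ASCII.
PREFETCH_SIGNATURE = bytes.fromhex("11 00 00 00 53 43 43 41")

# Constructed stand-in for a dump of unallocated space: filler, a fake prefetch
# body, more filler, a second fake body, and trailing filler. The executable
# names are only there to make the carved output recognisable.
FILLER = b"\x00" * 64 + b"unallocated junk " * 8            # 200 bytes
SAMPLE_UNALLOCATED = (
    FILLER
    + PREFETCH_SIGNATURE + b"NETCAT.EXE\x00" + b"\xab" * 200
    + FILLER
    + PREFETCH_SIGNATURE + b"BCWIPE.EXE\x00" + b"\xcd" * 300
    + FILLER
)


def find_prefetch_headers(blob):
    """Return every offset at which the prefetch signature occurs in blob."""
    offsets = []
    pos = blob.find(PREFETCH_SIGNATURE)
    while pos != -1:
        offsets.append(pos)
        pos = blob.find(PREFETCH_SIGNATURE, pos + 1)
    return offsets


def carve_prefetch_candidates(blob, max_len=1024 * 1024):
    """Carve (offset, bytes) candidates starting at each signature.

    There is no footer to stop on, so each candidate runs to the next signature
    or to max_len, whichever comes first. Trailing excess is harmless: a parser
    reads the length it needs from the header and ignores the rest.
    """
    offsets = find_prefetch_headers(blob)
    candidates = []
    for i, start in enumerate(offsets):
        next_start = offsets[i + 1] if i + 1 < len(offsets) else len(blob)
        end = min(start + max_len, next_start)
        candidates.append((start, blob[start:end]))
    return candidates


def write_candidates(candidates, out_dir):
    """Write each candidate as carved_<offset>.pf so the usual tools can open it."""
    import os
    os.makedirs(out_dir, exist_ok=True)
    paths = []
    for offset, data in candidates:
        path = os.path.join(out_dir, f"carved_{offset:08x}.pf")
        with open(path, "wb") as fh:
            fh.write(data)
        paths.append(path)
    return paths


if __name__ == "__main__":
    for offset, data in carve_prefetch_candidates(SAMPLE_UNALLOCATED):
        # The 4 bytes before "SCCA" are the version field; the article's sample
        # header starts with 0x11.
        version = int.from_bytes(data[:4], "little")
        print(f"offset 0x{offset:x}: version 0x{version:x}, {len(data)} bytes carved")
```

Against a real image you would read the unallocated clusters exported by your forensic tool into the buffer (or memory-map the export file) rather than use the constructed sample; the signature search itself is unchanged.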
When analyzing prefetch files there are a few items to note. When certain applications are executed and remain in an “open state,” the prefetch file will not be created until the application is closed. For instance, if the application netcat was executed for the first time on June 14th at 13:00:00, but was not shut down until June 15th at 15:00:00, the prefetch file will not be created until the netcat application is closed, twenty-six hours after it was first executed. This delay in file creation will throw off timeline analysis. Programs that are located in a user’s Startup directory will not create a prefetch file.
When performing an Internet search for prefetch files, many of the initial findings are telling users to remove the prefetch files to speed up their computers. This may not be a sign of anti-forensics. The lack of prefetch files may also be due to the system’s registry setting “EnablePrefetcher,” which might have been modified to disable prefetching. Below are the registry key and value that control what actions the operating system will take with regard to prefetching. By default Windows XP, Vista, and Windows 7 have a value of “3,” which has both application and boot prefetching enabled. On Windows 2003 systems the default value is “2,” which is why there is no application prefetching.
- HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters\EnablePrefetcher
- Value: 0 (zero) = Prefetching is disabled
- Value: 1 = Application prefetching is enabled
- Value: 2 = Boot prefetching is enabled
- Value: 3 = Both application and boot prefetching are enabled [5]
The existence of a prefetch file for the Windows defragmenting tools, DEFRAG.exe and DFRGNTFS.exe, also does not necessarily indicate a user removing prefetch files or defragging their computer to cover up some malicious activity. The Windows operating system, specifically the Task Scheduler, will start the defrag process to reallocate entries in the Layout.ini file. When this occurs new prefetch files will be created for DFRGNTFS.exe and DEFRAG.exe. If these prefetch files already existed, the run count will be incremented by one each time the tool is run.
This article reveals the many different forensic artifacts that can be recovered from prefetch file analysis while conducting forensic analysis. Whether prefetch file analysis can help in an investigation depends on the type of forensic investigation that is being conducted.
Mark Wade is a Digital Forensic Analyst with Harris Corporation (Crucial Security Programs), performing digital forensics for a Federal Law Enforcement agency as a government contractor. Mark has been engaged in computer/network security for the past twelve years with specific focus in penetration testing, IDS and firewall management, incident response, malware analysis, and most recently spent the last three years conducting computer forensics. E-mail: firstname.lastname@example.org