Digital Forensic Analysis on Prefetch Files

Year 2015, Volume: 4 Issue: 2, 39 - 49, 30.06.2015

Narasimha Shashidhar Dylan Novak

Abstract

Prefetch files, like any other file in a file system, can be viewed from a digital forensic perspective to further a forensic investigation. Using appropriate tools and techniques available to a digital forensic examiner, we explore and investigate the potential of prefetch files and what they have to offer from a digital forensic analysis perspective in an effort to contribute towards the rapidly advancing field of digital forensics. Windows' prefetch files are used to decrease the startup times of applications and are formatted in a manner to instruct application processes to load data and necessary libraries into memory that it needs before it is actually demanded. In other words, prefetch files help avoid a hard fault, thereby minimizing startup times. These files reside in the prefetch folder under the Windows installation directory of a system. This folder contains prefetch files for user and system applications as well as a ReadyBoot folder, a layout.ini file, and several database files. In this paper, we investigate the mechanism behind the creation and manipulation of prefetch files on a Windows machine. Diving deep into the assembly code generated by the disassembler IDA PRO from ntkrnlpa.exe, we are able to find the Windows kernel processes responsible for the creation of these prefetch files and parse these prefetch files to better understand their forensic value.

Keywords

Prefetching, disassembly, digital forensics, reverse engineering, forensic analysis

References

• $hash = (abs($hash) % 1000000007) % ; return $hash; } b) PfSNBeginAppLaunch
• Format Version of the Windows OS – Win XP/2003 – Win Vista/Win7 – Win8.1 x0004 SCCA signature x0008
• Unknown- Values observed x0F-Win XP 0x11 – Win 7/8 x000C Prefetch file size x0010
• Corresponding name of the executable up to 29 characters in length x004C Corresponding prefetch hash value x0050
• FILE INFORMATION FORMAT Offset Length Notes x0054 0x0074 of entries, and offset locations for sections A, B, C, D x0078 Unknown x0080
• Latest execution time of executable x0088
• Forensics Wiki, "Prefetch,” Latest Access Time for the website is http://www.forensicswiki.org/wiki/Prefetch Jan16th Mark Wade, "Decoding Prefetch Files for Forensic Purposes: Part 1." DFI News. Latest Access Time for the website http://www.dfinews.com/articles/2010/12/decoding- prefetch-files-forensic-purposes-part-1. th
• Adam Blaszczyk, "Hexacorn | Blog," Hexacorn Ltd Blog Posts RSS. Latest Access Time for the website is July 26 th http://www.hexacorn.com/blog/2012/06/13/prefetch-hash- calculator-a-hash-lookup-table-xpvistaw7w2k3w2k8
• Joachim Metz, "Analysis of SCCA," Windows Prefetch File (PF) format 1 (2011): 25.
• Shiaeles Stavros, Anargyros Chryssanthou, and Vasilios Katos, "On-scene triage open source forensic tool chests: Are they effective?," Digital Investigation 10.2 (2013): 99
• Keungi Lee, Changhoon Lee, and Sangjin Lee, "On-site investigation methodology for incident response in Windows environments," Computers & Mathematics with Applications 65.9 (2013): 1413-1420.
• Yogesh Khatri, “Windows Prefetch File”, [Online], Available: http://www.swiftforensics.com/2010/04/the- windows-prefetchfile.html, April, 2010, [ Latest Access
• Time for the website is Nov 14, 2014]
• Harlan Carvey, “Windows forensic analysis DVD toolkit”, Third edition. Syngress, 2012, pp 88-92.
• Jamie McQuaid, “Forensic Examination of Prefetch Files in Windows.” Online], Available: http://www.magnetforensics.com/forensic-analysis-of- prefetch-files-in-windows/, Aug 6, 2014 [Latest Access
• Time for the website is Feb 4, 2015]