Forensic Friday - Prefetch
What is Windows Prefetch?
Windows Prefetch creates files when a user opens an application on a Windows host. The Windows Operating system will make a prefetch record when an application is run from a specific area for the absolute time. Microsoft introduced prefetch with the Windows XP operating system. The idea behind the prefetch is that it would accelerate the boot process and start-up process. In older versions of Windows, prefetch files were limited to 128 files. With newer versions, the limit was increased to 1024.
Prefetch files are great artifacts to review during an IR engagement. However, prefetch is disabled on most Windows server operating systems by default. So make sure the prefetch files are enabled before going down the rabbit hole. You can verify prefetch is enabled using the registry. Open Registry Editor and navigate to the location below:
Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
The default value is set to 3. The values can be changed if needed. Here are the options of the values.
0: Prefetching is Disabled
1: Application Prefetching Enabled
2: Boot Prefetching Enabled
3: Application and Boot both enabled
In a prefetch file, the metadata found is;
Hash on the executable path
Path of the executable file
Creation, modified, and accessed timestamp
Number of times the executable was ran
Last run time
Timestamp for the previous eight run time
File Referenced by the executable
Directories referenced by the executable
The actual prefetch files are located in:
You could also navigate to the Prefetch directory. If the files or directory is not there, that would also be an indication it is not enabled. Prefetch files are named in a format containing the name of the application followed by an eight-character hash of the location where the application was run and the .PF extension.
Why is prefetch important?
In a forensic investigation, prefetch files can be a crucial artifact. When you are in an incident response you often arrive at the crime scene after the crime has been committed and the operator has left the scene. So the threat actor often has the time to clean up their tracks. This could be as simple as deleting the executables they pulled down or clearing event logs. A prefetch file can prove that a threat actor ran programs like Mimikatz to steal credentials, data exfil programs like RClone or PCloud, recons tools like Advanced IP Scanner, Port Scanners, and so much more. Even if the threat actor deleted these files, a prefetch artifact can still exist and provide evidence of the execution. Establishing a timeline when conducting an incident response effort is essential, and the prefetch files can help with that. The prefetch file will tell the investigator exactly what file was executed, when it was executed, and how many times it was executed.
How do you review a prefetch file?
A prefetch file can not be reviewed with a text editor like notepad. An investigator needs to have a tool to parse the data out and make it readable. Eric Zimmerman's Prefetch Explorer Command Line (PECmd) is our favorite tool to view prefetch files. The tool can be downloaded from here. What is satisfying about this tool is that it will bulk parse out the entire prefetch folder and can export the results to a CSV file. To execute the tool, open Windows Command Line and navigate to the folder with the PECmd tool and then enter the easy one-liner command below:
PECmd.exe –d "C:\Windows\Prefetch\"
You can also parse specific prefetch files using -f. We parsed UPFC.exe below:
PECmd.exe –f "C:\Windows\Prefetch\UPFC.EXE-EDB57E2A.pf"
Next, watch the magic of Eric Zimmerman's tool PECmd parse out everything into an easy-to-read format. Other tools can be used to view prefetch files, such as FTK Imager, OS Forensics, and WinPrefetch View. However, PECmd is our preference. We would recommend testing the other tools as well to see which one you like the most!
We have also leveraged EDR platforms to retrieve the prefetch files during incident response engagements. These platforms are great because they can help you scale your forensic effort. In addition to the detection and prevention capabilities the EDR platform provides, most have the ability to network contain a host. This effectively takes the host offline while still allowing the investigator the ability to access the host to retrieve the forensic artifacts since the host can only communicate with the EDR cloud console. Prefetch files can also be pulled from memory! You can use a tool like volatility to analyze the memory image.
We are here to help!
Are you looking for ongoing advisory services to assist in identifying vulnerabilities and security policies that should be in place and help improve your security posture? The team at Inception Security™ has been leveraged to enhance the security posture of fortune 100 companies, small and medium-sized businesses. Our team has a depth of knowledge in the cybersecurity industry and will be able to provide value to your business right away.
Contact Inception Security if your company is looking for advisory services.