by Mark A. Wade
A thorough examination of the contents of a prefetch file can provide a wealth of information to a forensic analyst, but what can just the existence of prefetch files tell you? Examining the contents of the prefetch directory can provide a storyline of activity on a computer system. Because the prefetch file captures the activity of applications that were first or subsequently executed, an examiner can quickly identify application activity on the computer system. By using certain tools to parse the prefetch file, after extracting them, an analyst can begin to identify the type of activity that occurred on a computer system. First and foremost, the existence of the prefetch file shows that a certain application not only existed on the computer, but at one time had been executed. Sorting the prefetch entries by file creation or last access, it is possible to see what applications were executed on the system and to see what activity might have occurred on the system.
For instance, the entries in Figure 1 show that on April 9, 2010, two separate
cmd.exe programs were executed. After the second
cmd.exe-5D0264ff.pf) was executed the application
CONSENT.exe was executed (as shown by
consent.exe-65f6206D.pf), which indicates the computer system is a Vista or Windows 7 system. The
consent.exe program is the popup window that is presented to the user when requesting a program that requires administrator access, such as, the
MMC.exe application, which was executed ten seconds after
CONSENT.exe. The presence of the prefetch files indicates that on April 9, 2010, at 1:16 PM two instances of
CMD.exe were executed from different locations, followed by the execution of the program
MMC.exe. This event spawned the execution of
CONSENT.exe (this file was executed first before
MMC.exe even though chronologically
MMC.exe was executed first). The MMC program is the Microsoft Management Console program and is used to manage user accounts, Windows Events logs, disk management, and other management programs. Figure 1 also shows that the application
PSEXEC.exe was executed, which is a command-line tool that allows a user to execute commands remotely on a computer system.
So what can prefetch files tell you? As discussed in the paper Decoding Prefetch Files for Forensic Purposes, the uniqueness of the prefetch file’s name indicates the location of where the prefetch file was executed. The existence of two prefetch files that have the same application prefix and different trailing hashes would be indicative of two files that were executed from two different locations. The eight-character hash that exists in the prefetch file’s name is based on the location where the application was executed. In this example, a rogue
CMD.exe was executed from a different location than
C:\Windows\System32. This scenario can also detect a possible malware infection in which the malware was executed in one location, say the desktop or temp directory, then removed itself from the original location and placed a copy in
C:\Windows\System32, then re-executed itself once it changed locations. This would cause the creation of two instances of the same prefetch file prefix with two different eight-character trailing hashes. As previously mentioned, a wealth of forensic artifacts can be extracted from the contents of a prefetch file, but at face value, the prefetch file can begin to quickly tell the story of what applications were executed on a system.