PECmd – Windows Prefetch Analysis For Incident Responders


OVERVIEW

Prefetch is a mechanism in the Windows operating system that improves performance by reducing the time an application takes to load.

When an application starts, Windows records the files and resources it loads in a prefetch file; on later launches those resources are cached into memory ahead of time, which typically speeds up loading and minimizes the wait. Microsoft officially introduced Prefetch with Windows XP and has since released several versions of the prefetch file format to improve its stability and functionality. Some of the versions are:

  • Windows XP and Windows 2003
  • Vista and Windows 7
  • Windows 8.1
  • Windows 10

File location: C:\Windows\Prefetch (reading this directory requires administrator privileges)

Looking at the directory, each file name consists of the executable name followed by what looks like a random number. This number is a hash that Prefetch computes from the path the executable was run from, so it can be used to determine where the file was executed from. Which hashing function is used depends on the version of Windows the file was taken from.


NOTE: Prefetch is enabled by default on Windows workstations but not on Windows servers.

In addition, the maximum number of prefetch files that can be stored is 128 on Windows XP through Windows 7 and 1024 on Windows 8 through Windows 10.

Forensic investigation with Prefetch files

Prefetch files are commonly used to investigate which applications have been executed on a system. Because they record a user's application history, they are a valuable source of evidence in forensic investigations.

In most cyber attacks the attacker runs several malicious files on the victim system to gather sensitive information or to compromise the machine entirely, so an attack usually involves the execution of multiple applications.

By examining the prefetch files we can determine which applications the attacker ran on the targeted computer while compromising it, which lets us map the sequence of the attack and the activity involved in its execution.

Each prefetch file also records when it was created and when it was last accessed; these timestamps are used to correlate the activity observed on the victim system.


Prefetch analysis using PECmd

PECmd is an open-source command-line tool by Eric Zimmerman that extracts all available forensic artifacts from prefetch files.

Download: https://ericzimmerman.github.io/#!index.md


PECmd.exe reports the following details for each prefetch file:

  1. Created on [Displays the creation date/time of the prefetch file]
  2. Modified on [Displays the modification date/time]
  3. Last modified [Displays the last modified date/time]
  4. Executable Name [Displays the name of the executable the prefetch file belongs to]
  5. Hash [Displays the prefetch hash]
  6. File Size [Displays the file size in bytes]
  7. Windows Version [Displays the OS version the file was created on]
  8. Run Count [Displays the total number of times the executable was run on the system]
  9. Other Run times [Displays the date/time of up to the seven most recent previous runs of the executable]
  10. Volume information
    1. Directories referenced [List of directories referenced]
    2. Files referenced [List of files referenced]
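The following script is an added example, not PECmd's or Eric Zimmerman's code. It parses an uncompressed prefetch file and returns the same core fields listed above (Windows version, executable name, hash, file size, run count, last and older run times, and the files and directories referenced per volume), which makes the version differences mentioned in the overview concrete: the run count and timestamps sit at different offsets in the XP (17), Vista/7 (23), 8.1 (26) and 10 (30) formats. It assumes the publicly documented layout of those versions and builds its own constructed sample (a Windows 7 CMD.EXE prefetch file with made-up timestamps, serial number and hash) so it runs offline. Windows 10 stores prefetch files MAM-compressed on disk; the script detects that signature and reports it instead of decompressing.

```python
"""Parse an uncompressed Windows Prefetch (.pf) file into the fields PECmd reports.
Added example; offsets follow the public format documentation for versions
17/23/26/30.  Assumption: the input is uncompressed (Windows 10 files are
MAM-compressed on disk and must be decompressed with LZXPRESS Huffman first)."""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
VERSION_NAMES = {17: "Windows XP/2003", 23: "Windows Vista/7",
                 26: "Windows 8.1", 30: "Windows 10"}
# Per version: absolute offset of the last-run FILETIME, number of older run
# times that follow it, and absolute offset of the run count.
LAYOUT = {17: (120, 0, 144), 23: (128, 0, 152), 26: (128, 7, 208), 30: (128, 7, 208)}
VOLUME_ENTRY_SIZE = {17: 40, 23: 104, 26: 104, 30: 96}


def filetime_to_dt(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime, or None if unset."""
    return None if ft == 0 else FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def dt_to_filetime(dt):
    """Inverse of filetime_to_dt, in integer arithmetic to avoid float rounding."""
    d = dt - FILETIME_EPOCH
    return (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10


def parse_prefetch(data):
    if data[:3] == b"MAM":
        raise ValueError("MAM-compressed prefetch (Windows 10): decompress before parsing")
    # 84-byte header: version, 'SCCA', unknown, size, 60-byte UTF-16 name, hash, unknown
    version, sig, _, size, name_raw, pf_hash, _ = struct.unpack_from("<I4sII60sII", data, 0)
    if sig != b"SCCA" or version not in LAYOUT:
        raise ValueError("not a supported prefetch file")
    # File-information block follows the header; we need the string/volume locations.
    _, _, _, _, fn_off, fn_size, vol_off, n_vols, _ = struct.unpack_from("<9I", data, 84)
    last_off, n_older, count_off = LAYOUT[version]
    (last_run,) = struct.unpack_from("<Q", data, last_off)
    older = struct.unpack_from(f"<{n_older}Q", data, last_off + 8)
    (run_count,) = struct.unpack_from("<I", data, count_off)
    # Filename strings: concatenated null-terminated UTF-16LE paths.
    files = [s for s in data[fn_off:fn_off + fn_size].decode("utf-16-le").split("\x00") if s]
    volumes = []
    for i in range(n_vols):
        base = vol_off + i * VOLUME_ENTRY_SIZE[version]
        dev_off, dev_chars, created, serial, _, _, dir_off, n_dirs = \
            struct.unpack_from("<IIQIIIII", data, base)  # offsets relative to vol_off
        device = data[vol_off + dev_off:vol_off + dev_off + dev_chars * 2].decode("utf-16-le")
        dirs, pos = [], vol_off + dir_off
        for _ in range(n_dirs):  # each: uint16 char count, UTF-16LE chars, null terminator
            (n_chars,) = struct.unpack_from("<H", data, pos)
            dirs.append(data[pos + 2:pos + 2 + n_chars * 2].decode("utf-16-le"))
            pos += 2 + n_chars * 2 + 2
        volumes.append({"device": device, "created": filetime_to_dt(created),
                        "serial": f"{serial:08X}", "directories": dirs})
    return {"version": version, "os": VERSION_NAMES[version],
            "executable": name_raw.decode("utf-16-le").split("\x00")[0],
            "hash": f"{pf_hash:08X}", "file_size": size, "run_count": run_count,
            "last_run": filetime_to_dt(last_run),
            "other_runs": [filetime_to_dt(t) for t in older if t],
            "files_referenced": files, "volumes": volumes}


def build_sample():
    """Constructed Windows 7 (version 23) prefetch file for CMD.EXE; all values are made up."""
    device = "\\DEVICE\\HARDDISKVOLUME1"
    names = [device + "\\WINDOWS\\SYSTEM32\\NTDLL.DLL", device + "\\WINDOWS\\SYSTEM32\\CMD.EXE"]
    dirs = [device + "\\WINDOWS", device + "\\WINDOWS\\SYSTEM32"]
    fn_block = "".join(n + "\x00" for n in names).encode("utf-16-le")
    dev_bytes = (device + "\x00").encode("utf-16-le")
    dir_block = b"".join(struct.pack("<H", len(d)) + (d + "\x00").encode("utf-16-le") for d in dirs)
    vol = bytearray(104)  # entry first, then device path, then directory strings
    struct.pack_into("<IIQIIIII", vol, 0, 104, len(device),
                     dt_to_filetime(datetime(2020, 1, 15, 8, 30, tzinfo=timezone.utc)),
                     0x1C4F2D3A, 0, 0, 104 + len(dev_bytes), len(dirs))
    vol += dev_bytes + dir_block
    fn_off = 84 + 156  # header + version-23 file-information block
    vol_off = fn_off + len(fn_block)
    total = vol_off + len(vol)
    header = struct.pack("<I4sII60sII", 23, b"SCCA", 0x11, total,
                         "CMD.EXE".encode("utf-16-le").ljust(60, b"\x00"), 0x4A81B364, 0)
    info = bytearray(156)
    struct.pack_into("<9I", info, 0, 0, 0, 0, 0, fn_off, len(fn_block), vol_off, 1, len(vol))
    struct.pack_into("<Q", info, 44, dt_to_filetime(datetime(2021, 8, 20, 10, 0, tzinfo=timezone.utc)))
    struct.pack_into("<I", info, 68, 5)  # run count
    return header + bytes(info) + fn_block + bytes(vol)


if __name__ == "__main__":
    import sys
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for key, value in parse_prefetch(raw).items():
        print(f"{key}: {value}")
```

Run it with no arguments to parse the constructed sample, or pass the path of a prefetch file copied from C:\Windows\Prefetch on an XP through 8.1 system. Timestamps are returned in UTC, which is how they are stored; convert to local time only when correlating with local logs.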


Conclusion

Prefetch analysis examines a Windows forensic artifact that helps investigators understand what a user ran on a system at a particular time. It is a major aid in revealing the root cause of an attack and in uncovering the bigger picture of an incident or investigation.

Harisuthan
A Cyber Security Aspirant Security Researcher | Red-Teamer |
