Wednesday, February 20, 2008

Prefetch Folder Analysis

I have received some feedback from the EnCase forums on posting my Prefetch Folder analysis EnScript and I thought this would be a good place to do it, and make it available to everyone. Before I get started I just wanted to give notation to Harlan Carvey and his book Windows Forensic Analysis which this script is based on from one of his perl scripts in that book.

For those of you that have not read the book or don't have idea on what prefetching is, prefetching is Windows way of saving load times for programs that are used often. The .pf files located in the pretech folder are cached portions of .exe files. This folder holds up to 128, sometimes more, .pf files and they all can be analyzed with this script. Each .pf file holds the hard page faults of the .exe along with metadata about where the executable is located and how many times that the .exe has been launched. There maybe multiple .exe .pf files with the same name in the directory such as rundll.exe-[characters).pf or even notepad.exe-[characters).pf each having a different set of random characters after the .exe-. These characters are not random and produced from the file path to where the .exe is located so if one notepad.exe is ran from system32 and another from windows it will generate two different .pf files. Evil will more then likely show up in this folder and you will be able to locate where it is being run from from looking at these files, or running this script.

So the big question is how do I use this EnScript, why should I download it. Well it will show you all the information talked about above, specifically:

Location of the .exe
Number of times .exe has ran
Last time .exe ran

The other data that you can correlate with this is the time that the file was created. Knowing when the .pf file was created and when it last ran will give you a date range on how long the .exe has been on the machine, great for malware(evil) or any case where the user is not supposed to be running program outside the enterprises gold build. You can also use data from the User Assist registry keys to see who ran the program because the .pf files do not give attribution to who ran the program but this area could be compared to the .pf files to give this. The EnScript can be downloaded below.

Prefetch Folder Analysis

7 comments:

Keydet89 said...

Just got wind of your blog today, via the EnCase User's forums...thanks for the shout-out about my book! ;-)

Harlan

yaniv said...

I have a question regarding the output in the report. This is what my report looks like

1) CASENAME\Item001\C\WINDOWS\Prefetch\RUNDLL32.EXE-12E27DD0.pf
Last Time RUNDLL32.EXE Ran 05/08/07 01:45:08PM

Time/Date
05/08/07 03:45:08AM

2) CASENAME\Item001\C\WINDOWS\Prefetch\RUNDLL32.EXE-12E27DD0.pf
Number of Times RUNDLL32.EXE Ran 4

Hex UInt32 Int32
____0004 4 4

3) CASENAME\Item001\C\WINDOWS\Prefetch\RUNDLL32.EXE-12E27DD0.pf
Full Path: DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\RUNDLL32.EXE

Hex UInt32 Int32
00450044 4522052 4522052
00490056 4784214 4784214
00450043 4522051 4522051
0048005c 4718684 4718684
00520041 5374017 5374017
00440044 4456516 4456516
00530049 5439561 5439561
0056004b 5636171 5636171
004c004f 4980815 4980815
004d0055 5046357 5046357
00310045 3211333 3211333
0057005c 5701724 5701724
004e0049 5111881 5111881
004f0044 5177412 5177412
00530057 5439575 5439575
0053005c 5439580 5439580
00530059 5439577 5439577
00450054 4522068 4522068
0033004d 3342413 3342413
005c0032 6029362 6029362
00550052 5570642 5570642
0044004e 4456526 4456526
004c004c 4980812 4980812
00320033 3276851 3276851
0045002e 4522030 4522030
00450058 4522072 4522072


I don't understand what the Hex UInt32 Int32 represent. Do i use this information for anything?

This is a great Script. Thank you for posting it. As a side, is it possible to get this information into Excel easily?

tk_lane said...

The prefetch EnScript should give better reporting features now and I am working on getting it to output the data to excel.

Anonymous said...

Script has great promise. However, when I go to view the report in bookmarks it is totally blank as far as the data goes. It puts Prefetch Folder across the top and then the rest of the page is blank. I tried editing the fields included in the report to no avail. I know this has to be a stupid error on my part. Any ideas?

tk_lane said...

Make sure you are using a system with a prefetch directory if you are not getting results in the bookmarks view

Anonymous said...

how do I run an EnScript ? file ? on my windows xp machine ?

tk_lane said...

You need to have EnCase to run EnScripts