THE DFIR BLOG

Windows Forensics

Evidence of execution - Prefetch

6/16/2019

 
Prefetch Basics: Windows Prefetch stores application-specific data in order to help applications start quicker. Each time you turn on your computer, Windows keeps track of the way your computer starts and which programs you commonly open. Windows saves this information as a number of small files in the prefetch folder. The next time you turn on your computer, Windows refers to these files to help speed up the start process.

The OS loads key pieces of data and code from disk into memory before they are actually needed.

Location: C:\Windows\Prefetch

Prefetch Investigation FAQ:

When should you grab the prefetch files?
Grab them before performing other Incident Response actions: the prefetch directory is populated after an application is executed, so tools you run on the system create new entries, and the content of the files is pretty volatile.

How can you use it in an Investigation?
Analysis of prefetch files is common in investigations, as they hold a wealth of information.
It contains:
  • the number of times an application has been executed,
  • the original path of execution,
  • the last time of execution.
Note: up to the last 8 execution times are stored in the prefetch file. If we also count the creation timestamp of the prefetch file itself, we have 9 run times for the application.

Here is what information we can glean from the prefetch:
  • When was a malicious file executed?
  • Where was it launched from?
  • How many times has it been run?
  • What DLLs were used by the malicious code?
  • Name and location of the malicious file (even if deleted)
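To make the fields above concrete, here is an added example parser (written for this post, not a tool from the blog) that reads the run count, the last run times and the list of loaded files out of an uncompressed prefetch file, and builds a constructed sample file so it can be run offline. It assumes the header layout of prefetch format versions 23 (Windows 7) and 26 (Windows 8) as documented by the libscca project: a 84-byte header holding the version, the "SCCA" signature, the executable name and the prefetch hash, followed by a file-information block whose last-run FILETIMEs and run count sit at version-specific offsets. Windows 10 files are compressed (they start with a "MAM\x04" signature) and must be decompressed with a separate tool before this parser can read them; the code detects that case and says so.

```python
"""Minimal Windows Prefetch (.pf) parser for format versions 23 and 26.

Added example for this post; offsets follow the libscca format documentation.
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
HEADER_SIZE = 84  # version, "SCCA", unknown, file size, exe name (60 bytes), hash, unknown

# Offsets inside the file-information block (which starts at byte 84).
# Version 23 stores one last-run time, version 26 stores the last eight.
LAYOUT = {
    23: {"fi_size": 156, "run_times": 44, "n_run_times": 1, "run_count": 68},
    26: {"fi_size": 224, "run_times": 44, "n_run_times": 8, "run_count": 124},
}


def filetime_to_datetime(ft):
    """FILETIME is the number of 100 ns intervals since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    # Integer division of timedeltas keeps the conversion exact.
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_prefetch(data):
    """Return the investigation-relevant fields of an uncompressed .pf file."""
    if data[:4] == b"MAM\x04":
        raise ValueError("compressed (Windows 10+) prefetch file: decompress it first")
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != b"SCCA":
        raise ValueError("not a prefetch file (bad SCCA signature)")
    if version not in LAYOUT:
        raise ValueError(f"unsupported prefetch format version {version}")
    lay = LAYOUT[version]

    exe_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    prefetch_hash, = struct.unpack_from("<I", data, 76)

    fi = HEADER_SIZE
    (_metrics_off, _metrics_n, _chains_off, _chains_n,
     names_off, names_size, _vols_off, _vols_n, _vols_size) = struct.unpack_from("<9I", data, fi)

    # Last run times: unused slots are zero and are skipped.
    run_times = []
    for i in range(lay["n_run_times"]):
        ft, = struct.unpack_from("<Q", data, fi + lay["run_times"] + 8 * i)
        if ft:
            run_times.append(filetime_to_datetime(ft))
    run_count, = struct.unpack_from("<I", data, fi + lay["run_count"])

    # Filename strings: UTF-16LE, NUL-terminated; this is where loaded DLLs show up.
    raw_names = data[names_off:names_off + names_size].decode("utf-16-le")
    loaded_files = [s for s in raw_names.split("\x00") if s]

    return {
        "version": version,
        "executable": exe_name,
        # On disk the file is named <EXE>-<HASH>.pf; the hash is derived from the path.
        "prefetch_filename": f"{exe_name}-{prefetch_hash:08X}.pf",
        "run_count": run_count,
        "last_run_times": run_times,
        "loaded_files": loaded_files,
    }


def build_sample_prefetch(exe_name, run_times, run_count, loaded_files, version=26, pf_hash=0x1234ABCD):
    """Construct a synthetic .pf file (test data, not a capture from a real system)."""
    lay = LAYOUT[version]
    names_blob = "".join(s + "\x00" for s in loaded_files).encode("utf-16-le")
    names_off = HEADER_SIZE + lay["fi_size"]
    total = names_off + len(names_blob)
    buf = bytearray(total)
    struct.pack_into("<I4sII", buf, 0, version, b"SCCA", 0, total)  # byte 8: unknown field
    buf[16:16 + 60] = exe_name.encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", buf, 76, pf_hash)
    fi = HEADER_SIZE
    # Empty metrics/trace-chain/volume sections; only the filename strings are populated.
    struct.pack_into("<9I", buf, fi, names_off, 0, names_off, 0, names_off, len(names_blob), total, 0, 0)
    for i, dt in enumerate(run_times[: lay["n_run_times"]]):
        struct.pack_into("<Q", buf, fi + lay["run_times"] + 8 * i, datetime_to_filetime(dt))
    struct.pack_into("<I", buf, fi + lay["run_count"], run_count)
    buf[names_off:] = names_blob
    return bytes(buf)


if __name__ == "__main__":
    sample = build_sample_prefetch(
        "EVIL.EXE",
        [datetime(2019, 6, 16, 10, 0, tzinfo=timezone.utc), datetime(2019, 6, 15, 9, 30, tzinfo=timezone.utc)],
        9,
        [r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL", r"\DEVICE\HARDDISKVOLUME1\USERS\BOB\EVIL.EXE"],
    )
    for key, value in parse_prefetch(sample).items():
        print(f"{key}: {value}")
```

The loaded-files list answers the last two questions above even after the executable is deleted: the prefetch file records the full path of the binary alongside the DLLs it touched, and the run count plus the stored FILETIMEs give the execution history.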

