## Introduction

The original purpose of Prefetch is to cache data on disk before a program starts so that the program launches faster. Superfetch works similarly to Prefetch: it preloads file data used by executables, which also makes the boot process faster. However, on SSD-backed systems Superfetch adds little, because the drive's own read performance outstrips the gain from Superfetch's caching.

From the perspective of digital forensics, Prefetch and Superfetch let us prove which programs were used recently. Although there are various ways of proving that a file was executed, Prefetch and Superfetch are the most commonly used artifacts. The reason Prefetch is used so often is that it carries intuitive content showing how many times and when a program was executed, while other artifacts only establish that fact indirectly through subsidiary information.

> [!info] What is Superfetch?
>
> Superfetch will not be introduced since it is no longer used on SSD-based systems.
> If readers advise that writing about it would be helpful, it would be my pleasure to introduce it.

## File Locations & Settings

**Prefetch file path**

```
C:\Windows\Prefetch\*.pf
```

![[Untitled 32.png]]

> [!question] Why are some files deleted from this location?
>
> Prefetch keeps up to 128 files; when a new file is created beyond that limit, the system deletes the oldest prefetch file.

**Prefetch setting path (Registry)**

```
COMPUTER\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
```

![[Untitled 33.png]]

The behaviour depends on the value of the key:

- 0 : Disable prefetch
- 1 : Use application caching only
- 2 : Use boot caching only
- 3 : Use application & boot caching (DEFAULT)

## Prefetch File Structure

Knowledge of the file structure is needed by anyone who wants to carve the information by hand or build tools to analyze Prefetch artifacts. It is not strictly necessary, because many well-made freeware tools already exist.

> [!NOTE] Recommended!
>
> When you make a tool that parses and analyzes an artifact, it enhances both your understanding and your coding skills.
> That is why I write about, and recommend studying, the structure of an artifact.

**File Header**

| Offset | Size | Description |
|---|---|---|
| 0x00 | 4 | Version |
| 0x04 | 4 | Signature: "SCCA" |
| 0x08 | 4 | Unknown |
| 0x0C | 4 | Prefetch file size |
| 0x10 | 60 | File name |
| 0x4C | 4 | Hash of the file name |

The data layout varies by version. The tables below give the prefetch binary structure for each version.

- **Version 17**

| Offset | Size | Description |
|---|---|---|
| 0 | 4 | File metrics array offset |
| 4 | 4 | Number of file metrics entries |
| 8 | 4 | Trace chains array offset |
| 12 | 4 | Number of trace chains array entries |
| 16 | 4 | File name offset |
| 20 | 4 | File name length |
| 24 | 4 | Volumes information offset |
| 28 | 4 | Number of volumes |
| 32 | 4 | Volumes information size |
| 36 | 8 | Last execution time (FILETIME) |
| 44 | 16 | Unknown |
| 60 | 4 | Execution count |
| 64 | 4 | Unknown |

- **Version 23**

| Offset | Size | Description |
|---|---|---|
| 0 | 4 | File metrics array offset |
| 4 | 4 | Number of file metrics entries |
| 8 | 4 | Trace chains array offset |
| 12 | 4 | Number of trace chains array entries |
| 16 | 4 | File name offset |
| 20 | 4 | File name size |
| 24 | 4 | Volumes information offset |
| 28 | 4 | Number of volumes |
| 32 | 4 | Volumes information size |
| 36 | 8 | Unknown |
| 44 | 8 | Last execution time (FILETIME) |
| 52 | 16 | Unknown |
| 68 | 4 | Execution count |
| 72 | 4 | Unknown |
| 76 | 80 | Unknown |

- **Version 26**

| Offset | Size | Description |
|---|---|---|
| 0 | 4 | File metrics array offset |
| 4 | 4 | Number of file metrics entries |
| 8 | 4 | Trace chains array offset |
| 12 | 4 | Number of trace chains array entries |
| 16 | 4 | File name offset |
| 20 | 4 | File name length |
| 24 | 4 | Volumes information offset |
| 28 | 4 | Number of volumes |
| 32 | 4 | Volumes information size |
| 36 | 8 | Unknown |
| 44 | 8 x 8 = 64 | Last execution times (multiple); if 0, same as last accessed time |
| 108 | 16 | Unknown |
| 124 | 4 | Execution count |
| 128 | 4 | Unknown |
| 132 | 4 | Unknown |
| 136 | 88 | Unknown |

- **Version 30**

Version 30 comes in two variants.
One of them is identical to version 26 and will not be explained again. The other is laid out as follows.

| Offset | Size | Description |
|---|---|---|
| 0 | 4 | File metrics array offset |
| 4 | 4 | Number of file metrics entries |
| 8 | 4 | Trace chains array offset |
| 12 | 4 | Number of trace chains array entries |
| 16 | 4 | File name offset |
| 20 | 4 | File name length |
| 24 | 4 | Volumes information offset |
| 28 | 4 | Number of volumes |
| 32 | 4 | Volumes information size |
| 36 | 8 | Unknown |
| 44 | 8 x 8 = 64 | Last execution times (multiple); if 0, same as last accessed time |
| 108 | 8 | Unknown |
| 116 | 4 | Execution count |
| 120 | 4 | Unknown |
| 124 | 4 | Unknown |
| 128 | 88 | Unknown |

## Prefetch Data

Prefetch data is probably the main concern of everyone reading this article. If you have gone through the contents above, you now know when prefetch data is generated. This chapter explains what kind of information the prefetch file holds.

In the introduction, I mentioned that the number of executions is one of them. Many other interesting pieces of information can be found, such as:

- Execution file name
- Execution file path
- Execution count
- Last executed time
- First executed time
- Linked DLLs
- Volume name & VSN
- …

Which information to focus on depends on the target of the analysis. If you simply need proof that a certain file was executed, focus on the execution count and the first/last executed times. For example, if a piece of malware executed a specific executable and you want to know which files are linked with it, the linked DLLs are already listed in the prefetch file, which saves you from reverse engineering the executable.

> [!NOTE]
> The information given here is not everything that exists. I have listed what I think is most important; if you want every field in the prefetch file, go back to [[#Prefetch File Structure]].

## Tips

**[[ADS(Alternative Data Stream)]]**

If an ADS is attached to an executable, a prefetch file is also created for the ADS file.
```
C:\Windows\System32\sample.exe:evil.exe
C:\Windows\Prefetch\sample.exe:evil.pf
```

## Analysis Tool

**WinPrefetchView**

> [!info] View the content of Windows Prefetch (.pf) files
> Description: Each time that you run an application in your system, a Prefetch file which contains information about the files loaded by the application is created by Windows operating system. The information in the Prefetch file is used for optimizing the loading time of the application in the next time that you run it.
> [https://www.nirsoft.net/utils/win_prefetch_view.html](https://www.nirsoft.net/utils/win_prefetch_view.html)

## Conclusion

Prefetch is one of the most useful Windows artifacts. Its values are precise, and there is more than one of them; it is also useful when combined with other artifacts. This is why most full-featured digital forensic suites include prefetch parsing (I am not sure whether Autopsy supports prefetch analysis…). Most expensive commercial tools support prefetch, and most investigators rely heavily on the output these tools print. This article is therefore meant as a starting point for challenging those results and proving them with your own knowledge. Always keep in mind that a tool's role is to visualize processed results, so there may be things missing that you need.
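As an added example that is not part of the original article or of any tool it mentions, the following Python script parses the file header and the version-specific file information block from the [[#Prefetch File Structure]] section and returns the fields the [[#Prefetch Data]] section singles out (executable name, execution count, last execution times). It assumes, because the page does not state it, that the version-specific offsets are relative to the end of the 0x54-byte header, that integers are little-endian and the name at 0x10 is UTF-16LE, and that Windows 10 files beginning with `MAM` (which are compressed) have been decompressed beforehand. The `build_sample` helper and its bytes are constructed for the demonstration and are not real prefetch data.

```python
"""Minimal Windows Prefetch (.pf) parser built from the offset tables above.

Assumptions (not stated on the page): the version-specific offsets are relative
to the end of the 0x54-byte header, integers are little-endian, the executable
name at 0x10 is UTF-16LE, and Windows 10 files with a "MAM" signature are
compressed and must be decompressed before this parser sees them.
"""
import struct
from datetime import datetime, timedelta, timezone

HEADER_SIZE = 0x54  # version, "SCCA", unknown, file size, 60-byte name, name hash
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# version -> (last-run-time offset, number of FILETIME slots, run-count offset,
#             size of the version-specific block), taken from the tables above.
# Version 30 uses the second variant on the page; the first matches version 26.
LAYOUT = {
    17: (36, 1, 60, 68),
    23: (44, 1, 68, 156),
    26: (44, 8, 124, 224),
    30: (44, 8, 116, 216),
}


def filetime_to_datetime(ft: int):
    """Convert a FILETIME (100 ns ticks since 1601-01-01 UTC) to an aware datetime; 0 -> None."""
    if ft == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; only used to build the constructed sample."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def parse_prefetch(data: bytes) -> dict:
    """Return the forensic essentials of one .pf image: name, run count, run times."""
    if data[:3] == b"MAM":
        raise ValueError("compressed Windows 10 prefetch file: decompress before parsing")
    if len(data) < HEADER_SIZE:
        raise ValueError("file shorter than the 0x54-byte header")
    version, signature, _unknown, file_size = struct.unpack_from("<I4sII", data, 0)
    if signature != b"SCCA":
        raise ValueError(f"bad signature {signature!r}")
    if version not in LAYOUT:
        raise ValueError(f"unsupported prefetch version {version}")
    # 60-byte UTF-16LE name field at 0x10, NUL-terminated; hash at 0x4C.
    name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    name_hash = struct.unpack_from("<I", data, 0x4C)[0]

    run_off, slots, count_off, block_size = LAYOUT[version]
    if len(data) < HEADER_SIZE + block_size:
        raise ValueError("truncated file information block")
    base = HEADER_SIZE  # assumed base for the per-version offsets
    volume_count = struct.unpack_from("<I", data, base + 28)[0]
    raw_times = struct.unpack_from(f"<{slots}Q", data, base + run_off)
    run_count = struct.unpack_from("<I", data, base + count_off)[0]
    # Unused FILETIME slots are zero (see the version 26/30 tables); drop them.
    run_times = [filetime_to_datetime(t) for t in raw_times if t]
    return {
        "version": version,
        "executable": name,
        "name_hash": f"{name_hash:08X}",
        "file_size": file_size,
        "volume_count": volume_count,
        "run_count": run_count,
        "last_run_times": run_times,  # kept in file order
    }


def build_sample(version: int, name: str, run_times, run_count: int, name_hash: int = 0) -> bytes:
    """Constructed .pf image with only the fields this parser reads populated (not real data)."""
    run_off, slots, count_off, block_size = LAYOUT[version]
    total = HEADER_SIZE + block_size
    buf = bytearray(total)
    struct.pack_into("<I4sII", buf, 0, version, b"SCCA", 0, total)
    encoded = name.encode("utf-16-le")[:58]  # leave room for the terminator in 60 bytes
    buf[0x10:0x10 + len(encoded)] = encoded
    struct.pack_into("<I", buf, 0x4C, name_hash)
    base = HEADER_SIZE
    struct.pack_into("<I", buf, base + 28, 1)  # one volume
    ticks = [datetime_to_filetime(t) for t in run_times][:slots]
    struct.pack_into(f"<{len(ticks)}Q", buf, base + run_off, *ticks)
    struct.pack_into("<I", buf, base + count_off, run_count)
    return bytes(buf)


if __name__ == "__main__":
    when = [datetime(2024, 3, 5, 14, 30, tzinfo=timezone.utc),
            datetime(2024, 3, 4, 9, 0, tzinfo=timezone.utc)]
    sample = build_sample(26, "SAMPLE.EXE", when, run_count=7, name_hash=0x1A2B3C4D)
    for key, value in parse_prefetch(sample).items():
        print(f"{key}: {value}")
```

To run it against a real file, read the `.pf` bytes and pass them to `parse_prefetch`; the `MAM` check is there because a practitioner's first surprise on Windows 10 is usually a compressed file rather than a malformed one.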