Welcome to Part One of the "Artifacts of Execution" blog series! As the title states, this will be dedicated to the "Prefetch" file and how it can be used from a forensics perspective.
Used to preload a snippet of code in commonly used applications to ensure they open faster
Prefetch files will not identify the user that executed the application
Limited to 1024 files on Windows 8+ systems
Located within C:\Windows\Prefetch
Will require tools to interpret data contained within
Prefetch file name contains a "hash" of the directory where it was executed from
Can show when an application was first and last executed
Attempts to "prefetch" associated applications. Will record for ~10 seconds and attempt to preload these
Can be deleted by a threat actor
Provides timestamp of last 8 execution times
Have you ever executed an application for the first time and it takes a bit to load? But the second time you execute this, it seems to load faster? This is a feature implemented by Windows called "Prefetch" or "Prefetching". Essentially, windows will preload a snippet of code for commonly used applications to help them open faster. On newer Windows systems (Windows 8+), this is limited to 1024 files. From a forensics perspective, this can be used for program execution. Please note that due to the compression of these files, you'll need a specialized tool to further analyze data contained within the prefetch file.
Curious where you can find these? Well, open file explorer and head to 'C:\Windows\Prefetch'. Here, you'll see a list of files with the '.pf' extension. You'll notice that the first format of the filename is the application name, whereas the second half will contain a "hash". No, this isn't a file hash, but more-so a representation of the directory where the file was executed from. So if you see two listings of 'cmd.exe' within here, that means cmd.exe was executed from two different locations, which should raise some red flags.
Well, lets just open this within a text editor, right? WRONG. As I mentioned, these are compressed and will require a tool to analyze these properly.
A fantastic tool to analyze Prefetch files is a tool named 'PECmd' by Eric Zimmerman. This can be downloaded from here: https://ericzimmerman.github.io/#!index.md
Now normally in a real investigation, you likely wouldn't just be running this tool. You're probably running a tool such as Axiom, CyberTriage, X-Ways, FTK, etc. that will parse a large number of these artifacts. But you'd still need to be familiar with how to interpret the output. Also, what if you're in a scenario when you don't have access to the above tools and need to parse this on the fly? Always be prepared!
Executing this tool is extremely straight forward. Once its downloaded, open a shell such as PowerShell or CMD.
A good rule of thumb is to run the Help command in order to see the various features of the tool with
In our case, we just want to run this against the entire prefetch directory. For this, we'll use the command
pecmd.exe -d "C:\Windows\prefetch" --csv ~/Desktop --csvf output.csv"
This will run the tool against the entire prefetch directory and write the contents to a CSV file and save it to the desktop. Although I can't find all of the sheer detail that this tool provides, shown below is some of the information you can get when running the tool against the entire prefetch directory. Note the executable name, timestamps, last run times, previous run times, and more.
Another key feature of Prefetch analysis is the fact that it records for ~10 seconds. This means that whatever primary application is executed, prefetch will record that and attempt to identify other files/directories that the primary application requested. Again, this is all for feature and convenience, but we can use it for forensics. From a forensics perspective, this can tell us what other DLLs, executables, directories, etc. that may have been called by application executed. Additionally, if a file is deleted with a file wiping tool, we could potentially see each file that was touched by the wiping tool. This is fantastic for forensics!
Now remember, these artifacts can be deleted by a TA. There's other artifacts we can use to also show program execution and maybe see the deleted files within the USN Journal (a story for another day), but it's always great practice to secure your privileged accounts to keep this from happening.
I'm all about practical examples, so lets give a few real world examples.
A TA has gained unauthorized access to a system you're investigating. You're not sure what was executed yet, but you decide to parse through the Prefetch files. Here, you find reference to 'evil.exe'. Let's run 'PECmd' by Eric Zimmerman to see what other files may have been "prefetched" by the OS when this was executed and gather more information about it.
.\PECmd.exe -f "C:\Windows\Prefetch\EVIL.EXE.EXE-26DD15B4.pf"
Awesome! Now we have information about when it was last run, how many times it was executed, and additional timestamps! We can also see the directories and files referenced by 'evil.exe'. Again, this is the OS attempting to preload or "prefetch" important files that 'evil.exe' may need, but this just means more artifacts for us!
Lets try another one! A TA executed a suspicious PowerShell script, and we're not quite sure what it does yet (assuming scriptblock logging isn't enabled or the script isn't available for analysis), let's check the PowerShell prefetch file and see if we can gather what other files may have been prefetched and logged during the execution of it!
Okay, there's some weird stuff in this prefetch file. We see reference to 'notevil.ps1' and possible Living off the Land (LOL) binaries, such as 'ipconfig', 'netstat', 'arp' and 'whoami'. Could be indicative of suspicious reconnaissance or information discovery regarding the host. Lets check the actual script for a sanity check and see if prefetch did in fact log relevant binaries.
Looks suspicious to me! And it seems that prefetch did attempt to preload the necessary binaries that this script uses, as listed earlier.
Okay, one more example! A TA runs the Sysinternals tool 'Sdelete' (https://learn.microsoft.com/en-us/sysinternals/downloads/sdelete) to remove their malicious tools. Not only does this tool delete files, but it will actually fully wipe them by writing over the unallocated space. Well, remember, Prefetch is recording for ~10 seconds in an effort to conveniently pre-load code that the executable may need. So, once 'Sdelete' is executed, we should be able to see what 'Sdelete' touched as part of its execution. Again, let's run 'PECmd' against the prefetch file for 'Sdelete'!
Okay.. it was run two times and 16:57:21 and 16:56:38.
What's this?! It looks like Sdelete referenced two suspicious files named 'evil.exe.exe' and 'Notevil.ps1'. Success!
So circling this back to forensics, if you want to see what a malicious Excel/Word file did, when it was executed, what files it interacted with, check out those prefetch files! You might just see the execution of excel and the files it interacted with, such as PowerShell.exe and potentially DLL files that were dropped! Although fairly volatile and easy to clear, Prefetch is an amazing forensics artifact and should be collected from any intrusion analysis case.