The examination of prefetch files is commonly done during live response. They are easy to grab, quick to analyze and can provide useful information when investigating malicious activity.
Here is what information we can glean from the prefetch:
When a malicious file was executed
Where it was launched from
How many times it has been run
What DLLs were used by the malicious code
Name and location of the malicious file (even if deleted)
Timeline of attack activity
General suspicious activity
Let’s start with an overview of prefetch.
Prefetching was first seen in Windows XP and is used to speed up the operating system and application startup. Here is how Microsoft defines it: “Each time you turn on your computer, Windows keeps track of the way your computer starts and which programs you commonly open. Windows saves this information as a number of small files in the prefetch folder. The next time you turn on your computer, Windows refers to these files to help speed the start process.” (http://windows.microsoft.com/en-us/windows-vista/what-is-the-prefetch-folder)
Prefetching is enabled by default on Windows XP, 7 & 8. On Windows Server 2003 and 2008 a registry modification is required to enable prefetching.
The EnablePrefetcher registry value controls the prefetch function and is found under the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
There are 4 valid values for EnablePrefetcher:
0 = Prefetch is disabled. Windows will disable prefetch if an SSD (Solid State Drive) is detected.
1 = Application prefetch. Creates prefetch only on application launch.
2 = Boot prefetching enabled. Creates prefetch for the boot process.
3 = Boot and application prefetching enabled. This is the default setting.
The Prefetch files are located in the %SystemRoot%\Prefetch directory (typically C:\Windows\Prefetch). The naming convention for the files is the name of the executable followed by a dash, followed by a hash of the application path and the arguments used. The only exception to this is the NTOSBOOT-B00DFAAD.pf file. This file contains the prefetch info for the boot process and is only found on systems that are configured to perform prefetch when booting.
Above is a sample of a prefetch directory listing. It is common to see multiple prefetch files for executables that are used to spawn processes, such as RUNDLL32.EXE and DLLHOST.EXE. There is a maximum of 128 files in the prefetch directory. If the maximum number of files is reached, all but 30 of the prefetch files will be deleted to make room for more current activity.
Now let’s talk about why all this is useful.
One of my favorite uses of prefetch data is getting a timeline of application execution on a system. Having a time stamp will provide a place to start when looking at logs and other artifacts. For example: using the time stamp you could check browser logs to see what web sites were visited immediately prior to the application execution.
There are many Prefetch tools available but my favorite for getting timeline information is PFDump.exe written by Michael Spohn. (http://malware-hunters.net/all-downloads/) PFDump will parse through the prefetch metadata and return a tab delimited file that can be easily viewed and sorted in Excel.
The example below is the output of the PFDump utility that is sorted by most recent access time first. Here you can clearly see the order of events. First a program called EVIL.EXE is run, and then a few hours later RAR.EXE, then FTP.COM, and finally PSEXEC.EXE.
Another useful piece of information in the metadata is the run count. This lists the number of times a file has been executed. It's important to note here that if a prefetch file gets pruned, the run count for that application is reset to zero. It's my experience that files with the lowest run counts are the most interesting. Legitimate applications like Word and Chrome have high run counts. Suspicious activity is often found in the files with lower run counts.
Notice how the metadata also contains the full application path. This information will remain in the prefetch even if the application has been deleted by the attacker or an anti-virus program. If it has been deleted, an analyst can use this info to carve the file from unallocated space for analysis.
The metadata also tells us where the application was launched from. Using prefetch data it is a simple task to look for applications called from suspicious locations such as temp folders, or to identify unique directories created by the attacker for staging tools.
Be careful regarding the MD5 and SHA hashes in the metadata. These are not the hashes of the application itself, but rather the hashes used by Windows to create the prefetch file name. These hashes are derived from the file path as well as any arguments that were passed to the application.
Another tool for analyzing prefetch data is Prefetch_info.exe written by Mark McKinnon (http://cfed-ttf.blogspot.com/2008/02/prefetch-information.html). This utility is useful for doing a deep dive into an interesting or suspicious prefetch file to uncover what .DLLs it accessed and possibly identify additional locations to look for artifacts.
The last point I want to make about the prefetch data is that there are many legitimate programs that are not often used by a typical user but are commonly used by attackers. For example, most users do not use PowerShell, but it is popular with attackers since it is a powerful utility that is installed on Windows systems by default. Once an attacker installs a backdoor or rootkit they have full access to the system and can run and/or install any program they desire. Even legitimate, off-the-shelf programs can be used for malicious purposes. Reviewing the prefetch information can assist in identifying malicious activity. If PowerShell, OpenVPN or any other unusual programs appear in prefetch, it warrants additional investigation.
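To tie the timeline, run count, application path and unusual-program points together, here is an added triage script (not from the post, and not PFDump's code) that reads a tab-delimited dump of prefetch metadata, orders it most recent first, and flags entries by the heuristics described above. The column names, prefetch hashes, paths and timestamps in the sample are constructed for this example and are not real PFDump output.

```python
import csv
from datetime import datetime

# Constructed sample in a PFDump-style tab-delimited layout. Column names, file
# hashes, paths and timestamps are assumptions of this example, not real output.
SAMPLE_TSV = (
    "prefetch_file\tapplication_path\tlast_run\trun_count\n"
    "EVIL.EXE-0F9A1C2B.pf\t\\DEVICE\\HARDDISKVOLUME1\\USERS\\BOB\\APPDATA\\LOCAL\\TEMP\\EVIL.EXE\t2013-04-02 01:12:09\t1\n"
    "RAR.EXE-7B3D5E21.pf\t\\DEVICE\\HARDDISKVOLUME1\\STAGING\\RAR.EXE\t2013-04-02 03:45:30\t2\n"
    "FTP.COM-1D8C0A7E.pf\t\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\FTP.COM\t2013-04-02 03:58:02\t1\n"
    "PSEXEC.EXE-5C4A9F10.pf\t\\DEVICE\\HARDDISKVOLUME1\\STAGING\\PSEXEC.EXE\t2013-04-02 04:21:47\t1\n"
    "WINWORD.EXE-9E6B2D33.pf\t\\DEVICE\\HARDDISKVOLUME1\\PROGRAM FILES\\MICROSOFT OFFICE\\OFFICE14\\WINWORD.EXE\t2013-04-01 17:03:11\t212\n"
)

# Heuristics from the post: temp-style folders, paths outside normal program
# directories, and tools a typical user rarely runs.
SUSPICIOUS_DIRS = ("\\TEMP\\", "\\TMP\\", "\\DOWNLOADS\\", "\\RECYCLER\\")
STANDARD_ROOTS = ("\\WINDOWS\\", "\\PROGRAM FILES")
UNUSUAL_TOOLS = ("POWERSHELL.EXE", "OPENVPN.EXE", "PSEXEC.EXE", "FTP.COM", "RAR.EXE")

def parse_records(tsv_text):
    """Parse the tab-delimited dump; timestamps become datetimes, counts ints."""
    rows = csv.DictReader(tsv_text.splitlines(), delimiter="\t")
    return [{"prefetch_file": row["prefetch_file"], "path": row["application_path"],
             "last_run": datetime.strptime(row["last_run"], "%Y-%m-%d %H:%M:%S"),
             "run_count": int(row["run_count"])} for row in rows]

def timeline(records):
    """Order entries by last run time, most recent first, like the sorted PFDump sheet."""
    return sorted(records, key=lambda r: r["last_run"], reverse=True)

def triage(records, low_run_threshold=5):
    """Map prefetch file name -> list of reasons it deserves a closer look."""
    findings = {}
    for r in records:
        path = r["path"].upper()
        exe = path.rsplit("\\", 1)[-1]          # executable name from the full path
        reasons = []
        if r["run_count"] <= low_run_threshold:
            reasons.append("low run count (%d)" % r["run_count"])
        if any(d in path for d in SUSPICIOUS_DIRS):
            reasons.append("launched from a temp-style folder")
        if not any(root in path for root in STANDARD_ROOTS):
            reasons.append("launched outside standard program directories")
        if exe in UNUSUAL_TOOLS:
            reasons.append("tool rarely run by typical users")
        if reasons:
            findings[r["prefetch_file"]] = reasons
    return findings
```

Reading `timeline()` top to bottom gives the order of events the post describes, and `triage()` leaves the high-run-count Word entry unflagged while surfacing the low-count tools launched from the temp and staging folders.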
The prefetch directory is relatively small compared to the registry or $MFT, but if looked at intelligently there are significant artifacts that can be uncovered quickly.