Windows 10 prefetch files are compressed (the file starts with the signature "MAM\x04" followed by the decompressed size, and the body is LZXPRESS Huffman data), so trying to read one like a Windows 7 or earlier prefetch file is not possible. As a result, we have to put in some work to learn about it. Let's do just that!
Putting in work!
Thanks to some excellent research done by the people in the references, our job has been made somewhat easier.
First let's decompress "FILEZILLA.EXE-93859B09.pf". To do this we will use the python script "w10pfdecomp.py" listed in the reference section.
We can see that the file was run from "\VOLUME{01d0afe55dc4b8c4-8e60ce0c}\USERS\SECURIYNIK\DESKTOP\FILEZILLA_3.11.0.2_WIN32\FILEZILLA-3.11.0.2\FILEZILLA.EXE"
This is already an indication that we are making progress, and that this file was actually executed.
Let's dig deeper.
Verifying the name of the executable which was run.
The executable name stored in the header (60 bytes of UTF-16LE text at offset 0x10), "FILEZILLA.EXE", clearly matches the prefix of "FILEZILLA.EXE-93859B09.pf".
Verifying the hash of the file
The hash is stored at offset 0x4C as a 32-bit little-endian value, so the bytes "09 9B 85 93" read as "93 85 9B 09", i.e. 0x93859B09, which is exactly the suffix of the prefetch file name.
Size of the .pf file?
Let's compare the file size recorded in the decompressed file (a 32-bit value at offset 0x0C of the header) with what Windows reports for it in the file's properties.
Looking at the size we read from the header and the size reported by Windows, it is safe to conclude that the file size is "82912" bytes (0x143E0).
Number of times it was executed?
Let's find out how many times this program was executed. The run count is a 32-bit little-endian value in the header; on this 2015 build of Windows 10 it sits at offset 0xD0 (later Windows 10 builds moved it to 0xC8).
What time was the program executed?
So far we know the program ran. However, if we know what time it ran, that information may help us perform some correlation to get a clearer picture. Windows 10 keeps the last eight run times as 64-bit FILETIME values (100-nanosecond intervals since 1 January 1601 UTC) starting at offset 0x80; a value of zero means the slot is unused.
From the above, after converting the FILETIME to local time, we have the execution time as "7/4/2015, 10:18:42 pm".
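To tie the manual steps above together, here is a parser, added for this post and not the w10pfdecomp.py script from the references, that reads the same header fields (executable name at 0x10, hash at 0x4C, file size at 0x0C, FILETIME run times at 0x80, run count at 0xD0) from a decompressed Windows 10 prefetch file. The sample input is constructed in make_sample() with the name, hash and size from this post; its run count and run time are made-up values, not read from FILEZILLA.EXE-93859B09.pf. The MAM decompression path calls ntdll the same way the referenced script does and only works on Windows; everything else runs anywhere.

```python
"""Parse a Windows 10 (format version 30) prefetch file header.

Added example for this post, not the referenced w10pfdecomp.py script.
Offsets follow the libscca format documentation in the references.
"""
import struct
import sys
from datetime import datetime, timedelta, timezone

MAM_SIGNATURE = b"MAM\x04"   # Windows 10 compressed prefetch; u32 decompressed size follows
SCCA_SIGNATURE = b"SCCA"     # signature at offset 0x04 of a decompressed prefetch file
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft):
    """FILETIME is 100-ns intervals since 1601-01-01 UTC; call .astimezone() for local time."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def decompress_if_needed(data):
    """Inflate a MAM (LZXPRESS Huffman) prefetch via ntdll, as w10pfdecomp.py does.
    Plain 'SCCA' input is returned unchanged; there is no native decoder here for other OSes."""
    if not data.startswith(MAM_SIGNATURE):
        return data
    if sys.platform != "win32":
        raise RuntimeError("MAM-compressed prefetch: decompress on Windows first")
    import ctypes
    from ctypes import wintypes
    COMPRESSION_FORMAT_XPRESS_HUFFMAN = 4
    decompressed_size = struct.unpack_from("<I", data, 4)[0]
    ntdll = ctypes.WinDLL("ntdll")
    ws_size, frag_size = wintypes.ULONG(0), wintypes.ULONG(0)
    ntdll.RtlGetCompressionWorkSpaceSize(COMPRESSION_FORMAT_XPRESS_HUFFMAN,
                                         ctypes.byref(ws_size), ctypes.byref(frag_size))
    workspace = ctypes.create_string_buffer(ws_size.value)
    out = ctypes.create_string_buffer(decompressed_size)
    final_size = wintypes.ULONG(0)
    status = ntdll.RtlDecompressBufferEx(COMPRESSION_FORMAT_XPRESS_HUFFMAN, out, decompressed_size,
                                         data[8:], len(data) - 8, ctypes.byref(final_size), workspace)
    if status != 0:
        raise OSError(f"RtlDecompressBufferEx failed: NTSTATUS 0x{status & 0xFFFFFFFF:08X}")
    return out.raw[:final_size.value]


def parse_prefetch(data, run_count_offset=0xD0):
    """Return the header fields the post walks through by hand.
    run_count_offset is 0xD0 for the 2015 Windows 10 layout; later builds moved it to 0xC8."""
    data = decompress_if_needed(data)
    version, signature, _, file_size = struct.unpack_from("<I4sII", data, 0)
    if signature != SCCA_SIGNATURE:
        raise ValueError("not a decompressed prefetch file")
    if version != 30:
        raise ValueError(f"format version {version} is not Windows 10 (30)")
    # Executable name: 60 bytes of NUL-padded UTF-16LE at 0x10.
    exe_name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    # Prefetch hash at 0x4C, little-endian: bytes 09 9B 85 93 read as 0x93859B09.
    prefetch_hash = struct.unpack_from("<I", data, 0x4C)[0]
    # Eight FILETIME slots at 0x80; unused slots are zero.
    run_times = [filetime_to_datetime(ft) for ft in struct.unpack_from("<8Q", data, 0x80) if ft]
    run_count = struct.unpack_from("<I", data, run_count_offset)[0]
    return {
        "version": version,
        "executable": exe_name,
        "hash": f"{prefetch_hash:08X}",
        "expected_filename": f"{exe_name}-{prefetch_hash:08X}.pf",
        "header_file_size": file_size,
        "size_matches": file_size == len(data),
        "run_count": run_count,
        "last_run_utc": run_times,
    }


def make_sample():
    """Constructed decompressed prefetch: header fields only, all sections left zero."""
    size = 82912
    buf = bytearray(size)
    struct.pack_into("<I4sII", buf, 0, 30, SCCA_SIGNATURE, 0x11, size)
    buf[0x10:0x10 + 26] = "FILEZILLA.EXE".encode("utf-16-le")
    struct.pack_into("<I", buf, 0x4C, 0x93859B09)
    last_run = datetime(2015, 7, 4, 22, 18, 42, tzinfo=timezone.utc)  # constructed, not the post's value
    struct.pack_into("<Q", buf, 0x80, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, 0xD0, 3)  # constructed run count
    return bytes(buf)


if __name__ == "__main__":
    raw = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else make_sample()
    for key, value in parse_prefetch(raw).items():
        print(f"{key}: {value}")
```

Run it with a .pf path to parse a real file (on Windows it will decompress a MAM file itself; elsewhere feed it the output of w10pfdecomp.py), or with no argument to parse the constructed sample. "size_matches" is the check from the file-size step: the size stored at 0x0C should equal the decompressed length. The run times come back in UTC; use .astimezone() to get the local time shown in this post.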
Awesome!!! Now we have a much clearer picture of what may have transpired.
The next step would be to check any network logs, full packet capture devices and/or flow data you may have to understand WHAT was sent, and the WHERE and the WHY. We already have the WHEN, the HOW and potentially the WHO.
Most of what was just done could easily be done with a tool such as "WinPrefetchView" or another tool which performs similar operations. However, remember: knowing how the tool works is much more important than knowing how to work the tool :-)
In the next post we will take a quick look at "WinPrefetchView".
References:
https://gist.github.com/dfirfpi/113ff71274a97b489dfd
http://blog.digital-forensics.it/2015/06/a-first-look-at-windows-10-prefetch.html
https://technet.microsoft.com/en-us/sysinternals/bb545021.aspx
http://mh-nexus.de/en/hxd/
http://i.imgur.com/riuljsK.jpg
https://github.com/libyal/libscca/blob/master/documentation/Windows%20Prefetch%20File%20%28PF%29%20format.asciidoc
http://www.swiftforensics.com/2013/10/windows-prefetch-pf-files.html?m=1
http://www.epochconverter.com/epoch/ldap-timestamp.php
http://forensicswiki.org/wiki/Windows_Prefetch_File_Format
http://www.nirsoft.net/utils/win_prefetch_view.html
http://www.rapidtables.com/convert/number/hex-to-decimal.htm
Comments:
:-) Thanks for reading the blog post. However, do remember the reference is also important ;-)
Check this link.
https://gist.github.com/dfirfpi/113ff71274a97b489dfd