WFA Guidance
Windows File Analyser Guidance—Allan S Hay
** The following information is a guide to understanding the Prefetch Folder and the Windows Shortcut File Format (LNK). All work undertaken in my research should be verified by the analyst. Prior to release this product was tested in the Forensic Computing community, and some of their findings are incorporated into this guidance. All output from WFA should be verified by the analyst. **
Allan S Hay
November 2005
The program is divided into three parts; for the latter two I go into some depth to explain how the data is derived.
Thumbnail Analyser
In most circumstances this program will extract the OLE embedded data from a Thumbs.db file and present the information in a visible format. The larger the file being examined, the longer the objects take to render.
Although it may look as if the file is not being processed, be patient. Select a single image (Save) to be exported, or select (Report). The number at the top left of the report (Count) is the number of images rendered.
For a thorough explanation of the Forensic value of the Thumbs.db structure an excellent source of
information can be found at:
Prefetch Analyser
The Prefetch cache is resident on a Windows XP OS. Microsoft created the Prefetch cache to improve boot and application launch time. How the cache behaves is controlled by a Registry key, which can be found at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters.
The purpose of the Prefetch cache is to speed up processes at boot and during application run time. By caching commonly used applications, the OS can apportion system resources in anticipation of the user accessing the application. When an application is launched, the system updates an entry in the path C:\Windows\Prefetch with the name of the application and a file extension (.pf). Among other items, the file contains the last time that the file was modified, stored as a 64-bit hex time value, and an integer that is incremented each time the application has been run.
Before I explain where the information is, please bear in mind that the Prefetch cache takes information from the boot process and can take information from Scheduled Tasks. Therefore, it would be prudent to examine the RUN key in the registry (NTUSER\Software\Microsoft\Windows\Explorer\RUN) and also the TASKS folder (C:\Windows\Tasks). After this, scour the drive to determine whether any third-party scheduling software is resident on the drive.
Prefetch Folder
It would appear that during system idle time, every 3-5 days (but it can be longer) depending on how the caching is determined, the folder will purge itself. The analyst can search across the drive using a GREP expression and pull out the data from the Unallocated Clusters. By scrutinising the data structure, the analyst should be able to recover the data at the two foregoing offsets, minus the file-system temporal data.
The following should be used to search across the Unallocated Clusters to determine the historic Prefetch Files.
( ….SCCA.)
or:
("\\x11\\x00\\x00\\x00\\x53\\x43\\x43\\x41\\x0F", FileClass::GREP);
Using a hex editor program, open a file in the Prefetch folder; try to find the .pf file for an .exe that you use regularly, perhaps MS Word. In your hex editor, go to File Offset 120. You will see a 64-bit hex value, which is the date that the executable was last summoned; this gets updated in the .pf file. Go to File Offset 144 and note the value. This is the number of times that the application has been run since the creation of the .pf file.
This is an OS-dependent folder, so the examiner has to understand that PFA will only work on Windows XP. Hopefully Windows Vista will include a Prefetch or equivalent. Before using PFA, it is best to see where the data you are interpreting is located; using a hex editor you will be able to see the changes being made. MiTec HexEdit can be downloaded from the link below:
http://www.mitec.cz/Downloads/HEXEdit.zip
The research work that I have carried out has evolved into Version 1.0 of the Prefetch Folder Analyser, which Michal Mutl has coded for me. The program will automatically read the local drive of the user when first initialised. Within the main viewing pane is the breakdown of the resident data.
Navigate with HexEdit to the Prefetch Folder on your OS and select a file which is in regular use. Open a .pf file in HexEdit and you should see an image similar to the one on the following page.
Figure 1.0
The following is an image captured from the Winword.pf when viewed via HexEdit. Note File Offset 120, which is a 64-bit Windows Time entry. By placing the cursor on the first byte, the HexEdit program enumerates the string and this can be seen on the left hand panel. Note this time for later.
This image is the same as the previous, but File Offset 144 is highlighted, which is the incremental integer. The value interpreted by HexEdit can be seen in the Data section of the left hand panel.
Figure 1.1
As can be seen from the header information, I have accessed a .pf file for WinWord (MS Word). I then ran MS Word; only the application needs to be summoned, not a document of a file type associated with MS Word.
Using HexEdit it is possible to differentiate between two files when they are placed within HexEdit for comparison. I loaded the original Winword.pf and a Winword.pf file saved before using MS Word. It is possible to see the data that has changed; in this case look at the two 64-bit File Time differences. Both are highlighted in the panel on the left.
Figure 1.2
For your information, when using MiTec HexEdit to compare two files, the area shaded in green represents the differences between the two files.
The last image in the section shows the difference at File Offset 144. In Figure 1.0 the integer showed a value of 8 runs. Note that I used MS Word on only one occasion and the value has incremented by one.
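As an added example (not part of this guidance or of the WFA/PFA program), the following Python script pulls together the GREP search and the two offsets described earlier with the before-and-after comparison just shown: it checks the version field and the SCCA signature, reads the 64-bit Windows time at File Offset 120 and the run counter at File Offset 144, carves headers out of a constructed byte buffer standing in for unallocated clusters, and reports what changed between two copies of a .pf file. All .pf bytes are constructed inside the script, and the executable-name field at offset 16 is taken from the published XP Prefetch layout, not from this guidance.

```python
"""Added example, not part of Allan Hay's guidance or the WFA/PFA program.

Parses the Windows XP Prefetch (.pf) header fields discussed above, carves
the same header out of a raw byte buffer, and compares a before/after copy.
All .pf bytes used here are constructed below, not taken from a real system.
"""
import re
import struct
from datetime import datetime, timedelta, timezone

PF_VERSION_XP = 0x11       # 32-bit version field at offset 0 (0x11 = Windows XP)
PF_SIGNATURE = b"SCCA"     # ASCII signature at offset 4
OFF_EXE_NAME = 16          # UTF-16LE executable name, 60 bytes (public XP layout, not from the guidance)
OFF_LAST_RUN = 120         # 64-bit Windows FILETIME of the last run
OFF_RUN_COUNT = 144        # 32-bit run counter
MIN_HEADER = OFF_RUN_COUNT + 4

# Byte-for-byte the GREP expression from the guidance: version 0x11, "SCCA", then 0x0F.
CARVE_PATTERN = re.compile(rb"\x11\x00\x00\x00SCCA\x0F")

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ticks: int) -> datetime:
    """FILETIME = 100-nanosecond intervals since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt: datetime) -> int:
    td = dt - EPOCH_1601
    # Integer arithmetic: float seconds would lose precision at ~1e17 ticks.
    return (td.days * 86400 + td.seconds) * 10_000_000 + td.microseconds * 10


def parse_pf_header(data: bytes) -> dict:
    """Return the header fields, or raise ValueError if this is not an XP .pf header."""
    if len(data) < MIN_HEADER:
        raise ValueError("buffer too short for a Prefetch header")
    version = struct.unpack_from("<I", data, 0)[0]
    if data[4:8] != PF_SIGNATURE:
        raise ValueError("missing SCCA signature at offset 4")
    if version != PF_VERSION_XP:
        raise ValueError(f"unexpected Prefetch version 0x{version:02x}")
    name = data[OFF_EXE_NAME:OFF_EXE_NAME + 60].decode("utf-16-le").split("\x00", 1)[0]
    last_run_ticks = struct.unpack_from("<Q", data, OFF_LAST_RUN)[0]
    run_count = struct.unpack_from("<I", data, OFF_RUN_COUNT)[0]
    return {
        "executable": name,
        "last_run": filetime_to_datetime(last_run_ticks),
        "run_count": run_count,
    }


def carve_pf_headers(buffer: bytes) -> list:
    """Find every Prefetch header in a raw buffer (e.g. unallocated clusters) and parse it."""
    hits = []
    for match in CARVE_PATTERN.finditer(buffer):
        start = match.start()
        try:
            hits.append((start, parse_pf_header(buffer[start:start + MIN_HEADER])))
        except ValueError:
            continue  # header truncated by the end of the buffer; skip it
    return hits


def compare_pf(before: bytes, after: bytes) -> dict:
    """Mirror the HexEdit comparison: what moved at offsets 120 and 144 between two copies."""
    b, a = parse_pf_header(before), parse_pf_header(after)
    return {
        "run_count_delta": a["run_count"] - b["run_count"],
        "last_run_delta": a["last_run"] - b["last_run"],
    }


def build_sample_pf(name: str, last_run: datetime, run_count: int) -> bytes:
    """Constructed minimal XP-style .pf header for the demonstration (not a real file)."""
    buf = bytearray(160)
    struct.pack_into("<I", buf, 0, PF_VERSION_XP)
    buf[4:8] = PF_SIGNATURE
    buf[8] = 0x0F  # the byte after the signature that the GREP expression also matches
    encoded = name.encode("utf-16-le")
    buf[OFF_EXE_NAME:OFF_EXE_NAME + len(encoded)] = encoded
    struct.pack_into("<Q", buf, OFF_LAST_RUN, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, OFF_RUN_COUNT, run_count)
    return bytes(buf)


# Constructed data: WINWORD .pf before and after one launch of Word (run count 8 -> 9).
BEFORE = build_sample_pf("WINWORD.EXE", datetime(2005, 11, 14, 9, 30, tzinfo=timezone.utc), 8)
AFTER = build_sample_pf("WINWORD.EXE", datetime(2005, 11, 14, 10, 5, tzinfo=timezone.utc), 9)
# Constructed "unallocated clusters": padding, a stale header, padding, then a truncated header.
UNALLOCATED = b"\x00" * 37 + BEFORE + b"\xff" * 10 + AFTER[:100]

if __name__ == "__main__":
    for label, blob in (("before", BEFORE), ("after", AFTER)):
        print(label, parse_pf_header(blob))
    for offset, fields in carve_pf_headers(UNALLOCATED):
        print(f"carved header at offset {offset}: {fields}")
    print("delta:", compare_pf(BEFORE, AFTER))
```

Run against real evidence, `parse_pf_header` would be given the bytes of a .pf file and `carve_pf_headers` a raw image or unallocated-cluster export; the truncated second header in the constructed buffer shows why a carved hit must be checked for a full 148-byte header before offsets 120 and 144 are trusted.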
Using PFA
The program has been developed to output the following information, which may be of interest to the analyst.
Application:
This column shows the name of the application or program. In research work I found that some programs that are not installed, that is stand-alone programs, will not have any entries in the Prefetch Folder, or that stand-alone entries can have erroneous run counts.
Created Date:
The system flushes the cache as and when it sees fit (MS state 3 days, though I do not agree with this). A new .pf file is then generated when the program is next executed, or on the next boot up. The first time the program is used the counter in the .pf will increment by one, and so on. If the .pf file has not been flushed, then the time the .pf file was created, along with the value at File Offset 144, should give an indication of how many times the program has been used.
Written:
Easily understood as the time and date at which the file was last written to.
Last Accessed:
This is not to be interpreted as the last time that the file was accessed for updating; the file could have been accessed by a third-party utility.