📙 FOR 340 - bconklin-champlain/Tech-Journal GitHub Wiki
Windows Artifacts
Prefetch & Superfetch
- Location: C:\Windows\Prefetch - one file per application, with the file extension .PF
- It optimizes the program's start-up process
Naming Convention
| programName . | programExtension . | hash . | pf |
|---|---|---|---|
💡 The hash is generated from the program's name and location (path)
Prefetch Details
| OS | Details |
|---|---|
| XP | 11 00 00 00 followed by ascii SCAA |
| Vista/7 | 17 00 00 00 followed by ascii SCAA |
| 8/8.1 | 1A 00 00 00 followed by ascii SCAA |
| 10 | MAM (ascii) followed by 04 (hex) |
What does it contain?
- File paths for files/folders accessed during the first 10 seconds of the application run
- Number of times application was run
- Last time application was run
- Media information for volumes accessed
- Volume Serial Number
- Volume creation date
- Layout.ini & NTOSBOOT-B00DFAAD.pf: file paths from all over the hard drive, recorded at boot time and then periodically (for disk optimization purposes)
💡 Prefetch is disabled on most modern systems because more people are using solid-state drives!
Prefetch for investigators
- Creation date = first run
- Modification date = last run
- On Windows 8, only the last 8 run timestamps are recorded
- The prefetch file is not deleted even when the application is
Format

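Putting the naming convention, the per-OS signature table and the investigator fields (run count, last run time) above together in code: the parser below is an added example for this page, not the page author's or any project's code. The field offsets for the executable name (0x10), path hash (0x4C), last-run FILETIME and run count are taken from the libscca format documentation and are an assumption of this example; the sample .pf header is constructed inline. Real prefetch file names separate the hash with a hyphen (e.g. `CALC.EXE-0FE8F3A9.pf`), which is what the filename parser expects.

```python
"""Parse the header of a Windows Prefetch (.pf) file and recover the fields this
page lists: format version, executable name, path hash, run count, last-run time.

Added example for this journal page, not the page author's code. The field offsets
are taken from the libscca format documentation and are an assumption of this
example; the sample file below is constructed, not captured from a real system.
"""
import re
import struct
from datetime import datetime, timedelta, timezone

SCCA_SIGNATURE = b"SCCA"
MAM_SIGNATURE = b"MAM\x04"  # Windows 10: LZXPRESS-Huffman compressed container

# Per format version: (OS label from the page, run-count offset, last-run offset,
# number of last-run slots). Windows 8 and later keep the last 8 run times.
VERSION_LAYOUT = {
    0x11: ("XP", 0x90, 0x78, 1),
    0x17: ("Vista/7", 0x98, 0x80, 1),
    0x1A: ("8/8.1", 0xD0, 0x80, 8),
    0x1E: ("10", 0xD0, 0x80, 8),  # only visible after decompression
}

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Real file names look like CALC.EXE-0FE8F3A9.pf: name, hyphen, 8 hex digits, .pf
PF_NAME_RE = re.compile(r"^(?P<name>.+)-(?P<hash>[0-9A-Fa-f]{8})\.pf$")


def filetime_to_datetime(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def describe_signature(data):
    """Classify the first 8 bytes using the OS table from this page."""
    if data[:4] == MAM_SIGNATURE:
        return "10 (compressed)"
    version, = struct.unpack_from("<I", data, 0)
    if data[4:8] == SCCA_SIGNATURE and version in VERSION_LAYOUT:
        return VERSION_LAYOUT[version][0]
    return "unknown"


def parse_pf_filename(filename):
    """Split 'CALC.EXE-0FE8F3A9.pf' into (program name, path hash)."""
    m = PF_NAME_RE.match(filename)
    if not m:
        raise ValueError("not a prefetch file name: %r" % filename)
    return m.group("name").upper(), int(m.group("hash"), 16)


def parse_prefetch(data):
    """Return the header fields of an uncompressed .pf file as a dict."""
    if data[:4] == MAM_SIGNATURE:
        raise ValueError("Windows 10 prefetch is MAM-compressed; decompress first")
    version, = struct.unpack_from("<I", data, 0)
    if data[4:8] != SCCA_SIGNATURE or version not in VERSION_LAYOUT:
        raise ValueError("unrecognised prefetch signature/version")
    os_label, run_count_off, last_run_off, slots = VERSION_LAYOUT[version]
    # Executable name: 60 bytes of NUL-padded UTF-16LE at offset 0x10
    exe_name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    path_hash, = struct.unpack_from("<I", data, 0x4C)
    run_count, = struct.unpack_from("<I", data, run_count_off)
    last_runs = []
    for i in range(slots):  # unused slots are zero and are skipped
        ft, = struct.unpack_from("<Q", data, last_run_off + 8 * i)
        if ft:
            last_runs.append(filetime_to_datetime(ft))
    return {"version": version, "os": os_label, "executable": exe_name,
            "hash": path_hash, "run_count": run_count, "last_runs": last_runs}


def build_sample_v23():
    """Constructed Vista/7 (version 0x17) header: CALC.EXE run 12 times."""
    buf = bytearray(0x100)
    struct.pack_into("<I4s", buf, 0, 0x17, SCCA_SIGNATURE)
    buf[0x10:0x10 + 16] = "CALC.EXE".encode("utf-16-le")
    struct.pack_into("<I", buf, 0x4C, 0x0FE8F3A9)
    last = datetime(2020, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
    struct.pack_into("<Q", buf, 0x80, datetime_to_filetime(last))
    struct.pack_into("<I", buf, 0x98, 12)
    return bytes(buf)


if __name__ == "__main__":
    info = parse_prefetch(build_sample_v23())
    name, h = parse_pf_filename("CALC.EXE-0FE8F3A9.pf")
    # The hash in the file name matches the hash stored in the header
    assert h == info["hash"] and name == info["executable"]
    print(info)
```

On a real case, `describe_signature` is the first check to run against a collected .pf file: a `MAM` prefix means the Windows 10 file must be decompressed before any of the offsets apply, and the last-run times recovered from the header should be compared with the file's NTFS modification time, which the page notes is also a last-run indicator.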
Disabling Prefetch
- EnablePrefetcher
  - 0 = Disabled
  - 1 = Application launch prefetching enabled
  - 2 = Boot prefetching enabled
  - 3 = Application launch and boot prefetching enabled
  - 3 by default, 0 to disable