đ FOR 340 - tconklin-champlain/Tech-Journal GitHub Wiki
Windows Artifacts
Prefetch & Superfetch
- Location
C:\Windows\Prefetch - One per Application with file extenstion .PF
- It optimizes the programs boot up process
Naming Convention
| programName . | programExtension . | hash . | pf |
|---|
đĄ The hash is generated by the programs name and location
Prefetch Details
| OS | Details |
|---|---|
| XP | 11 00 00 00 followed by ascii SCAA |
| Vista/7 | 17 00 00 00 followed by ascii SCAA |
| 8/8.1 | 1A 00 00 00 followed by ascii SCAA |
| 10 | MAM (ascii) followed by 04 (hex) |
What it contains?
- File path for files/folders accessed during first 10 sec of application run
- Number of times application was run
- Last time application was run
- Media information for volumes accessed
- Volume Serial Number
- Volume creation date
- Layout.ini & NTOSBOOT-B00DFAAD.pf *File Paths from all over the hard drive recorded during boot time and then periodically (for disk optimization purposes)
đĄ Prefetch is disabled on most modern systems due to more people using solid state drives!
Prefetch for investigators
- Creation date = first run
- Modification date = last run
- On windows 8, only last 8 time stamps are recorcded
- Prefetch is not deleted even when application is
Format
Disabling Prefetch
- EnablePrefetcher
- 0 = Disabled
- 1 = Application launch prefetching enabled
- 2 = Boot prefetching enabled
- 3 = Application launch and boot enabled
- 3 by default, 0 to disable