Extracting Prefetch

Prefetch

  • Windows feature that records and analyzes data about frequently used files and applications.

  • Uses this information to optimize startup and application launch times by prefetching necessary resources into memory.

  • Stored in the C:\Windows\Prefetch folder

Steps

./vol.py -f memdump_Win10x64_15063.mem --profile Win10x64_15063 prefetchparser

  • Download the plugin from github and put it into plugins directory.

  • When you try running it, you will see this error: “Can’t load MSCompression Library”, because the prefetch files in Win10 are compressed thus requiring a third-party compression library to be installed.

  • The open-source implementation of Microsoft compression algorithms is obtained from another GitHub repository. The Express Huffman algorithm is specifically utilized by prefetch files.

  • Switch to root and clone the repo.

git clone https://github.com/coderforlife/ms-compress.git

  • Run the “build.sh” file to compile it and you’ll get “libMSCompression.so” file.

  • Move it to /usr/lib folder and exit out of root.

  • Run the command again and you’ll get this error: “./mam-pf/ is not a directory”

  • You need to specify the mam dump directory where the prefetch files will be dumped, where “mam” refers to the Express Huffman (MAM) compression format used by these files.

  • Create a dump directory and run the following command

./vol.py -f memdump_Win10x64_15063.mem --profile Win10x64_15063 prefetchparser --mam-dir=./dump/

  • The parsed prefetch information is displayed, including execution times for specific processes.

  • If a file has been executed more than eight times, only 8 entries are displayed, because Windows 8 and later track only the last 8 execution times.

  • You can find the prefetch files in the dump directory.

  • Running the file utility against them will not result in anything, as it doesn’t recognize those files.

xxd mam-pf-0000.pf | more

  • You can find the letters “MAM” in the header, as it is an Express Huffman compressed file, which indeed is a valid Prefetch file.

  • Only partial Prefetch files are extracted from memory (truncated at 4096 bytes), but they still have valid headers.

  • In Win10, Prefetch files are compressed and the file signature is MAM. Before Win10, the signature is SCCA. If the prefetch file is uncompressed, SCCA can be seen in the header.
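Because the file utility does not recognize dumped prefetch files, the header check described in the last few bullets is easy to script. The following is an added example, not part of the original notes or the prefetchparser plugin: it inspects a dumped .pf file and reports whether it carries the Windows 10 MAM header (compressed, with the uncompressed size stored right after the signature) or the older SCCA header (uncompressed, with the format version, file size and executable name readable in place), and flags files that look cut off at the 4096-byte dump limit. The SCCA field offsets follow the publicly documented prefetch layout; the sample byte strings, the 0x1A2B3C4D hash value and the function names are constructed for this example.

```python
import os
import struct
import sys

MAM_SIGNATURE = b"MAM"     # Express Huffman compressed prefetch (Windows 10), at offset 0
SCCA_SIGNATURE = b"SCCA"   # uncompressed prefetch, found at offset 4
DUMP_LIMIT = 4096          # bytes the plugin recovers from memory (see the notes above)

# Format version (first uint32 of an uncompressed file) to Windows generation
FORMAT_VERSIONS = {17: "Windows XP/2003", 23: "Windows Vista/7",
                   26: "Windows 8.1", 30: "Windows 10"}


def identify_prefetch(data):
    """Return a dict describing the prefetch header in data, or None if not a prefetch file."""
    if len(data) >= 8 and data[:3] == MAM_SIGNATURE:
        # MAM header: 3-byte signature, one flag byte (0x04), then uint32 LE uncompressed size.
        # The compressed payload follows; it is not decompressed here.
        uncompressed_size = struct.unpack_from("<I", data, 4)[0]
        return {
            "kind": "compressed",
            "signature": "MAM",
            "uncompressed_size": uncompressed_size,
            "payload_bytes": len(data) - 8,
            # Heuristic: a dump of exactly the limit is almost certainly cut off.
            "truncated": len(data) >= DUMP_LIMIT,
        }
    if len(data) >= 80 and data[4:8] == SCCA_SIGNATURE:
        # SCCA layout: version @0, "SCCA" @4, file size @12, UTF-16LE exe name @16 (60 bytes), hash @76
        version = struct.unpack_from("<I", data, 0)[0]
        file_size = struct.unpack_from("<I", data, 12)[0]
        name = data[16:76].decode("utf-16-le", errors="replace").split("\x00", 1)[0]
        prefetch_hash = struct.unpack_from("<I", data, 76)[0]
        return {
            "kind": "uncompressed",
            "signature": "SCCA",
            "version": version,
            "windows": FORMAT_VERSIONS.get(version, "unknown"),
            "file_size": file_size,
            "executable": name,
            "hash": "%08X" % prefetch_hash,
            # The header states the full size, so truncation is exact here.
            "truncated": len(data) < file_size,
        }
    return None


def build_scca_sample(exe_name, version, total_size):
    """Construct a minimal uncompressed prefetch header for demonstration (not a real file)."""
    header = struct.pack("<I", version) + SCCA_SIGNATURE + struct.pack("<I", 0x11)
    header += struct.pack("<I", total_size)
    header += exe_name.encode("utf-16-le").ljust(60, b"\x00")
    header += struct.pack("<I", 0x1A2B3C4D)        # constructed hash value
    return header.ljust(total_size, b"\x00")


# Constructed samples: a Win10-style MAM dump cut at 4096 bytes, and a Win7-style SCCA file.
SAMPLE_MAM = b"MAM\x04" + struct.pack("<I", 0xE800) + b"\x00" * (DUMP_LIMIT - 8)
SAMPLE_SCCA = build_scca_sample("NOTEPAD.EXE", 23, 512)


def scan_dump_dir(path):
    """Identify every file in a prefetchparser --mam-dir dump directory."""
    results = {}
    for name in sorted(os.listdir(path)):
        with open(os.path.join(path, name), "rb") as fh:
            results[name] = identify_prefetch(fh.read())
    return results


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for name, info in scan_dump_dir(sys.argv[1]).items():
            print(name, info)
    else:
        print("constructed MAM sample:", identify_prefetch(SAMPLE_MAM))
        print("constructed SCCA sample:", identify_prefetch(SAMPLE_SCCA))
```

Run it with the dump directory as the only argument (for example `python3 pfhdr.py ./dump/`) to label each mam-pf-NNNN.pf file; with no argument it reports on the two constructed samples. Reading the uncompressed size out of the MAM header is useful on its own: it tells you how large the decompressed prefetch record would be, and therefore how much of it was lost to the 4096-byte truncation even before any decompression is attempted.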
