cybersecurity notes

Extracting Prefetch

Prefetch

  • Windows feature that records which files and code an application touches when it starts, and uses that record to preload those resources into memory on later launches, speeding up boot and application start.

  • Each program gets its own .pf file in C:\Windows\Prefetch, which is why these files are valuable evidence of execution: they carry the executable name and when it ran.

Steps

./vol.py -f memdump_Win10x64_15063.mem --profile Win10x64_15063 prefetchparser

  • Download the prefetchparser plugin from GitHub and put it into Volatility's plugins directory.

  • The first run fails with "Can't load MSCompression Library": Windows 10 prefetch files are compressed, so the plugin needs a third-party decompression library.

  • That library is an open-source implementation of Microsoft's compression algorithms from another GitHub repository; prefetch files use its LZXPRESS Huffman ("Express Huffman") variant.

  • Switch to root and clone the repo.

git clone https://github.com/coderforlife/ms-compress.git

  • Run build.sh to compile it; the build produces libMSCompression.so.

  • Move libMSCompression.so to /usr/lib and exit the root shell.

  • Run the plugin again and it fails with "./mam-pf/ is not a directory".

  • The plugin needs an output directory for the carved prefetch files ("mam" after the MAM signature of the compressed files).

  • Create the directory and pass it with --mam-dir:

./vol.py -f memdump_Win10x64_15063.mem --profile Win10x64_15063 prefetchparser --mam-dir=./dump/

  • The plugin prints the parsed prefetch information, including the execution times of each program.

  • Windows 8 and later track only the last 8 run times per prefetch file, so a frequently run program shows at most 8 entries.

  • The carved prefetch files are written to the dump directory.

  • Running file against them returns nothing useful, since file does not recognize the format.

xxd mam-pf-0000.pf | more

  • The letters "MAM" at the start of the header mark an LZXPRESS Huffman compressed file, which is a valid Windows 10 prefetch file.

  • Only partial prefetch files are recovered from memory (each is truncated at 4096 bytes, one page), but the headers are intact.

  • Windows 10 compresses prefetch files and the signature is MAM. Before Windows 10, prefetch files are stored uncompressed and the signature SCCA appears at offset 4 of the header; an uncompressed (or decompressed) Windows 10 file shows SCCA there as well.
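As an added example (not code from the video, Volatility or the prefetchparser plugin), here is a Python triage script that does for a dump directory what file cannot: it tells MAM carves from uncompressed SCCA files, and for SCCA files pulls out the executable name, hash, run count and the last-run times (one slot before Windows 8, eight from Windows 8 on). Every name in it is hypothetical, the sample carves are constructed, and the field offsets follow the publicly documented prefetch layout; the run-count offset used for Windows 10 is an assumption (some Windows 10 builds place it 8 bytes earlier).

```python
"""Triage carved prefetch files by header: MAM (compressed) vs SCCA (uncompressed).

Added example for these notes; it is not code from 13cubed, Volatility or the
prefetchparser plugin. Field offsets follow the public prefetch format
documentation (libscca). All names here are hypothetical, and the sample
carves built below are constructed, not real files.
"""
import struct
import sys
from datetime import datetime, timedelta, timezone

MAM_SIGNATURE = b"MAM\x04"   # Win10: LZXPRESS Huffman container; uncompressed size follows
SCCA_SIGNATURE = b"SCCA"     # uncompressed prefetch: version at offset 0, signature at 4
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# version -> (offset of first last-run FILETIME, number of slots, offset of run count)
# 17 = XP/2003, 23 = Vista/7, 26 = Win8.1, 30 = Win10.
# Assumption: Win10 uses the Win8.1 layout for the run count (208); some builds use 200.
FILE_INFO = {
    17: (120, 1, 144),
    23: (128, 1, 152),
    26: (128, 8, 208),
    30: (128, 8, 208),
}


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def identify(data):
    """Classify a blob by its first bytes; this is what file(1) cannot do for MAM."""
    if data[:4] == MAM_SIGNATURE:
        return {"kind": "mam", "uncompressed_size": struct.unpack_from("<I", data, 4)[0]}
    if data[4:8] == SCCA_SIGNATURE:
        return {"kind": "scca", "version": struct.unpack_from("<I", data, 0)[0]}
    return {"kind": "unknown"}


def parse_scca(data):
    """Parse the header and file-information block of an uncompressed prefetch file.

    Everything read here lies in the first 308 bytes (84-byte header plus at
    most a 224-byte file-information block), so a 4096-byte carve is enough.
    """
    version, sig, _unknown, file_size = struct.unpack_from("<I4sII", data, 0)
    if sig != SCCA_SIGNATURE:
        raise ValueError("no SCCA signature at offset 4")
    if version not in FILE_INFO:
        raise ValueError("unsupported prefetch version %d" % version)
    # 60 bytes of UTF-16LE at offset 16: executable name, NUL padded
    executable = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    pf_hash = struct.unpack_from("<I", data, 76)[0]
    times_off, slots, count_off = FILE_INFO[version]
    raw = struct.unpack_from("<%dQ" % slots, data, times_off)
    # Win8+ keeps the last 8 run times; unused slots are zero and are dropped here
    last_runs = [filetime_to_datetime(t) for t in raw if t]
    return {
        "version": version,
        "executable": executable,
        "hash": "%08X" % pf_hash,
        "file_size": file_size,
        "last_runs": last_runs,
        "run_count": struct.unpack_from("<I", data, count_off)[0],
    }


def build_sample_scca(version=30, executable="NOTEPAD.EXE", pf_hash=0x1234ABCD,
                      run_times=(), run_count=0):
    """Construct a synthetic uncompressed prefetch carve (test data, not a real file)."""
    times_off, slots, count_off = FILE_INFO[version]
    buf = bytearray(4096)                                   # one page, like a memory carve
    struct.pack_into("<I4sII", buf, 0, version, SCCA_SIGNATURE, 0x0F, 4096)
    name = executable.encode("utf-16-le")[:58]              # leave room for the NUL
    buf[16:16 + len(name)] = name
    struct.pack_into("<I", buf, 76, pf_hash)
    for i, ft in enumerate(list(run_times)[:slots]):
        struct.pack_into("<Q", buf, times_off + 8 * i, ft)
    struct.pack_into("<I", buf, count_off, run_count)
    return bytes(buf)


# Constructed MAM carve: signature, claimed uncompressed size, then a fake compressed body.
SAMPLE_MAM = MAM_SIGNATURE + struct.pack("<I", 24576) + b"\x00" * 24
FT_2023 = 133170048000000000   # FILETIME for 2023-01-01 00:00:00 UTC


def triage(blobs):
    """Summarize {filename: bytes}: kind for every blob, parsed fields for SCCA blobs."""
    report = {}
    for name, data in blobs.items():
        info = identify(data)
        if info["kind"] == "scca":
            info.update(parse_scca(data))
        report[name] = info
    return report


if __name__ == "__main__":
    if sys.argv[1:]:
        blobs = {}
        for path in sys.argv[1:]:
            with open(path, "rb") as fh:
                blobs[path] = fh.read()
    else:
        blobs = {"mam-pf-0000.pf": SAMPLE_MAM,
                 "constructed.pf": build_sample_scca(run_times=[FT_2023], run_count=3)}
    for name, info in triage(blobs).items():
        print(name, info)
```

Run it as `python3 pf_triage.py ./dump/*.pf` on the plugin's output directory. The MAM body itself still needs LZXPRESS Huffman decompression before parse_scca() applies: on Linux that is the libMSCompression build above; on a Windows analysis box, ntdll's RtlDecompressBufferEx with COMPRESSION_FORMAT_XPRESS_HUFF (4) does it natively. The second dword of the MAM header is the uncompressed size, which is how a decompressor knows how large an output buffer to allocate.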


Last updated 1 year ago