Difference between pages "Prefetch" and "Incident Response"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(External Links)
 
(External Links)
 
Line 1: Line 1:
 
{{Expand}}
 
{{Expand}}
Windows Prefetch files, introduced in [[Windows|Windows XP]], are designed to speed up the application startup process. Prefetch files contain the name of the executable, a Unicode list of DLLs used by that executable, a count of how many times the executable has been run, and a timestamp indicating the last time the program was run. Although Prefetch is present in Windows 2003, by default it is only enabled for boot prefetching. The feature is also found in [[Windows|Windows Vista]], where it has been augmented with [[SuperFetch]], [[ReadyBoot]], and [[ReadyBoost]]. For SSD drives Prefetch is disabled by default [http://blogs.msdn.com/b/e7/archive/2009/05/05/support-and-q-a-for-solid-state-drives-and.aspx].
 
  
Up to 128 Prefetch files are stored in the <tt>%SystemRoot%\Prefetch</tt> directory [http://blogs.msdn.com/ryanmy/archive/2005/05/25/421882.aspx]. Each file in that directory should contain the name of the application, a dash, and then an eight character hash of the location from which that application was run, and a <tt>.pf</tt> extension. The filenames should be all uppercase except for the extension. The format of hashes is not known. A sample filename for [[md5deep]] would look like: <tt>MD5DEEP.EXE-4F89AB0C.pf</tt>. If an application is run from two different locations on the drive (i.e. the user runs <tt>C:\md5deep.exe</tt> and then <tt>C:\Apps\Hashing\md5deep.exe</tt>), there will be two different prefetch files in the Prefetch folder.
+
Incident Response is a set of procedures for an investigator to examine a computer security incident. This process involves figuring out what was happened and preserving information related to those events. Because of the fluid nature of computer investigations, incident response is more of an art than a science.  
  
== File format ==
+
== Tools ==
Each Prefetch file has a 4-byte signature (at offset 4) "SCCA" (or in hexadecimal notation 0x53 0x43 0x43 0x41). The signature is assumed to be preceded by a 4-byte format version indicator:
+
* 17 (0x00000011) for [[Windows XP]] and [[Windows 2003]]
+
* 23 (0x00000017) for [[Windows Vista]], [[Windows 2008]], [[Windows 7]] and [[Windows 2012]] (note Windows 2012 has not been confirmed)
+
* 26 (0x0000001a) for [[Windows 8|Windows 8.1]] (note this could be Windows 8 as well but has not been confirmed)
+
  
For more information about the file format see: [[Windows Prefetch File Format]]
+
Incident response tools can be grouped into three categories. The first category is '''Individual Tools'''. These are programs designed to probe parts of the operating system and gather useful and/or volatile data. The tools are self-contained, useful, discrete, and do not create a large footprint on the victim system.
  
== Metadata ==
+
Standalone tools have been combined to create '''Script Based Tools'''. These tools combine a number of standalone tools that are run via a script or batch file. They require minimal interaction from the user and gather a fixed set of data. These tools are good in that they automate the incident response process and provide the examiner with a standard process to defend in court. They also do not require the first responder to necessarily be an expert with the individual tools. Their weakness, however, is that they can be inflexible. Once the order of the tools is set, it can be difficult to change. Some script based tools allow the user to pick and choose which standalone tools will be used in a given examination.
The Prefetch file contains various metadata.
+
* The executable's name, up to 29 characters.
+
* The run count, or number of times the application has been run.
+
* Volume related information, like volume path and volume serial number.
+
* The size of the Prefetch file (sometimes referred to as end of file (EOF)).
+
* The files and directories that were used doing the application's start-up.
+
  
=== Timestamps ===
+
The final category of tools are '''Agent Based Tools'''. These tools require the examiner to install a program on the victim which can then report back to a central server. The upshot is that one examiner can install the program on multiple computers, gather data from all of them, and then view the results in the aggregate. Finding the victim or victims can be easier if they stand out from the crowd.
The Prefetch file contains 2 types of timestamps
+
* The time when the application was last ran (executed). Version 26 of the Prefetch format maintains 7 previous last run times.
+
* The volume creation time (part of the volume information) of the volume the Prefetch file was created on.
+
  
The file system creation time of the Prefetch file indicates the first time the application was executed. Both the file system modification time of the Prefetch file and the embedded last run time indicate the last time the application was executed.
+
== See Also ==
 +
* Obsolete: [[List of Script Based Incident Response Tools]]
  
== Prefetch hash ==
+
== External Links ==
There are multiple known hashing functions to be used for prefetch file filename hashing, namely:
+
* [http://dfrws.org/2002/papers/Papers/Jesse_Kornblum.pdf Preservation of Fragile Digital Evidence by First Responders], by [[Jesse Kornblum]], DFRWS 2002
* SCCA XP hash function; used on Windows XP and Windows 2003
+
* [https://labs.mwrinfosecurity.com/system/assets/131/original/Journey-to-the-Centre-of-the-Breach.pdf Journey to the Centre of the Breach], by Ben Downton, June 2, 2010
* SCCA Vista hash function; used on Windows Vista
+
* [http://blog.handlerdiaries.com/?p=325 Keeping Focus During an Incident], by jackcr, January 17, 2014
* SCCA 2008 hash function; used on Windows 2008, Windows 7, (possibly: Windows 2012) and Windows 8 (including 8.1)
+
  
=== SCCA XP hash function ===
+
=== Emergency Response ===
A Python implementation of the SCCA XP hash function:
+
* [http://www.mdchhs.com/sites/default/files/JEM-9-5-02-CHHS.pdf Addressing emergency response provider fatigue in emergency response preparedness, management, policy making, and research], Clark J. Lee, JD, September 2011
  
<pre>
+
=== Kill Chain ===
def ssca_xp_hash_function(filename):
+
* [http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains], by Eric M. Hutchins, Michael J. Clopperty, Rohan M. Amin, March 2011
    hash_value = 0
+
* [http://www.emc.com/collateral/hardware/solution-overview/h11154-stalking-the-kill-chain-so.pdf Stalking the kill chain], by RSA
    for character in filename:
+
        hash_value = ((hash_value * 37) + ord(character)) % 0x100000000
+
        hash_value = (hash_value * 314159269) % 0x100000000
+
        if hash_value > 0x80000000:
+
            hash_value = 0x100000000 - hash_value
+
  
    return (abs(hash_value) % 1000000007) % 0x100000000
+
=== Incident Lifecycle ===
</pre>
+
* [http://www.itsmsolutions.com/newsletters/DITYvol5iss7.htm Expanding the Expanded Incident Lifecycle], by Janet Kuhn, February 18, 2009
 +
* [https://www.enisa.europa.eu/activities/cert/support/incident-management/browsable/workflows/incident-lifecycle Incident lifecycle], by [[ENISA]]
  
=== SCCA Vista hash function ===
+
=== Intrusion Analysis ===
A Python implementation of the SCCA Vista hash function:
+
* [http://www.threatconnect.com/files/uploaded_files/The_Diamond_Model_of_Intrusion_Analysis.pdf The Diamond Model of Intrusion Analysis], by Sergio Caltagirone, Andrew Pendergast, Christopher Betz
  
<pre>
+
=== Product related ===
def ssca_vista_hash_function(filename):
+
* [http://middleware.internet2.edu/idtrust/2009/papers/05-khurana-palantir.pdf Palantir: A Framework for Collaborative Incident Response and Investigation], Himanshu Khurana, Jim Basney, Mehedi Bakht, Mike Freemon, Von Welch, Randy Butler, April 2009
    hash_value = 314159
+
    for character in filename:
+
        hash_value = ((hash_value * 37) + ord(character)) % 0x100000000
+
    return hash_value
+
</pre>
+
  
=== SCCA 2008 hash function ===
+
== Tools ==
A Python implementation of the SCCA 2008 hash function:
+
=== Individual Tools ===
 +
* [http://technet.microsoft.com/en-us/sysinternals/0e18b180-9b7a-4c49-8120-c47c5a693683.aspx Sysinternals Suite]
  
<pre>
+
=== Script Based Tools ===
def ssca_2008_hash_function(filename):
+
* [[First Responder's Evidence Disk|First Responder's Evidence Disk (FRED)]]
    hash_value = 314159
+
* [[COFEE|Microsoft COFEE]]
    filename_index = 0
+
* [[Windows Forensic Toolchest|Windows Forensic Toolchest (WFT)]]
    filename_length = len(filename)
+
* [[Regimented Potential Incident Examination Report|RAPIER]]
    while filename_index + 8 < filename_length:
+
        character_value = ord(filename[filename_index + 1]) * 37
+
        character_value += ord(filename[filename_index + 2])
+
        character_value *= 37
+
        character_value += ord(filename[filename_index + 3])
+
        character_value *= 37
+
        character_value += ord(filename[filename_index + 4])
+
        character_value *= 37
+
        character_value += ord(filename[filename_index + 5])
+
        character_value *= 37
+
        character_value += ord(filename[filename_index + 6])
+
        character_value *= 37
+
        character_value += ord(filename[filename_index]) * 442596621
+
        character_value += ord(filename[filename_index + 7])
+
        hash_value = ((character_value - (hash_value * 803794207)) % 0x100000000)
+
        filename_index += 8
+
 
+
    while filename_index < filename_length:
+
      hash_value = (((37 * hash_value) + ord(filename[filename_index])) % 0x100000000)
+
      filename_index += 1
+
 
+
    return hash_value
+
</pre>
+
 
+
== Registry Keys ==
+
<pre>
+
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
+
</pre>
+
 
+
The EnablePrefetcher Registry value can be used to disable prefetch.
+
 
+
== See Also ==
+
* [[Windows Prefetch File Format]]
+
* [[SuperFetch]]
+
* [[Prefetch XML]]
+
* [[Windows]]
+
 
+
== External Links ==
+
* [http://msdn.microsoft.com/msdnmag/issues/01/12/XPKernel/default.aspx More detail from Microsoft]
+
* [http://en.wikipedia.org/wiki/Prefetcher Wikipedia Prefetcher]
+
* [http://msdn.microsoft.com/en-us/library/ms940847(v=winembedded.5).aspx MSDN: Disabling Prefetch]
+
* [http://www.microsoft.com/whdc/driver/kernel/XP_kernel.mspx Kernel Enhancements for Windows XP], by [[Microsoft]], January 13, 2003 (Microsoft's description of Prefetch when Windows XP was introduced)
+
* [http://blogs.msdn.com/b/ryanmy/archive/2005/05/25/421882.aspx Misinformation and the The Prefetch Flag], MSDN Blogs, May 25, 2005
+
* [http://windowsir.blogspot.ch/2005/07/prefetch-file-metadata.html Prefetch file metadata], by [[Harlan Carvey]], July 13, 2005
+
* [http://windowsir.blogspot.ch/2006/04/prefetch-files-revisited.html Prefetch files, revisited], by [[Harlan Carvey]], April 13, 2006
+
* [http://blogs.msdn.com/b/e7/archive/2009/05/05/support-and-q-a-for-solid-state-drives-and.aspx Support and Q&A for Solid-State Drives], by Steven Sinofsky, May 5, 2009
+
* [http://computer-forensics.sans.org/blog/2009/08/05/de-mystifying-defrag-identifying-when-defrag-has-been-used-for-anti-forensics-part-1-windows-xp/ De-mystifying Defrag: Identifying When Defrag Has Been Used for Anti-Forensics (Part 1 - Windows XP)], by [[Chad Tilbury]], August 5, 2009
+
* [http://www.swiftforensics.com/2010/04/the-windows-prefetchfile.html Windows Prefetch File (old blog entry from 42 LLC)], by [[Yogesh Khatri]], April 14, 2010
+
* [http://www.dfinews.com/articles/2010/12/decoding-prefetch-files-forensic-purposes-part-1 Decoding Prefetch Files for Forensic Purposes: Part 1], by [[Mark Wade]], December 8, 2010
+
* [http://crucialsecurityblog.harris.com/2011/04/11/prefetch-files-at-face-value/ Prefetch Files at Face Value], by [[Mark Wade]], April 11, 2011
+
* [http://kitrap08.blogspot.hk/2011/07/windows-logical-prefetcher.html Windows Logical Prefetcher], TTS blog, July 30, 2011 (article is in Russian)
+
* [http://labit.in/pliki-prefetch-w-windows/ Prefetch i niedokładny licznik] by Paweł Hałdrzyński, August 20, 2011 (article in Polish; uncertain about the year of publication)
+
* [http://windowsir.blogspot.ch/2012/03/prefetch-analysis-revisited.html Prefetch Analysis, Revisited], by [[Harlan Carvey]], March 8, 2012
+
* [http://windowsir.blogspot.ch/2012/03/prefetch-analysis-revisitedagain.html Prefetch Analysis, Revisited...Again...], by [[Harlan Carvey]], March 15, 2012
+
* [http://www.hexacorn.com/blog/2012/06/13/prefetch-hash-calculator-a-hash-lookup-table-xpvistaw7w2k3w2k8/ Prefetch Hash Calculator + a hash lookup table xp/vista/w7/w2k3/w2k8], Hexacorn blog, June 13, 2012
+
* [http://www.hexacorn.com/blog/2012/10/29/prefetch-file-names-and-unc-paths/ Prefetch file names and UNC paths], Hexacorn blog, October 29, 2012
+
* [http://journeyintoir.blogspot.ch/2012/12/ntosboot-prefetch-file.html NTOSBOOT Prefetch File], by [[Corey Harrell]], December 5, 2012
+
* [http://www.invoke-ir.com/2013/09/whats-new-in-prefetch-for-windows-8.html What's New in the Prefetch for Windows 8??], by Jared Atkinson, September 21, 2013
+
* [http://www.swiftforensics.com/2013/10/windows-prefetch-pf-files.html?m=1 Windows Prefetch (.PF) files], by [[Yogesh Khatri]], October 21, 2013
+
* [http://i.imgur.com/riuljsK.jpg Prefetch 101 -  a Windows 8 Prefetch file walkthrough], by Jared Atkinson, 2014
+
 
+
== Tools ==
+
  
=== Commercial ===
+
=== Agent Based Tools ===
 +
* [[GRR]]
 +
* [[First Response|Mandiant First Response]]
  
=== Free - Non Open Source ===
+
== Books ==
* [http://www.woanware.co.uk/forensics/prefetchforensics.html PrefetchForensics], PrefetchForensics is an application to extract information from Windows Prefetch files
+
There are several books available that discuss incident response. For [[Windows]], ''[http://www.windows-ir.com/ Windows Forensics and Incident Recovery]'' by [[Harlan Carvey]] is an excellent introduction to possible scenarios and how to respond to them.
* [http://redwolfcomputerforensics.com/index.php?option=com_content&task=view&id=42&Itemid=55 Prefetch-Parser], Parse the prefetch files and display information
+
* [http://www.mitec.cz/wfa.html Windows File Analyzer] - Parses Prefetch files, thumbnail databases, shortcuts, index.dat files, and the recycle bin
+
* [http://www.tzworks.net/prototype_page.php?proto_id=1 Windows Prefetch Parser (pf)], Free tool that can be run on Windows, Linux or Mac OS-X
+
  
=== Open Source ===
+
[[Category:Incident Response]]
* [https://code.google.com/p/prefetch-tool/ prefetch-tool], Script to extract information from windows prefetch folder
+

Revision as of 14:33, 17 March 2014

Information icon.png

Please help to improve this article by expanding it.
Further information might be found on the discussion page.

Incident Response is a set of procedures for an investigator to examine a computer security incident. This process involves figuring out what was happened and preserving information related to those events. Because of the fluid nature of computer investigations, incident response is more of an art than a science.

Tools

Incident response tools can be grouped into three categories. The first category is Individual Tools. These are programs designed to probe parts of the operating system and gather useful and/or volatile data. The tools are self-contained, useful, discrete, and do not create a large footprint on the victim system.

Standalone tools have been combined to create Script Based Tools. These tools combine a number of standalone tools that are run via a script or batch file. They require minimal interaction from the user and gather a fixed set of data. These tools are good in that they automate the incident response process and provide the examiner with a standard process to defend in court. They also do not require the first responder to necessarily be an expert with the individual tools. Their weakness, however, is that they can be inflexible. Once the order of the tools is set, it can be difficult to change. Some script based tools allow the user to pick and choose which standalone tools will be used in a given examination.

The final category of tools are Agent Based Tools. These tools require the examiner to install a program on the victim which can then report back to a central server. The upshot is that one examiner can install the program on multiple computers, gather data from all of them, and then view the results in the aggregate. Finding the victim or victims can be easier if they stand out from the crowd.

See Also

External Links

Emergency Response

Kill Chain

Incident Lifecycle

Intrusion Analysis

Product related

Tools

Individual Tools

Script Based Tools

Agent Based Tools

Books

There are several books available that discuss incident response. For Windows, Windows Forensics and Incident Recovery by Harlan Carvey is an excellent introduction to possible scenarios and how to respond to them.