Difference between pages "Prefetch" and "WinFE"

From ForensicsWiki
(Difference between pages)
Jump to: navigation, search
(External Links)
 
m (Resources:)
 
Line 1: Line 1:
{{Expand}}
+
{{Infobox_Software |
Windows Prefetch files, introduced in [[Windows|Windows XP]], are designed to speed up the application startup process. Prefetch files contain the name of the executable, a Unicode list of DLLs used by that executable, a count of how many times the executable has been run, and a timestamp indicating the last time the program was run. Although Prefetch is present in Windows 2003, by default it is only enabled for boot prefetching. The feature is also found in [[Windows|Windows Vista]], where it has been augmented with [[SuperFetch]], [[ReadyBoot]], and [[ReadyBoost]].
+
  name = Windows Forensic Environment |
 +
  maintainer = [[Windows Forensic Environment Project]] |
 +
  os = {{Windows}} |
 +
  genre = {{Live CD}} |
 +
  license = unknown |
 +
  website = http://winfe.wordpress.com |
 +
}}
  
From [http://msdn.microsoft.com/en-us/library/windows/hardware/dn653317(v=vs.85).aspx]:
 
* [[SuperFetch]]; analyzes per-machine usage patterns over time and optimizes the data that is kept in memory.
 
* [[ReadyBoot]]; decreases boot time (the time from turning power on to reaching the log-on screen) by preloading the files and startup programs needed per-machine into a cache.
 
* [[ReadyBoost]]; supports the use of flash storage devices like Universal Serial Bus (USB) flash drives and Secure Digital (SD) flash cards to boost PC performance.
 
* [[ReadyDrive]]; supports hybrid hard disk drives.
 
  
For SSD drives Prefetch is disabled by default [http://blogs.msdn.com/b/e7/archive/2009/05/05/support-and-q-a-for-solid-state-drives-and.aspx].
+
'''Windows Forensic Environment''' - a forensically sound bootable CD/USB to acquire electronic media or conduct forensic analysis.
 +
                                             
 +
== Windows Forensic Environment ("WinFE") ==
  
== Prefetch files ==
+
WinFE was developed and researched in 2008 by Troy Larson, Sr Forensic Examiner and Research at Microsoft [http://www.twine.com/item/113421dk0-g99/windows-fe].  WinFE is based off the Windows Pre-installation Environment of media being Read Only by default.
The Prefetch files are stored in the directory:
+
It works similar to Linux forensic CDs that are configured not to mount media upon booting. 
<pre>
+
However, unlike Linux boot CDs, with Win FE one can use Windows based software. Thus it is possible to include various forensic software and general portable utilities.
%SystemRoot%\Prefetch
+
WinFE can also be configured to boot from a USB device, should the evidence computer have the ability to boot to USB.
</pre>
+
  
The following files can be found in the Prefetch directory:
+
WinFE can be customized to the examiner's needs through batch files using the Windows Automated Install Kit (WAIK) or through 3rd party utilities such as WinBuilder [http://reboot.pro].
* <tt>*.pf</tt>, which are Prefetch files;
+
* <tt>Ag*.db</tt> and <tt>Ag*.db.trx</tt>, which are [[SuperFetch]] files;
+
Some examples of Windows based forensic utilities that can run in the Windows Forensic Environment include:  
* <tt>Layout.ini</tt>;
+
* X-Ways Forensics [http://www.x-ways.net],
* <tt>PfPre_*.db</tt>;
+
* AccessData FTK Imager [http://www.accessdata.com],
* <tt>PfSvPerfStats.bin</tt>
+
* Guidance Software Encase [http://www.guidancesoftware.com],
 +
* ProDiscover [http://www.techpathways.net],
 +
* RegRipper [http://www.RegRipper.wordpress.com].
  
A Prefetch file contains the name of the application, a dash, and then an eight character hash of the location from which that application was run, and a <tt>.pf</tt> extension. The filenames should be all uppercase except for the extension. E.g. a filename for [[md5deep]] would look like: <tt>MD5DEEP.EXE-4F89AB0C.pf</tt>. If an application is run from two different locations on the drive (i.e. the user runs <tt>C:\md5deep.exe</tt> and then <tt>C:\Apps\Hashing\md5deep.exe</tt>), there will be two different prefetch files in the Prefetch folder. According to MSDN up to 128 Prefetch files can be stored in the Prefetch directory [http://blogs.msdn.com/ryanmy/archive/2005/05/25/421882.aspx].
+
A write protection tool developed by Colin Ramsden was released in 2012 that provides a GUI for disk toggling [http://www.ramsdens.org.uk/]. Colin Ramsden's write protect tool effectively replaces the command line to toggle disks on/offline or readonly/readwrite.
  
=== File format ===
+
== Technical Background and Forensic Soundness ==
Each Prefetch file has a 4-byte signature (at offset 4) "SCCA" (or in hexadecimal notation 0x53 0x43 0x43 0x41). The signature is assumed to be preceded by a 4-byte format version indicator:
+
* 17 (0x00000011) for [[Windows XP]] and [[Windows 2003]]
+
* 23 (0x00000017) for [[Windows Vista]], [[Windows 2008]], [[Windows 7]] and [[Windows 2012]] (note Windows 2012 has not been confirmed)
+
* 26 (0x0000001a) for [[Windows 8|Windows 8.1]] (note this could be Windows 8 as well but has not been confirmed)
+
  
For more information about the file format see: [[Windows Prefetch File Format]]
+
Windows FE is based on the modification of just two entries in the Windows Registry.
 +
The first key is located at "HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MountMgr". The DWord "NoAutoMount" has to be set to "1".
 +
By doing this the Mount-Manager service will not automatically mount any storage device.
 +
The second key is "HKEY_LOCAL_MACHINE\system\ControlSet001\Services\partmgr\Parameters" where "SanPolicy" has to be set to "3".
 +
While both keys will avoid the mounting of storage devices the user has to mount the storage drive manually by using the command-line tool DiskPart, while the evidence drive does not need to be mounted for imaging/forensic access.
  
== Metadata ==
+
The latest modification (New for Windows 8) to the registry is SAN policy 4. SAN policy 4 Makes internal disks offline. Note. All external disks and the boot disk are online.
The Prefetch file contains various metadata.
+
* The executable's name, up to 29 characters.
+
* The run count, or number of times the application has been run.
+
* Volume related information, like volume path and volume serial number.
+
* The size of the Prefetch file (sometimes referred to as end of file (EOF)).
+
* The files and directories that were used doing the application's start-up.
+
  
=== Timestamps ===
+
Testing has shown that mounting a '''volume''' in READ ONLY mode will write a controlling code to the disk, whereas mounting a '''disk''' in READ ONLY mode will not make any changes.   Depending on the type of filesystem there is a potential modification to the disk with a documented 4-byte change to non-user created data. This modification exists for non-Windows OS disks, where Windows (FE) will write a Windows drive signature to the disk, although it is not shown to be consistent.  Various issues with Linux Boot CDs can be compared [http://www.forensicswiki.org/wiki/Forensic_Linux_Live_CD_issues] ).
The Prefetch file contains 2 types of timestamps
+
* The time when the application was last ran (executed). Version 26 of the Prefetch format maintains 7 previous last run times.
+
* The volume creation time (part of the volume information) of the volume the Prefetch file was created on.
+
  
The file system creation time of the Prefetch file indicates the first time the application was executed. Both the file system modification time of the Prefetch file and the embedded last run time indicate the last time the application was executed.
+
== Resources: ==
  
== Prefetch hash ==
+
* Windows Forensic Environment blog: [http://www.winfe.wordpress.com]
There are multiple known hashing functions to be used for prefetch file filename hashing, namely:
+
* Article on Win FE in Hakin9 magazine 2009-06 [http://hakin9.org]  
* SCCA XP hash function; used on Windows XP and Windows 2003
+
* step-by-step Video to create a Win FE CD [http://www.youtube.com/v/J3T5wnPiObI]
* SCCA Vista hash function; used on Windows Vista
+
* WinPE Technical Reference: [http://technet.microsoft.com/en-us/library/dd744322(WS.10).aspx]
* SCCA 2008 hash function; used on Windows 2008, Windows 7, (possibly: Windows 2012) and Windows 8 (including 8.1)
+
* Windows Automated Installation Kit: [http://www.microsoft.com/downloads/details.aspx?familyid=696DD665-9F76-4177-A811-39C26D3B3B34&displaylang=en]
 
+
* WinFE Write Protect tool [http://www.ramsdens.org.uk/]
=== SCCA XP hash function ===
+
* WinFE Online Training course [http://courses.dfironlinetraining.com/windows-forensic-environment]
A Python implementation of the SCCA XP hash function:
+
 
+
<pre>
+
def ssca_xp_hash_function(filename):
+
    hash_value = 0
+
    for character in filename:
+
        hash_value = ((hash_value * 37) + ord(character)) % 0x100000000
+
        hash_value = (hash_value * 314159269) % 0x100000000
+
        if hash_value > 0x80000000:
+
            hash_value = 0x100000000 - hash_value
+
 
+
    return (abs(hash_value) % 1000000007) % 0x100000000
+
</pre>
+
 
+
=== SCCA Vista hash function ===
+
A Python implementation of the SCCA Vista hash function:
+
 
+
<pre>
+
def ssca_vista_hash_function(filename):
+
    hash_value = 314159
+
    for character in filename:
+
        hash_value = ((hash_value * 37) + ord(character)) % 0x100000000
+
    return hash_value
+
</pre>
+
 
+
=== SCCA 2008 hash function ===
+
A Python implementation of the SCCA 2008 hash function:
+
 
+
<pre>
+
def ssca_2008_hash_function(filename):
+
    hash_value = 314159
+
    filename_index = 0
+
    filename_length = len(filename)
+
    while filename_index + 8 < filename_length:
+
        character_value = ord(filename[filename_index + 1]) * 37
+
        character_value += ord(filename[filename_index + 2])
+
        character_value *= 37
+
        character_value += ord(filename[filename_index + 3])
+
        character_value *= 37
+
        character_value += ord(filename[filename_index + 4])
+
        character_value *= 37
+
        character_value += ord(filename[filename_index + 5])
+
        character_value *= 37
+
        character_value += ord(filename[filename_index + 6])
+
        character_value *= 37
+
        character_value += ord(filename[filename_index]) * 442596621
+
        character_value += ord(filename[filename_index + 7])
+
        hash_value = ((character_value - (hash_value * 803794207)) % 0x100000000)
+
        filename_index += 8
+
 
+
    while filename_index < filename_length:
+
      hash_value = (((37 * hash_value) + ord(filename[filename_index])) % 0x100000000)
+
      filename_index += 1
+
 
+
    return hash_value
+
</pre>
+
 
+
== Registry Keys ==
+
<pre>
+
Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
+
</pre>
+
 
+
The EnablePrefetcher Registry value can be used to disable prefetch.
+
 
+
== See Also ==
+
* [[Prefetch XML]]
+
* [[ReadyBoot]]
+
* [[SuperFetch]]
+
* [[Windows]]
+
* [[Windows Prefetch File Format]]
+
 
+
== External Links ==
+
* [http://msdn.microsoft.com/msdnmag/issues/01/12/XPKernel/default.aspx More detail from Microsoft]
+
* [http://en.wikipedia.org/wiki/Prefetcher Wikipedia Prefetcher]
+
* [http://msdn.microsoft.com/en-us/library/ms940847(v=winembedded.5).aspx MSDN: Disabling Prefetch]
+
* [http://msdn.microsoft.com/en-us/magazine/cc302206.aspx Windows XP: Kernel Improvements Create a More Robust, Powerful, and Scalable OS], by [[Mark Russinovich]], [[David Solomon]], December 2001
+
* [http://www.microsoft.com/whdc/driver/kernel/XP_kernel.mspx Kernel Enhancements for Windows XP], by [[Microsoft]], January 13, 2003 (Microsoft's description of Prefetch when Windows XP was introduced)
+
* [http://blogs.msdn.com/b/ryanmy/archive/2005/05/25/421882.aspx Misinformation and the The Prefetch Flag], MSDN Blogs, May 25, 2005
+
* [http://windowsir.blogspot.ch/2005/07/prefetch-file-metadata.html Prefetch file metadata], by [[Harlan Carvey]], July 13, 2005
+
* [http://windowsir.blogspot.ch/2006/04/prefetch-files-revisited.html Prefetch files, revisited], by [[Harlan Carvey]], April 13, 2006
+
* [http://www.codeproject.com/Articles/29449/Windows-Memory-Management Windows Memory Management], by logicchild, September 17, 2008
+
* [http://www.codeproject.com/Articles/29692/Windows-Memory-Management-Part Windows Memory Management - Part 2], by logicchild, September 25, 2008
+
* [http://blogs.msdn.com/b/e7/archive/2009/05/05/support-and-q-a-for-solid-state-drives-and.aspx Support and Q&A for Solid-State Drives], by Steven Sinofsky, May 5, 2009
+
* [http://computer-forensics.sans.org/blog/2009/08/05/de-mystifying-defrag-identifying-when-defrag-has-been-used-for-anti-forensics-part-1-windows-xp/ De-mystifying Defrag: Identifying When Defrag Has Been Used for Anti-Forensics (Part 1 - Windows XP)], by [[Chad Tilbury]], August 5, 2009
+
* [http://www.swiftforensics.com/2010/04/the-windows-prefetchfile.html Windows Prefetch File (old blog entry from 42 LLC)], by [[Yogesh Khatri]], April 14, 2010
+
* [http://msdn.microsoft.com/en-us/library/windows/hardware/dn653317(v=vs.85).aspx Windows PC Accelerators], by Microsoft, October 8, 2010
+
* [http://www.dfinews.com/articles/2010/12/decoding-prefetch-files-forensic-purposes-part-1 Decoding Prefetch Files for Forensic Purposes: Part 1], by [[Mark Wade]], December 8, 2010
+
* [http://crucialsecurityblog.harris.com/2011/04/11/prefetch-files-at-face-value/ Prefetch Files at Face Value], by [[Mark Wade]], April 11, 2011
+
* [http://kitrap08.blogspot.hk/2011/07/windows-logical-prefetcher.html Windows Logical Prefetcher], TTS blog, July 30, 2011 (article is in Russian)
+
* [http://labit.in/pliki-prefetch-w-windows/ Prefetch i niedokładny licznik] by Paweł Hałdrzyński, August 20, 2011 (article in Polish; uncertain about the year of publication)
+
* [http://windowsir.blogspot.ch/2012/03/prefetch-analysis-revisited.html Prefetch Analysis, Revisited], by [[Harlan Carvey]], March 8, 2012
+
* [http://windowsir.blogspot.ch/2012/03/prefetch-analysis-revisitedagain.html Prefetch Analysis, Revisited...Again...], by [[Harlan Carvey]], March 15, 2012
+
* [http://www.hexacorn.com/blog/2012/06/13/prefetch-hash-calculator-a-hash-lookup-table-xpvistaw7w2k3w2k8/ Prefetch Hash Calculator + a hash lookup table xp/vista/w7/w2k3/w2k8], Hexacorn blog, June 13, 2012
+
* [http://www.hexacorn.com/blog/2012/10/29/prefetch-file-names-and-unc-paths/ Prefetch file names and UNC paths], Hexacorn blog, October 29, 2012
+
* [http://journeyintoir.blogspot.ch/2012/12/ntosboot-prefetch-file.html NTOSBOOT Prefetch File], by [[Corey Harrell]], December 5, 2012
+
* [http://www.invoke-ir.com/2013/09/whats-new-in-prefetch-for-windows-8.html What's New in the Prefetch for Windows 8??], by Jared Atkinson, September 21, 2013
+
* [http://www.swiftforensics.com/2013/10/windows-prefetch-pf-files.html?m=1 Windows Prefetch (.PF) files], by [[Yogesh Khatri]], October 21, 2013
+
* [http://resources.infosecinstitute.com/windows-systems-artifacts-digital-forensics-part-iii-prefetch-files/ Windows Systems and Artifacts in Digital Forensics: Part III: Prefetch Files], by Ivan Dimov, November 21, 2013
+
* [http://i.imgur.com/riuljsK.jpg Prefetch 101 - a Windows 8 Prefetch file walkthrough], by Jared Atkinson, 2014
+
 
+
== Tools ==
+
 
+
=== Commercial ===
+
 
+
=== Free - Non Open Source ===
+
* [http://www.woanware.co.uk/forensics/prefetchforensics.html PrefetchForensics], PrefetchForensics is an application to extract information from Windows Prefetch files
+
* [http://redwolfcomputerforensics.com/index.php?option=com_content&task=view&id=42&Itemid=55 Prefetch-Parser], Parse the prefetch files and display information
+
* [http://www.mitec.cz/wfa.html Windows File Analyzer] - Parses Prefetch files, thumbnail databases, shortcuts, index.dat files, and the recycle bin
+
* [http://www.tzworks.net/prototype_page.php?proto_id=1 Windows Prefetch Parser (pf)], Free tool that can be run on Windows, Linux or Mac OS-X
+
 
+
=== Open Source ===
+
* [https://code.google.com/p/prefetch-tool/ prefetch-tool], Script to extract information from windows prefetch folder
+
* [http://bitbucket.cassidiancybersecurity.com/prefetch-parser prefetch-parser], Standalone Python tools that parses Windows prefetch files and extracts all known and forensically relevant artefacts contained.
+
* [[plaso]]
+
 
+
[[Category:Windows]]
+

Latest revision as of 13:45, 29 June 2014

Windows Forensic Environment
Maintainer: Windows Forensic Environment Project
OS: Windows
Genre: Live CD
License: unknown
Website: http://winfe.wordpress.com


Windows Forensic Environment - a forensically sound bootable CD/USB to acquire electronic media or conduct forensic analysis.

Windows Forensic Environment ("WinFE")

WinFE was developed and researched in 2008 by Troy Larson, Sr Forensic Examiner and Research at Microsoft [1]. WinFE is based off the Windows Pre-installation Environment of media being Read Only by default. It works similar to Linux forensic CDs that are configured not to mount media upon booting. However, unlike Linux boot CDs, with Win FE one can use Windows based software. Thus it is possible to include various forensic software and general portable utilities. WinFE can also be configured to boot from a USB device, should the evidence computer have the ability to boot to USB.

WinFE can be customized to the examiner's needs through batch files using the Windows Automated Install Kit (WAIK) or through 3rd party utilities such as WinBuilder [2].

Some examples of Windows based forensic utilities that can run in the Windows Forensic Environment include:

  • X-Ways Forensics [3],
  • AccessData FTK Imager [4],
  • Guidance Software Encase [5],
  • ProDiscover [6],
  • RegRipper [7].

A write protection tool developed by Colin Ramsden was released in 2012 that provides a GUI for disk toggling [8]. Colin Ramsden's write protect tool effectively replaces the command line to toggle disks on/offline or readonly/readwrite.

Technical Background and Forensic Soundness

Windows FE is based on the modification of just two entries in the Windows Registry. The first key is located at "HKEY_LOCAL_MACHINE\system\ControlSet001\Services\MountMgr". The DWord "NoAutoMount" has to be set to "1". By doing this the Mount-Manager service will not automatically mount any storage device. The second key is "HKEY_LOCAL_MACHINE\system\ControlSet001\Services\partmgr\Parameters" where "SanPolicy" has to be set to "3". While both keys will avoid the mounting of storage devices the user has to mount the storage drive manually by using the command-line tool DiskPart, while the evidence drive does not need to be mounted for imaging/forensic access.

The latest modification (New for Windows 8) to the registry is SAN policy 4. SAN policy 4 Makes internal disks offline. Note. All external disks and the boot disk are online.

Testing has shown that mounting a volume in READ ONLY mode will write a controlling code to the disk, whereas mounting a disk in READ ONLY mode will not make any changes. Depending on the type of filesystem there is a potential modification to the disk with a documented 4-byte change to non-user created data. This modification exists for non-Windows OS disks, where Windows (FE) will write a Windows drive signature to the disk, although it is not shown to be consistent. Various issues with Linux Boot CDs can be compared [9] ).

Resources:

  • Windows Forensic Environment blog: [10]
  • Article on Win FE in Hakin9 magazine 2009-06 [11]
  • step-by-step Video to create a Win FE CD [12]
  • WinPE Technical Reference: [13]
  • Windows Automated Installation Kit: [14]
  • WinFE Write Protect tool [15]
  • WinFE Online Training course [16]