Hunt for Attacker Techniques and Tactics Using Prefetch Files

Trace files, or Prefetch files, have been around in Windows since XP. Since then, they have helped digital forensics and incident response specialists find traces of executed programs, including malware. Oleg Skulkin, a leading computer forensics specialist at Group-IB, explains what can be found in Prefetch files and how to do it.

Prefetch files are stored in the %SystemRoot%\Prefetch directory and serve to speed up program launches. If we look at any of these files, we will see that its name consists of two parts: the name of the executable file and an eight-character checksum of the path to it.

Prefetch files contain a lot of information that is useful from a forensic point of view: the name of the executable file, the number of times it was launched, lists of files and directories the executable interacted with, and, of course, timestamps. Forensic examiners usually use the creation date of a particular Prefetch file to determine when the program was first launched. In addition, these files store the date of its last launch and, starting with version 26 (Windows 8.1), the timestamps of the seven launches before that.

Let's take one of the Prefetch files, extract data from it using Eric Zimmerman's PECmd, and look at each part of it. To demonstrate, I will extract data from the file CCLEANER64.EXE-DE05DBE1.pf.

So let's start at the top. Of course, we have file creation, modification, and access timestamps:

They are followed by the name of the executable file, the checksum of the path to it, the size of the executable file, and the version of the Prefetch file:

Since we are dealing with Windows 10, next we will see the number of launches, the date and time of the last launch, and seven more timestamps indicating previous launch dates:

They are followed by information about the volume, including its serial number and creation date:

Last but not least, a list of directories and files that the executable interacted with:

So, the directories and files that the executable interacted with are exactly what I want to focus on today. It is this data that allows specialists in digital forensics, incident response or proactive threat hunting to establish not only the fact that a particular file was executed, but also, in some cases, to reconstruct the specific tactics and techniques of the attackers. Today, attackers often use tools that permanently delete data, such as SDelete, so the ability to recover at least traces of the use of certain tactics and techniques is simply necessary for any modern defender - a computer forensic specialist, an incident responder, a threat hunter.

Let's start with the Initial Access tactic (TA0001) and its most popular technique, Spearphishing Attachment (T1193). Some cybercriminal groups are quite creative in their choice of such attachments. For example, the Silence group used CHM (Microsoft Compiled HTML Help) files for this, which gives us one more technique - Compiled HTML File (T1223). These files are opened with hh.exe, so if we extract data from its Prefetch file, we will find out which file the victim opened:

Let's continue with real case examples and move on to the next tactic, Execution (TA0002), and the CMSTP technique (T1191). Microsoft Connection Manager Profile Installer (CMSTP.exe) can be used by attackers to run malicious scripts. A good example is the Cobalt group. If we extract data from the Prefetch file for cmstp.exe, we can again find out what exactly was launched:

Another popular technique is Regsvr32 (T1117). Regsvr32.exe is also often used by attackers for execution. Here is another example from the Cobalt group: if we extract data from the Prefetch file for regsvr32.exe, we will again see what was launched:

The next tactics are Persistence (TA0003) and Privilege Escalation (TA0004), with Application Shimming (T1138) as the technique. Carbanak/FIN7 used this technique to maintain persistence on the system. Application compatibility databases (.sdb files) are typically installed with sdbinst.exe, so the Prefetch file of this executable can help us find out the names of such databases and their location:

As the PECmd output shows, we get not only the name of the file used for the installation, but also the name of the installed database.

Let's take a look at one of the most typical examples of Lateral Movement (TA0008) - PsExec over Windows Admin Shares (T1077). A service named PSEXECSVC (of course, any other name can be used if the attackers supplied the -r parameter) is created on the target system, so if we extract the data from its Prefetch file, we will see what was run:

I will finish, perhaps, where I started - File Deletion (T1107). As I have noted, many attackers use SDelete to permanently delete files at various stages of the attack life cycle. If we look at the data from the Prefetch file for sdelete.exe, we will see what exactly was removed:


Of course, this is not an exhaustive list of the techniques that can be uncovered by analysing Prefetch files, but it should be enough to show that such files help not only to find traces of execution, but also to reconstruct the specific tactics and techniques of attackers.
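To show how the pieces described above (the stored run timestamps and the loaded-file list from the structure walkthrough, and the executable-to-technique pairings from the case examples) combine into a triage step, here is an added example that is not part of the article and not PECmd's own code. The record layout, the noise-path list, the PSEXESVC.EXE service binary name and the sample records are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime

# Executables the article ties to a technique, keyed by Prefetch executable name,
# with the ATT&CK IDs it cites (PSEXESVC.EXE as the PsExec service binary is assumed).
TECHNIQUES = {
    "HH.EXE": "Compiled HTML File (T1223) / Spearphishing Attachment (T1193)",
    "CMSTP.EXE": "CMSTP (T1191)",
    "REGSVR32.EXE": "Regsvr32 (T1117)",
    "SDBINST.EXE": "Application Shimming (T1138)",
    "PSEXESVC.EXE": "PsExec over Windows Admin Shares (T1077)",
    "SDELETE.EXE": "File Deletion (T1107)",
}
# Loaded files under these prefixes are treated as OS/runtime noise (assumed list).
NOISE_PREFIXES = ("\\WINDOWS\\", "\\PROGRAM FILES\\", "\\PROGRAM FILES (X86)\\")

@dataclass
class PrefetchRecord:
    """Fields an extractor such as PECmd reports for one .pf file (layout assumed)."""
    executable: str     # e.g. "SDELETE.EXE"
    run_count: int
    last_runs: list     # up to eight datetimes stored by version 26+ files
    files_loaded: list  # paths from the file-reference section

def strip_device(path: str) -> str:
    """Drop the \\DEVICE\\HARDDISKVOLUMEn prefix so prefix matching is uniform."""
    parts = path.upper().split("\\", 3)
    if len(parts) == 4 and parts[1] == "DEVICE":
        return "\\" + parts[3]
    return path.upper()

def suspicious_files(rec: PrefetchRecord) -> list:
    """Loaded files outside the noise prefixes: the attachment, script, .sdb or wiped file."""
    return [p for p in map(strip_device, rec.files_loaded)
            if not p.startswith(NOISE_PREFIXES)]

def hunt(records: list) -> list:
    """Map each record of a technique-linked executable to (exe, technique, files)."""
    return [(r.executable.upper(), TECHNIQUES[r.executable.upper()], suspicious_files(r))
            for r in records if r.executable.upper() in TECHNIQUES]

def timeline(records: list) -> list:
    """Merge every stored run timestamp into one sorted execution timeline."""
    return sorted((t, r.executable.upper()) for r in records for t in r.last_runs)

SAMPLE = [  # constructed sample records, not data from a real case
    PrefetchRecord("HH.EXE", 1, [datetime(2019, 3, 1, 9, 2)],
                   ["\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
                    "\\DEVICE\\HARDDISKVOLUME2\\USERS\\USER\\DOWNLOADS\\INVOICE.CHM"]),
    PrefetchRecord("SDELETE.EXE", 2, [datetime(2019, 3, 1, 11, 40), datetime(2019, 3, 1, 9, 30)],
                   ["\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\KERNEL32.DLL",
                    "\\DEVICE\\HARDDISKVOLUME2\\USERS\\USER\\DOWNLOADS\\INVOICE.CHM"]),
]
```

Running hunt(SAMPLE) surfaces the opened CHM attachment and the same file later wiped by SDelete, and timeline(SAMPLE) orders those runs so the two findings can be read as one sequence.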

Source: habr.com