Evidence of file execution

Don’t Deny It!

When you were a child, did you ever do something that you shouldn’t have, and when caught and subsequently questioned by your parents as to whether you just did something which is glaringly obvious, did you deny it?

Have you ever had an end user in a corporate scenario deny they executed a downloaded file when what’s happening on their endpoint is in direct contradiction to what they’re saying?

Have you received an alert from the SOC or your SIEM that shows someone is running a hacking tool, and when you try to find it, you can’t? Or when you find it and the investigation commences, they deny it was ever run?

This is where evidence of execution comes in. When you were a child, you may have been told not to touch something. You did, then dropped it, and now it is broken. Denying you touched it is pointless at this point (assuming the right circumstances are in place: say it was a ceramic teacup, and it had to be touched to fall off the table and break. In this instance your parents know you touched the teacup).

Windows prefetch is one of the many forensic artefacts that will prove a file was run on a system, i.e. evidence of execution. Which user account ran the file, and proving who was at the keyboard, is a totally different matter and not the point of this post, but this will get you started.

Windows prefetch is a folder found on Windows client operating systems, originally created to speed up access to frequently used programs. I have a feeling this is partly because Windows writes files back anywhere on the disk (requiring defragmentation), but also because spindle drives were slow and anything that improved the performance of file opening and the user experience was beneficial. Yes, I did say Windows client OSs; you will not find prefetch on a server. It’s a shame, but it’s not turned on by default for some reason.

Where’s Prefetch?

So you can browse to C:\Windows\Prefetch and see a bunch of files in there. At face value there’s not much value here. It’s in the underlying metadata. Today I want to introduce a tool from nirsoft called WinPrefetchView. You can get it from here: https://www.nirsoft.net/utils/win_prefetch_view.html

Nirsoft have heaps of other small and useful utilities that are as useful to sysadmins as to forensic analysts. Upon opening WinPrefetchView, everything is right where you need it. The most important columns here are:

  • Filename
  • Created Time
  • Process Exe
  • Process Path
  • Run Counter
  • Last Run Time

[Screenshot: WinPrefetchView main window]

In the screenshot above, I’ve toggled on highlighting Odd/Even rows, which is available from the ‘View’ menu.

I’ll avoid the obvious ones here, but what’s valuable is the “Run Counter”. If the focus of the investigation is more malware-based, you might expect to see the run counter with a value of 1, maybe 2 (if the binary is designed to execute without any user notification, the user may try running it again, unsure as to why nothing appeared on screen, which is why you would expect to see 2). For more frequently used programs you’ll see much higher run counts.

Also look at “Last Run Time”: in the case of someone running hacking tools, or torrent software for example, it tells you when. Using timestamps helps you narrow your focus for the rest of the investigation. Whether it’s malware or malpractice, having a point in time from which you can draw a line for the investigation is critical.

Use this to correlate with firewall logs and security card swipe access, or pass it on to the security guards to recall and back up CCTV footage. Everything works backwards (or potentially forwards as well) from this mark.

Antiforensics and Wiping the wiper!

A final point I want to make about Prefetch is that it can also help you see if someone is attempting anti-forensics. As Rob Lee from SANS says, you can’t “wipe the wiper”. If someone uses a file wiping tool, sure, they can clear the evidence of the original file, but then there’s evidence of the file wiper, generally visible within prefetch (the last 128 files are kept for older versions of Windows and potentially up to 256 for Windows 10; I can’t recall the source on this so I could be wrong).
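To show where the “Process Exe”, “Run Counter” and “Last Run Time” columns come from in the raw artefact, here is an added Python example (not from this post or from NirSoft) that reads them straight out of an uncompressed .pf file and applies the low-run-count heuristic described above. The byte offsets follow the publicly documented Prefetch layout; the two .pf samples (a twice-run wiper-style binary and a frequently used editor) are constructed inside the script, and names such as WIPER.EXE are made up for the demonstration.

```python
import struct
from datetime import datetime, timedelta, timezone

# Offsets for uncompressed .pf files (publicly documented format, e.g. libscca):
# version -> (last-run FILETIME offset, number of last-run slots, run-counter offset).
# The 84-byte header (version, "SCCA", UTF-16 executable name at 16) is common to all.
LAYOUT = {
    17: (120, 1, 144),  # Windows XP / Server 2003
    23: (128, 1, 152),  # Vista / Windows 7
    26: (128, 8, 208),  # Windows 8 / 8.1 keep the last eight run times
}
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_prefetch(data):
    """Return exe name, run counter and last-run time(s) from raw .pf bytes."""
    if data[:4] == b"MAM\x04":  # Windows 10+ stores .pf LZXPRESS-Huffman compressed
        raise NotImplementedError("compressed Windows 10 prefetch: decompress first")
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != b"SCCA" or version not in LAYOUT:
        raise ValueError("unsupported or non-prefetch data")
    exe = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    lr_off, slots, rc_off = LAYOUT[version]
    times = struct.unpack_from("<%dQ" % slots, data, lr_off)
    run_count = struct.unpack_from("<I", data, rc_off)[0]
    return {"version": version, "exe": exe, "run_count": run_count,
            "last_runs": [filetime_to_dt(t) for t in times if t],
            # the post's heuristic: silent payloads tend to show a run counter of 1 or 2
            "low_run_count": run_count <= 2}

def build_sample_prefetch(version, exe, run_count, last_run):
    """Construct a minimal synthetic .pf for demonstration (not a real capture)."""
    lr_off, slots, rc_off = LAYOUT[version]
    buf = bytearray(rc_off + 4)
    struct.pack_into("<I4s", buf, 0, version, b"SCCA")
    name = exe.encode("utf-16-le")
    buf[16:16 + len(name)] = name
    d = last_run - EPOCH_1601  # integer arithmetic keeps the FILETIME exact
    struct.pack_into("<Q", buf, lr_off, (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10)
    struct.pack_into("<I", buf, rc_off, run_count)
    return bytes(buf)

# Constructed samples: a twice-run "wiper" on Windows 7 and a busy editor on 8.1.
SAMPLE_V23 = build_sample_prefetch(23, "WIPER.EXE", 2, datetime(2020, 1, 1, tzinfo=timezone.utc))
SAMPLE_V26 = build_sample_prefetch(26, "NOTEPAD.EXE", 57, datetime(2021, 6, 15, 9, 30, tzinfo=timezone.utc))
```

On a Vista/7/8.1 image, `parse_prefetch(open(path, "rb").read())` on a file copied out of C:\Windows\Prefetch gives the same fields WinPrefetchView shows; Windows 10 files must be decompressed before the header can be read.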

So take a look at WinPrefetchView, and good luck with your investigations!
