How Forensic Experts Use Windows Prefetch

To a computer forensics expert like Paula Januszkiewicz, Windows Prefetch files are a virtual treasure trove that can reveal not only what has happened on an operating system but when it took place. In this brief tutorial, Paula shares the tool and method needed to unlock the contents of these digital artifacts.

Prefetch files offer a digital snapshot of events inside your Windows operating system (OS). Because they are created when an executable program is run from a particular location for the very first time, forensic specialists can use these files to determine what was running and when.

In the event of a cyber-attack, the timeline of evidence captured in Prefetch files can prove extremely useful in determining the root cause. However, unlocking their secrets is dependent on knowing the right method and having the right tools.

In this example, Paula uses CQPrefetchParser.exe to analyze Prefetch files and reveal the execution history of executable programs in the OS. This tool, created by experts at CQURE, can be used to detect which DLLs were loaded and how many times a particular executable has run.

Using Prefetch, you can investigate which different types of executables were running in the operating system. The CQPrefetchParser tool has several options. It takes as a parameter a Prefetch file to analyze. You can also specify only the directory that contains the Prefetch files, or use /out, which lets you decompress the PF file to an output location.

CQPrefetchParser shows all the paths that were related to that particular Prefetch file, as well as the modules, i.e. the different DLLs that were loaded while this particular executable was running. Additionally, you can see part of the execution history, for example how many times notepad.exe was executed and when I last had it open.

CQPrefetchParser is a great tool to support Prefetch analysis while performing forensics, but Prefetch files themselves can be deleted if an attacker has administrative privileges on that computer. So remember that you may have to use some audit tools to eventually recover Prefetch files in order to analyze them in the future.
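The two paragraphs above describe what a Prefetch parser extracts (executable name, loaded DLLs and paths, run count, last run time) and warn that the files can be tampered with. The following Python script is an added worked example and is not CQURE's CQPrefetchParser (whose source is not on this page): it parses an uncompressed .pf file and pulls out those same fields, and it checks that the hash embedded in the file name matches the one in the header, which is a cheap consistency check against renamed or altered files. Offsets for format versions 17 (XP/2003), 23 (Vista/7) and 26 (8.1) follow the publicly documented SCCA layout; the version 30 (Windows 10/11) run-count offset is an assumption (208, as in version 26; some Windows 10 builds use 200), and the NOTEPAD.EXE sample, its hash 0x1A2B3C4D and the listed DLL paths are constructed test data. Windows 10+ files are usually compressed (signature "MAM") and must be decompressed first, which is what the /out option mentioned above is for.

```python
"""Minimal parser for uncompressed Windows Prefetch (.pf) files (added example).

Not CQURE's CQPrefetchParser; a self-contained illustration of the SCCA layout.
Versions 17 (XP/2003), 23 (Vista/7) and 26 (8.1) follow the documented format;
the version 30 (Windows 10/11) run-count offset is an ASSUMPTION (208, as in
version 26; some Windows 10 builds use 200).  Compressed ("MAM") files must be
decompressed before they are passed to parse_prefetch().
"""
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# version -> (Windows family, offset of last-run FILETIME(s), slots, run-count offset)
LAYOUTS = {
    17: ("Windows XP/2003", 120, 1, 144),
    23: ("Windows Vista/7", 128, 1, 152),
    26: ("Windows 8.1", 128, 8, 208),
    30: ("Windows 10/11", 128, 8, 208),  # run-count offset assumed; see docstring
}
# The file-information block starts at 84 in every version; the filename-strings
# offset and size are the two uint32 fields at +16 and +20 inside it.
FILENAME_STRINGS_FIELDS = 84 + 16


def filetime_to_datetime(ft):
    """Convert a Windows FILETIME (100 ns ticks since 1601-01-01 UTC) to datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def parse_prefetch(data, pf_filename=None):
    """Return the forensic fields of one uncompressed .pf file as a dict."""
    if data[:3] == b"MAM":
        raise ValueError("compressed prefetch file; decompress it before parsing")
    version, signature, _, file_size = struct.unpack_from("<I4sII", data, 0)
    if signature != b"SCCA" or version not in LAYOUTS:
        raise ValueError(f"unsupported prefetch file (sig={signature!r}, version={version})")
    family, ts_offset, ts_slots, rc_offset = LAYOUTS[version]

    # Executable name: 60 bytes of UTF-16LE at offset 16; path hash at offset 76.
    executable = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    path_hash = struct.unpack_from("<I", data, 76)[0]

    # Files and DLLs touched during the traced start-up: NUL-separated UTF-16LE strings.
    str_off, str_size = struct.unpack_from("<II", data, FILENAME_STRINGS_FIELDS)
    region = data[str_off:str_off + str_size].decode("utf-16-le")
    loaded_files = [s for s in region.split("\x00") if s]

    # Last run time(s): version 26+ keeps the eight most recent; unused slots are zero.
    raw_times = struct.unpack_from(f"<{ts_slots}Q", data, ts_offset)
    last_run_times = [filetime_to_datetime(t) for t in raw_times if t]

    run_count = struct.unpack_from("<I", data, rc_offset)[0]

    # A .pf is named <EXE>-<HASH>.pf.  A mismatch with the header means the file
    # was renamed or otherwise tampered with and deserves a closer look.
    expected_name = f"{executable}-{path_hash:08X}.pf"
    matches = None if pf_filename is None else pf_filename.upper() == expected_name.upper()

    return {
        "version": version, "windows": family, "file_size": file_size,
        "executable": executable, "path_hash": f"{path_hash:08X}",
        "expected_filename": expected_name, "filename_matches_hash": matches,
        "run_count": run_count, "last_run_times": last_run_times,
        "loaded_files": loaded_files,
    }


# Constructed sample data (not captured from a real system).
SAMPLE_LAST_RUN = datetime(2021, 11, 23, 18, 0, tzinfo=timezone.utc)
SAMPLE_FILES = (
    "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
    "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\KERNEL32.DLL",
    "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NOTEPAD.EXE",
)


def build_sample_prefetch(executable="NOTEPAD.EXE", path_hash=0x1A2B3C4D,
                          run_count=7, last_run=SAMPLE_LAST_RUN, files=SAMPLE_FILES):
    """Assemble a constructed version-23 (Windows 7) .pf image for exercising the parser."""
    strings = "".join(f + "\x00" for f in files).encode("utf-16-le")
    sections = 84 + 156                      # header + version-23 file-information block
    volumes_off = sections + len(strings)    # empty volumes block = end of file
    header = struct.pack("<I4sII", 23, b"SCCA", 0, volumes_off)
    header += executable.encode("utf-16-le").ljust(60, b"\x00")
    header += struct.pack("<II", path_hash, 0)
    info = struct.pack("<9I", sections, 0, sections, 0,      # file metrics, trace chains (empty)
                       sections, len(strings),              # filename strings
                       volumes_off, 0, 0)                   # volumes (none)
    info += b"\x00" * 8
    info += struct.pack("<Q", datetime_to_filetime(last_run))   # lands at absolute offset 128
    info += b"\x00" * 16
    info += struct.pack("<I", run_count)                        # lands at absolute offset 152
    info += b"\x00" * (156 - len(info))
    return header + info + strings


if __name__ == "__main__":
    record = parse_prefetch(build_sample_prefetch(), "NOTEPAD.EXE-1A2B3C4D.pf")
    for key, value in record.items():
        print(f"{key:22}: {value}")
```

To run it against real evidence, read a .pf file in binary mode and pass its bytes plus the on-disk file name to `parse_prefetch()`; the `filename_matches_hash` field and the last run timestamps are the pieces that feed a timeline, and the `loaded_files` list is the equivalent of the module/DLL view described above.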
