Helpful Navigation Toolbar

Friday, February 21, 2014

Using Prefetch Files to Perform Triage Analysis


The topic of today's post is one of the methods that I use to help determine which system(s) are possibly infected with malware as quickly as possible. I will not cover the basic structure and formatting of the Windows Prefetch files, as there are PLENTY of topics on that. If you want to learn more, I highly recommend starting with the Prefetch entry on the ForensicsWiki if you are not familiar with the structure of Prefetch files. To be very brief, when an executable is run on a system, the Windows operating system usually creates a Prefetch file associated with that executable and records everything that the executable accesses within 10 seconds of starting. Admittedly there are MANY factors that can change what data is recorded in the Prefetch files, including malware itself, and, in some cases like systems with solid state drives, sometimes Prefetch files don't exist at all.

But once again, this post is not going to be focusing on that. This post is going to go through a quick-walk through of collecting data from a system and using some tools to help parse out data that we want. This post will cover analyzing Prefetch files to determine when applications were run and what possible files of interest that the application(s) accessed. For this scenario I pulled the Prefetch files from a system that was infected with a ZeuS variant (md5: 611614c95937e1a53394d31a3c6e18be)

After we gather the Prefetch files from the system(s), we can start our analysis. In order to accomplish this, I wrote a small Perl script, which you can download here. (md5: 3f5f48f5bfe52d97a71d01b7874e94b8)(SHA1: c166f04b8130760ead947fb49d2919e40c65a93a)

The only non-standard module required to run it is IO:All, which is a great file system module that you should be using if you are not! Please feel free to make any modifications or adjustments to my code as well, but if you have any ideas for improvement please share!! I decided to take the time to write this script, rather than relying on other tools, for two reasons. The first is that I wanted to be able to try to pull out files of interest (files in user directories, temp directories, files ending in .txt and .dat, etc.) quickly rather than having to sort through lots of text. For example, the output of the raw data (954KB) is quite a bit more than the possible files of interest data (160KB). 


File size comparison of all Prefetch file data (-alldata), compared to files of interest (-foi), run with no flags (which happen to be the same size in this case) and Prefetch file metadata (-pfmetadata). Hooray data reduction!

The second reason is that I often try to carve Prefetch files from unallocated space in an effort to try to determine historical execution times and I haven't found a tool that will parse partial Prefetch files that well (you can run my script with the -pfmetadata flag and it will only pull out filenames, OS version, times run, and last run time(s)). This can be useful when trying to determine possibly how long something had been present without solely relying on system timestamps.


My Excel Prefetch entries on a Windows 8.1 laptop

As we go through the output of the script, one item in particular interest jumps out as being strange. There is a file named "PO.exe" that was executed one time under the file path "\DEVICE\HARDDISKVOLUME1\USERS\ROCKET_RACCOON\APPDATA\ROAMING\TUTMGIFSFYPBW\PO.EXE". 


PrefetchIOC-parser.pl file of interest output for "PO.exe"

This seems like an oddly named folder, so I browsed to that directory and, sure enough, I found a file named "PO.exe" under that path.  I also found a registry entry for "PO.exe", under the "HKCU\Software\Microsoft\Windows\CurrentVersion\Run\PO" path, which is a method of persistence that both malicious and non-malicious programs can utilize on a Windows machine. Additionally, a check of the hash on VirusTotal shows that the file is indeed malicious. 

38/48 detection ratio, from 5 months ago!


Taking a look at Prefetch files can lead an examiner in the right direction of trying to determine if a device is compromised or not. While it is not always a 100% definitive answer, looking at Prefetch files can be a another method that an examiner can use when trying find the evil that may reside on a device. It is part of the reason that I included Prefetch file copying in my Windows Live Response tool set. I hope that this quick walk through has been insightful and hopefully you can try to use a similar methodology on cases you may encounter! 

PS: Be sure to make a copy of the contents of the Prefetch folder and run the script against that location. It will not work against the contents of the Prefetch folder on a live machine. Once again, why I included Prefetch copying as part of the Windows Live Response tools!



No comments:

Post a Comment