IR 307: Prefetch Forensics (15 pts)

What You Need for This Project

Purpose

To practice analyzing Prefetch folder data. Prefetch is a Windows feature intended to make applications load faster on multi-use client systems. It has the side effect of leaving a forensic trail of recently used programs.

Viewing the Prefetch Folder

On your Windows machine, at the bottom, click the yellow folder icon to open File Explorer.

Navigate to

C:\Windows\Prefetch

The folder is empty, as shown below.

This is because Prefetch is disabled by default on Windows Server.

Enabling Prefetch

In Server Manager, at the top right, click Tools.

Click "Windows PowerShell"

In PowerShell, execute these commands, as shown below:

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v EnablePrefetcher /t REG_DWORD /d 3 /f

reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Prefetcher" /v MaxPrefetchFiles /t REG_DWORD /d 8192 /f

Enable-MMAgent -OperationAPI

net start sysmain

Launching Applications

At the lower left of your desktop, click the blue e to launch Internet Explorer.

Click Start and type WORDPAD. In the search results, click WORDPAD.

Viewing the Prefetch Folder Again

In File Explorer, viewing the

C:\Windows\Prefetch

folder, at the top, click the curved-arrow Refresh button.

The folder shows entries for IEXPLORE.EXE and WORDPAD.EXE, as shown below.

Running "Vulnerable Server"

We'll download and launch this application, to create forensic artifacts to examine.

On your Windows machine, in Internet Explorer, open this page:

http://getfirefox.com

Install Firefox.

In Firefox, go to

http://sites.google.com/site/lupingreycorner/vulnserver.zip

If that link doesn't work, try this alternative download link.

Save the "vulnserver.zip" file in your Downloads folder.

Click Start, "File Explorer". Navigate to your Downloads folder.

In your Downloads folder, right-click vulnserver.

Click "Extract All...", Extract.

A "vulnserver" window opens. Double-click vulnserver.

In the "Open File - Security Warning" box, click OK.

The Vulnserver application opens, as shown below.

Downloading PECmd

On your Windows Server, in Internet Explorer, go to

https://ericzimmerman.github.io/

Click the number next to PECmd, as shown below.

Click Save.

Click "Open folder".

A File Explorer window appears showing the Downloads folder.

Right-click PECmd and click "Extract All..." Extract.

A window appears showing PECmd.exe.

At the top left, click File. Point to "Open command prompt", and click "Open command prompt as administrator", as shown below.

In the User Account Control box, click Yes.

Running PECmd

Right-click the Start button and click "Command Prompt (admin)".

In the Command Prompt window, execute this command, as shown below.

PECmd.exe -d "C:\Windows\Prefetch" --csv "C:\exam"

Several pages of messages scroll by, ending with three lines of purple text, as shown below.

Installing OpenOffice

The results are hard to read without a spreadsheet, so we'll install a free one.

In Internet Explorer, go to

https://www.openoffice.org/download/

Click the "Download full installation" button, as shown below.

The next page shows a timer at 5 seconds, which doesn't count down.

Click "Problems Downloading" and click "direct link".

Click Save.

Click "Open folder".

Double-click the installer and install the software with the default options.

Viewing the Prefetch Analysis

In File Explorer, navigate to C:\exam.

You see two CSV files.

Right-click the first one and click "Open with", "OpenOffice Calc", as shown below.

In OpenOffice, click Next and click Finish.

In the Text Import box, check the Comma box and clear all the other boxes, as shown below.

Click OK.

A spreadsheet appears, showing one line per application launched.

Right-click the VULNSERVER line and click Copy, as shown below.

Click the Start button and type NOTEPAD.

In the search results, click NOTEPAD.

In Notepad, press Ctrl+V to paste in the data about VULNSERVER.

From the Notepad menu bar, click View, "Word Wrap".

Complete information about the VULNSERVER launch appears, as shown below.


Flag IR 307.1: DLL Filename (15 pts)

Every DLL used by the program is listed. Find the DLL that was launched from the DOWNLOADS\VULNSERVER folder. The DLL file's name is covered by a green box in the image below.

That's the flag.
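The spreadsheet-and-Notepad steps above can also be done programmatically. The following Python script is an added example, not part of this lab or of PECmd itself: it reads a constructed, cut-down CSV in the shape of PECmd's --csv export (the column names ExecutableName, RunCount, LastRun and FilesLoaded follow PECmd's output; the volume serial, user name and the DLL name PLACEHOLDER.DLL are made up and are not the flag), prints a run-count triage table, and lists the DLLs that VULNSERVER.EXE loaded from the DOWNLOADS\VULNSERVER folder.

```python
import csv
import io
import ntpath

# Constructed sample in the shape of a PECmd --csv export, reduced to four of its
# columns. Volume serial, user name and the DLL name are made up for illustration.
VOL = r"\VOLUME{01d5959a1ab3c2d4-a1b2c3d4}"


def _row(exe, count, last, files):
    # PECmd writes the loaded-file list as one quoted field, items joined by ", "
    joined = ", ".join(VOL + p for p in files)
    return f'{exe},{count},{last},"{joined}"'


SAMPLE_CSV = "ExecutableName,RunCount,LastRun,FilesLoaded\n" + "\n".join([
    _row("WORDPAD.EXE", 1, "2019-11-07 18:02:11",
         [r"\WINDOWS\SYSTEM32\NTDLL.DLL",
          r"\PROGRAM FILES\WINDOWS NT\ACCESSORIES\WORDPAD.EXE"]),
    _row("VULNSERVER.EXE", 2, "2019-11-07 18:05:43",
         [r"\WINDOWS\SYSTEM32\NTDLL.DLL",
          r"\USERS\ADMINISTRATOR\DOWNLOADS\VULNSERVER\VULNSERVER.EXE",
          r"\USERS\ADMINISTRATOR\DOWNLOADS\VULNSERVER\PLACEHOLDER.DLL",
          r"\WINDOWS\SYSTEM32\WS2_32.DLL"]),
]) + "\n"


def load_rows(csv_text):
    """Parse PECmd-style CSV text into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def files_loaded(row):
    """Split the FilesLoaded field back into individual volume-relative paths."""
    return [p.strip() for p in row["FilesLoaded"].split(", ") if p.strip()]


def run_summary(rows):
    """Map executable name -> (run count, last run) for a quick triage table."""
    return {r["ExecutableName"]: (int(r["RunCount"]), r["LastRun"]) for r in rows}


def dlls_loaded_from(rows, exe_name, folder_fragment):
    """Return DLL file names that exe_name loaded from a path containing folder_fragment.
    Comparison is case-insensitive because Prefetch stores paths in upper case."""
    hits = []
    for r in rows:
        if r["ExecutableName"].upper() != exe_name.upper():
            continue
        for path in files_loaded(r):
            up = path.upper()
            if folder_fragment.upper() in up and up.endswith(".DLL"):
                hits.append(ntpath.basename(path))
    return hits


if __name__ == "__main__":
    rows = load_rows(SAMPLE_CSV)
    for exe, (count, last) in run_summary(rows).items():
        print(f"{exe:16} runs={count} last={last}")
    print(dlls_loaded_from(rows, "VULNSERVER.EXE", r"\DOWNLOADS\VULNSERVER"))
```

To run it against real output, replace SAMPLE_CSV with the contents of the main CSV file PECmd wrote to C:\exam (not the _Timeline one).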



Posted 11-7-19
em dashes changed to normal dashes in PowerShell command 11-8-19