
Lab 5 – Prefetch Analysis

This lab is designed to teach the students the artifacts embedded within Prefetch files and how
to use these files to identify malware and infection circumstances.

Please install FTK Imager on your system; both 64 and 32 bit versions are included. We need to
mount the Prefetch forensic container (AD1) in FTK Imager to export the Prefetch files to
maintain original timestamps. After installing, select File>Add Evidence Item>Image File and
browse to the file “Prefetch.ad1” in the Lab 5 folder. Right click on the top level of this image
(ending in “Prefetch [AD1]”) in the “Evidence Tree” pane and select “Export Files…” and save the
files to a directory of your choosing.

We are going to use WinPrefetchView to analyze the Prefetch files: select “Options>Advanced Options” and browse to the directory in which you just saved the Prefetch files.
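The fields WinPrefetchView reads for you (executable name, the hash that forms the .pf file name, run counter, last-run time and the list of files loaded in the first seconds) can be parsed directly; the following is an example added for this page, not code from the lab or from WinPrefetchView, and the .pf image it parses is constructed in memory. It handles only the uncompressed format versions 17, 23 and 26 (Windows 10 files start with "MAM" and are LZXPRESS-Huffman compressed), the offsets follow the published Prefetch format documentation, and the last-run FILETIME is stored in UTC, which is what question 1c is about.

```python
import struct
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)   # FILETIME epoch, always UTC
# Absolute offsets of (last-run FILETIME, run counter) for the uncompressed
# format versions: 17 = XP, 23 = Vista/7, 26 = 8.1 (eight run times, newest first).
LAYOUT = {17: (120, 144), 23: (128, 152), 26: (128, 208)}

def filetime_to_utc(ticks):
    """100 ns ticks since 1601-01-01 UTC -> aware datetime (tools show this in local time)."""
    return EPOCH + timedelta(microseconds=ticks // 10)
def utc_to_filetime(dt):
    return (dt - EPOCH) // timedelta(microseconds=1) * 10

def parse_prefetch(data):
    """Return executable name, expected .pf name, run count, last run (UTC) and loaded files."""
    if data[:3] == b"MAM":
        raise ValueError("Windows 10 Prefetch is LZXPRESS-Huffman compressed; decompress first")
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA" or version not in LAYOUT:
        raise ValueError(f"not an uncompressed Prefetch file (version {version})")
    exe = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    pf_hash = struct.unpack_from("<I", data, 76)[0]          # hash in the .pf file name
    strings_off, strings_size = struct.unpack_from("<II", data, 100)
    run_off, count_off = LAYOUT[version]
    names = data[strings_off:strings_off + strings_size].decode("utf-16-le")
    return {
        "exe": exe,
        "pf_name": f"{exe}-{pf_hash:08X}.pf",
        "run_count": struct.unpack_from("<I", data, count_off)[0],
        "last_run_utc": filetime_to_utc(struct.unpack_from("<Q", data, run_off)[0]),
        "files": [s for s in names.split("\x00") if s],
    }

def build_sample(exe, pf_hash, files, last_run, run_count):
    """Constructed version-23 (Windows 7) Prefetch image carrying only the fields parsed above."""
    strings = "".join(f + "\x00" for f in files).encode("utf-16-le")
    strings_off = 84 + 156                       # 84-byte header + version-23 file-information block
    hdr = struct.pack("<I4sII", 23, b"SCCA", 0x11, strings_off + len(strings))
    hdr += exe.encode("utf-16-le").ljust(60, b"\x00") + struct.pack("<II", pf_hash, 0)
    info = bytearray(156)
    struct.pack_into("<II", info, 16, strings_off, len(strings))  # absolute 100 / 104
    struct.pack_into("<Q", info, 44, utc_to_filetime(last_run))   # absolute 128
    struct.pack_into("<I", info, 68, run_count)                   # absolute 152
    return hdr + bytes(info) + strings

SAMPLE = build_sample("SEARCHFILTERHOST.EXE", 0xAA7A1FDD,      # constructed sample, mirrors question 1
                      [r"\VOLUME{01d2f5bc8f23c7b3-2c8f7692}\WINDOWS\SYSTEM32\NTDLL.DLL",
                       r"\VOLUME{01d2f5bc8f23c7b3-2c8f7692}\WINDOWS\SYSTEM32\SEARCHFILTERHOST.EXE"],
                      datetime(2017, 8, 2, 21, 13, 42, tzinfo=timezone.utc), 885)
```

Call `parse_prefetch(open(path, "rb").read())` on a file exported from the AD1 to compare against the WinPrefetchView columns; remember that the tool's displayed time is the UTC value converted to the analysing machine's zone.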

1. Which file was executed the most number of times?

Name: SEARCHFILTERHOST.EXE-AA7A1FDD.pf
The process SEARCHFILTERHOST.EXE was started 885 times.

a. What path was this file executed from?

\VOLUME{01d2f5bc8f23c7b3-2c8f7692}\WINDOWS\SYSTEM32\SEARCHFILTERHOST.EXE

b. When was it first and last run?

It was first started on 05.07.2017 17:43:31, and the last time was on 02.08.2017 21:13:42.

c. What time zone does this represent?


2. When was Thunderbird installed?

THUNDERBIRD SETUP 52.2.1.EXE-5480B4EC.pf was installed on 06.07.2017 18:50:37.

a. When was it first used?

On 07.07.2017 17:38:08 THUNDERBIRD.EXE was started for the first time.

3. Has anything been executed from removable media? What was it and when was it run?
(Hint: Reference the Internet Lab.)

On 05.07.2017 17:48:15 GOOGLEUPDATE.EXE was executed.

* Please skip the following questions until after the Windows Event Log Lab.

4. Going back to the Event Log Lab, when was the last instance of RDP?

RDPCLIP.EXE-A3424091.pf was last started on 01.08.2017 20:55:30.

a. Are there any Prefetch files of potential interest around this time frame?

dwm.exe is an executable whose name malware authors deliberately give to their own processes in order to evade detection as viruses, worms and trojans.

b. What is psexesvc.exe? How many times was it executed?

Psexesvc.exe is an executable file that runs the Sysinternals PsExec utility, which is useful for executing processes remotely on other systems. PsExec lets users execute processes on remote systems without having to install any kind of client software on the remote computers. PsExec provides full interactivity for console applications. The program can be used to launch command prompts and to run tools such as IpConfig that otherwise have no way of displaying information about the remote system. It was executed 8 times.

c. What was executed exactly 10 seconds prior to 9129837.exe? What could this possibly mean?

9129837.exe: the process uses a port to connect to the network or to the Internet.
cmd.exe is the Microsoft Windows command-line file. The command line provides text-based access to the file system and to computer programs.

d. Look at the bottom pane of files accessed during the first 10 seconds after 9129837.exe was executed. Does anything else seem anomalous?

What happened after 10 seconds is not described in the bottom pane, because the time column is not shown.
