This lab is designed to teach students the artifacts embedded within Prefetch files and how
to use these files to identify malware and the circumstances of an infection.
Please install FTK Imager on your system; both 64-bit and 32-bit versions are included. We need to
mount the Prefetch forensic container (AD1) in FTK Imager and export the Prefetch files from it so
that the original timestamps are preserved. After installing, select File > Add Evidence Item > Image File and
browse to the file "Prefetch.ad1" in the Lab 5 folder. Right-click the top level of this image
(ending in "Prefetch [AD1]") in the "Evidence Tree" pane, select "Export Files…", and save the
files to a directory of your choosing.
Name - SEARCHFILTERHOST.EXE-AA7A1FDD.pf
The EXE process SEARCHFILTERHOST.EXE was started 885 times.
\VOLUME{01d2f5bc8f23c7b3-2c8f7692}\WINDOWS\SYSTEM32\SEARCHFILTERHOST.EXE
It was first started on 05.07.2017 17:43:31, and the last time was on
02.08.2017 21:13:42
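To show where the values above come from inside a .pf file, here is an added example (not part of the lab materials) that reads the executable name, prefetch hash, run count, last run time and the accessed-file list directly from an uncompressed Prefetch file. It assumes the version 23 (Windows 7) field offsets as publicly documented for the SCCA format; Windows 10 files are MAM-compressed and are only detected here, not decompressed, so for the lab container a dedicated Prefetch tool is still needed. The sample file it parses is constructed in the code, with values mirroring the SEARCHFILTERHOST.EXE entry above (the last-run time is treated as UTC for the sample).

```python
"""Minimal reader for uncompressed Windows Prefetch (.pf) files in the version 23
(Windows 7) layout. Added example for this lab, not part of the lab material;
field offsets follow the publicly documented SCCA format. Windows 10 prefetch
files are MAM-compressed and must be decompressed before this reader can parse them."""
import struct
from datetime import datetime, timedelta, timezone

SCCA_SIGNATURE = b"SCCA"
MAM_SIGNATURE = b"MAM\x04"          # prefix of compressed Windows 10+ files
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Version 23 field offsets (bytes from start of file).
OFF_EXE_NAME = 0x10                 # 60 bytes, UTF-16LE, NUL terminated
OFF_HASH = 0x4C                     # prefetch hash that also appears in the file name
OFF_STRINGS = 0x64                  # offset (u32) then size (u32) of the filename strings
OFF_LAST_RUN = 0x80                 # FILETIME of the last execution
OFF_RUN_COUNT = 0x98                # number of executions
HEADER_LEN = 0xF0                   # 84-byte header + 156-byte file information block


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> timezone-aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def is_compressed(data):
    """True for the MAM-compressed format used by Windows 10 and later."""
    return data[:4] == MAM_SIGNATURE


def parse_prefetch(data):
    """Return the artifacts an examiner looks at first: name, hash, run count,
    last run time, and the files touched during the first ten seconds of execution."""
    if is_compressed(data):
        raise ValueError("MAM-compressed prefetch file: decompress before parsing")
    if len(data) < HEADER_LEN or data[4:8] != SCCA_SIGNATURE:
        raise ValueError("not an uncompressed SCCA prefetch file")
    version, = struct.unpack_from("<I", data, 0)
    if version != 23:
        raise ValueError(f"prefetch version {version} is not the version 23 layout")

    exe_name = data[OFF_EXE_NAME:OFF_EXE_NAME + 60].decode("utf-16-le").split("\x00", 1)[0]
    prefetch_hash, = struct.unpack_from("<I", data, OFF_HASH)
    str_off, str_size = struct.unpack_from("<II", data, OFF_STRINGS)
    last_run_ft, = struct.unpack_from("<Q", data, OFF_LAST_RUN)
    run_count, = struct.unpack_from("<I", data, OFF_RUN_COUNT)

    raw_strings = data[str_off:str_off + str_size].decode("utf-16-le", errors="replace")
    files = [s for s in raw_strings.split("\x00") if s]
    exe_path = next((f for f in files if f.upper().endswith("\\" + exe_name.upper())), None)

    return {
        "version": version,
        "executable": exe_name,
        "hash": f"{prefetch_hash:08X}",
        "last_run": filetime_to_datetime(last_run_ft),
        "run_count": run_count,
        "executable_path": exe_path,
        "files_accessed": files,
    }


def filename_matches(filename, parsed):
    """A .pf file is named <EXE>-<HASH>.pf; a mismatch means the file was renamed
    or its header altered, which is worth noting during an examination."""
    return filename.upper() == f"{parsed['executable']}-{parsed['hash']}.pf".upper()


def build_sample_prefetch(exe_name, prefetch_hash, run_count, last_run, files):
    """Constructed version 23 file with only the fields read above populated."""
    strings = "".join(f + "\x00" for f in files).encode("utf-16-le")
    buf = bytearray(HEADER_LEN) + strings
    struct.pack_into("<I", buf, 0, 23)
    buf[4:8] = SCCA_SIGNATURE
    struct.pack_into("<I", buf, 0x0C, len(buf))                    # file size
    name = exe_name.encode("utf-16-le")[:58]
    buf[OFF_EXE_NAME:OFF_EXE_NAME + len(name)] = name
    struct.pack_into("<I", buf, OFF_HASH, prefetch_hash)
    struct.pack_into("<II", buf, OFF_STRINGS, HEADER_LEN, len(strings))
    ft = (last_run - EPOCH_1601) // timedelta(microseconds=1) * 10   # datetime -> FILETIME
    struct.pack_into("<Q", buf, OFF_LAST_RUN, ft)
    struct.pack_into("<I", buf, OFF_RUN_COUNT, run_count)
    return bytes(buf)


# Constructed sample mirroring the SEARCHFILTERHOST.EXE entry from the lab (time taken as UTC).
SAMPLE_VOLUME = "\\VOLUME{01d2f5bc8f23c7b3-2c8f7692}"
SAMPLE_PF = build_sample_prefetch(
    "SEARCHFILTERHOST.EXE", 0xAA7A1FDD, 885,
    datetime(2017, 8, 2, 21, 13, 42, tzinfo=timezone.utc),
    [SAMPLE_VOLUME + "\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
     SAMPLE_VOLUME + "\\WINDOWS\\SYSTEM32\\SEARCHFILTERHOST.EXE"],
)

if __name__ == "__main__":
    info = parse_prefetch(SAMPLE_PF)
    print(info["executable"], info["hash"], info["run_count"], info["last_run"].isoformat())
    print("name consistent:", filename_matches("SEARCHFILTERHOST.EXE-AA7A1FDD.pf", info))
```

To use it on an exported Windows 7 .pf file, pass `open(path, "rb").read()` to `parse_prefetch` and compare the result with the exported file's name via `filename_matches`; a name that does not match the embedded executable name and hash is itself an artifact worth recording.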
3. Has anything been executed from removable media? What was it and when was it run?
(Hint: Reference the Internet Lab.)
* Please skip the following questions until after the Windows Event Log Lab.
4. Going back to the Event Log Lab, when was the last instance of RDP?
a. Are there any Prefetch files of potential interest around this time frame?
dwm.exe is an executable whose name malware authors deliberately give to their
processes in order to evade detection of viruses, worms and
trojans.
d. Look at the bottom pane of files accessed during the first 10 seconds after
9129837.exe was executed. Does anything else seem anomalous?
After 10 seconds nothing is described in the bottom pane, because the time column
is not indicated