DFIRinProgress Blog

Prefetch Files: Identifying Files Targeted by Data Extraction, Staging and Exfiltration


TL;DR

Why Should I Care? Prefetch files provide significant value to a forensic investigation and may even assist in identifying files targeted as part of data extraction, staging and exfiltration.

What Should I Consider? Consider using prefetch files to understand the files and directories referenced by an application within approximately the first 10 seconds of its execution.

Introduction

Prefetch files provide significant value to forensic investigations, particularly in providing evidence of execution. This post aims to explore how prefetch files can be used to understand a Threat Actor’s actions, focusing on the execution of archiving software such as 7-Zip.

What are Prefetch Files?

As with most forensic artefacts, prefetch files were not originally introduced for their forensic value. They were created to speed up subsequent launches of applications. To do this, prefetch files store information about the files and directories referenced by an application within roughly 10 seconds of startup. Prefetch files are enabled by default on Microsoft Windows desktop operating systems. They also record the last 8 run times of an application. Prefetch files are stored in the \Windows\Prefetch directory.

Why the Interest in Archiving Software?

Archiving software such as 7-Zip is often used for legitimate purposes yet frequently abused by Threat Actors to extract and stage data. Detecting its use after an incident can be valuable for understanding the scope of data staging where other evidence sources are unavailable. Threat Actors typically enter an environment with a prebuilt toolkit, often compressed and requiring extraction. When the toolkit is extracted using archiving software such as 7-Zip, it may be possible to identify the contents of the archive. Doing so provides indicators of compromise to support the investigation.

Using PECmd to Identify the Contents of Extracted Archived Files

Objective: Identify the contents of a Threat Actor's toolkit extracted with 7-Zip.

1. Tool of Choice: PECmd

The tool of choice is Eric Zimmerman's Prefetch Explorer Command Line (PECmd), which allows for easy analysis of prefetch files. PECmd can be downloaded directly from Eric Zimmerman's website: https://ericzimmerman.github.io

2. Collecting Prefetch Files

Before running PECmd, you need to obtain the prefetch files from the system you are investigating. Prefetch files are located under \Windows\Prefetch. Copy the desired prefetch file to a folder on your forensic workstation. In this case, we identified the prefetch file associated with 7-Zip.

3. Running PECmd

Open a PowerShell or Command Prompt and navigate to the tools directory that contains PECmd. Run PECmd on a prefetch file using the following command syntax:

PECmd.exe -f [Prefetch filename] --csv [output path]

This command asks PECmd to parse the prefetch file specified with the -f switch. The --csv switch directs the tool to write the results in CSV format to the chosen output path, which allows for easy review and revisiting as required.

4. Analyzing the Output

Below we have the terminal output of PECmd against the 7-Zip prefetch file. Several details have been parsed out of the prefetch file, including the following highlighted items:

  • Created, modified and accessed timestamps
  • Executable name and file size
  • Run count and run timestamps
  • Directories referenced
  • Files referenced

At this point the significance of prefetch files to our objective of identifying the contents of an extracted archive becomes evident. Within the PERFLOGS directory, we discover a folder named THREATACTORTOOLKIT. Furthermore, the “files referenced” section reveals the specific files extracted during this operation, including netscan, proddump, and psexec, which are commonly found in threat actor toolkits. A reminder that prefetch files only capture approximately the first 10 seconds of an application running, so there is no guarantee that the list is complete; it is an indication and a point of pivot rather than a full inventory.

Figure: PECmd Output for 7-Zip
Figure: PECmd Output for 7-Zip Cont.

Data Staging and Exfiltration

Data staging and exfiltration is another common operation by Threat Actors to support their objective of double extortion. If the files staged or exfiltrated originate from a physical drive on the system and prefetch files are enabled, it may be possible to identify the targeted files or directories. Admittedly this scenario is quite rare, as often Threat Actors will stage and exfiltrate from network shares which contain sensitive company data.

Data Exfiltration with Rclone Example Scenario

Objective: Identify files and directories targeted by Rclone for data exfiltration by a Threat Actor.

For the sake of this example, we will assume that sensitive data resides on a workstation. In the outputs below, we applied the same process described above to the prefetch file associated with Rclone. There are several referenced directories of interest, notably the directories under the CONFIDENTIALINFORMATION directory. Additionally, in the “files referenced” section, we identified several files that were targeted in the program operation, all located within the directories of interest.

Figure: PECmd Output for Rclone
Figure: PECmd Output for Rclone Cont.
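The triage performed by hand in the 7-Zip and Rclone walkthroughs above, as an added Python example that is not the blog's own code or part of PECmd: it reads PECmd's CSV output, strips the \VOLUME{...} prefix from each path, filters out OS and program-install locations, and leaves the directories and files the operator actually pointed the tool at. The column names (ExecutableName, RunCount, LastRun, Directories, FilesLoaded), the comma-joined list fields and the sample rows are assumptions constructed for this example, not real PECmd output.

```python
import csv
import io
import re

# Constructed sample shaped like PECmd --csv output (not real PECmd output).
# Column names and comma-joined list fields are assumptions about PECmd's
# CSV layout; the volume GUID is a placeholder.
SAMPLE_CSV = r'''ExecutableName,RunCount,LastRun,Directories,FilesLoaded
7Z.EXE,3,2024-01-15 10:22:31,"\VOLUME{PLACEHOLDER-GUID}\WINDOWS\SYSTEM32, \VOLUME{PLACEHOLDER-GUID}\PERFLOGS\THREATACTORTOOLKIT","\VOLUME{PLACEHOLDER-GUID}\WINDOWS\SYSTEM32\NTDLL.DLL, \VOLUME{PLACEHOLDER-GUID}\PROGRAM FILES\7-ZIP\7Z.DLL, \VOLUME{PLACEHOLDER-GUID}\PERFLOGS\THREATACTORTOOLKIT\NETSCAN.EXE, \VOLUME{PLACEHOLDER-GUID}\PERFLOGS\THREATACTORTOOLKIT\PSEXEC.EXE"
RCLONE.EXE,1,2024-01-15 11:05:02,"\VOLUME{PLACEHOLDER-GUID}\WINDOWS\SYSTEM32, \VOLUME{PLACEHOLDER-GUID}\USERS\JDOE\DOCUMENTS\CONFIDENTIALINFORMATION\FINANCE","\VOLUME{PLACEHOLDER-GUID}\WINDOWS\SYSTEM32\KERNEL32.DLL, \VOLUME{PLACEHOLDER-GUID}\USERS\JDOE\DOCUMENTS\CONFIDENTIALINFORMATION\FINANCE\Q4_FORECAST.XLSX, \VOLUME{PLACEHOLDER-GUID}\USERS\JDOE\DOCUMENTS\CONFIDENTIALINFORMATION\FINANCE\PAYROLL.CSV"
'''

# Prefetch path strings begin with a \VOLUME{...} token; strip it so paths are drive-relative.
VOLUME_PREFIX = re.compile(r"^\\VOLUME\{[^}]*\}", re.IGNORECASE)

# Locations an archiver or sync tool touches on nearly every run (the OS and its
# own install). Filtering them out leaves the paths the operator chose.
NOISE_PREFIXES = ("\\WINDOWS\\", "\\PROGRAM FILES\\", "\\PROGRAM FILES (X86)\\", "\\PROGRAMDATA\\")

def strip_volume(path: str) -> str:
    return VOLUME_PREFIX.sub("", path.strip())

def is_noise(path: str) -> bool:
    return path.upper().startswith(NOISE_PREFIXES)

def parse_pecmd_csv(text: str) -> list:
    """Read PECmd rows and split the list-valued fields into per-path lists."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["dirs"] = [strip_volume(p) for p in row["Directories"].split(",") if p.strip()]
        row["files"] = [strip_volume(p) for p in row["FilesLoaded"].split(",") if p.strip()]
        rows.append(row)
    return rows

def referenced_paths_of_interest(rows: list, executable: str) -> dict:
    """Non-noise directories and files referenced by one executable, across all its rows."""
    dirs, files = set(), set()
    for row in rows:
        if row["ExecutableName"].upper() == executable.upper():
            dirs.update(p for p in row["dirs"] if not is_noise(p))
            files.update(p for p in row["files"] if not is_noise(p))
    return {"dirs": sorted(dirs), "files": sorted(files)}

def run_summary(rows: list, executable: str):
    """(RunCount, LastRun) for an executable, or None if no prefetch row matches."""
    for row in rows:
        if row["ExecutableName"].upper() == executable.upper():
            return int(row["RunCount"]), row["LastRun"]
    return None
```

Because prefetch only records roughly the first 10 seconds of a run, the returned lists are a pivot point, not a complete inventory of what the tool touched.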

Resources