Metasploit Post Exploitation Meterpreter Script Prefetchtool

Posted By: SecurityTube_Bot
Posted On: Mon 21 Feb 2011
Views: 4679

Description:

Windows caches portions of frequently accessed programs in order to speed up program launches. The prefetch folder reveals which programs have been run recently, how many times each program was executed, and when it was last executed. It is one of the first places a forensic investigator should look when examining a compromised or suspect machine. Keith Lee has created a Meterpreter module and an independent tool, prefetch-tool, to demonstrate this.

According to Keith's submission to us: "The inspiration for this meterpreter script came from Pauldotcom Ep171 (http://pauldotcom.com/wiki/index.php/Episode171). Windows prefetch folder contains a lot of information about:

1. Recently run programs

2. How often certain programs are executed

Based on this information, you can find out how the target machine was used by the user and perhaps the roles of the computer.

Check out my blog post here http://milo2012.wordpress.com/2009/10/22/meterpreter-script-for-prefetch-tool/

You can contact me on twitter at @keith55 or keith.lee2012[at]gmail.com"

Tags: basics