Description:
Windows caches portions of frequently accessed programs in order to speed up program launches. The prefetch folder reveals which programs you have been running recently, how many times you executed the program and when you last executed the program. This is one place where forensic investigators should look at first when looking at a compromised/suspect machine. Keith Lee has created a
Meterpreter module and an
independent tool prefetch-tool to demonstrate this.
According to Keith's submission to us: "The inspiration for this meterpreter script came from Pauldotcom Ep171 (
http://pauldotcom.com/wiki/index.php/Episode171) Windows prefetch folder contains a lot of information about:
1. Recently run programs
2. How often certain programs are executed Based on this information, you can find out how the target machine was used by the user and perhaps the roles of the computer.
Check out my blog post here
http://milo2012.wordpress.com/2009/10/22/meterpreter-script-for-prefetch-tool/You can contact me on twitter at
@keith55 or keith.lee2012[at]gmail.com "
Tags: basics ,
Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying.
Comments: