Prefetch Deep Dive

  • Published on 7 Jan 2025

Comments • 75

  • @astro_gabe
    @astro_gabe 4 years ago +14

    This is the kind of content I enjoy the most. Thank you for your effort in producing such high quality content!

  • @jimducroiset1628
    @jimducroiset1628 4 years ago +4

    Really liked it a lot. Great length and complete explanations. Thank you, have been learning a lot. Linux forensics would be a great addition.

    • @13Cubed
      @13Cubed 4 years ago +2

      It's coming soon. :)

  • @andrewrathbun3407
    @andrewrathbun3407 4 years ago +8

    Extremely valuable! Like all your previous videos, they will be helpful for years to come.

  • @saadabdulmalik9763
    @saadabdulmalik9763 4 years ago +4

    Excellent content and explanation on Prefetch. I still learned a few new things considering I passed my 508 already :) Looking forward to deep dive videos for AMCACHE, SHIMCACHE and SHELLBAGS

  • @Deveyus
    @Deveyus 4 years ago +2

    Thank you for making these, things I learn here get used to help me build better products for users, often in the tiniest details and offhanded comments. It's really appreciated.

  • @samjohn1098
    @samjohn1098 4 years ago +2

    Extremely useful... expecting more videos like this

  • @sai1234g24
    @sai1234g24 4 years ago +3

    Excellent content, can you do a video on ShimCache and AmCache?

  • @okiplays8639
    @okiplays8639 4 years ago +1

    Yes please, more deep dives, thank you! Kinda exciting when you have new vids with detailed info, it's like sitting at the cinema and the show is about to start!

  • @CougarESP
    @CougarESP 4 years ago +1

    Thank you. This was amazing. Would love a dive into Windows Search. How it works, where to look for evidence and how to parse. For instance a user searching for IP before copying to an external drive etc.

  • @wunamede
    @wunamede 4 years ago +1

    This is a very good video, great effort, audience centric. Appreciated it and look forward to the next deep dive episode.

  • @balazslendvay7236
    @balazslendvay7236 4 years ago +1

    Excellent tutorial, keep going one-by-one like this, it helps the community a LOT!

  • @lautarob
    @lautarob 4 years ago +2

    Excellent! Thanks 😊 suggestions for new episodes: Mac osX unified logs, Shim cache

  • @gaurav572684
    @gaurav572684 4 years ago +1

    Great content and the efforts are much appreciated. This is going to help me a lot in preparing for 508. Thanks a lot Richard..!

  • @samyuj
    @samyuj 4 years ago +1

    Thank you @13Cubed!!

  • @samyuj
    @samyuj 4 years ago +2

    In my opinion these are a little better than the shorts

  • @cexesp2022
    @cexesp2022 3 years ago +1

    I wish all your videos were a deep dive, it is just a one-stop shop for the topic

    • @13Cubed
      @13Cubed 3 years ago

      There's another Deep Dive coming up late this month. It's from a guest presenter (a first for the channel), but I think you'll really enjoy it because it is very in-depth.

  • @mesutisleyen8828
    @mesutisleyen8828 2 years ago +1

    Thank you for all your hard work. I always get help from your content. If we have the chance, macOS systems forensics would be super cool

    • @13Cubed
      @13Cubed 2 years ago

      Thanks! There is one video on the channel covering .DS_Store files, but I think that's it for macOS. I will likely create some more in the future, but the primary focus will probably continue to be Windows and Linux, just because that's the vast majority of what people are investigating (and what most of the world uses).

  • @constucticons
    @constucticons 4 years ago +2

    Really liked the deep dive. Please keep them coming. :)

  • @joetaylor8089
    @joetaylor8089 4 years ago +1

    Love the deep dives and would love to see more.

  • @cameronm.2508
    @cameronm.2508 4 years ago +2

    Great new format!!

  • @KenPryor
    @KenPryor 1 year ago

    This was excellent. Thank you for such a great explanation of prefetch files.

  • @MajesticLogic
    @MajesticLogic 4 years ago +1

    After creating my own youtube channel I stumbled across your channel. I really enjoyed your videos and hope to have you as a mentor. I have subscribed to you and look forward to watching your videos.

  • @GauravSharma-pk7xt
    @GauravSharma-pk7xt 3 years ago +1

    I saw this, and was clueless earlier, now I know, this is something I would want to do all my life. Maybe Forensics was my love at first sight!
    😁

  • @StayPremiium
    @StayPremiium 3 years ago +1

    This is amazing content, keep it coming!

  • @nilanjana25
    @nilanjana25 3 years ago

    Thank you for the deep dive on prefetch. Really useful 👍🏻

  • @osamaradwan2806
    @osamaradwan2806 4 years ago +1

    Best channel indeed!

  • @kareemh91
    @kareemh91 4 years ago +1

    Thank you for your efforts, appreciated.

  • @radwanaplicant3707
    @radwanaplicant3707 4 years ago

    What is the relation with Superfetch? It seems to be DB files, but I did not find any parser for it

  • @umerkha
    @umerkha 4 years ago +1

    Hey, excellent deep dive! One question, are there any prefetch files generated for the execution of PowerShell scripts, etc?

    • @13Cubed
      @13Cubed 4 years ago

      Not for the script itself, but for powershell.exe (or whatever would run the script), yes.

  • @adityabiswaas
    @adityabiswaas 3 years ago +1

    Very cool stuff... easy to learn.

  • @mossarafzamankhan8707
    @mossarafzamankhan8707 4 years ago +1

    Valuable content. Thank you for this.

  • @ZafarPravaiz
    @ZafarPravaiz 4 years ago +1

    Fantastic episode. I have a question. What tools do you use for Windows 10 memory acquisition? Really appreciate your time and efforts to produce such content.

    • @13Cubed
      @13Cubed 4 years ago +1

      Magnet RAM Capture or DumpIt.

  • @fevingeorge5603
    @fevingeorge5603 4 years ago +1

    Thank you so much for the rich content.

  • @gerardocaudillo1902
    @gerardocaudillo1902 4 years ago +1

    This is awesome!!! Thank you!!

  • @jimducroiset1628
    @jimducroiset1628 4 years ago +1

    I know it’s been a bit since this episode, but I still use it occasionally for review, have you seen or looked into malwarearcheology\ARTHIR at all? It’s based on the Kansa framework but extends it to be able to push binaries and retrieve output. Could make for an interesting episode. Thanks for all of this great information!

    • @13Cubed
      @13Cubed 4 years ago

      Haven't looked at it, but I'll check it out!

  • @StayPremiium
    @StayPremiium 3 years ago

    Does anyone know if the prefetch file NTOSBOOT still exists in Win10 systems or was it 8 and prior? Also if it is now gone, has it been replaced by anything? TIA

  • @abdullahsmadi1570
    @abdullahsmadi1570 11 months ago

    I think it is a great video about prefetch files.

  • @ab866
    @ab866 4 years ago

    Very informative videos. Is it possible for you to make a detailed video on Windows process and registry analysis?
    I know you have created videos on these topics, but I am referring to a video that can cover them in much more detail.
    Thanks!

  • @emilbirch3866
    @emilbirch3866 3 years ago

    Very well explained, thanks!

  • @JaKeizBrick33
    @JaKeizBrick33 4 years ago +1

    Very good video. Thank you!

  • @gunblad3
    @gunblad3 4 years ago +1

    Thanks for posting. Asking from a past case: What about ntosboot prefetch? Is it only present on servers, and on by default? (in spite of prefetch being off by default)

    • @13Cubed
      @13Cubed 4 years ago

      Perhaps a topic for another video. To be honest, I haven't done a lot of research there. This academic paper has a good bit of info on the topic, and may interest you: citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.736.1911&rep=rep1&type=pdf

    • @gunblad3
      @gunblad3 4 years ago

      Thanks nonetheless! Will dig in.

  • @supremum100
    @supremum100 4 years ago +2

    Keep going! Nice videos!

  • @whitemouse229
    @whitemouse229 10 months ago

    I found 2 anti-forensics methods for prefetch: the first is to secure delete the prefetch folder twice, and the second is to use a USB boot to secure delete the prefetch folder.

  • @madhuvantthy7668
    @madhuvantthy7668 4 years ago +1

    Shimcache would be GREAT. Thank you!!!! Also, I would like to know how to perform threat hunting from parquet files. I have converted them to data frames in Python; what do I do next, how do I prepare the report? It doesn't seem to be available anywhere online and I'd love it if you could help me out. GREAT content, loved it.

    • @13Cubed
      @13Cubed 4 years ago

      Thanks for the feedback. Unfortunately, no experience with Hadoop so I wouldn't be able to advise you there.

  • @connorpayne8210
    @connorpayne8210 2 years ago

    Amazing video! Sorry if this is a silly question and is answered elsewhere, but I tried to find some reference material regarding how to parse prefetch by hand (e.g., from hex) but can't, to see if this would be possible. You mentioned that sometimes executables like SVCHost or RunDLL32 will have a separate prefetch file for different command line arguments; is it possible to extract these arguments from the prefetch file itself? Again, sorry if I misunderstood this.

    • @13Cubed
      @13Cubed 2 years ago +1

      The hex you referred to is actually a hash -- there is no way to "reverse" that process. You could perhaps create a hash of the binary's path and arguments using that particular hashing algorithm and compare the computed hash to the hash associated with the PF file name, but I don't think that's very well documented. As for the command line arguments, no, no way to obtain those from the parsed PF file that I am aware of.

    • @connorpayne8210
      @connorpayne8210 2 years ago

      @13Cubed Thank you

  • @castle228
    @castle228 4 years ago

    New to the channel. Excellent content! Thanks!

    • @13Cubed
      @13Cubed 4 years ago

      Thanks, and welcome!

  • @shauryashrivastava8965
    @shauryashrivastava8965 4 years ago +3

    Can you bring a complete Malware Analysis and Reverse Engineering course for absolute beginners, so that complete newbies find it easy and can get started easily? Please?

    • @13Cubed
      @13Cubed 4 years ago +1

      I'm not an RE person by trade, but I do have a few episodes covering those topics. Check out the Introduction to Malware Analysis playlist.

  • @caredess
    @caredess 4 years ago +1

    Premium content, thank you ;)

  • @homelylad
    @homelylad 1 month ago

    What do you mean by "dumping the memory" into volatility ?

    • @13Cubed
      @13Cubed 1 month ago

      If you acquire memory using DumpIt or a similar tool (or perform a snapshot in a VMware ESXi environment and retrieve the resulting VMEM and VMSN files), you can analyze the memory with Volatility. This often allows you to extract prefetch information directly from memory, which can be particularly useful in scenarios where prefetch files have been purged from disk as part of anti-forensic efforts. In such cases, memory analysis may still enable you to recover valuable data.

    • @homelylad
      @homelylad 1 month ago

      @13Cubed Oh gotcha, by the way I love your content so much man, thanks for your service :)

    • @13Cubed
      @13Cubed 1 month ago

      Thank you!

  • @garrysingh4484
    @garrysingh4484 4 years ago +1

    When is .DS_Store etc. coming??

    • @13Cubed
      @13Cubed 4 years ago +3

      In a week or so for Patreon supporters, and either late this month or next for everyone else.

  • @karreevn9085
    @karreevn9085 1 year ago

    How to convert the volume{…} to drive letters in Python bro :)

  • @sulthansk6444
    @sulthansk6444 4 years ago

    Thanks for the video...

  • @cexesp2022
    @cexesp2022 3 years ago +1

    Like before watching

  • @rohithkalvala9315
    @rohithkalvala9315 2 years ago +1

    If possible, can you start Linux forensics training on your channel?

    • @13Cubed
      @13Cubed 2 years ago +1

      Yes! I am planning to do so as time allows.

    • @rohithkalvala9315
      @rohithkalvala9315 2 years ago

      @13Cubed thanks a lot!

  • @Grid21
    @Grid21 4 months ago

    Ok, but I want a simple answer: SSDs are STUPID FAST, especially with high speed DDR3, 4, and now 5, and soon DDR6, so why the hell do we need Prefetch, when history tells us that things will get faster? Asking your OS to write useless files to an SSD that is ALREADY fast is rather pointless, right? Am I wrong? Am I right? Can I just disable something stupid like Prefetch and let my RAM and SSD do all the heavy lifting?

    • @13Cubed
      @13Cubed 4 months ago

      Keep in mind that prefetch is also keeping track of the files and directories with which a given binary interacts. It's more than just a simple caching mechanism, and does make a meaningful difference in performance. You can try disabling it even on an SSD-based system and measure the performance difference.
      All of that said, the feature itself is not really what's of interest to us as forensic investigators; rather, it's the data the feature provides to us. Even if you were correct and it was useless, as long as the data is accessible to us and helps us paint a clearer picture of what happened on a given system, that's what we care about.