Skip to main content

Posts

Showing posts from April, 2024

Prefetch Internals note

1. Overview Prefetch is artifact that exists in Windows. This artifact records program execution files read by that program in 10 seconds. Prefetch is one of the most well-known artifacts, but its recording mechanism is very complex as follows. (This is an simplified version, not the whole thing.) I reversed the kernel to look for something interesting in the data related to prefetch. However, I could not find any incident response usable data. Now that I understand the mechanisms involved in prefetch, I leave this blog as a note. ・Same executable but different prefetch conditions ・High probability bypass prefetch 2. Same executable but different prefetch conditions Generally, prefetch is created for each executable file path. This is handled internally as the following NT kernel path. If the hashes of this path are the same, they are written to the same prefetch. \Device\HarddiskVolume2\Windows\System32\cmd.exe However, there are a few exceptions. You will see a l...