Prefetch on Windows Servers

wilber999
Member
 

Prefetch on Windows Servers

Posted: Jun 18, 09 03:01

In responding to incidents, I typically gather valuable information from the PREFETCH on Windows workstations. However, Windows servers have the PREFETCH capability turned off by default.

Questions:
1. Is there a technical reason that this is off?
2. Is there harm in enabling this for clients that I assist in Incident preparation?

Any info is greatly appreciated.
_________________
Bill Dean, CCE 
 
  

keydet89
Senior Member
 

Re: Prefetch on Windows Servers

Posted: Jun 18, 09 03:08

- wilber999
In responding to incidents, I typically gather valuable information from the PREFETCH on Windows workstations. However, Windows servers have the PREFETCH capability turned off by default.

Questions:
1. Is there a technical reason that this is off?


If by "Windows servers" you mean Windows 2003, then application prefetching is disabled by default by Microsoft. This is likely due to the fact that servers are not necessarily intended for day-to-day use from the console for things like, well...running applications. For example, in most circles, checking email and web browsing from a server is a huge NO-NO. The same can be said for word processing...why would you want to do that from a server?

Boot prefetching, however, is enabled by default.

- wilber999

2. Is there harm in enabling this for clients that I assist in Incident preparation?


No, not necessarily...I mean, if you're not running a number of applications from the server, then I can't really see where there'd be a significant performance hit.

However, that does beg the question...why would you *want* to enable it? What does it give you that you cannot get from another source? For example, on Windows XP, application prefetch files can tell us that an application was run, when it was last run, and how many times it had been run. But we can also get that, even on Windows 2003, from the UserAssist keys within the user's hive files. Keep in mind that application prefetch files are NOT user-specific.

So...why would you want to enable application prefetching on Windows servers for "incident preparation"?  
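Added example, not code from the thread or either poster: a small parser for the Windows XP / Server 2003 Prefetch header (format version 17) that pulls out the three facts keydet89 lists, which executable ran, when it last ran and how many times. The sample header it builds is constructed for offline testing; the executable name, timestamp, run count and hash in it are assumed values, not a real artifact.

```python
"""Parse the header of a Windows XP / Server 2003 (format version 17) Prefetch
file to recover the three facts keydet89 lists: which executable ran, when it
last ran and how many times. Offsets follow the documented v17 layout; the
sample header built below is constructed for offline testing, not a real .pf."""
import struct
from datetime import datetime, timedelta, timezone

PF_VERSION_XP_2003 = 17
PF_SIGNATURE = b"SCCA"
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME counts 100-ns ticks from here


def filetime_to_datetime(ticks: int) -> datetime:
    return _FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def parse_pf_v17(data: bytes) -> dict:
    """Return executable name, hash, last run time (UTC) and run count."""
    if len(data) < 0x98:
        raise ValueError("truncated Prefetch header")
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != PF_SIGNATURE or version != PF_VERSION_XP_2003:
        raise ValueError(f"not a v17 Prefetch file (version={version}, sig={sig!r})")
    # 0x10: executable name, 60 bytes UTF-16LE, NUL terminated
    exe_name = data[0x10:0x4C].decode("utf-16-le").split("\x00", 1)[0]
    # 0x4C: prefetch hash, the hex suffix of NAME.EXE-XXXXXXXX.pf
    pf_hash = struct.unpack_from("<I", data, 0x4C)[0]
    # v17 file-information block starts at 0x54: last run FILETIME sits at
    # 0x78 and the run counter at 0x90
    last_run_ft = struct.unpack_from("<Q", data, 0x78)[0]
    run_count = struct.unpack_from("<I", data, 0x90)[0]
    return {"executable": exe_name, "hash": f"{pf_hash:08X}",
            "last_run_utc": filetime_to_datetime(last_run_ft), "run_count": run_count}


def build_sample_pf(exe: str, last_run: datetime, run_count: int, pf_hash: int) -> bytes:
    """Constructed minimal v17 header (sample input only, not a real artifact)."""
    hdr = bytearray(0x98)
    struct.pack_into("<I4s", hdr, 0, PF_VERSION_XP_2003, PF_SIGNATURE)
    name = exe.encode("utf-16-le")
    hdr[0x10:0x10 + len(name)] = name
    struct.pack_into("<I", hdr, 0x4C, pf_hash)
    ticks = ((last_run - _FILETIME_EPOCH) // timedelta(microseconds=1)) * 10
    struct.pack_into("<Q", hdr, 0x78, ticks)
    struct.pack_into("<I", hdr, 0x90, run_count)
    return bytes(hdr)


SAMPLE_LAST_RUN = datetime(2009, 6, 18, 3, 1, tzinfo=timezone.utc)  # constructed value
SAMPLE_PF = build_sample_pf("CMD.EXE", SAMPLE_LAST_RUN, 7, 0x12345678)  # constructed header

if __name__ == "__main__":
    print(parse_pf_v17(SAMPLE_PF))
```

Because the header carries no user SID, the output shows what ran and when but not who ran it, which is exactly why the reply points to the per-user UserAssist keys for attribution.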
 
  

wilber999
Member
 

Re: Prefetch on Windows Servers

Posted: Jun 18, 09 04:12

My last couple of incidents have involved terminal servers/citrix servers in remote desktop mode. In addition, enabling it in other instances has allowed me to determine information needed to help determine information to resolve the issue.

Enabling it (and the ability to recover the deleted .pf files) provides more information that helps me to determine the what, when, and how many times executed of an application and determine which userassist hives to parse to determine the "offender". This would be specific to terminal servers where there are many profiles.
_________________
Bill Dean, CCE 
 
  

keydet89
Senior Member
 

Re: Prefetch on Windows Servers

Posted: Jun 18, 09 06:05

- wilber999
My last couple of incidents have involved terminal servers/citrix servers in remote desktop mode. In addition, enabling it in other instances has allowed me to determine information needed to help determine information to resolve the issue.


Well, based on your experience, I would say that it's probably a good thing.

Keep in mind, though, that this may have limited success. For example, my team is still seeing a lot of Conficker, which installs as a ServiceDll; this doesn't show up in the Prefetch files on XP systems. You will, however, be able to find the other debris and artifacts left by the infection.

Where this will work for you is if a user runs an unauthorized application...you may also find entries in the UserAssist keys (for GUI apps) and the user's MUICache key, as well. Depending upon the application launched, you may also find other artifacts that point to a user.

- wilber999
Enabling it (and the ability to recover the deleted .pf files) provides more information that helps me to determine the what, when, and how many times executed of an application and determine which userassist hives to parse to determine the "offender". This would be specific to terminal servers where there are many profiles.


I'm not sure I follow the "...and determine which userassist hives to parse..." part.  