Prefetch folder is empty
morpheusc
Newbie
 

Prefetch folder is empty

Posted: Jan 23, 20 18:46

Hi all,

I'm new to DFIR, and I'm helping on an incident case. After getting the VHD image, I found that the prefetch folder is empty. Any idea why the folder is empty?

Many thanks,
Mor  
 
  

BytesDigger
Newbie
 

Re: Prefetch folder is empty

Posted: Jan 23, 20 23:35

Prefetch is most likely disabled on this system. You can check the registry to see if it's enabled.


Look in the following registry hive:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters

There's a DWORD value called: EnablePrefetcher

If that value is set to 0, then prefetch is disabled. Windows sometimes disables prefetch on computers with SSD drives. As SSD drives can be quite fast, there's not always a significant performance improvement from using prefetch. Since prefetch generates more write cycles on the disk, it wears down the SSD. It's possible that in your case, Windows may have disabled prefetch. However, if you have reason to believe that anti-forensics were used as part of your Forensic/IR case, then you may want to look for evidence that suggests that this was done deliberately.


Hope this helps you,

JP  
 
  

keydet89
Senior Member
 

Re: Prefetch folder is empty

Posted: Jan 24, 20 12:43

- morpheusc
Hi all,

I'm new to DFIR, and I'm helping on an incident case. After getting the VHD image, I found that the prefetch folder is empty. Any idea why the folder is empty?

Many thanks,
Mor


Is the system a Windows server?  
 
  

morpheusc
Newbie
 

Re: Prefetch folder is empty

Posted: Jan 24, 20 14:44

- keydet89
- morpheusc
Hi all,

I'm new to DFIR, and I'm helping on an incident case. After getting the VHD image, I found that the prefetch folder is empty. Any idea why the folder is empty?

Many thanks,
Mor


Is the system a Windows server?


Yes, Windows  
 
  

morpheusc
Newbie
 

Re: Prefetch folder is empty

Posted: Jan 24, 20 14:57

- BytesDigger
Prefetch is most likely disabled on this system. You can check the registry to see if it's enabled.


Look in the following registry hive:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters

There's a DWORD value called: EnablePrefetcher

If that value is set to 0, then prefetch is disabled. Windows sometimes disables prefetch on computers with SSD drives. As SSD drives can be quite fast, there's not always a significant performance improvement from using prefetch. Since prefetch generates more write cycles on the disk, it wears down the SSD. It's possible that in your case, Windows may have disabled prefetch. However, if you have reason to believe that anti-forensics were used as part of your Forensic/IR case, then you may want to look for evidence that suggests that this was done deliberately.


Hope this helps you,

JP


Thanks JP. Checking on the image.  
 
  

keydet89
Senior Member
 

Re: Prefetch folder is empty

Posted: Jan 24, 20 17:14

- morpheusc
- keydet89
- morpheusc
Hi all,

I'm new to DFIR, and I'm helping on an incident case. After getting the VHD image, I found that the prefetch folder is empty. Any idea why the folder is empty?

Many thanks,
Mor


Is the system a Windows server?


Yes, Windows


Is it a Server system, such as Windows 2008, 2012, 2016, or 2019?  
 
  

BytesDigger
Newbie
 

Re: Prefetch folder is empty

Posted: Jan 25, 20 04:58

- keydet89
- morpheusc
- keydet89
- morpheusc
Hi all,

I'm new to DFIR, and I'm helping on an incident case. After getting the VHD image, I found that the prefetch folder is empty. Any idea why the folder is empty?

Many thanks,
Mor


Is the system a Windows server?


Yes, Windows


Is it a Server system, such as Windows 2008, 2012, 2016, or 2019?



Good point... it would be disabled by default on a Server system!  
 
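Putting BytesDigger's registry check and keydet89's server question together: the following PowerShell is an added example, not something posted in the thread, that reads EnablePrefetcher and the ProductType from the offline SYSTEM hive of a mounted image rather than from the examiner's own live registry. It assumes the VHD is mounted read-only at D:\ and the shell runs as Administrator (reg.exe load requires it); the hive name ImageSYSTEM is an arbitrary label.

```powershell
# Added example (not from the thread): inspect the imaged system's prefetch setting.
# Assumptions: image mounted read-only at D:\, elevated shell, hive label is arbitrary.
param(
    [string]$ImageRoot = 'D:\',
    [string]$HiveName  = 'ImageSYSTEM'
)

$hivePath = Join-Path $ImageRoot 'Windows\System32\config\SYSTEM'
if (-not (Test-Path $hivePath)) { throw "SYSTEM hive not found at $hivePath" }

# Mount the offline hive under HKLM so the standard registry cmdlets can read it.
& reg.exe load "HKLM\$HiveName" $hivePath | Out-Null
try {
    # An offline hive has no CurrentControlSet; Select\Current names the control set
    # that was active when the system last ran (e.g. 1 -> ControlSet001).
    $current    = (Get-ItemProperty "HKLM:\$HiveName\Select").Current
    $controlSet = 'ControlSet{0:D3}' -f $current

    $pfKey   = "HKLM:\$HiveName\$controlSet\Control\Session Manager\Memory Management\PrefetchParameters"
    $pfProp  = Get-ItemProperty $pfKey -ErrorAction SilentlyContinue
    $meaning = @{ 0 = 'disabled'; 1 = 'application launch only'; 2 = 'boot only'; 3 = 'application and boot' }

    if ($null -eq $pfProp -or $null -eq $pfProp.EnablePrefetcher) {
        # No explicit value: the edition's built-in default applies.
        Write-Output "EnablePrefetcher: not set in $controlSet (edition default applies)"
    } else {
        $v = [int]$pfProp.EnablePrefetcher
        Write-Output "EnablePrefetcher: $v ($($meaning[$v]))"
    }

    # Edition check for keydet89's point: WinNT = workstation, ServerNT = server,
    # LanmanNT = domain controller. The thread notes Server systems disable prefetch by default.
    $productType = (Get-ItemProperty "HKLM:\$HiveName\$controlSet\Control\ProductOptions").ProductType
    Write-Output "ProductType: $productType"
}
finally {
    # Release handles before unloading so reg.exe can detach the hive cleanly.
    [GC]::Collect()
    & reg.exe unload "HKLM\$HiveName" | Out-Null
}
```

Reading the value from the image's own hive matters because the examiner's workstation will almost always report prefetch as enabled, which says nothing about the system under investigation.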