Prefetch folder is empty

(@morpheusc)
Posts: 5
Active Member
Topic starter
 

Hi all,

I'm new to DFIR, and I'm helping on an incident case. After getting the VHD image, I found that the Prefetch folder is empty. Any idea why the folder is empty?

Many thanks,
Mor

 
Posted : 23/01/2020 5:46 pm
(@bytesdigger)
Posts: 8
Active Member
 

Prefetch is most likely disabled on this system. You can check the registry to see if it's enabled.

Look in the following registry hive:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters

There's a DWORD value called EnablePrefetcher.

If that value is set to 0, then prefetch is disabled. Windows sometimes disables prefetch on computers with SSD drives. As SSD drives can be quite fast, there's not always a significant performance improvement from using prefetch. Since prefetch generates more write cycles on the disk, it wears down SSDs. It's possible that in your case, Windows may have disabled prefetch. However, if you have reason to believe that anti-forensics were used as part of your forensic/IR case, then you may want to look for evidence that suggests that this was done deliberately.

Hope this helps you,

JP

 
Posted : 23/01/2020 10:35 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Is the system a Windows server?

 
Posted : 24/01/2020 11:43 am
(@morpheusc)
Posts: 5
Active Member
Topic starter
 

Yes, Windows

 
Posted : 24/01/2020 1:44 pm
(@morpheusc)
Posts: 5
Active Member
Topic starter
 

Thanks JP. Checking on the image.

 
Posted : 24/01/2020 1:57 pm
keydet89
(@keydet89)
Posts: 3568
Famed Member
 

Is it a Server system, such as Windows 2008, 2012, 2016, or 2019?

 
Posted : 24/01/2020 4:14 pm
(@bytesdigger)
Posts: 8
Active Member
 

Good point… it would be disabled by default on a Server system!

 
Posted : 25/01/2020 3:58 am
(@morpheusc)
Posts: 5
Active Member
Topic starter
 

It is Windows Server 2016.

 
Posted : 28/01/2020 5:11 pm
(@morpheusc)
Posts: 5
Active Member
Topic starter
 

Seems disabled by default.

 
Posted : 28/01/2020 5:19 pm
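Added example, written for this page and not code from JP, keydet89 or the thread: a PowerShell pass over the SYSTEM hive taken from the mounted VHD that performs JP's EnablePrefetcher check against an offline hive and also records the SysMain service state behind the Server-default point raised later in the thread. The mount letter E:, the load name HKLM\CaseSYSTEM and the Prefetch folder path are assumptions; the script resolves the active control set from Select\Current because an offline hive has no CurrentControlSet link.

```powershell
# Added example, not from the thread: read EnablePrefetcher from an offline
# SYSTEM hive copied out of the mounted VHD. Mount letter and load name are assumptions.
# Run from an elevated PowerShell; work on a copy of the hive, never the evidence itself.
$HivePath = 'E:\Windows\System32\config\SYSTEM'   # assumed: VHD mounted as E:
$Mount    = 'HKLM\CaseSYSTEM'                      # assumed: temporary load point

reg.exe load $Mount $HivePath | Out-Null
try {
    # An offline hive has no CurrentControlSet link; Select\Current names the live one.
    $current = (Get-ItemProperty "Registry::$Mount\Select" -Name Current).Current
    $cs      = 'ControlSet{0:D3}' -f $current
    $pfKey   = "Registry::$Mount\$cs\Control\Session Manager\Memory Management\PrefetchParameters"
    $pf      = Get-ItemProperty $pfKey -ErrorAction Stop

    # Documented EnablePrefetcher values.
    $meaning = @{
        0 = 'disabled'
        1 = 'application launch prefetching only'
        2 = 'boot prefetching only'
        3 = 'application launch and boot prefetching'
    }
    if ($null -eq $pf.EnablePrefetcher) {
        'EnablePrefetcher: value absent, OS default applies'
    } else {
        'EnablePrefetcher = {0} ({1})' -f $pf.EnablePrefetcher, $meaning[[int]$pf.EnablePrefetcher]
    }
    if ($null -ne $pf.EnableSuperfetch) { 'EnableSuperfetch = {0}' -f $pf.EnableSuperfetch }

    # The .pf files are written by the SysMain (Superfetch) service; a disabled service
    # (Start = 4) explains an empty folder even when EnablePrefetcher is non-zero.
    $svc = Get-ItemProperty "Registry::$Mount\$cs\Services\SysMain" -Name Start -ErrorAction SilentlyContinue
    $startNames = @{ 2 = 'automatic'; 3 = 'manual'; 4 = 'disabled' }
    if ($svc) { 'SysMain Start = {0} ({1})' -f $svc.Start, $startNames[[int]$svc.Start] }

    # Corroborate against the folder itself on the mounted image (assumed path).
    $pfDir = 'E:\Windows\Prefetch'
    if (Test-Path $pfDir) {
        $count = (Get-ChildItem $pfDir -Filter *.pf -ErrorAction SilentlyContinue | Measure-Object).Count
        '{0} .pf files in {1}' -f $count, $pfDir
    }
}
finally {
    [gc]::Collect()                      # release handles so the hive can unload
    reg.exe unload $Mount | Out-Null
}
```

Record all three results (EnablePrefetcher, SysMain Start, file count) in the case notes; an empty folder with both the value at 0 and the service disabled is consistent with a stock Server build rather than deliberate clearing.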