Hi all,
I'm new to DFIR and I'm helping on an incident case. After getting the VHD image, I found that the prefetch folder is empty. Any idea why the folder is empty?
Many thanks,
Mor
Prefetch is most likely disabled on this system. You can check the registry to see if it's enabled.
Look in the following registry hive
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
There's a DWORD value called EnablePrefetcher
If that value is set to 0, then prefetch is disabled. Windows sometimes disables prefetch on computers with SSD drives. As SSD drives can be quite fast, there's not always a significant performance improvement from using prefetch. Since prefetch generates more write cycles on the disk, it wears down the SSD. It's possible that in your case, Windows may have disabled prefetch. However, if you have reason to believe that anti-forensics were used as part of your forensic/IR case, then you may want to look for evidence that suggests that this was done deliberately.
Hope this helps you,
JP
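To make JP's registry check concrete for an imaged system, here is an added example (not part of the original thread) that reads the setting from the SYSTEM hive offline instead of on the live host. It assumes, hypothetically, that the VHD is attached read-only with its Windows volume at E:\ and that it runs in an elevated PowerShell session on the analysis machine. Two details matter for an offline hive: CurrentControlSet does not exist there, so the current ControlSet00N has to be resolved through the Select key, and the .pf files are written by the SysMain service (formerly Superfetch), so its Start value is worth reading alongside EnablePrefetcher.

```powershell
# Added example, not from the original thread: check prefetch settings in the
# SYSTEM hive of the imaged machine offline, without booting the evidence.
# Assumptions (hypothetical): the VHD is attached read-only and its Windows volume
# is E:\ on the analysis box; this runs in an elevated PowerShell session.

$HivePath = 'E:\Windows\System32\config\SYSTEM'   # assumed location inside the mounted image
$TempKey  = 'HKLM\EvidenceSYSTEM'                  # temporary name the hive is loaded under

reg.exe load $TempKey $HivePath | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "reg load failed: is the image mounted at E:\ and is this shell elevated?"
}

try {
    # An offline hive has no CurrentControlSet link; that symlink only exists on a
    # live system. The Select key records which ControlSet00N was used at last boot.
    $select     = Get-ItemProperty -Path 'HKLM:\EvidenceSYSTEM\Select'
    $controlSet = 'ControlSet{0:D3}' -f $select.Current
    $base       = "HKLM:\EvidenceSYSTEM\$controlSet"

    # EnablePrefetcher: 0 = disabled, 1 = application launch only,
    # 2 = boot only, 3 = application launch and boot.
    $meaning = @{ 0 = 'disabled'; 1 = 'application launch only'
                  2 = 'boot only'; 3 = 'application launch and boot' }
    $pfKey = "$base\Control\Session Manager\Memory Management\PrefetchParameters"
    $pf    = Get-ItemProperty -Path $pfKey -ErrorAction SilentlyContinue
    if ($null -eq $pf) {
        "$controlSet : PrefetchParameters key not present"
    } elseif ($null -eq $pf.EnablePrefetcher) {
        "$controlSet : EnablePrefetcher value not present"
    } else {
        $value = [int]$pf.EnablePrefetcher
        "{0}: EnablePrefetcher = {1} ({2})" -f $controlSet, $value, $meaning[$value]
    }

    # The .pf files are written by the SysMain service (formerly Superfetch). If it
    # is not set to start, the Prefetch folder stays empty whatever EnablePrefetcher says.
    # Start: 2 = automatic, 3 = manual, 4 = disabled.
    $svc = Get-ItemProperty -Path "$base\Services\SysMain" -ErrorAction SilentlyContinue
    if ($svc) {
        $startMeaning = @{ 2 = 'automatic'; 3 = 'manual'; 4 = 'disabled' }
        "SysMain service Start = {0} ({1})" -f $svc.Start, $startMeaning[[int]$svc.Start]
    } else {
        'SysMain service key not present in this control set'
    }
}
finally {
    # Drop references and force a collection so the hive can be unloaded cleanly.
    $select = $pf = $svc = $null
    [GC]::Collect()
    reg.exe unload $TempKey | Out-Null
}
```

Run it against the mounted image and read both lines together: EnablePrefetcher = 0, or a SysMain Start of 4, each explains an empty folder on its own. For the anti-forensics angle JP raises, compare the last-write timestamp of the PrefetchParameters and SysMain keys (shown by offline hive viewers such as Registry Explorer) with the incident window; a change made close to the intrusion is worth following up, while a default Server configuration will show timestamps from installation.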
Is the system a Windows server?
Yes, Windows
Thanks JP. Checking on the image.
Is it a Server system, such as Windows 2008, 2012, 2016, or 2019?
Good point… it would be disabled by default on a Server system!
It is Windows Server 2016.
Seems disabled by default.