
Welcome to the Surviving Digital Forensic Training Series: Windows Prefetch Forensics!
The goal of this class is to teach you a valuable computer forensics skill all in about one hour. The Windows prefetch artifact is a core Windows operating system artifact that provides insight to help advance computer forensic investigations. Knowing how to work with this artifact is a critical skill for all analysts.
This lecture goes over the goals of the Windows prefetch class and what students will learn upon completion.
This lecture provides an overview of the tools you will be using in this class. The SDF series focuses on using low-cost / no-cost computer forensic tools built by the DFIR community.
It is recommended that you use a Windows 10 or Windows 8 operating system for your practical platform. Earlier versions of the Windows operating system will not be able to interpret the newer prefetch file format.
Downloads:
WinPrefetchView: http://www.nirsoft.net/utils/win_prefetch_view.html
FTK Imager: https://accessdata.com/product-download
Forensic Registry Editor: https://www.pinguin.lu/fred
This lecture explains what the Windows prefetch artifact is and why it is one of the core Windows forensic artifacts examiners use for investigations.
This lecture reviews the forensic value of the Windows prefetch artifact and goes over how examiners should approach incorporating prefetch evidence into an investigation.
This lecture breaks down the Windows prefetch artifact into its different forensic components to help examiners better understand the information the artifact contains.
Windows prefetch files have different file headers depending on the operating system version that generated the prefetch artifact. Knowing how to identify and differentiate between these file headers becomes important during forensic interpretation and recovery processes, such as carving for prefetch files in unallocated space.
The associated windows prefetch registry key provides additional insight into the use of the Windows prefetch on the system under investigation. This lecture reviews the registry settings that may impact an investigation.
This lecture reviews additional caveats that are important to understand when working with Windows prefetch evidence.
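The two lectures above cover the version-dependent file header and the prefetch registry setting. As an added example that is not part of the course materials, the following Python script shows how an examiner can classify a prefetch file from its fixed header (the Windows 10 MAM compressed wrapper versus the uncompressed SCCA header of earlier versions), recover the version, executable name and stored hash from an uncompressed header, scan a raw blob for header offsets the way a carver would, and interpret the EnablePrefetcher DWORD. The sample prefetch bytes, the executable name and the hash value are constructed placeholders with the real field layout; the carving routine goes a little beyond the lecture text by also rejecting a stray "SCCA" string that is not preceded by a known version number.

```python
import struct

# Format version (first uint32 of an uncompressed prefetch file) and the
# Windows generation that writes it.
PREFETCH_VERSIONS = {
    17: "Windows XP / Server 2003",
    23: "Windows Vista / 7",
    26: "Windows 8.x",
    30: "Windows 10",
}
SCCA_SIGNATURE = b"SCCA"      # at offset 4 of an uncompressed prefetch file
MAM_SIGNATURE = b"MAM\x04"    # Windows 10 LZXPRESS Huffman compressed wrapper

# Meaning of the EnablePrefetcher DWORD under
# HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters
ENABLE_PREFETCHER = {
    0: "disabled",
    1: "application launch prefetching only",
    2: "boot prefetching only",
    3: "application launch and boot prefetching",
}


def identify_prefetch(data: bytes) -> dict:
    """Classify a blob as a compressed or uncompressed prefetch file and
    pull the fields that live in the fixed part of the header."""
    if len(data) >= 8 and data[:4] == MAM_SIGNATURE:
        # Windows 10 writes prefetch files compressed. Only the signature and
        # the uncompressed size are readable here; the payload needs an
        # LZXPRESS Huffman decoder (e.g. RtlDecompressBufferEx on Windows)
        # before the SCCA header below becomes visible.
        uncompressed_size = struct.unpack_from("<I", data, 4)[0]
        return {"kind": "compressed", "uncompressed_size": uncompressed_size}

    if len(data) >= 84 and data[4:8] == SCCA_SIGNATURE:
        version = struct.unpack_from("<I", data, 0)[0]
        file_size = struct.unpack_from("<I", data, 12)[0]
        # Executable name: 60 bytes of UTF-16LE at offset 16, null terminated.
        name_field = data[16:76].decode("utf-16-le", errors="replace")
        executable = name_field.split("\x00", 1)[0]
        prefetch_hash = struct.unpack_from("<I", data, 76)[0]
        return {
            "kind": "uncompressed",
            "version": version,
            "os": PREFETCH_VERSIONS.get(version, "unknown version"),
            "file_size": file_size,
            "executable": executable,
            "prefetch_hash": prefetch_hash,
        }

    return {"kind": "unknown"}


def carve_prefetch_headers(blob: bytes) -> list:
    """Return (offset, kind) for every plausible prefetch header in a raw
    byte blob such as an unallocated-space dump. An 'SCCA' hit is only kept
    when the four bytes before it hold a known version number."""
    hits = []
    pos = blob.find(SCCA_SIGNATURE)
    while pos != -1:
        start = pos - 4
        if start >= 0 and struct.unpack_from("<I", blob, start)[0] in PREFETCH_VERSIONS:
            hits.append((start, "uncompressed"))
        pos = blob.find(SCCA_SIGNATURE, pos + 1)
    pos = blob.find(MAM_SIGNATURE)
    while pos != -1:
        hits.append((pos, "compressed"))
        pos = blob.find(MAM_SIGNATURE, pos + 1)
    return sorted(hits)


def describe_enable_prefetcher(value: int) -> str:
    """Translate the EnablePrefetcher DWORD into what it means for an exam."""
    return ENABLE_PREFETCHER.get(value, f"unexpected value {value}")


def read_enable_prefetcher():
    """On a live Windows host read EnablePrefetcher via winreg; on any other
    platform return None (offline hives are a job for a hive parser)."""
    try:
        import winreg
    except ImportError:
        return None
    key_path = (r"SYSTEM\CurrentControlSet\Control\Session Manager"
                r"\Memory Management\PrefetchParameters")
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        value, _ = winreg.QueryValueEx(key, "EnablePrefetcher")
    return value


def build_sample_uncompressed(version: int, exe_name: str, file_size: int = 0x400,
                              prefetch_hash: int = 0x7D62B9F7) -> bytes:
    """Constructed test data: the real header layout with placeholder contents.
    The hash is an arbitrary number, not computed with the real SCCA algorithm."""
    header = struct.pack("<I4sII", version, SCCA_SIGNATURE, 0x11000000, file_size)
    name = exe_name.encode("utf-16-le")[:58].ljust(60, b"\x00")
    header += name + struct.pack("<I", prefetch_hash) + b"\x00" * 4
    return header.ljust(file_size, b"\x00")


# Constructed samples: a Windows 10 style compressed stub (no real payload),
# a version 30 uncompressed header, and a fake unallocated-space blob that
# also carries a bare "SCCA" string to show the carver's false-positive check.
SAMPLE_COMPRESSED = MAM_SIGNATURE + struct.pack("<I", 0x2A00) + b"\x00" * 32
SAMPLE_UNCOMPRESSED = build_sample_uncompressed(30, "CCLEANER64.EXE")
SAMPLE_UNALLOCATED = (b"\xAA" * 40 + SAMPLE_COMPRESSED + b"\x00" * 16
                      + SAMPLE_UNCOMPRESSED + b"SCCA" + b"\xFF" * 8)

if __name__ == "__main__":
    print(identify_prefetch(SAMPLE_UNCOMPRESSED))
    print(identify_prefetch(SAMPLE_COMPRESSED))
    print(carve_prefetch_headers(SAMPLE_UNALLOCATED))
    print(describe_enable_prefetcher(3))
```

Run it as-is to see the constructed samples classified, or point identify_prefetch at the bytes of a real .pf file from C:\Windows\Prefetch. On a Windows 10 image the first call will report a compressed file, which is exactly why the course notes that older hosts and older tools cannot read the newer format without a decompressor.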
This section covers several validation exercises that demonstrate how user-driven activity affects the prefetch artifact. These are "live" demos that you may follow along with by downloading WinPrefetchView and using any executable to test.
Download:
WinPrefetchView: http://www.nirsoft.net/utils/win_prefetch_view.html
This lecture validates what happens to the artifact when a new executable is run for the first time.
This lecture validates what happens to the artifact when an executable is run multiple times on the system.
This lecture validates what happens to the artifact when an executable is run from a USB device on the system.
This lecture validates what happens to the artifact when an executable that has been run on the system is deleted and the system is rebooted.
This lecture reviews the artifact support files for each executable and their forensic value.
Sometimes when an application is "shut down" by a user it does not completely exit; instead it only minimizes itself and keeps running in the background. Under these circumstances the application is only truly shut down when the computer is turned off or the user kills the background task. This lecture reviews the effect on the artifact under these circumstances.
This lecture examines the CCleaner application prefetch evidence using the knowledge gained from the validation exercises to demonstrate practical interpretation of the artifact for investigations.
This section reviews several computer forensic tools that may be used to examine prefetch evidence. Each section goes over how to acquire, set up and use the tool, as well as a review of the typical findings each tool will produce.
Attached is sample Windows prefetch data you can use for the forensic tool exercises. The sample is from a Windows 10 system, so if you are not using a Windows 8 or Windows 10 operating system you may not be able to decode the Windows prefetch format for viewing.
This lecture walks you through the process of setting up and using FTK Imager on your Windows forensic system. Demo system is Windows 10.
FTK Imager: https://accessdata.com/product-download
This lecture walks you through the process of setting up and using WinPrefetchView on your Windows forensic system. Demo system is Windows 10.
Downloads:
WinPrefetchView: http://www.nirsoft.net/utils/win_prefetch_view.html
This lecture walks you through the process of setting up and using CDQR on your Windows forensic system. Demo system is Windows 10.
Downloads:
CDQR: https://github.com/rough007/CDQR/releases
Plaso: https://github.com/log2timeline/plaso/releases
This lecture walks you through the process of installing and using RegRipper on your Windows forensic system. Demo system is Windows 10.
Downloads:
RegRipper: https://github.com/keydet89/RegRipper2.8
This lecture walks you through the process of installing Windows Prefetch Parser on your Windows forensic system. Demo system is Windows 10.
Downloads:
WindowsPrefetchParser: https://github.com/PoorBillionaire/Windows-Prefetch-Parser
Python: https://www.python.org/downloads/windows/
This lecture walks you through using Windows Prefetch Parser on your Windows forensic system. Demo system is Windows 10.
This lecture wraps up what we have learned about the Windows prefetch and its application in computer forensic investigations.
Thank you for checking out the Surviving Digital Forensic Training Series!
Be sure to check out the other classes in the series here at Udemy.
Check out the Digital Forensics Survival Podcast and listen to talk about computer forensic analysis, techniques, methodology, tool reviews and more: http://digitalforensicsurvivalpodcast.com
Welcome to the Surviving Digital Forensics series. This class is focused on helping you become a better computer forensic examiner by understanding how to use Windows Prefetch data to prove file use and knowledge - all in about one hour.
As with previous SDF classes, you will learn by doing. The class begins with Windows prefetch fundamentals and provides an understanding of how the artifact works. Then students delve into several validation exercises to observe how user-driven activity affects Windows prefetch evidence. The last section teaches students how to use several freely available, DFIR community built forensic tools to examine prefetch evidence. By the end of the class students will have a solid understanding of how to use the Windows prefetch as evidence, understand the types of user behaviors that affect the prefetch, and know how to use Windows prefetch forensic tools.
Expert and novice computer forensic examiners alike will gain from this class. Since we are doing it the SDF way, we are going to teach you real computer forensic skills that you can apply using our method or with any forensic tool you choose. Therefore you are not just going to learn about the Windows prefetch; you will learn a method you can use to answer questions that may come up in the future.
A PC running Windows 8 or Windows 10 is required for this course. The forensic tools we use are all freely available, so beyond your laptop and operating system all you need is the desire to become a better computer forensic examiner.