All SDF courses may now be found at SUMURI.COM. This course will remain live in UDEMY for existing students.
Welcome to the Surviving Digital Forensics series. This class is focused on helping you become a better computer forensic examiner by understanding how to use Windows Prefetch data to prove file use and knowledge - all in about one hour.
As with previous SDF classes you will learn by doing. The class begins with a brief overview of the Windows Prefetch and an understanding of how it works. Then we will get into a number of validation exercises to see how user activity really affects Windows Prefetch data. Learning is hands-on, and we will use low cost and no cost computer forensic tools to do so.
Expert and novice computer forensic examiners alike will gain from this class. Since we are doing it the SDF way we are going to teach you real computer forensic skills that you can apply using our method or with any forensic tool you choose. Therefore you are not just going to learn about the Windows Prefetch but you will learn a method you can use to answer questions that may come up in the future.
1. Introduction and Welcome to the SDF series
2. What this class is all about
3. How to get the most of this class
4. What is the Windows Prefetch?
5. About ".pf" files
6. "Open State" issues and other exclusions
7. Prefetch Registry Setting
8. Set up for the practicals
9. Validation Exercise: Running a program for the first time
10. Validation Exercise: Last run time
11. Validation Exercise: Flushing out rogue applications
12. Validation Exercise: Running a program from a USB device
13. Validation Exercise: Proving file use and knowledge
14. Setting up for the student practical
15. Student Practical
16. Windows 7 versus Windows 8
17. Final thoughts about the Prefetch
18. Thank you!
19. How to get your Udemy certificate
A PC running Windows 7 or Windows 8+ is required for this course. The forensic tools we use are all freely available, so beyond your operating system all you need is the desire to become a better computer forensic examiner.
Welcome to SDF! This is the second part of the "Proving File Use & Knowledge" series that I am doing. If you are looking to sharpen your computer forensics skills then you are in the right place.
In this module I give you a brief overview of what we will be doing.
It is important to understand the artifact we are working with. This module details what the Windows Prefetch is and how we can use it as computer forensic examiners. Included in this section is a PDF file with some survival tips.
In this module we will take a closer look at a Prefetch file, or a ".pf" file.
File headers do change along with the version of the Windows OS you are running. Here are some more details to help you figure out the signature you are looking for.
Understanding how the Windows Prefetch behaves is another important factor. This module talks about some things you need to always be mindful of when using Prefetch data as evidence.
Sometimes you do not see what you expect during a Prefetch analysis. If so, my first step is to check the Windows Registry key in order to see if the Prefetch is turned on for the system. This module shows you where to look and what to look for to accomplish this.
In this section we get our test system ready for the upcoming practicals.
This is the introduction practical and the beginning of our Prefetch validation exercises.
Next up is more validation and looking at multiple launches of our test application.
Windows Prefetch can be used to identify malware being run from non-standard locations. In this exercise we will take a closer look.
Make sure you do this validation exercise. I have seen different results in Windows Prefetch behavior when applications are run from an attached USB device. I test three applications in this exercise and go over the results. I suggest you do the same.
Sometimes you get file name data caught up in Prefetch File data. This often includes the file's path which leads directly back to a user account. In this exercise we will see it first hand.
So far we have been using WinPrefetchView on a live system. You can use it to analyze exported Prefetch folders from target systems too and that is exactly what you will be doing in the next student practical. I will go through the set up process.
In this practical you are working with the Prefetch files provided in the last module. Look ahead to the Student Practical Questions and answer them using WinPrefetchView and what you have learned about interpreting Windows Prefetch data.
There is a difference in the evidence you can gather from a Windows 7 system and a Windows 8 system. At this time I can only show you the difference (via a paid tool) because I am still searching for a low cost/no cost solution. For now, be advised of the difference; I will update this section as soon as I find a solution.
Solid State Drives (SSDs) affect Prefetch and SuperFetch evidence. So, depending on the evidence you are working with, you may or may not have any artifacts. In this section I show you how to determine if Prefetch or SuperFetch is enabled on a live system, as well as where this information is located in an image of the system.
Thanks for joining me in another edition of the SDF series. I hope you enjoyed the class!
Check out other classes of the SDF series at http://sumuri.com/training/surviving-digital-forensics/
Follow me on Twitter @LeclairDF to get the latest happenings of the SDF series.
Check out our Blog at http://sumuri.com/about/news/
Check out our Youtube channel https://www.youtube.com/user/SumuriNews
By the way, music "sax rock & roll" by Kevin MacLeod - incompetech (dot) com
Over twelve years of experience as a Computer Forensic Analyst, author and developer of computer forensic training and analysis tools. Specialties include: Windows forensics, Mac forensics, iOS forensics, Mac Server forensics & mobile device forensics. Creator of the "Surviving Digital Forensics" series and part of SUMURI's RECON for Mac OS X development team.
Certifications include: CFCE, CISSP, CCE, EnCE, A+, Network+
Regularly instruct law enforcement, government and corporate investigators both nationally and internationally in computer forensics.