Sunday, July 5, 2015

Windows 10 - Analyzing "FILEZILLA.EXE-93859B09.pf" prefetch file

In the previous post we painted a scenario. In this post we will continue where we left off.

The Windows 10 prefetch file is compressed, thus trying to read it like a Windows 7 or earlier prefetch file is not possible. As a result, we have to put in some work to learn about it. Let's do just that!

Putting in work!
Thanks to some excellent research done by the people in the references, our job has been made somewhat easier.

First let's decompress "FILEZILLA.EXE-93859B09.pf". To do this we will use the python script "w10pfdecomp.py", which is listed in the reference section.

Now that we have "FILEZILLA.EXE-93859B09.pf" decompressed to "FILEZILLA.EXE-93859B09.pf.DECOMPRESSED", let's see what strings of interest are related to FileZilla.

We can see that the file was run from "\VOLUME{01d0afe55dc4b8c4-8e60ce0c}\USERS\SECURIYNIK\DESKTOP\FILEZILLA_3.11.0.2_WIN32\FILEZILLA-3.11.0.2\FILEZILLA.EXE".

This already is an indication that yes, we are making progress and that this file was actually executed.

Let's dig deeper.

Verifying the name of the executable which was run
The above executable "FILEZILLA.EXE" clearly matches the "FILEZILLA.EXE-93859B09.pf" filename.

Verifying the hash of the file

From the above, the hash shown in hex as "09 9B 85 93" also matches the hash found in the filename. Note that the byte order is reversed (the value is stored little-endian), so
"09 9B 85 93" is read as "93 85 9B 09".

Size of the .pf file?

The size of the file is reported as "E0 43 01 00". Let's convert this to decimal. Note that we once again need to change the byte order: this time "E0 43 01 00" becomes "00 01 43 E0", which converts to "82912".

Let's compare the decompressed file size with what Windows provides us for its properties.

Looking at the size we calculated and the size reported by Windows, it is safe to conclude that the file size is "82912" bytes.

Number of times it was executed?

Let's find out how many times this program was executed.

From the above we see that "FILEZILLA.EXE" ran 1 time, as shown by the hex "01 00 00 00".

What time was the program executed?

So far we know the program ran. However, knowing what time it ran may help us perform some correlation and get a clearer picture.

From the above we see the timestamp "F1 8C 8C E9 C8 B6 D0 01". As in the previous cases, we need to change the byte order before converting this to decimal, so the hex value becomes "01 D0 B6 C8 E9 8C 8C F1". Converted to decimal, the value is "130805363221761260". This value is a Windows FILETIME (what the converter below calls an LDAP timestamp): the number of 100-nanosecond intervals since January 1, 1601. Using an online calculator we get the time as follows:

From the above we have the execution time as local time "7/4/2015, 10:18:42 pm".
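Reproducing the three conversions above (hash, size and FILETIME) in code, as an added example that is not part of the original post: the script below parses the first 84 bytes of a decompressed Windows 10 prefetch header, checks the executable name and hash against the .pf filename, and decodes the little-endian FILETIME to UTC. The header bytes are constructed from the values quoted in this post rather than read from the real file, and the field offsets follow the libscca format documentation listed in the references.

```python
import struct
from datetime import datetime, timedelta, timezone

# A FILETIME counts 100-nanosecond ticks since 1601-01-01 00:00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_ticks(raw8: bytes) -> int:
    """Read the 8 little-endian bytes as one 64-bit tick count (the 'byte order swap')."""
    return struct.unpack("<Q", raw8)[0]

def filetime_to_utc(raw8: bytes) -> datetime:
    """Convert the raw FILETIME bytes to a timezone-aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime_ticks(raw8) // 10)

def parse_pf_header(data: bytes) -> dict:
    """Parse the 84-byte prefetch header (offsets per the libscca format doc)."""
    if data[:3] == b"MAM":   # Windows 10 compressed container: decompress first
        raise ValueError("prefetch file is still compressed, run the decompressor first")
    version, magic, _unknown, size = struct.unpack_from("<I4sII", data, 0)
    if magic != b"SCCA":
        raise ValueError("not a prefetch file, bad signature %r" % magic)
    # Offset 16: 60 bytes of UTF-16LE executable name, NUL padded.
    exe_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    pf_hash = struct.unpack_from("<I", data, 76)[0]   # offset 76: prefetch hash
    return {"version": version, "size": size, "exe_name": exe_name, "hash": pf_hash}

def matches_filename(header: dict, pf_filename: str) -> bool:
    """A .pf file is named <EXE>-<HASH>.pf; both parts must agree with the header."""
    stem = pf_filename[:-3] if pf_filename.lower().endswith(".pf") else pf_filename
    exe, _, hash_hex = stem.rpartition("-")
    return exe.upper() == header["exe_name"].upper() and int(hash_hex, 16) == header["hash"]

# Constructed sample header (not the real file): version 30 marks Windows 10, the
# size, name and hash bytes are the ones quoted in the post, the rest is zeroed.
SAMPLE_HEADER = (
    struct.pack("<I", 30) + b"SCCA" + struct.pack("<I", 0)
    + bytes.fromhex("E0430100")                              # file size, LE
    + "FILEZILLA.EXE".encode("utf-16-le").ljust(60, b"\x00")
    + bytes.fromhex("099B8593")                              # hash, LE
    + struct.pack("<I", 0)
)
LAST_RUN_RAW = bytes.fromhex("F18C8CE9C8B6D001")   # FILETIME bytes quoted in the post

if __name__ == "__main__":
    hdr = parse_pf_header(SAMPLE_HEADER)
    print(hdr, matches_filename(hdr, "FILEZILLA.EXE-93859B09.pf"))
    print(filetime_ticks(LAST_RUN_RAW), filetime_to_utc(LAST_RUN_RAW).isoformat())
```

Python integers keep every digit of the 64-bit value, so the decimal tick count can differ in its last digits from a JavaScript-based online converter, which rounds to double precision; the resulting UTC time is the same to the second.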

Awesome!!! Now we have a much clearer picture as to what may have transpired.

The next step would be to check any network logs, full packet capture devices and/or flow data you may have to understand WHAT was sent, WHERE and WHY. We already have the WHEN, HOW and potentially WHO.

Most of what was just done could be easily done with tools such as "WinPrefetchView" or other tools that perform similar operations. However, remember, knowing how the tool works is much more important than knowing how to work the tool :-)

In the next post we will take a quick look at "WinPrefetchView".


References:
https://gist.github.com/dfirfpi/113ff71274a97b489dfd
http://blog.digital-forensics.it/2015/06/a-first-look-at-windows-10-prefetch.html
https://technet.microsoft.com/en-us/sysinternals/bb545021.aspx
http://mh-nexus.de/en/hxd/
http://i.imgur.com/riuljsK.jpg
https://github.com/libyal/libscca/blob/master/documentation/Windows%20Prefetch%20File%20%28PF%29%20format.asciidoc
http://www.swiftforensics.com/2013/10/windows-prefetch-pf-files.html?m=1
http://www.epochconverter.com/epoch/ldap-timestamp.php
http://forensicswiki.org/wiki/Windows_Prefetch_File_Format
http://www.nirsoft.net/utils/win_prefetch_view.html
http://www.rapidtables.com/convert/number/hex-to-decimal.htm

2 comments:

  1. This comment has been removed by the author.

    Replies
    1. :-) Thanks for reading the blog post. However, do remember the reference is also important ;-)
      Check this link.
      https://gist.github.com/dfirfpi/113ff71274a97b489dfd