Prefetch Deep Dive

This is the premiere of a new 13Cubed series called Deep Dives. In this episode, we'll take an in-depth look at one of the most important Windows "evidence of execution" artifacts. The following topics will be covered: An Introduction to Prefetch; Prefetch Location and File Naming Convention; Prefetch Hash Computation and Exceptions to the Rule; Prefetch File Analysis via MACB Timestamps; Parsing Prefetch Files via PECmd; and Extracting Prefetch Data from Memory.

** If you enjoy this video, please consider supporting 13Cubed on Patreon at patreon.com/13cubed. **

Prefetch Explorer (PECmd):
https://ericzimmerman.github.io/

Prefetch Hashes:
http://www.hexacorn.com/blog/2012/06/...

Prefetch Anti-Forensics:
http://www.hexacorn.com/blog/2012/03/...

Volatility:
https://github.com/volatilityfoundati...

Volatility prefetchparser Plugin:
https://github.com/superponible/volat...

Open Source Implementations of Microsoft Compression Algorithms:
https://github.com/coderforlife/ms-co...

Background Music Courtesy of Anders Enger Jensen:
   / hariboosx  

#Forensics #DigitalForensics #DFIR #ComputerForensics #WindowsForensics