Manipulating and generating Windows 10 prefetch files
Creating and modifying prefetch files for Windows 10
The prefetch file format is not officially documented by Microsoft; what is known about it comes from reverse engineering and trial and error. Although prefetch files exist only to speed up application start-up, they can incidentally answer the central questions of computer forensic analysis: who, what, when, where, why, and sometimes even how. The same property makes them useful to an attacker: a forged or edited prefetch file can disguise an intrusion, and any code that parses prefetch files is additional attack surface on the operating system. When a Windows system boots, or an application starts, portions of many files need to be read into memory and processed; the prefetcher records which files and sections were touched so that it can read them ahead of time on the next run. Since Windows 10, prefetch files are no longer stored as plain uncompressed binary but are compressed: each file starts with the signature "MAM", a flag byte 0x04 and the uncompressed size, followed by an LZXPRESS Huffman stream. That only raises the bar slightly: an attacker can decompress a prefetch file, hide or add entries in it, and re-compress the result.
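The decompress, inspect, edit and re-compress cycle described above, as an added PowerShell example; it is not code from the original page or from any tool the page refers to. It calls the ntdll.dll routines RtlGetCompressionWorkSpaceSize, RtlDecompressBufferEx and RtlCompressBuffer with COMPRESSION_FORMAT_XPRESS_HUFFMAN (0x0004), the format behind the "MAM" 0x04 container, and parses only the fixed header fields (version, SCCA signature, file size, executable name, hash) whose offsets come from community reverse engineering, not from Microsoft documentation. Assumptions: it runs on Windows as an administrator (standard users cannot read the Prefetch folder), takes the first .pf file found in C:\Windows\Prefetch as input, and writes the re-compressed copy to %TEMP% rather than back into the Prefetch folder.

```powershell
# Added example: unpack a Windows 10 prefetch file, read its header, re-pack it.
# Offsets below are the reverse-engineered version-30 layout, not official docs.
Add-Type -TypeDefinition @"
using System;
using System.Runtime.InteropServices;
public static class NtCompress {
    public const ushort XPRESS_HUFFMAN = 0x0004;   // COMPRESSION_FORMAT_XPRESS_HUFFMAN
    [DllImport("ntdll.dll")] public static extern uint RtlGetCompressionWorkSpaceSize(
        ushort format, out uint bufferWs, out uint fragmentWs);
    [DllImport("ntdll.dll")] public static extern uint RtlDecompressBufferEx(
        ushort format, byte[] dst, uint dstSize, byte[] src, uint srcSize,
        out uint finalSize, byte[] workspace);
    [DllImport("ntdll.dll")] public static extern uint RtlCompressBuffer(
        ushort format, byte[] src, uint srcSize, byte[] dst, uint dstSize,
        uint chunkSize, out uint finalSize, byte[] workspace);
}
"@

function Get-Workspace {
    # Scratch buffer ntdll needs for both compression and decompression
    $ws = 0; $frag = 0
    $s = [NtCompress]::RtlGetCompressionWorkSpaceSize([NtCompress]::XPRESS_HUFFMAN, [ref]$ws, [ref]$frag)
    if ($s -ne 0) { throw ('RtlGetCompressionWorkSpaceSize failed: 0x{0:X8}' -f $s) }
    return New-Object byte[] $ws
}

function Expand-Prefetch([string]$Path) {
    $raw = [IO.File]::ReadAllBytes($Path)
    # Win10 container: "MAM" 0x04 | uint32 uncompressed size | XPRESS Huffman data
    if ($raw.Length -lt 8 -or [Text.Encoding]::ASCII.GetString($raw, 0, 3) -ne 'MAM' -or $raw[3] -ne 4) {
        throw "Not a Windows 10 (MAM 0x04) prefetch file: $Path"
    }
    $size = [BitConverter]::ToUInt32($raw, 4)
    $src  = New-Object byte[] ($raw.Length - 8)
    [Array]::Copy($raw, 8, $src, 0, $src.Length)
    $out = New-Object byte[] $size
    $final = 0
    $s = [NtCompress]::RtlDecompressBufferEx([NtCompress]::XPRESS_HUFFMAN, $out, $size,
            $src, [uint32]$src.Length, [ref]$final, (Get-Workspace))
    if ($s -ne 0 -or $final -ne $size) { throw ('Decompression failed: 0x{0:X8}, got {1} of {2} bytes' -f $s, $final, $size) }
    return $out
}

function Read-PrefetchHeader([byte[]]$Plain) {
    # Fixed header of the decompressed file (version 30 on Windows 10)
    if ([Text.Encoding]::ASCII.GetString($Plain, 4, 4) -ne 'SCCA') { throw 'Bad SCCA signature after decompression' }
    [pscustomobject]@{
        Version  = [BitConverter]::ToUInt32($Plain, 0)                       # 30 (0x1E) on Windows 10
        FileSize = [BitConverter]::ToUInt32($Plain, 12)                      # should equal $Plain.Length
        ExeName  = [Text.Encoding]::Unicode.GetString($Plain, 16, 60).TrimEnd([char]0)
        Hash     = ('{0:X8}' -f [BitConverter]::ToUInt32($Plain, 76))        # the hex suffix of the .pf name
    }
}

function Compress-Prefetch([byte[]]$Plain, [string]$OutPath) {
    $dst = New-Object byte[] ($Plain.Length + 4096)   # slack in case the input does not shrink
    $final = 0
    $s = [NtCompress]::RtlCompressBuffer([NtCompress]::XPRESS_HUFFMAN, $Plain, [uint32]$Plain.Length,
            $dst, [uint32]$dst.Length, 4096, [ref]$final, (Get-Workspace))
    if ($s -ne 0) { throw ('RtlCompressBuffer failed: 0x{0:X8}' -f $s) }
    $ms = New-Object IO.MemoryStream
    $ms.Write([Text.Encoding]::ASCII.GetBytes('MAM'), 0, 3)               # rebuild the MAM 0x04 container
    $ms.WriteByte(4)
    $ms.Write([BitConverter]::GetBytes([uint32]$Plain.Length), 0, 4)
    $ms.Write($dst, 0, $final)
    [IO.File]::WriteAllBytes($OutPath, $ms.ToArray())
}

# Usage (assumption: run elevated; first .pf in the Prefetch folder; output to %TEMP%)
$src   = (Get-ChildItem 'C:\Windows\Prefetch\*.pf' | Select-Object -First 1).FullName
$plain = Expand-Prefetch $src
Read-PrefetchHeader $plain | Format-List
# ... modify $plain here; keep offset 12 equal to the new length and the section
#     offsets in the file information block consistent with any inserted/removed entries ...
Compress-Prefetch $plain (Join-Path $env:TEMP (Split-Path $src -Leaf))
```

The round trip is only as good as the edits in between: if entries are added to or hidden from the embedded file and volume lists, the size field at offset 12 and the section offsets that follow the header must be updated to match, because a length or offset that disagrees with the actual file is exactly what a forensic parser flags. Note also that writing the new file gives it fresh NTFS timestamps, which are independent of the run times recorded inside the prefetch file itself.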