Manipulating and generating Windows 10 prefetch files
Creating and modifying prefetch files for Windows 10
Master Thesis
Author
Vouvoutsis, Vasilis
Βουβούτσης, Βασίλης
Date
2019-06
Keywords
Prefetch; Manipulation; Windows 10
Abstract
The prefetch file format is not officially documented by Microsoft; what is known about it comes from reverse engineering and trial and error. Although never designed for the purpose, prefetch files can often answer the central questions of computer forensic analysis: who, what, when, where, why, and sometimes even how. And although they exist to speed up the system's disk reads, they can also be used to disguise an intrusion more effectively or to enlarge the operating system's attack surface. When a Windows system boots, or an application starts, parts of many files need to be read into memory and processed, and the prefetcher records which ones. Since Windows 10, prefetch files are no longer stored in clear text: the SCCA body is wrapped in an LZXPRESS-Huffman compressed container that starts with the bytes "MAM". It is now known, however, that an attacker can decompress such a file, manipulate it by hiding or adding entries, and re-compress it.
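As an added example (not code from the thesis), the following Python script shows the two layers the abstract refers to: the MAM compression wrapper that Windows 10 puts around a prefetch file, and the SCCA header underneath it, which is what gets edited once the file is unwrapped. The compression and decompression calls go through ntdll's RtlCompressBuffer and RtlDecompressBufferEx and therefore only run on a Windows host; the parsing, the forgery step and the consistency checks are pure Python. The header offsets are taken from the publicly reverse-engineered layout; the sample body, its executable name and its hash value are constructed fixtures, and the prefetch hash algorithm itself is deliberately not implemented.

```python
"""Windows 10 prefetch (.pf) triage helpers (added example, not the thesis's code).

Layout assumptions, from public reverse engineering of the format:
  * A Windows 10 .pf starts with b"MAM\\x04"; the uint32 at offset 4 is the
    decompressed size; the LZXPRESS-Huffman payload starts at offset 8.
  * The decompressed body is the SCCA layout: uint32 version at 0 (30 = Win10),
    b"SCCA" at 4, uint32 file size at 12, executable name as 60 bytes of
    NUL-padded UTF-16LE at 16, uint32 prefetch hash at 76 (header is 84 bytes).
  * The on-disk name is <EXE>-<HASH>.pf, HASH being the header hash in hex.
"""
import ctypes
import re
import struct
import sys

MAM_MAGIC = b"MAM\x04"
SCCA_MAGIC = b"SCCA"
SCCA_HEADER_LEN = 84
VERSION_WIN10 = 30
COMPRESSION_FORMAT_XPRESS_HUFF = 4   # ntdll constant
XPRESS_CHUNK = 4096                  # chunk size handed to RtlCompressBuffer


def parse_mam_header(data):
    """Split a MAM wrapper into (declared decompressed size, compressed payload)."""
    if len(data) < 8 or data[:4] != MAM_MAGIC:
        raise ValueError("not a MAM-compressed prefetch file")
    (size,) = struct.unpack_from("<I", data, 4)
    return size, data[8:]


def _ntdll_and_workspace():
    """ntdll handle plus the work buffer the Rtl* compression routines require (Windows only)."""
    if not sys.platform.startswith("win"):
        raise NotImplementedError("RtlCompressBuffer/RtlDecompressBufferEx need ntdll.dll")
    nt = ctypes.windll.ntdll
    ws, frag = ctypes.c_ulong(0), ctypes.c_ulong(0)
    st = nt.RtlGetCompressionWorkSpaceSize(ctypes.c_ushort(COMPRESSION_FORMAT_XPRESS_HUFF),
                                           ctypes.byref(ws), ctypes.byref(frag))
    if st != 0:
        raise OSError("RtlGetCompressionWorkSpaceSize: NTSTATUS 0x%08X" % (st & 0xFFFFFFFF))
    return nt, ctypes.create_string_buffer(ws.value)


def unwrap_pf(data):
    """MAM-wrapped .pf bytes -> decompressed SCCA body (Windows only)."""
    declared, payload = parse_mam_header(data)
    nt, ws = _ntdll_and_workspace()
    out, final = ctypes.create_string_buffer(declared), ctypes.c_ulong(0)
    st = nt.RtlDecompressBufferEx(ctypes.c_ushort(COMPRESSION_FORMAT_XPRESS_HUFF), out,
                                  ctypes.c_ulong(declared), payload, ctypes.c_ulong(len(payload)),
                                  ctypes.byref(final), ws)
    if st != 0:
        raise OSError("RtlDecompressBufferEx: NTSTATUS 0x%08X" % (st & 0xFFFFFFFF))
    return out.raw[:final.value]


def wrap_pf(body):
    """SCCA body -> MAM-wrapped .pf bytes: the re-compression an attacker does after editing (Windows only)."""
    nt, ws = _ntdll_and_workspace()
    out = ctypes.create_string_buffer(len(body) + len(body) // 8 + XPRESS_CHUNK)  # slack for incompressible input
    final = ctypes.c_ulong(0)
    st = nt.RtlCompressBuffer(ctypes.c_ushort(COMPRESSION_FORMAT_XPRESS_HUFF), body, ctypes.c_ulong(len(body)),
                              out, ctypes.c_ulong(ctypes.sizeof(out)), ctypes.c_ulong(XPRESS_CHUNK),
                              ctypes.byref(final), ws)
    if st != 0:
        raise OSError("RtlCompressBuffer: NTSTATUS 0x%08X" % (st & 0xFFFFFFFF))
    return MAM_MAGIC + struct.pack("<I", len(body)) + out.raw[:final.value]


def parse_scca_header(body):
    """Decode the 84-byte header of a decompressed prefetch body."""
    if len(body) < SCCA_HEADER_LEN or body[4:8] != SCCA_MAGIC:
        raise ValueError("not an SCCA prefetch body")
    version, _, _unknown, file_size = struct.unpack_from("<I4sII", body, 0)
    exe_name = body[16:76].decode("utf-16-le").split("\x00", 1)[0]
    (pf_hash,) = struct.unpack_from("<I", body, 76)
    return {"version": version, "file_size": file_size, "exe_name": exe_name, "hash": pf_hash}


def build_sample_body(exe_name="NOTEPAD.EXE", pf_hash=0xD8414F97, total_len=256):
    """Constructed fixture: a Windows 10 SCCA body with only the header filled in; the hash
    value is made up and the bytes after the header (sections A-D) are left zero."""
    name = exe_name.encode("utf-16-le")[:58].ljust(60, b"\x00")   # at most 29 chars + NUL
    header = (struct.pack("<I4sII", VERSION_WIN10, SCCA_MAGIC, 0x11, total_len)
              + name + struct.pack("<II", pf_hash, 0))
    return header.ljust(total_len, b"\x00")


def set_exe_name(body, new_name):
    """Overwrite the executable-name field, the simplest edit possible once the file is unwrapped.
    The hash at offset 76 is left alone on purpose: a convincing forgery must also regenerate it
    and rename the file, which this example does not do."""
    name = new_name.encode("utf-16-le")[:58].ljust(60, b"\x00")
    return body[:16] + name + body[76:]


def consistency_findings(pf_filename, body, declared_size=None):
    """Cheap tamper indicators for a prefetch body; an empty list means nothing looked off."""
    findings, hdr = [], parse_scca_header(body)
    if hdr["version"] != VERSION_WIN10:
        findings.append("version %d is not the Windows 10 format (30)" % hdr["version"])
    if hdr["file_size"] != len(body):
        findings.append("header file size %d != body length %d" % (hdr["file_size"], len(body)))
    if declared_size is not None and declared_size != len(body):
        findings.append("MAM declared size %d != body length %d" % (declared_size, len(body)))
    m = re.fullmatch(r"(.+)-([0-9A-Fa-f]{8})\.pf", pf_filename)
    if m is None:
        findings.append("file name %r is not of the form <EXE>-<HASH>.pf" % pf_filename)
    else:
        if not m.group(1).upper().startswith(hdr["exe_name"].upper()):  # header field may be truncated
            findings.append("executable name %r does not match file name" % hdr["exe_name"])
        if int(m.group(2), 16) != hdr["hash"]:
            findings.append("header hash %08X != hash in file name %s" % (hdr["hash"], m.group(2).upper()))
    return findings


if __name__ == "__main__":
    body = build_sample_body()
    print(parse_scca_header(body))
    print("genuine:", consistency_findings("NOTEPAD.EXE-D8414F97.pf", body, len(body)))
    print("forged :", consistency_findings("NOTEPAD.EXE-D8414F97.pf", set_exe_name(body, "EVIL.EXE")))
    if sys.platform.startswith("win"):   # full round trip through ntdll on a Windows host
        assert unwrap_pf(wrap_pf(body)) == body
```

The size and name checks catch only careless edits: an attacker who also updates the size field, regenerates the hash and renames the file leaves these indicators clean, which is why corroboration from other artefacts (the $MFT, the USN journal, event logs) is still needed before trusting a prefetch file.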