Prefetch Deep Dive

  • Added 6. 09. 2024

Comments • 71

  • @astro_gabe 4 years ago +13

    This is the kind of content I enjoy the most. Thank you for your effort in producing such high quality content!

  • @jimducroiset1628 4 years ago +4

    Really liked it a lot. Great length and complete explanations. Thank you, I have been learning a lot. Linux forensics would be a great addition.

    • @13Cubed 4 years ago +2

      It's coming soon. :)

  • @andrewrathbun3407 4 years ago +8

    Extremely valuable! Like all your previous videos, they will be helpful for years to come.

  • @samjohn1098 4 years ago +2

    Extremely useful. Expecting more videos like this.

  • @saadabdulmalik9763 3 years ago +4

    Excellent content and explanation on Prefetch. I still learned a few new things, considering I passed my 508 already :) Looking forward to deep dive videos for AMCACHE, SHIMCACHE and SHELLBAGS.

  • @samyuj 4 years ago +2

    In my opinion these are a little better than the shorts.

  • @Deveyus 4 years ago +1

    Thank you for making these, things I learn here get used to help me build better products for users, often in the tiniest details and offhanded comments. It's really appreciated.

  • @CougarESP 4 years ago +1

    Thank you. This was amazing. Would love a dive into Windows Search: how it works, where to look for evidence and how to parse it. For instance, a user searching for IP before copying to an external drive, etc.

  • @lautarob 4 years ago +2

    Excellent! Thanks 😊 Suggestions for new episodes: Mac osX unified logs, Shim cache.

  • @balazslendvay7236 4 years ago +1

    Excellent tutorial, keep going one-by-one like this, it helps the community a LOT!

  • @sai1234g24 4 years ago +2

    Excellent content, can you do a video on ShimCache and AmCache?

  • @okiplays8639 4 years ago +1

    Yes please, more deep dives, thank you! Kinda exciting when you have new vids with detailed info; it's like sitting at the cinema and the show is about to start!

  • @wunamede 4 years ago +1

    This is a very good video, great effort, audience centric. Appreciated it and look forward to the next deep dive episode.

  • @cexesp2022 2 years ago +1

    I wish all your videos were a deep dive; it is just a one-stop shop for the topic.

    • @13Cubed 2 years ago

      There's another Deep Dive coming up late this month. It's from a guest presenter (a first for the channel), but I think you'll really enjoy it because it is very in-depth.

  • @KenPryor 1 year ago

    This was excellent. Thank you for such a great explanation of prefetch files.

  • @constucticons 4 years ago +2

    Really liked the deep dive. Please keep them coming. :)

  • @gaurav572684 4 years ago +1

    Great content and the efforts are much appreciated. This is going to help me a lot in preparing for 508. Thanks a lot, Richard!

  • @samyuj 4 years ago +1

    Thank you @13Cubed!!

  • @MajesticLogic 4 years ago +1

    After creating my own YouTube channel I stumbled across your channel. I really enjoyed your videos and hope to have you as a mentor. I have subscribed to you and look forward to watching your videos.

  • @GauravSharma-pk7xt 3 years ago +1

    I saw this and was clueless earlier; now I know this is something I would want to do all my life. Maybe forensics was my love at first sight! 😁

  • @mesutisleyen8828 2 years ago +1

    Thank you for all your hard work. I always get help from your content. If we have the chance, macOS systems forensics would be super cool.

    • @13Cubed 2 years ago

      Thanks! There is one video on the channel covering .DS_Store files, but I think that's it for macOS. I will likely create some more in the future, but the primary focus will probably continue to be Windows and Linux, just because that's the vast majority of what people are investigating (and what most of the world uses).

  • @joetaylor8089 3 years ago +1

    Love the deep dives and would love to see more.

  • @cameronm.2508 4 years ago +2

    Great new format!!

  • @whitemouse229 6 months ago

    I found 2 anti-forensics methods for prefetch: the first is to secure delete the prefetch folder twice, and the second is to use a USB boot to secure delete the prefetch folder.

  • @adityabiswaas 3 years ago +1

    Very cool stuff... easy to learn.

  • @osamaradwan2806 4 years ago +1

    Best channel indeed!

  • @nilanjana25 3 years ago

    Thank you for the deep dive on prefetch. Really useful 👍🏻

  • @abdullahsmadi1570 7 months ago

    I think it is a great video about prefetch files.

  • @mossarafzamankhan8707 4 years ago +1

    Valuable content. Thank you for this.

  • @kareemh91 4 years ago +1

    Thank you for your efforts, appreciated.

  • @ab866 4 years ago

    Very informative videos. Is it possible for you to make a detailed video on Windows process and registry analysis?
    I know you have created videos on these topics, but I am referring to a video that can cover them in much more detail.
    Thanks!

  • @gerardocaudillo1902 4 years ago +1

    This is awesome!!! Thank you!!

  • @shauryashrivastava8965 4 years ago +3

    Can you bring a complete Malware Analysis and Reverse Engineering course for absolute beginners, so that complete newbies find it easy and can get started easily? Please?

    • @13Cubed 4 years ago +1

      I'm not an RE person by trade, but I do have a few episodes covering those topics. Check out the Introduction to Malware Analysis playlist.

  • @ZafarPravaiz 4 years ago +1

    Fantastic episode. I have a question: what tools do you use for Windows 10 memory acquisition? Really appreciate your time and efforts to produce such content.

    • @13Cubed 4 years ago +1

      Magnet RAM Capture or DumpIt.

  • @jimducroiset1628 4 years ago +1

    I know it’s been a bit since this episode, but I still use it occasionally for review, have you seen or looked into malwarearcheology\ARTHIR at all? It’s based on the Kansa framework but extends it to be able to push binaries and retrieve output. Could make for an interesting episode. Thanks for all of this great information!

    • @13Cubed 4 years ago

      Haven't looked at it, but I'll check it out!

  • @emilbirch3866 3 years ago

    Very well explained, thanks!

  • @StayPremiium 3 years ago +1

    This is amazing content, keep it coming!

  • @madhuvantthy7668 3 years ago +1

    Shimcache would be GREAT. Thank you!!!! Also, I would like to know how to perform threat hunting from parquet files. I have converted them to data frames in Python; what do I do next, and how do I prepare the report? It doesn't seem to be available anywhere online and I'd love it if you could help me out. GREAT content, loved it.

    • @13Cubed 3 years ago

      Thanks for the feedback. Unfortunately, no experience with Hadoop so I wouldn't be able to advise you there.

  • @umerkha 4 years ago +1

    Hey, excellent deep dive! One question, are there any prefetch files generated for the execution of PowerShell scripts, etc?

    • @13Cubed 4 years ago

      Not for the script itself, but for powershell.exe (or whatever would run the script), yes.

  • @JaKeizBrick33 4 years ago +1

    Very good video. Thank you!

  • @fevingeorge5603 4 years ago +1

    Thank you so much for the rich content.

  • @supremum100 4 years ago +2

    Keep going! Nice videos!

  • @caredess 4 years ago +1

    Premium content, thank you ;)

  • @cexesp2022 2 years ago +1

    Like before watching

  • @castle228 4 years ago

    New to the channel. Excellent content! Thanks!

  • @sulthansk6444 4 years ago

    Thanks for the video...

  • @connorpayne8210 1 year ago

    Amazing video! Sorry if this is a silly question and is answered elsewhere, but I tried to find some reference material regarding how to parse prefetch by hand (e.g., from hex) to see if this would be possible, but couldn't. You mentioned that sometimes executables like SVCHost or RunDLL32 will have a separate prefetch file for different command line arguments; is it possible to extract these arguments from the prefetch file itself? Again, sorry if I misunderstood this.

    • @13Cubed 1 year ago +1

      The hex you referred to is actually a hash -- there is no way to "reverse" that process. You could perhaps create a hash of the binary's path and arguments using that particular hashing algorithm and compare the computed hash to the hash associated with the PF file name, but I don't think that's very well documented. As for the command line arguments, no, no way to obtain those from the parsed PF file that I am aware of.

    • @connorpayne8210 1 year ago

      @13Cubed Thank you

  • @StayPremiium 3 years ago

    Does anyone know if the prefetch file NTOSBOOT still exists in Win10 systems, or was it 8 and prior? Also, if it is now gone, has it been replaced by anything? TIA

  • @radwanaplicant3707 4 years ago

    What is the relation with superfetch? It seems to be dB files, but I did not find any parser for it.

  • @gunblad3 4 years ago +1

    Thanks for posting. Asking from a past case: what about the ntosboot prefetch? Is it only present on servers, and on by default (in spite of prefetch being off by default)?

    • @13Cubed 4 years ago

      Perhaps a topic for another video. To be honest, I haven't done a lot of research there. This academic paper has a good bit of info on the topic, and may interest you: citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.736.1911&rep=rep1&type=pdf

    • @gunblad3 4 years ago

      Thanks nonetheless! Will dig in.

  • @karreevn9085 1 year ago

    How do you convert the volume{…} to drive letters in Python, bro? :)

  • @garrysingh4484 4 years ago +1

    When is .DS_Store etc. coming??

    • @13Cubed 4 years ago +3

      In a week or so for Patreon supporters, and either late this month or next for everyone else.

  • @rohithkalvala9315 1 year ago +1

    If possible, can you start Linux forensic training on your channel?

  • @Grid21 27 days ago

    Ok, but I want a simple answer. SSDs are STUPID FAST, especially with high speed DDR 3, 4, and now 5, and soon DDR 6, so why the hell do we need Prefetch when history tells us that things will get faster? Asking your OS to write useless files to an SSD that is ALREADY fast is rather pointless, right? Am I wrong? Am I right? Can I just disable something stupid like Prefetch and let my RAM and SSD do all the heavy lifting?

    • @13Cubed 26 days ago

      Keep in mind that prefetch is also keeping track of the files and directories with which a given binary interacts. It's more than just a simple caching mechanism, and does make a meaningful difference in performance. You can try disabling it even on an SSD-based system and measure the performance difference.
      All of that said, the feature itself is not really what's of interest to us as forensic investigators; rather, it's the data the feature provides to us. Even if you were correct and it was useless, as long as the data is accessible to us and helps us paint a clearer picture of what happened on a given system, that's what we care about.