Faculty Mentor: Narasimha Shashidhar
Associate Professor, Department of Computer Science
Student Team Member: Dylan Novak
Funding provided by the College of Sciences Dean’s Office
Faculty Report
Overview
The Internet is an indispensable tool for our everyday tasks, and beyond ordinary use, most of us want the ability to browse it privately. We use the term private browsing for the mode(s) available in most major web browsers that let a user browse the Internet without leaving evidence of the browsing session on the host computer. In this project we set out to analyze the forensic artifacts that may nevertheless be left behind on the host machine after a user has browsed the Internet in one of these "private" modes.

This research ultimately led us to a little-documented set of files on the Windows operating system: the prefetch files. Prefetch functionality was first introduced with Windows XP. Its purpose is to improve the start-up performance of user applications. To that end, Windows records a profile of the files and directories an application touches during its launch phase and stores this profile in the \Windows\Prefetch directory. Each prefetch file (.pf) is updated whenever its application is launched again. According to several sources, a prefetch file contains metadata such as the path from which the application was launched, the name of the executable, a partial history of launch times, the number of times the application has been run, and the files and directories used during the application's start-up. This data has long been touted as a rich repository of artifacts for many types of digital investigation. However, only a small portion of the file format has been decoded, and much of the remaining data, and its relationship to other structures within the file system, has not been fully worked out. Examiners should also note that prefetching can be disabled through the EnablePrefetcher registry value and that Windows XP retains only a limited number of .pf files, so the absence of a prefetch file does not by itself show that an application never ran.
Our Contribution
The majority of existing work in this area comes from bloggers and similar venues in the digital forensics community and is not considered to be of academic quality. Recent scholarly literature that references prefetch functionality and its forensic applicability must therefore rely on these blog posts and various incomplete articles, or describe prefetch characteristics without any reference at all. Our first contribution in this work was to remedy this lack, albeit to a limited extent. We manually parsed much of the structure of the prefetch file for the popular Google Chrome browser, CHROME.EXE-D999B1BA.pf, located in C:\Windows\Prefetch. Together with the previously identified artifacts, this will prove quite useful for forensic examiners. Next, we disassembled the Windows XP kernel image ntkrnlpa.exe with the IDA disassembler to determine precisely how the operating system reads and writes these prefetch files. Finally, we were able to completely understand the PfCalculateProcessHash procedure, which produces the hash that forms the second part of a prefetch file's name, and we wrote a Perl application that checks the integrity of prefetch files by recomputing that hash. An application to correlate the timestamps within prefetch files with other files in the file system will also be developed, in order to establish further forensically significant relationships. I am proud to note that my student presented this work as a poster at the College of Science Research Conference at the University of Texas, San Antonio on October 3, 2014. We thank you very much for the opportunity and look forward to presenting our work at the Undergraduate Research Symposium in April 2015.
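The following Python script is an added example, not the Perl tool from this report and not code from the project. It parses the header of a Windows XP (format version 17) prefetch file, extracts the fields described in the overview (executable name, last run time, run count, and the device paths of files touched at start-up), and performs the integrity check described above: it recomputes the prefetch hash from the executable's full device path and compares it with the hash stored in the header and embedded in the .pf file name. The field offsets and the hash routine follow the publicly documented SCCA prefetch format, not the authors' own disassembly; the sample .pf image, the Chrome install path and the timestamp are constructed here for the demonstration.

```python
"""XP-format (version 17) prefetch parser with hash verification.

Added example, not the Perl tool from the report. Layout and hash routine
follow the publicly documented SCCA prefetch format; the sample file is
constructed below rather than taken from a real system.
"""
import struct
from datetime import datetime, timedelta, timezone

XP_VERSION = 17        # format version stored at offset 0x00 on Windows XP / 2003
HEADER_SIZE = 0x98     # 0x54-byte fixed header + 68-byte version-17 file information
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def xp_prefetch_hash(path: str) -> int:
    """XP prefetch hash of an executable's upper-case device path.

    This is the published description of the algorithm behind the hex part of
    a .pf file name (the D999B1BA in CHROME.EXE-D999B1BA.pf); an integrity
    check recomputes it and compares it with the stored value.
    """
    h = 0
    for ch in path.upper():
        h = (h * 37 + ord(ch)) & 0xFFFFFFFF
    h = (h * 314159269) & 0xFFFFFFFF
    if h > 0x80000000:          # absolute value of the signed 32-bit intermediate
        h = 0x100000000 - h
    return h % 1000000007


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime."""
    return WINDOWS_EPOCH + timedelta(microseconds=ft // 10)


def parse_xp_prefetch(data: bytes) -> dict:
    """Extract the forensically interesting fields from a version-17 .pf image."""
    version, signature = struct.unpack_from("<I4s", data, 0x00)
    if signature != b"SCCA" or version != XP_VERSION:
        raise ValueError(f"not an XP prefetch file (version={version}, signature={signature!r})")
    executable = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    header_hash = struct.unpack_from("<I", data, 0x4C)[0]
    (_metrics_off, _n_metrics, _chains_off, _n_chains, strings_off, strings_size,
     _volumes_off, n_volumes, _volumes_size, last_run) = struct.unpack_from("<9IQ", data, 0x54)
    run_count = struct.unpack_from("<I", data, 0x90)[0]
    blob = data[strings_off:strings_off + strings_size].decode("utf-16-le")
    filenames = [s for s in blob.split("\x00") if s]
    return {
        "executable": executable,
        "hash": header_hash,
        "pf_name": f"{executable}-{header_hash:08X}.pf",
        "last_run": filetime_to_datetime(last_run),
        "run_count": run_count,
        "volumes": n_volumes,
        "filenames": filenames,   # device paths of files touched at start-up
    }


def verify_prefetch_hash(info: dict) -> bool:
    """Recompute the hash from the executable's own device path and compare."""
    suffix = "\\" + info["executable"].upper()
    candidates = [p for p in info["filenames"] if p.upper().endswith(suffix)]
    if not candidates:
        return False            # no full path for the executable: cannot confirm
    return xp_prefetch_hash(candidates[0]) == info["hash"]


def build_sample_prefetch(exe_path: str, run_count: int, last_run: datetime,
                          extra_files=()) -> bytes:
    """Construct a minimal version-17 image (header + filename strings only)."""
    exe_name = exe_path.rsplit("\\", 1)[1]
    strings = ("\x00".join([exe_path, *extra_files]) + "\x00").encode("utf-16-le")
    strings_off = HEADER_SIZE
    volumes_off = strings_off + len(strings)          # empty volume section
    ticks = ((last_run - WINDOWS_EPOCH) // timedelta(microseconds=1)) * 10
    header = struct.pack("<I4sII", XP_VERSION, b"SCCA", 0x0F, volumes_off)
    header += exe_name.encode("utf-16-le").ljust(60, b"\x00")
    header += struct.pack("<II", xp_prefetch_hash(exe_path), 0)
    header += struct.pack("<9IQ", HEADER_SIZE, 0, HEADER_SIZE, 0,
                          strings_off, len(strings), volumes_off, 0, 0, ticks)
    header += b"\x00" * 16 + struct.pack("<II", run_count, 0)
    assert len(header) == HEADER_SIZE
    return header + strings


# Constructed sample (assumed install path, not taken from a real system).
SAMPLE_EXE_PATH = r"\DEVICE\HARDDISKVOLUME1\PROGRAM FILES\GOOGLE\CHROME\APPLICATION\CHROME.EXE"
SAMPLE_PF = build_sample_prefetch(
    SAMPLE_EXE_PATH, run_count=7,
    last_run=datetime(2014, 10, 3, 14, 0, tzinfo=timezone.utc),
    extra_files=[r"\DEVICE\HARDDISKVOLUME1\WINDOWS\SYSTEM32\NTDLL.DLL"])

if __name__ == "__main__":
    info = parse_xp_prefetch(SAMPLE_PF)
    for key in ("pf_name", "executable", "last_run", "run_count"):
        print(f"{key:>10}: {info[key]}")
    print("hash check:", "OK" if verify_prefetch_hash(info) else "MISMATCH")
```

Two caveats for anyone adapting this to casework. The check is specific to the XP/2003 format: Vista and Windows 7 (version 23) and Windows 8 (version 26) lay the header out differently and use a different hash routine, so a version mismatch should be treated as "unsupported", not as tampering. A hash mismatch on a genuine XP file is also not proof of manipulation by itself; the executable may have been launched from a path that is not among the recorded filename strings, in which case the check cannot be completed and the function returns False.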