Legal Review: What Programs were Run?

The Legal Review series answers questions often posed about evidence with high-level descriptions of forensic artifacts.

What programs were run on the machine? This is a common question that is relevant in most investigations. Application execution gives insight into the normal usage of a particular computer. Just as importantly, examining forensic artifacts associated with application usage can also reveal abnormal behavior. Knowing what a user did regularly, or what they did immediately before leaving a company, can be telling. Did they use a wiping utility to cover their tracks? Did they use cloud software to extract intellectual property? For our purposes, we will discuss this in the context of Windows operating systems and two artifacts: Prefetch and UserAssist.

Prefetch

Application prefetching was introduced to reduce the amount of time it takes to launch recently used applications. Prefetch files (*.pf) are stored in %SystemRoot%\Prefetch, outside of any user's profile folder, and cannot, by themselves, be directly tied to a user's actions. The number of files Windows retains is capped: Windows XP through Windows 7 keep prefetch files for the 128 most recently used applications, and Windows 8 and later keep up to 1024. Once the cap is reached, less recently used entries are pruned, so the absence of a prefetch file does not by itself mean an application never ran. These files are created by direct and indirect user action alike; a program launched by another program or by a scheduled task gets a prefetch file just as a double-clicked one does. An investigator can extract the following information from a single prefetch file:

  • The name of the application
  • The first and last time the application was launched* (Windows 8 and later store the last eight launch times)
  • The number of times an application was launched
  • Where the application is located on the computer
  • The name and serial number of the volume from which the application was launched.

While useful, prefetching is not always enabled. The EnablePrefetcher value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters controls it (0 disabled, 1 application launch only, 2 boot only, 3 both); Windows Server editions disable it by default, and Windows 7 may also turn it off on solid-state drives. Check this value before concluding that a missing prefetch file means a program was never run. To reiterate, prefetch files are not intrinsically tied to a particular user. However, it is not too difficult to ascertain who was logged in when an application was first or last executed, for example from the logon events in the Security event log. And while this by no means proves who executed the application between the first and last execution, it can assist an investigator when drawing conclusions.
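To make the fields above concrete, here is an added example (not code from the original post or from any forensic tool) that reads the executable name, path hash, run count and run time(s) straight out of the fixed header of a .pf file for format versions 17 (XP), 23 (Vista/7) and 26 (Windows 8). The offsets are those of the on-disk format; the sample file it parses is constructed inside build_sample_pf() with a hypothetical WIPER.EXE and hash, so nothing here is a real artifact. Windows 10 files share the version-26 field layout but are MAM-compressed on disk, which the example detects and refuses rather than decompressing.

```python
"""Parse the fixed header of a Windows Prefetch (.pf) file.

Added example with a constructed sample; not a real artifact and not the
page's own code. Offsets follow the documented .pf layout for versions
17, 23 and 26.
"""
import struct
from datetime import datetime, timedelta, timezone

WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# File offsets of the fields this example reads, per format version.
# Version 30 (Windows 10+) uses the version-26 field layout, but the file on
# disk is MAM (LZXPRESS Huffman) compressed and must be decompressed before
# these offsets apply; that step is outside this example.
LAYOUT = {
    17: {"last_run": 0x78, "run_count": 0x90, "n_times": 1},  # Windows XP / 2003
    23: {"last_run": 0x80, "run_count": 0x98, "n_times": 1},  # Windows Vista / 7
    26: {"last_run": 0x80, "run_count": 0xD0, "n_times": 8},  # Windows 8.x
}


def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return WIN_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime, using integer arithmetic; used to build the sample."""
    delta = dt - WIN_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_prefetch(data):
    """Return name, path hash, run count and run times from raw .pf bytes."""
    if data[:3] == b"MAM":
        raise ValueError("compressed prefetch file (Windows 10+): decompress it first")
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA":
        raise ValueError("missing SCCA signature: not a prefetch file")
    layout = LAYOUT.get(version)
    if layout is None:
        raise ValueError(f"unsupported prefetch format version {version}")

    # Executable name: up to 29 UTF-16LE characters plus a terminator at 0x10.
    exe_name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    # Hash of the executable's path; it also forms the suffix of the .pf file name.
    path_hash, = struct.unpack_from("<I", data, 0x4C)
    run_count, = struct.unpack_from("<I", data, layout["run_count"])

    # Windows 8 and later keep the last eight run times, newest first;
    # unused slots are zero and are skipped.
    run_times = []
    for i in range(layout["n_times"]):
        ft, = struct.unpack_from("<Q", data, layout["last_run"] + 8 * i)
        if ft:
            run_times.append(filetime_to_datetime(ft))

    return {
        "version": version,
        "exe_name": exe_name,
        "path_hash": path_hash,
        # The file on disk should be named NAME-HASH.pf; a mismatch is worth noting.
        "expected_filename": f"{exe_name}-{path_hash:08X}.pf",
        "run_count": run_count,
        "run_times": run_times,
    }


def build_sample_pf():
    """Construct a minimal version-23 (Windows 7) header for demonstration only.

    Only the fields parse_prefetch() reads are populated; the section offsets
    and the metrics, trace-chain, string and volume sections stay zeroed.
    """
    buf = bytearray(0xA0)
    struct.pack_into("<I4s", buf, 0, 23, b"SCCA")
    struct.pack_into("<I", buf, 0x0C, len(buf))                  # file size
    buf[0x10:0x10 + 18] = "WIPER.EXE".encode("utf-16-le")         # hypothetical name
    struct.pack_into("<I", buf, 0x4C, 0x1A2B3C4D)                 # hypothetical path hash
    last_run = datetime(2015, 3, 1, 12, 0, 0, tzinfo=timezone.utc)
    struct.pack_into("<Q", buf, 0x80, datetime_to_filetime(last_run))
    struct.pack_into("<I", buf, 0x98, 7)                          # run count
    return bytes(buf)


if __name__ == "__main__":
    for key, value in parse_prefetch(build_sample_pf()).items():
        print(f"{key}: {value}")
```

Note that the run count and run times come from inside the file, while the "first run" in the list above does not: it is inferred from the .pf file's own creation timestamp, which this parser does not see.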

We will next briefly discuss userassist, an artifact also associated with application usage but, unlike prefetch, specific to a user.

* The first execution time is inferred from the creation timestamp of the .pf file itself, so it may not represent the true first time the program was used if an earlier prefetch file for the application was removed and the current one was created later.

UserAssist

UserAssist is a list of applications executed by a particular user through the Explorer shell (the Start menu, the desktop, or double-clicking a file). It lives in each user's registry hive, NTUSER.DAT, under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist, with the application path stored as a ROT13-encoded value name. Because each user profile has its own hive, UserAssist is more helpful in associating a particular application with a user. The flip side is that programs started from a command prompt, a service, or a scheduled task are generally not recorded here. Like prefetch, UserAssist provides a great deal of information about application usage:

  • The name of the application
  • The last time the application was launched
  • The number of times the application was run
  • Where the application is located on the computer
  • The cumulative time the application was in focus, and the number of times it received focus (Windows 7 and later)
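The following added example (not code from the original post or from any forensic tool) shows how those fields are recovered from a single value under a UserAssist\{GUID}\Count key: the value name is ROT13-decoded and a leading known-folder GUID is expanded, and the binary data is unpacked using the 72-byte Windows 7+ layout or the 16-byte Windows XP layout. The sample value is constructed inside build_sample_value() for a hypothetical wiper.exe under Program Files (x86); the GUID-to-folder table covers only a handful of common known folders.

```python
"""Decode one UserAssist value (ROT13 name plus binary Count data) from NTUSER.DAT.

Added example with a constructed sample value; not the page's own code and
not a real artifact.
"""
import codecs
import struct
from datetime import datetime, timedelta, timezone

WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Subkeys of ...\Explorer\UserAssist\ on Windows 7 and later.
USERASSIST_GUIDS = {
    "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}": "executable file execution",
    "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}": "shortcut (.lnk) file execution",
}

# Known-folder GUIDs that stand in for a path prefix in decoded value names
# (a small subset; real hives use more).
KNOWN_FOLDERS = {
    "{6D809377-6AF0-444B-8957-A3773F02200E}": "%ProgramFiles%",
    "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}": "%ProgramFiles(x86)%",
    "{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": "%SystemRoot%\\System32",
    "{D65231B0-B2F1-4857-A4CE-A8E7C6EA7D27}": "%SystemRoot%\\SysWOW64",
    "{F38BF404-1D43-42F2-9305-67DE0B28FC23}": "%SystemRoot%",
}


def filetime_to_datetime(ft):
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01 UTC) to a datetime."""
    return WIN_EPOCH + timedelta(microseconds=ft // 10)


def decode_name(rot13_name):
    """ROT13-decode a value name and expand a leading known-folder GUID, if any."""
    name = codecs.decode(rot13_name, "rot13")
    prefix = name[:38].upper()          # "{" + 36-character GUID + "}"
    if prefix in KNOWN_FOLDERS:
        name = KNOWN_FOLDERS[prefix] + name[38:]
    return name


def parse_count_value(rot13_name, data):
    """Parse one value under a UserAssist\\{GUID}\\Count key.

    Windows 7 and later: 72 bytes = session id, run count, focus count, focus
    time in ms (4 x uint32), ten floats that are ignored here, a FILETIME of
    the last run at offset 60, and four trailing bytes.
    Windows XP: 16 bytes = session id, run count (the counter starts at 5,
    not 0), and a FILETIME of the last run.
    """
    if len(data) == 72:
        session, run_count, focus_count, focus_ms = struct.unpack_from("<4I", data, 0)
        ft, = struct.unpack_from("<Q", data, 60)
    elif len(data) == 16:
        session, raw_count, ft = struct.unpack("<IIQ", data)
        run_count = max(raw_count - 5, 0)
        focus_count = focus_ms = None
    else:
        raise ValueError(f"unexpected UserAssist value length {len(data)}")
    return {
        "name": decode_name(rot13_name),
        "run_count": run_count,
        "focus_count": focus_count,
        "focus_seconds": None if focus_ms is None else focus_ms / 1000,
        "last_run": filetime_to_datetime(ft) if ft else None,
    }


def build_sample_value():
    """Construct a Windows 7 style value for a hypothetical tool (demonstration only)."""
    plain = "{7C5A40EF-A0FB-4BFC-874A-C0F2E0B9FA8E}\\Wiper\\wiper.exe"
    rot13_name = codecs.encode(plain, "rot13")      # how the name appears in the hive
    last_run = datetime(2015, 3, 1, 11, 59, 50, tzinfo=timezone.utc)
    delta = last_run - WIN_EPOCH
    ft = (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10
    data = bytearray(72)
    struct.pack_into("<4I", data, 0, 1, 3, 5, 120_000)  # session, runs, focus count, focus ms
    struct.pack_into("<Q", data, 60, ft)
    return rot13_name, bytes(data)


if __name__ == "__main__":
    name, data = build_sample_value()
    print("stored name:", name)
    for key, value in parse_count_value(name, data).items():
        print(f"{key}: {value}")
```

On a live system the same values are reachable under HKEY_CURRENT_USER for the logged-on user; for an offline image, load the user's NTUSER.DAT and walk the Count subkeys, feeding each value name and data to parse_count_value().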

In the best case scenario, both a prefetch and a UserAssist artifact will exist for a given application. This allows us to validate our findings from two separate sources that track applications. The two need not agree exactly: prefetch records every launch, while UserAssist only records launches through the shell, so a prefetch run count higher than the UserAssist count is expected rather than suspicious. By relying on prefetch and UserAssist artifacts, investigators can begin to answer important questions surrounding the typical and atypical use of a computer.

We have only briefly covered two artifacts, however, know that there are additional artifacts we can rely on to glean more application usage data from. Please leave a comment with questions, thoughts, or what you would like to discuss next.
