Prefetch Perfection

Challenge:

Prefetch files are another handy tool to show evidence of execution. What time was Internet Explorer opened? (GMT)

Submit the flag as flag{YYYY-MM-DD HH:MM:SS}.

Solution:

The provided Zip archive contained a folder of Prefetch files. Windows uses Prefetch files to reduce the time an application takes to launch by storing a list of the resources the application requires. This allows the OS to optimize memory management and keep in memory the resources most commonly required, based on the user's usage patterns. For this challenge, the pertinent metadata stored in a Prefetch file is the last-run timestamps.

I used Adam Witt's Windows-Prefetch-Parser to parse the prefetch file:

$ python2 prefetch.py  -f ./prefetch/IEXPLORE.EXE-F6A52C86.pf | grep Executed
Last Executed: 2017-05-01 21:11:41.058966

The completed flag is flag{2017-05-01 21:11:41}.
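To show where that "Last Executed" value comes from, the sketch below reads the last-run FILETIME straight out of an uncompressed Prefetch header and converts it to UTC. It is an added example, not code from this write-up or from Windows-Prefetch-Parser; the header offsets follow the publicly documented SCCA layout and are an assumption here, and the input is a constructed header that reuses the timestamp shown above.

```python
import struct
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Assumed layout (public SCCA format notes, not from this page): offset of the
# first last-run FILETIME and how many slots follow, keyed by format version
# (17 = XP, 23 = Vista/7, 26 = 8.x, 30 = 10 once decompressed).
LAST_RUN = {17: (0x78, 1), 23: (0x80, 1), 26: (0x80, 8), 30: (0x80, 8)}


def filetime_to_utc(ft):
    """Convert 100 ns ticks since 1601-01-01 into an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_prefetch(data):
    """Return (executable name, list of UTC last-run times)."""
    if data[:3] == b"MAM":
        raise ValueError("compressed Windows 10 prefetch; decompress first")
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA" or version not in LAST_RUN:
        raise ValueError("not a supported prefetch file")
    raw_name = data[0x10:0x10 + 60].decode("utf-16-le", "replace")
    name = raw_name.split("\x00", 1)[0]
    offset, count = LAST_RUN[version]
    ticks = struct.unpack_from("<%dQ" % count, data, offset)
    return name, [filetime_to_utc(t) for t in ticks if t]  # empty slots are 0


def build_sample(version, name, when):
    """Constructed input: a minimal header carrying a single last-run time."""
    buf = bytearray(0x100)
    struct.pack_into("<I4s", buf, 0, version, b"SCCA")
    raw = name.encode("utf-16-le")
    buf[0x10:0x10 + len(raw)] = raw
    ticks = (when - FILETIME_EPOCH) // timedelta(microseconds=1) * 10
    struct.pack_into("<Q", buf, LAST_RUN[version][0], ticks)
    return bytes(buf)


if __name__ == "__main__":
    sample_time = datetime(2017, 5, 1, 21, 11, 41, 58966, tzinfo=timezone.utc)
    exe, runs = parse_prefetch(build_sample(26, "IEXPLORE.EXE", sample_time))
    print(exe, runs[0].strftime("flag{%Y-%m-%d %H:%M:%S}"))
```

FILETIME values carry no time zone and count from 1601-01-01 UTC, so the parsed value already matches the GMT the challenge asks for; a tool that renders it in local time would need converting back.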
