Forensic Riddle #3 – Answer

December 5, 2011 in Forensic Riddles - Answers

The answer to riddle #3 may surprise you. First of all, it is not Base64-encoded – this is just to make life easier for people who are using portable devices to read this blog – now they can actually read the answer 🙂

Secondly, the actual answer. Prefetch file _is_ there. Or should I say, PrefetchADS is there.

It turns out that it is possible to hide the Prefetch data by fooling the OS to append it as an Alternate Data Stream (ADS) to an existing file. So, in this particular case the prefetch data is hidden inside the ADS attached to Layout.ini file.

I chose Layout.ini for this demo, yet malware could use _any_ existing file inside the %SystemRoot%\Prefetch directory, e.g. any of the .pf files residing there.

The following screenshots demonstate how it works:

  • Hiding the Prefetch data inside PrefetchADS

  • Viewing the content of the PrefetchADS with Notepad

The bottom line:

  • Next time you investigate the %SystemRoot%\Prefetch directory, make sure you look at the ADS as well

Thanks for trying & next riddle on Friday!

Share this 🙂

Comments are closed.