Tooling Thursday: PECmd

Matt B
4 min read · Dec 30, 2016


Hot off the heels of yesterday’s discussion on Windows prefetch files, today’s post is going to focus on one of the tools I did not provide an example of: PECmd.

If you’ve been following me through the Zeltser Challenge, then you’re already familiar with Eric Zimmerman’s AppCompatCacheParser tool I reviewed a few weeks ago. PECmd is another great tool to have a grasp of and in any DFIR arsenal.

PECmd Overview

PECmd is written and maintained by Eric Zimmerman. The tool is currently at version 0.7.2.0, and can be downloaded from Eric’s software download site. The goal of PECmd (I think) was to provide a reliable, Windows-based prefetch parser that displays as much data as can be squeezed out of the files.

PECmd comes with a succinct list of parsing options:

Parsing options from the Help menu for PECmd

Note that you will need either a -f or -d flag to specify a source for files to be parsed. Here’s an example of how simple it is:

C:\Tools\PECmd>PECmd.exe -f CMD.EXE-D269B812.pf

Let’s discuss some of the output:

Screenshot of parsed output from PECmd.exe
  • One of the neat “features” Eric has implemented is to highlight key areas of concern. This includes, in the screenshot above, the last run time of the executable. More on this below.
  • Notice the tool also outputs other execution times. One thing I omitted from yesterday’s post, to include in today’s, was that prefetch files contain the last eight execution times of the executable. For “popular” files, you will most certainly not have the entire history of run times. However, as an analyst, be sure to compare the list of run times against the number of times executed.
  • Take a look at the list of timestamps discussed in yesterday’s post. You may notice a discrepancy between my file’s modified time and last executed time. Any thoughts on why this is? (Hint: It’s nothing malicious, but an important consideration when we’re moving and analyzing evidence files.)

Now, the second half of the output:

Screenshot of parsed output from PECmd.exe

Notice that this contains much more data, and some additional highlights.

  • One neat feature from PECmd is the -k switch. This little feature allows you to input keyword(s) of choice and return highlighted text. Here’s an example where I am looking for any instance of appdata in my output:
C:\Tools\PECmd> PECmd -f CMD.EXE-D269B812.pf -k appdata

And the corresponding output:

Snippet of parsed output from PECmd.exe

If you’re performing one-off analysis and looking for known-bad folders/files, you can use the keywords to quickly bring artifacts of interest to the surface.

Output Options

One of my favorite features of PECmd is the wealth of output options. Have a look at the help menu’s choices:

Output options from the Help menu for PECmd

Eric’s decision to include JSON output is one of my favorite features of any tool, as JSON is usually a format I can quickly get into another tool if need be. There’s also a --pretty option, just in case you want to export JSON and read it that way.

Aside from helpful JSON output, Eric’s also implemented a neat little feature to provide a timeline. Using the --csv output not only provides a TSV (tab-separated) of the expected output, but also provides a timeline file that gives the recorded dates of program execution. Have a look:

Parsed output from PECmd.exe using the --csv flag

We could parse an entire directory of prefetch files and very quickly throw a timeline together to find execution events related to any suspicious or known-bad files. This is by far one of the easiest ways to use prefetch to identify other leads to run down.

Note that there is also a -q option that, when used together with --csv or --json, skips the stdout output and simply writes to the files.

A Quick Note About Windows 10

I made a note in yesterday’s post that Windows 10 implemented a new compression algorithm in prefetch files. Because of this, not all tools play nicely. PECmd luckily does; however, it requires Windows 8+ to parse Windows 10 prefetch files. This is due to reliance on a Windows API only available in Windows 8+. PECmd will give you an appropriate error if you try to parse Windows 10 prefetch files on systems older than Windows 8.
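To make the three points above concrete (the eight stored run times versus the run counter, the -k keyword match over the referenced files, the per-execution timeline built from a set of prefetch files, and the Windows 10 compression that needs a Windows 8+ API), here is an added Python example. It is my own code, not PECmd’s or Eric’s, and it makes some assumptions: the field offsets follow the published layout for prefetch versions 23 (Windows 7) and 26 (Windows 8.1), version 30 (Windows 10) is assumed to match 26 even though some Windows 10 builds move the run counter, the functions `parse_prefetch`, `keyword_hits`, `build_timeline` and `build_sample_prefetch` are hypothetical names, and the Windows 10 “MAM” decompression path calls ntdll’s RtlDecompressBufferEx through ctypes and therefore only works on Windows 8 or later, mirroring the restriction the post describes. The sample prefetch image and its run times are constructed in code so the example runs offline; the executable name and hash are taken from the CMD.EXE-D269B812.pf file used throughout the post.

```python
import ctypes
import struct
import sys
from datetime import datetime, timedelta, timezone

# Constructed example, not PECmd's code. Offsets follow the published prefetch
# layout for versions 23 (Win7) and 26 (Win8.1); version 30 (Win10) is assumed
# to match 26 here, although some Windows 10 builds move the run counter.
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
SCCA_SIGNATURE = b"SCCA"
MAM_SIGNATURE = b"MAM\x04"     # header of a Windows 10 compressed prefetch file
XPRESS_HUFF = 4                # COMPRESSION_FORMAT_XPRESS_HUFF for ntdll
# version -> (number of stored run times, offset of first run time, offset of run count)
LAYOUT = {23: (1, 0x80, 0x98), 26: (8, 0x80, 0xD0), 30: (8, 0x80, 0xD0)}


def filetime_to_datetime(ft):
    """FILETIME (100 ns ticks since 1601) to an aware UTC datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def decompress_win10(data):
    """Expand a MAM-compressed file with ntdll's RtlDecompressBufferEx (Windows 8+ only)."""
    if sys.platform != "win32":
        raise RuntimeError("Windows 10 prefetch decompression needs the Windows 8+ ntdll API")
    size = struct.unpack_from("<I", data, 4)[0]          # decompressed size follows "MAM\x04"
    ntdll = ctypes.windll.ntdll
    ws, frag = ctypes.c_ulong(0), ctypes.c_ulong(0)
    if ntdll.RtlGetCompressionWorkSpaceSize(ctypes.c_ushort(XPRESS_HUFF), ctypes.byref(ws), ctypes.byref(frag)):
        raise OSError("RtlGetCompressionWorkSpaceSize failed")
    out, final = ctypes.create_string_buffer(size), ctypes.c_ulong(0)
    payload = data[8:]
    if ntdll.RtlDecompressBufferEx(ctypes.c_ushort(XPRESS_HUFF), out, ctypes.c_ulong(size),
                                   payload, ctypes.c_ulong(len(payload)), ctypes.byref(final),
                                   ctypes.create_string_buffer(ws.value)):
        raise OSError("RtlDecompressBufferEx failed")
    return out.raw[:final.value]


def parse_prefetch(data):
    """Return executable name, hash, run count, stored run times and referenced files."""
    if data[:4] == MAM_SIGNATURE:
        data = decompress_win10(data)
    version, sig = struct.unpack_from("<I4s", data, 0)
    if sig != SCCA_SIGNATURE or version not in LAYOUT:
        raise ValueError("not a supported prefetch file")
    name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    pf_hash = struct.unpack_from("<I", data, 0x4C)[0]
    n_times, time_off, count_off = LAYOUT[version]
    run_times = [filetime_to_datetime(ft) for (ft,)
                 in struct.iter_unpack("<Q", data[time_off:time_off + 8 * n_times]) if ft]
    run_count = struct.unpack_from("<I", data, count_off)[0]
    str_off, str_len = struct.unpack_from("<II", data, 0x64)   # filename strings section
    files = [s for s in data[str_off:str_off + str_len].decode("utf-16-le").split("\x00") if s]
    return {"name": name, "hash": f"{pf_hash:08X}", "version": version, "run_count": run_count,
            "run_times": run_times, "files": files,
            # more executions than stored timestamps: the ring of eight has wrapped
            "cache_saturated": run_count > len(run_times)}


def keyword_hits(record, keyword):
    """Case-insensitive equivalent of the -k highlight, applied to the referenced files."""
    k = keyword.lower()
    return [f for f in record["files"] if k in f.lower()]


def build_timeline(records):
    """Flatten every stored run time across records into (time, exe) rows, oldest first."""
    return sorted((t, r["name"]) for r in records for t in r["run_times"])


def build_sample_prefetch(version, name, pf_hash, run_times, run_count, files):
    """Assemble a synthetic, uncompressed prefetch image (constructed test data)."""
    n_times, time_off, count_off = LAYOUT[version]
    strings = "".join(f + "\x00" for f in files).encode("utf-16-le")
    str_off = 0x140                       # past the longest (v26/v30) header
    buf = bytearray(str_off + len(strings))
    struct.pack_into("<I4s", buf, 0, version, SCCA_SIGNATURE)
    struct.pack_into("<I", buf, 0x0C, len(buf))
    buf[0x10:0x10 + 60] = name.encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", buf, 0x4C, pf_hash)
    struct.pack_into("<II", buf, 0x64, str_off, len(strings))
    for i, t in enumerate(run_times[:n_times]):      # most recent first, as Windows writes them
        struct.pack_into("<Q", buf, time_off + 8 * i, datetime_to_filetime(t))
    struct.pack_into("<I", buf, count_off, run_count)
    buf[str_off:] = strings
    return bytes(buf)


if __name__ == "__main__":
    base = datetime(2016, 12, 29, 15, 0, tzinfo=timezone.utc)
    cmd = build_sample_prefetch(26, "CMD.EXE", 0xD269B812,
                                [base - timedelta(hours=h) for h in range(8)], 12,
                                [r"\VOLUME{1}\WINDOWS\SYSTEM32\CMD.EXE",
                                 r"\VOLUME{1}\USERS\ANALYST\APPDATA\LOCAL\TEMP\X.TMP"])
    rec = parse_prefetch(cmd)
    print(rec["name"], rec["hash"], rec["run_count"], "saturated:", rec["cache_saturated"])
    print(keyword_hits(rec, "appdata"))
    for when, exe in build_timeline([rec]):
        print(when.isoformat(), exe)
```

The `cache_saturated` flag is the check the post asks for: when the run counter exceeds the number of stored timestamps, the eight-slot history has wrapped and the earliest executions are gone, so the timeline only covers the most recent runs of that program. Feed `build_timeline` the records from a whole Prefetch directory and you get the same kind of execution timeline the --csv output produces.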

Until tomorrow, Happy Forensicating!

