Superfetch: the famous unknown spy

Authors :
Mathilde Venault
Baptiste David
Source :
Journal of Computer Virology and Hacking Techniques. 17:91-104
Publication Year :
2020
Publisher :
Springer Science and Business Media LLC, 2020.

Abstract

Since Windows Vista, Microsoft has offered us a new life companion called SysMain, formerly known as Superfetch. This is a service which analyzes and records the user's daily software use in order to speed up his or her experience on the operating system. However, this service also makes it possible to track the software used and the private files viewed, such as movies or confidential documents, to reveal the user's activities over time and to map directories. More than just a privacy issue, this constitutes a reliable approach in forensic analysis. Furthermore, this service is often misunderstood because of its sparse documentation and the myths surrounding it, which quickly complicates any investigation. This paper is an extended version of the talk presented at Black Hat USA 2020: it aims at debunking partial and false claims about SysMain and its files. This paper will examine its architecture in detail, analyze its mechanisms and explain its operating method. It will detail the format of all the prefetch files, which have so far been either undocumented or documented only in obsolete form. In addition, this paper will illustrate concrete forensic cases in which SysMain turns out to be useful.

Details

ISSN :
22638733
Volume :
17
Database :
OpenAIRE
Journal :
Journal of Computer Virology and Hacking Techniques
Accession number :
edsair.doi...........dc79028b2201629f5bf0b72371e90663
Full Text :
https://doi.org/10.1007/s11416-020-00370-y