Tags: prefetch forensic 


# Fetch


For this challenge we get a file type I haven't seen before, a Windows Imaging (WIM) image:


After some research with Google, we find that there are tools we can use to parse these in Linux and in Windows. Initially I install `wimtools`.

```bash
sudo apt-get install wimtools
```
After that I mounted it to a folder and found a bunch of prefetch files:


I read some articles trying to find some easy ways of parsing the information in these files as there were quite a few, a real "needle in a haystack" situation.


Eventually I found this Windows tool as it was easier for me to have a GUI in this instance:

My aim was to look into the prefetch files of programs that take user input, like notepad, cmd and powershell, and eventually I found wordpad:
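The triage described above, turned into a small script as an added example (this is not part of the original writeup and not a tool the author used). It walks a directory of `.pf` files, keeps only the executables on the "takes user input" list, and reads the first bytes of each file to say whether it is a Windows 10 style compressed prefetch (`MAM\x04` signature followed by the uncompressed size) or an older uncompressed one (`SCCA` signature at offset 4, executable name as UTF-16LE at offset 0x10, prefetch hash at offset 0x4C). The sample prefetch files it creates in a temporary directory are constructed for the demo; the executable names, hashes and sizes in them are made up.

```python
import struct
import tempfile
from pathlib import Path

# Executables whose prefetch entries record what a user opened or typed,
# the same shortlist the writeup starts from.
INTERESTING = ("NOTEPAD", "CMD", "POWERSHELL", "WORDPAD")


def parse_pf_name(filename):
    """Split 'NAME.EXE-HASH.pf' into (executable name, hash string), or None."""
    if not filename.lower().endswith(".pf"):
        return None
    exe, sep, digest = filename[:-3].rpartition("-")
    if not sep or len(digest) != 8:
        return None
    return exe, digest.upper()


def inspect_header(data):
    """Classify the start of a prefetch file from its first 0x50 bytes."""
    if data[:4] == b"MAM\x04":
        # Windows 10: LZXPRESS-Huffman payload, uncompressed size at offset 4.
        size = struct.unpack_from("<I", data, 4)[0]
        return {"format": "mam", "uncompressed_size": size}
    if len(data) >= 0x50 and data[4:8] == b"SCCA":
        # Uncompressed layout: version at 0, 60-byte UTF-16LE name at 0x10,
        # prefetch hash at 0x4C.
        version = struct.unpack_from("<I", data, 0)[0]
        raw_name = data[0x10:0x10 + 60]
        name = raw_name.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
        pf_hash = struct.unpack_from("<I", data, 0x4C)[0]
        return {"format": "scca", "version": version, "exe": name,
                "hash": f"{pf_hash:08X}"}
    return {"format": "unknown"}


def triage_prefetch_dir(directory, interesting=INTERESTING):
    """Return header info for every interesting .pf file in a directory."""
    results = []
    for path in sorted(Path(directory).glob("*.pf")):
        parsed = parse_pf_name(path.name)
        if parsed is None:
            continue
        exe, digest = parsed
        if exe.split(".")[0].upper() not in interesting:
            continue
        with open(path, "rb") as fh:
            head = fh.read(0x50)
        info = inspect_header(head)
        results.append({"file": path.name, "exe": exe, "name_hash": digest, **info})
    return results


def build_scca_sample(exe_name, pf_hash, version=23):
    """Constructed uncompressed prefetch header (hypothetical sample data)."""
    name = exe_name.encode("utf-16-le").ljust(60, b"\x00")
    header = struct.pack("<I4sII", version, b"SCCA", 0x11, 0x1000)
    return (header + name + struct.pack("<I", pf_hash)).ljust(0x1000, b"\x00")


def demo():
    """Write three constructed .pf files and triage them."""
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        # Constructed Windows 10 style file: MAM header claiming 4096 bytes.
        (d / "CMD.EXE-ABCDEF01.pf").write_bytes(
            b"MAM\x04" + struct.pack("<I", 4096) + b"\x00" * 32)
        # Constructed older-format file with a readable SCCA header.
        (d / "WORDPAD.EXE-12345678.pf").write_bytes(
            build_scca_sample("WORDPAD.EXE", 0x12345678))
        # Not on the shortlist, so it should be skipped.
        (d / "SVCHOST.EXE-00000000.pf").write_bytes(
            build_scca_sample("SVCHOST.EXE", 0))
        return triage_prefetch_dir(d)


if __name__ == "__main__":
    for entry in demo():
        print(entry)
```

The header check is deliberately shallow: on Windows 10 and later every prefetch file is MAM-compressed, so the referenced file names (where a flag-like string would sit) are only visible after decompressing, which is what the GUI parser in the writeup does for you. Keep in mind that the file name hash in `NAME-HASH.pf` and the hash inside an SCCA header should agree; a mismatch is worth a second look.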


I used CyberChef to quickly convert it to lowercase:



Original writeup (https://github.com/LazyTitan33/CTF-Writeups/blob/main/Nahamcon2023/Forensics/Fetch.md).