
Superfetch: the famous unknown spy

Original Paper, Journal of Computer Virology and Hacking Techniques

Abstract

Since Windows Vista, Microsoft has shipped a service called SysMain, formerly known as Superfetch. It analyzes and records the user's daily software use in order to speed up his or her experience of the operating system. However, the same records make it possible to track which software was run and which private files were opened, such as movies or confidential documents, to reconstruct the user's activity over time and to map directories. Beyond the privacy issue, this makes SysMain a reliable source of evidence in forensic analysis. The service is nonetheless often misunderstood, because it is sparsely documented and surrounded by myths, which quickly complicates investigation. This paper is an extended version of the talk presented at Black Hat USA 2020: it aims at debunking partial and false claims about SysMain and its files. It examines the architecture of the service in detail, analyzes its mechanisms and explains how it operates. It details the format of all the prefetch files, whose documentation has so far been either missing or obsolete. Finally, it illustrates concrete forensic cases in which SysMain turns out to be useful.




Corresponding author: Mathilde Venault.


Cite this article

Venault, M., David, B. Superfetch: the famous unknown spy. J Comput Virol Hack Tech 17, 91–104 (2021). https://doi.org/10.1007/s11416-020-00370-y
