Abstract

Since Windows Vista, Microsoft has shipped a new life companion called SysMain, formerly known as Superfetch. This service analyzes and records the user's daily software use in order to speed up his or her experience of the operating system. However, the same service makes it possible to track which software was used and which private files were opened, such as movies or confidential documents, to reveal a user's activity over time, and to map directories. More than just a privacy issue, this makes it a reliable source of evidence in forensic analysis. Furthermore, the service is often misunderstood because of its sparse documentation and the myths surrounding it, which quickly complicates an investigation. This paper is an extended version of the talk presented at Black Hat USA 2020: it aims at debunking partial and false claims about SysMain and its files. It examines the service's architecture in detail, analyzes its mechanisms and explains how it operates. It details the format of all the prefetch files, which have so far been undocumented or documented only in obsolete form. In addition, the paper illustrates concrete forensic cases in which SysMain turns out to be useful.
