Fooling Windows through Superfetch

Video Link: https://www.youtube.com/watch?v=QrSvOpNccKg
Duration: 40:41

Mathilde Venault | Engineering Student, ESIEA
Baptiste David | PhD Student, ESIEA
Date: Thursday, August 6 | 10:00am-10:40am
Format: 40-Minute Briefings
Tracks: Data Forensics & Incident Response, Reverse Engineering

Have you ever tried to hide your traces after doing some obscure stuff on a computer? We usually think about cleaning histories, leftover files, the event viewer, the DNS cache, and registry keys, but have you ever thought about Superfetch?

This is a Windows service whose purpose is to speed up the user's experience. Superfetch analyzes the user's software usage so that it can prelaunch a process the next time the user is likely to need it. It also covers files used by the program, such as text documents, photos, and movies. In concrete terms, the service tracks every activity on the OS and records traces into files with a ".pf" extension, called scenarios. Whenever Superfetch wants to predict which program might be launched, it consults its prefetch files, computes probabilities, and then tries to predict the user's decisions. This constitutes a forensic gold mine for any governmental service or any malicious person, since it raises a very serious privacy issue.

In this talk, we will dive into the Superfetch architecture, explain how it operates, and debunk the myths surrounding it. In addition, we will detail the format of its inner files, which were undocumented or obsolete until now, and we will show how to fool the system by editing these files. To this end, we have built a tool that allows accessing and falsifying the data of the scenarios without Windows noticing. Afterwards, the system incorporates the falsified data and processes it as the original. Thanks to this trick, you will be able to hide traces of your activity, mislead forensic analysis, or even create false evidence on a computer. Your system believes it knows everything about you: the time has come to regain power.

Black Hat - USA - 2020 Hacking conference