Superfetch: the famous unknown spy

ORIGINAL PAPER

Mathilde Venault · Baptiste David

Received: 11 July 2020 / Accepted: 28 September 2020
© Springer-Verlag France SAS, part of Springer Nature 2020

Abstract

Since Windows Vista, Microsoft has shipped a service called SysMain, formerly known as Superfetch. It analyzes and records the user's daily software use in order to speed up his or her experience of the operating system. However, the same service makes it possible to track which programs were run and which private files were opened, such as movies or confidential documents, to reveal a user's activity over time, and to map directory trees. More than a privacy issue, this makes it a reliable source for forensic analysis. The service is also often misunderstood, because of its scant documentation and the myths surrounding it, which quickly complicates any investigation. This paper is an extended version of the talk presented at Black Hat USA 2020: it aims at debunking partial and false claims about SysMain and its files. It examines the service's architecture in detail, analyzes its mechanisms and explains how it operates. It documents the format of all the prefetch files, which has so far been either undocumented or obsolete. In addition, it illustrates concrete forensic cases in which SysMain turns out to be useful.

Keywords Superfetch · SysMain · Prefetch

Mathilde Venault and Baptiste David: Laboratoire de Virologie et de Cryptologie Opérationnelles, ESIEA, Laval, France

1 Introduction

1.1 Vocabulary and history

The notion of a Prefetcher appeared in 2001 in US patent 6,633,968 [1], announcing the technique that would become part of Windows XP. Under Windows Vista, another component called Superfetch was added to the algorithm and the service was renamed after this improvement, a name it kept until Windows 10. In that version the service was renamed SysMain, a change Microsoft did not explain [2]. On Windows 10, Superfetch is only one part of SysMain, which is the name of the whole service and includes, among other parts, the Prefetcher and Superfetch. Because the name changed only with Windows 10, the whole algorithm is commonly, though erroneously, called Superfetch.

1.2 Goals and mechanisms

The main goal of the service is to increase the speed of the user experience. To this end, SysMain focuses on two aspects:

• booting faster;
• gaining time from the start-up to the closure of any process.

To boot as fast as possible, SysMain frequently computes the “optimal layout”, that is, the order in which files are to be loaded into memory at boot. This list is established during idle states: whenever CPU, disk and memory utilization fall below a certain percentage, the service carries out non-urgent operations such as the optimal-layout computation. The result is written to C:\Windows\Prefetch\Layout.ini (Fig. 1). Speeding up application use, on the other hand, relies on the mechanism of reducing page fa