Sunday, July 5, 2015

Windows 10 Prefetch - Solving the puzzle

Scenario
In this scenario, a user is suspected of having exfiltrated data via FTP. However, looking at the computer's Control Panel, there is no FTP application installed, and there is no sign of one in the Program Files directory either. So what do we do next? I'm glad you asked!

What is the prefetch?
According to Microsoft "Each time you turn on your computer, Windows keeps track of the way your computer starts and which programs you commonly open."

Checking to see if prefetch is enabled.


The screenshot above shows the registry value "EnablePrefetcher" (a REG_DWORD under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters) with a value of 0x3.
A value of 0x3 means "Application launch and Boot Prefetching enabled".

The other possible values are:
0 – Prefetcher disabled
1 – Application launch prefetching enabled
2 – Boot prefetching enabled


Now that we know that prefetching is enabled, let's look to see what entries may be there.



Boom!! There it is, we have an entry for FileZilla.

Now we know that, although no FTP application is currently installed, an FTP application (FileZilla) was executed on this machine at least once. A program that was later uninstalled, or that ran as a portable copy or from removable media, still leaves its .pf file behind, which is exactly why prefetch catches what the Control Panel and Program Files miss.

In the next post we'll look at what else we can learn about its execution.
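The two checks above (reading the EnablePrefetcher value and listing the prefetch folder), as an added PowerShell example that is not part of the original post. It assumes a live Windows 10 host, an elevated prompt (the Prefetch folder is not readable by standard users), and a hypothetical list of FTP client executable names to match against; the registry path and the .pf naming convention are the real ones.

```powershell
# Added example, not code from the original post. Assumes a live Windows 10 host
# and an elevated PowerShell prompt. The FTP client list below is an assumption
# made for this scenario.

$prefetchKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters'
$enable = (Get-ItemProperty -Path $prefetchKey -Name EnablePrefetcher).EnablePrefetcher

$meaning = switch ($enable) {
    0 { 'Prefetcher disabled' }
    1 { 'Application launch prefetching enabled' }
    2 { 'Boot prefetching enabled' }
    3 { 'Application launch and boot prefetching enabled' }
    default { 'Unexpected value' }
}
Write-Output ('EnablePrefetcher = 0x{0:X} ({1})' -f $enable, $meaning)

# Without application launch prefetching (values 0 and 2) no .pf files are written
# for started programs, so an empty folder would not prove that nothing ran.
if (($enable -band 1) -eq 0) {
    Write-Warning 'Application launch prefetching is off; absence of .pf entries is not evidence of absence.'
}

# Each .pf file is named <EXENAME>-<8 hex digit hash>.pf, where the hash is derived
# from the executable's full path. The file's creation time approximates the first
# run and its last write time approximates the most recent run, because the .pf
# is rewritten shortly after each launch.
$prefetchDir = Join-Path $env:SystemRoot 'Prefetch'
$entries = Get-ChildItem -Path $prefetchDir -Filter '*.pf' -ErrorAction Stop |
    Select-Object Name,
        @{ Name = 'Executable'; Expression = { $_.Name -replace '-[0-9A-F]{8}\.pf$', '' } },
        @{ Name = 'PathHash';   Expression = { $_.Name -replace '^.*-([0-9A-F]{8})\.pf$', '$1' } },
        CreationTime, LastWriteTime, Length

# Full listing, most recently run first
$entries | Sort-Object LastWriteTime -Descending | Format-Table -AutoSize

# Hunt for the FTP clients relevant to the scenario (assumed list)
$ftpClients = 'FILEZILLA.EXE', 'WINSCP.EXE', 'FTP.EXE'
$hits = $entries | Where-Object { $ftpClients -contains $_.Executable }
if ($hits) {
    Write-Output 'FTP client prefetch entries found:'
    $hits | Format-Table Executable, PathHash, CreationTime, LastWriteTime -AutoSize
} else {
    Write-Output 'No prefetch entries for the listed FTP clients.'
}
```

This only reads file system metadata (names and timestamps) of the .pf files; it does not open their contents, so it answers "did it run" rather than "how did it run". Because the hash is computed from the full path, the same executable started from two different locations produces two separate .pf files, which is worth keeping in mind when you match on the executable name alone.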


References:
https://msdn.microsoft.com/en-us/library/ms940847(v=winembedded.5).aspx
http://windows.microsoft.com/en-us/windows-vista/what-is-the-prefetch-folder
