Enable Prefetcher on Windows Server operating systems
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters" /v EnablePrefetcher /t REG_DWORD /d 3 /f
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Prefetcher" /v MaxPrefetchFiles /t REG_DWORD /d 8192 /f
powershell /c "Enable-MMAgent -OperationAPI"
The USN Journal records filesystem operations
Operations are recorded in the hidden NTFS file $Extend\$UsnJrnl:$J
The USN journal rolls over fairly quickly (approx. 30 MB)
Filtering the USN journal for prefetch file modifications gives useful timestamps related to program execution!
An attacker can completely delete the USN journal.
We are then forced to carve the disk for USN records!
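Added example (not from the original notes): a minimal carver that scans a raw byte buffer for USN_RECORD_V2 structures and keeps only the Prefetch (*.pf) entries, covering both the filtering and the carving points above. The function names, sample file names and timestamps are constructed for illustration; only V2 records are handled.

```python
import struct
from datetime import datetime, timedelta, timezone
# USN_RECORD_V2 fixed header: 60 bytes, little-endian; the UTF-16LE file name follows.
HDR = struct.Struct("<IHHQQqQIIIIHH")
EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME epoch
REASONS = {0x1: "DATA_OVERWRITE", 0x2: "DATA_EXTEND", 0x4: "DATA_TRUNCATION",
           0x100: "FILE_CREATE", 0x200: "FILE_DELETE", 0x80000000: "CLOSE"}
MAX_LEN = 576  # 60-byte header + 255 UTF-16 chars, rounded up to a multiple of 8
MAX_TS = (datetime.max.replace(tzinfo=timezone.utc) - EPOCH) // timedelta(microseconds=1) * 10

def carve_usn_v2(buf):
    """Yield (offset, utc_time, name, reasons) for each plausible V2 record in buf."""
    off = 0
    while off + HDR.size <= len(buf):
        (length, major, minor, _ref, _parent, _usn, ts, reason,
         _src, _sid, _attr, name_len, name_off) = HDR.unpack_from(buf, off)
        plausible = (major == 2 and minor == 0 and name_off == HDR.size
                     and name_len > 0 and name_len % 2 == 0
                     and HDR.size + name_len <= length <= MAX_LEN
                     and length % 8 == 0 and off + length <= len(buf)
                     and ts <= MAX_TS)
        if not plausible:
            off += 8  # records are 8-byte aligned, so slide one slot and retry
            continue
        start = off + name_off
        name = buf[start:start + name_len].decode("utf-16-le", "replace")
        when = EPOCH + timedelta(microseconds=ts // 10)  # FILETIME is in 100 ns ticks
        yield off, when, name, [n for bit, n in REASONS.items() if reason & bit]
        off += length

def prefetch_events(buf):
    """Keep only the records that refer to Prefetch files (*.pf)."""
    return [r for r in carve_usn_v2(buf) if r[2].lower().endswith(".pf")]

def build_record(name, when, reason):
    """Pack a constructed V2 record; used only to build the sample below."""
    raw = name.encode("utf-16-le")
    length = (HDR.size + len(raw) + 7) & ~7
    ts = (when - EPOCH) // timedelta(microseconds=1) * 10
    hdr = HDR.pack(length, 2, 0, 0, 0, 0, ts, reason, 0, 0, 0x20, len(raw), HDR.size)
    return (hdr + raw).ljust(length, b"\0")

# Constructed sample: slack bytes around three records, as in a carved disk region.
T = datetime(2024, 1, 15, 10, 30, tzinfo=timezone.utc)
SAMPLE = (b"\0" * 512 + build_record("EXAMPLE.EXE-1A2B3C4D.pf", T, 0x80000002)
          + b"\xff" * 24 + build_record("report.docx", T, 0x100)
          + build_record("TOOL.EXE-DEADBEEF.pf", T + timedelta(minutes=5), 0x80000200))
if __name__ == "__main__":
    for off, when, name, reasons in prefetch_events(SAMPLE):
        print(f"{off:#08x}  {when.isoformat()}  {name}  {'|'.join(reasons)}")
```

The same function works on an exported $J stream or on a raw image chunk read in 8-byte-aligned blocks; carved hits should be treated as candidates, since the header checks are heuristic.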