These are valuable to forensic investigators as they indicate which applications have been run on a system. When a program is first executed on a Windows machine (from XP onwards), a prefetch file is created which helps to speed up the starting of the application in the future.
Even if a program has since been deleted, its Prefetch file is likely still present. Prefetch files can help to identify the root cause of an incident, or to show that a malicious file was at one stage downloaded and executed on the system.
The file name comprises the name of the executable, followed by a hyphen and an eight-character hexadecimal hash derived from the path the application was run from, with a .pf extension. Because the hash depends on the path, the same program run from two different locations produces two different Prefetch files. As an example, if you were to execute notepad, the prefetch file would be named:
What details can be found in a Prefetch file
- The name of the executable
- The number of times the application has been run
- A timestamp indicating the last time the program was run (Windows 8 and later keep the last eight run times)
- A list of the files, mostly DLLs, that the executable loaded shortly after it started
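As an added example (not code from the original post, and not from any Prefetch tool mentioned on this page), here is a small Python parser that pulls those fields out of a Windows XP (format version 17) or Vista/7 (format version 23) Prefetch file and rebuilds the expected NAME-HASH.pf filename from the header, which is a quick way to spot a file that has been renamed. The field offsets are the documented XP and Windows 7 layouts; Windows 8 files (eight last-run timestamps) and Windows 10 files (compressed, so the SCCA signature is not at the start) are rejected rather than guessed at. The sample .pf image at the bottom is constructed in code, not captured from a system, and its hash value, timestamp and file list are made up.

```python
import struct
from datetime import datetime, timedelta, timezone

SIGNATURE = b"SCCA"
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# File offsets of the fields read below, per Prefetch format version.
# 17 = Windows XP/2003, 23 = Windows Vista/7. Versions 26 (Windows 8)
# and 30 (Windows 10, MAM-compressed) are deliberately unsupported.
LAYOUT = {
    17: {"last_run": 120, "run_count": 144, "info_size": 68},
    23: {"last_run": 128, "run_count": 152, "info_size": 156},
}


def filetime_to_datetime(ft):
    """FILETIME is 100 ns ticks since 1601-01-01 UTC."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000


def parse_prefetch(data):
    """Return the forensically interesting fields of a v17/v23 .pf file."""
    version, sig, _unknown, file_size = struct.unpack_from("<I4sII", data, 0)
    if sig != SIGNATURE:
        raise ValueError("not an uncompressed Prefetch file: SCCA signature missing")
    if version not in LAYOUT:
        raise NotImplementedError(f"Prefetch format version {version} is not handled here")
    if file_size != len(data):
        raise ValueError(f"header says {file_size} bytes, got {len(data)}")
    # 60-byte NUL-terminated UTF-16LE executable name at offset 16
    exe_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    prefetch_hash, = struct.unpack_from("<I", data, 76)
    # File information block starts at 84; filename strings offset/size at +16/+20
    strings_off, strings_size = struct.unpack_from("<II", data, 100)
    if strings_off + strings_size > len(data):
        raise ValueError("filename strings block runs past end of file")
    last_run_ft, = struct.unpack_from("<Q", data, LAYOUT[version]["last_run"])
    run_count, = struct.unpack_from("<I", data, LAYOUT[version]["run_count"])
    blob = data[strings_off:strings_off + strings_size].decode("utf-16-le")
    loaded = [s for s in blob.split("\x00") if s]
    return {
        "version": version,
        "exe_name": exe_name,
        "hash": prefetch_hash,
        "expected_filename": f"{exe_name}-{prefetch_hash:08X}.pf",
        "last_run": filetime_to_datetime(last_run_ft),
        "run_count": run_count,
        "loaded_files": loaded,
        "dlls": [s for s in loaded if s.upper().endswith(".DLL")],
    }


def filename_matches(pf_filename, parsed):
    """True if the on-disk name agrees with the name and hash stored inside the file."""
    return pf_filename.upper() == parsed["expected_filename"].upper()


def build_sample_prefetch(exe_name, prefetch_hash, last_run, run_count, loaded_files):
    """Constructed v23 (Windows 7 layout) .pf image for offline testing; not a real capture."""
    strings = "".join(f + "\x00" for f in loaded_files).encode("utf-16-le")
    strings_off = 84 + LAYOUT[23]["info_size"]  # 240, as in real Windows 7 files
    file_size = strings_off + len(strings)
    header = struct.pack("<I4sII", 23, SIGNATURE, 0x11, file_size)
    header += exe_name.encode("utf-16-le").ljust(60, b"\x00")
    header += struct.pack("<II", prefetch_hash, 0)
    info = struct.pack("<9I", strings_off, 0, strings_off, 0,  # empty metrics/trace arrays
                       strings_off, len(strings),              # filename strings block
                       file_size, 0, 0)                         # no volume information
    info += b"\x00" * 8
    info += struct.pack("<Q", datetime_to_filetime(last_run))  # offset 128
    info += b"\x00" * 16
    info += struct.pack("<I", run_count)                        # offset 152
    info += b"\x00" * (LAYOUT[23]["info_size"] - len(info))
    return header + info + strings


# Constructed sample data (made-up hash, time and file list)
SAMPLE_LAST_RUN = datetime(2013, 4, 5, 14, 30, 0, tzinfo=timezone.utc)
SAMPLE_FILES = [
    "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
    "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\KERNEL32.DLL",
    "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NOTEPAD.EXE",
    "\\DEVICE\\HARDDISKVOLUME1\\USERS\\ALICE\\DOCUMENTS\\NOTES.TXT",
]
SAMPLE_PF = build_sample_prefetch("NOTEPAD.EXE", 0x1A2B3C4D, SAMPLE_LAST_RUN, 7, SAMPLE_FILES)

if __name__ == "__main__":
    info = parse_prefetch(SAMPLE_PF)
    print(info["expected_filename"], "runs:", info["run_count"], "last:", info["last_run"])
    for dll in info["dlls"]:
        print("   ", dll)
```

To use it on a real file, read the .pf from disk in binary mode and pass the bytes to parse_prefetch, then compare the on-disk name with filename_matches: a mismatch means the file was renamed or copied from elsewhere, which is itself worth noting in a report. The loaded-file list also includes data files the program opened (here the .TXT), so filtering on .DLL is only one view of it.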
Where can I find them
They are stored in the Prefetch directory under the Windows installation, normally C:\Windows\Prefetch, with a .pf extension. If the folder is empty, check whether prefetching has been turned off: it is disabled by default on Windows Server editions, and the setting is the EnablePrefetcher value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters.
How can I view them
The Windows Prefetch Viewer application is very good; it is also portable and does not require installing, which makes it great for USB drives and mobile forensic kits.
Download it here:
Viewing of the prefetch files is shown below. As you can see, the selected file provides details of its location on the disk, the number of times it was run and the last run time. In the bottom panel is a list of the DLLs it relies on.