Windows Prefetch Files

These are valuable to forensic investigators because they indicate which applications have been run on a system. When a program is first executed on a Windows machine (from XP onwards), a prefetch file is created that speeds up subsequent launches of that application.

If a program has been deleted, its prefetch file is likely still present. Prefetch files can help identify the root cause of an incident, or show that a malicious file was at some stage downloaded or executed on the system.

Prefetch Filenames

The filename is the application name, followed by an eight-character hash derived from the path the application was run from. For example, executing Notepad produces a prefetch file named:

NOTEPAD.EXE-03DA9A3F.pf

What details can be found in a Prefetch file

  • The name of the executable
  • The number of times the application has been run
  • A timestamp indicating the last time the program was run
  • A list of DLLs used by the executable


Where can I find them

In %SystemRoot%\Prefetch
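The filename convention and the header fields listed above, as an added Python example that is not from the original post or from any tool it links. It assumes the publicly documented uncompressed prefetch header layout (version at offset 0, "SCCA" signature at 4, UTF-16LE executable name at 16..76, path hash at 76); the sample header bytes are constructed here, not taken from a real system.

```python
import os
import re
import struct
from datetime import datetime, timezone

# Filename layout from the post: <EXECUTABLE>-<8 hex chars of path hash>.pf
PF_NAME_RE = re.compile(r"^(?P<exe>.+)-(?P<hash>[0-9A-Fa-f]{8})\.pf$")

# Constructed 84-byte header of an uncompressed prefetch file (assumed layout,
# see lead-in). Not a real file captured from any system.
SAMPLE_HEADER = (
    struct.pack("<I", 23)                                   # version 23 = Vista/7
    + b"SCCA"                                               # file signature
    + struct.pack("<II", 0x11, 84)                          # unknown field, file size
    + "NOTEPAD.EXE".encode("utf-16-le").ljust(60, b"\x00")  # executable name, padded
    + struct.pack("<I", 0x03DA9A3F)                         # hash from the filename above
    + b"\x00" * 4                                           # flags (not used here)
)

def parse_prefetch_name(name):
    """Split 'NOTEPAD.EXE-03DA9A3F.pf' into ('NOTEPAD.EXE', '03DA9A3F'); None if not a .pf name."""
    m = PF_NAME_RE.match(name)
    if not m:
        return None
    return m.group("exe").upper(), m.group("hash").upper()

def parse_prefetch_header(data):
    """Return version, executable name and path hash from the header of an uncompressed file.
    Run count and last-run timestamps sit at version-specific offsets and are not read here."""
    if len(data) < 84:
        raise ValueError("too short to be a prefetch file")
    if data[:3] == b"MAM":
        raise ValueError("Windows 10+ compressed prefetch (MAM); decompress before parsing")
    version, signature = struct.unpack_from("<I4s", data, 0)
    if signature != b"SCCA":
        raise ValueError("missing SCCA signature; not a prefetch file")
    exe = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    path_hash = struct.unpack_from("<I", data, 76)[0]
    return {"version": version, "executable": exe, "hash": f"{path_hash:08X}"}

def inventory(prefetch_dir=os.path.expandvars(r"%SystemRoot%\Prefetch")):
    """List .pf files newest first; the file mtime approximates the last run time."""
    rows = []
    for name in os.listdir(prefetch_dir):
        parsed = parse_prefetch_name(name)
        if parsed is None:
            continue
        mtime = os.stat(os.path.join(prefetch_dir, name)).st_mtime
        rows.append((datetime.fromtimestamp(mtime, tz=timezone.utc), *parsed, name))
    return sorted(rows, reverse=True)

if __name__ == "__main__":
    for when, exe, path_hash, name in inventory():
        print(when.isoformat(timespec="seconds"), exe, path_hash, name)
```

Running the script on a Windows host prints a quick triage timeline of the Prefetch directory; parse_prefetch_header can be pointed at an individual file's bytes to confirm the executable name and hash match its filename.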


How can I view them

The Windows Prefetch Viewer application (WinPrefetchView from NirSoft) is very good. It is also portable and does not require installation, which makes it handy for USB drives and mobile forensic kits.

Download it here:

32-bit: http://www.nirsoft.net/utils/winprefetchview.zip

64-bit: http://www.nirsoft.net/utils/winprefetchview-x64.zip

A view of the prefetch files is shown below: the selected file provides details of its location on disk, the number of times it was run and the last run time. The bottom panel lists the DLLs it relies on.

Read More

https://www.forensicswiki.org/wiki/Windows_Prefetch_File_Format

https://www.magnetforensics.com/computer-forensics/forensic-analysis-of-prefetch-files-in-windows/

