# Prefetch

{% embed url="<https://www.hackingarticles.in/forensic-investigation-prefetch-file/>" %}

{% embed url="<https://psmths.gitbook.io/windows-forensics/artifacts-by-type/filesystem-artifacts/prefetch>" %}

### Operating System Availability

| Major Version | Support | Major Version | Support |
| ------------- | ------- | ------------- | ------- |
| Windows 11    | ✅       | Server 2019   | ⚠️      |
| Windows 10    | ✅       | Server 2016   | ⚠️      |
| Windows 8     | ✅       | Server 2012   | ⚠️      |
| Windows 7     | ✅       | Server 2008   | ⚠️      |
| Windows Vista | ✅       | Server 2003   | ⚠️      |
| Windows XP    | ✅       |               |         |

{% hint style="warning" %}
Windows Server systems do not have Prefetch enabled by default.
{% endhint %}

### File Location

* C:\Windows\Prefetch

<figure><img src="/files/nm9bPs61tvE3PAHZH7Qd" alt=""><figcaption><p>Example of Prefetch files</p></figcaption></figure>

### Parsing Data

PECmd can parse either a whole directory (`-d`) or a single prefetch file (`-f`).

```powershell
PECmd.exe -d C:\Windows\Prefetch
PECmd.exe -f C:\Windows\Prefetch\filename.pf
```

<figure><img src="/files/hxaNTRFkqHthBNGvIHi9" alt=""><figcaption><p>Parsed Data</p></figcaption></figure>

### Timeline Parsing

Parse the entire Prefetch directory and output a timeline. Every recorded execution time of each entry is written to the CSV, which populates the timeline.

```powershell
pecmd -d E:\C\Windows\prefetch -q --csvf baserd01-prefetch.csv --csv G:\execution
```

<figure><img src="/files/CjAej8mIrhgWOryxOKfs" alt=""><figcaption></figcaption></figure>

{% embed url="<https://bromiley.medium.com/tooling-thursday-pecmd-83d1d6d6346b>" %}

### Considerations

* Tracks the last 8 execution times (the last 7 run timestamps plus the initial run, given by the prefetch file's creation date).
* Contains the total number of times the executable has run.
* Subtract approximately 10 seconds from the prefetch file's MACB timestamps to get the initial execution time, because Prefetch records the first 10 seconds of execution before the file is written.
* C:\Windows\Prefetch records executions of both 64-bit and 32-bit executables.
* The hash at the end of the filename is derived from the executable's full path and command line.
  * Files that will always have multiple prefetch entries:
    * MMC
    * RunDll
    * Svchost
    * Cmd
    * Dllhost
* Tracks the files the executable interacted with; the prefetch file of a compression tool can therefore reveal which files were compressed.
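Because the hash in the filename covers the executable's full device path, a `.pf` name found on disk can be checked against the locations a program is expected to run from. The following is an added example, not code from this page or from PECmd; it implements the Vista/2008+ prefetch hash as described in the public libscca format documentation (an assumption about the host's variant; XP uses a different function, and the command-line component folded in for hosting executables such as svchost.exe is not modelled), with a constructed sample `.pf` name.

```python
# Added example (not from the page): recompute the hash Windows appends to a
# prefetch filename (EXENAME-XXXXXXXX.pf) from the executable's full device
# path, following the Vista/2008+ hash in the public libscca documentation.
# Assumption: the host uses that variant; the command-line component used by
# hosting executables (svchost, rundll32, ...) is not modelled.

def scca_hash(device_path: str) -> int:
    """Vista+ prefetch hash of an upper-cased NT device path."""
    h = 314159
    for ch in device_path.upper():
        h = (h * 37 + ord(ch)) & 0xFFFFFFFF
    return h


def scca_hash_unrolled(device_path: str) -> int:
    """Same hash in the eight-characters-at-a-time form documented for 2008+.
    442596621 == 37**7 and -803794207 == 37**8 modulo 2**32, so both forms
    agree; keeping both acts as a self-check on the constants."""
    s = device_path.upper()
    h, i, n = 314159, 0, len(s)
    while i + 8 < n:
        c = ord(s[i + 1]) * 37
        for k in range(2, 7):
            c = (c + ord(s[i + k])) * 37
        c += ord(s[i]) * 442596621 + ord(s[i + 7])
        h = (c - h * 803794207) & 0xFFFFFFFF
        i += 8
    while i < n:  # trailing characters are folded one at a time
        h = (h * 37 + ord(s[i])) & 0xFFFFFFFF
        i += 1
    return h


def prefetch_name(device_path: str) -> str:
    """Expected .pf filename for an executable at device_path, e.g.
    \\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\SVCHOST.EXE."""
    exe = device_path.upper().rsplit("\\", 1)[-1]
    return f"{exe}-{scca_hash(device_path):08X}.pf"


def matching_paths(pf_filename: str, candidates: list[str]) -> list[str]:
    """Candidate device paths whose prefetch name equals pf_filename. The hash
    covers volume and directory, so a copy run from another folder differs."""
    return [p for p in candidates if prefetch_name(p).upper() == pf_filename.upper()]


if __name__ == "__main__":
    # Constructed sample: a .pf name seen in C:\Windows\Prefetch, checked
    # against the locations the executable is expected to run from.
    candidates = [r"\DEVICE\HARDDISKVOLUME2\WINDOWS\SYSTEM32\SVCHOST.EXE",
                  r"\DEVICE\HARDDISKVOLUME2\USERS\PUBLIC\SVCHOST.EXE"]
    seen = prefetch_name(candidates[1])
    print(seen, "->", matching_paths(seen, candidates))
```

A hit on a non-standard folder (or no hit at all) is the signal to pull the executable path out of the parsed prefetch file itself and compare; note that the volume number in the device path changes the hash too.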

### Anti Forensics

Deleting prefetch files is a common anti-forensics technique: once deleted, they are not repopulated when the applications are run again.

<figure><img src="/files/MRnBGCn3jKjR1skl5Kbi" alt=""><figcaption><p>Evidence of prefetch wiping.</p></figcaption></figure>

<figure><img src="/files/fM0GtXPlYeb2sO4Z7lcX" alt=""><figcaption><p>All prefetch files wiped, may be referenced in the file.</p></figcaption></figure>
