Prefetch

Tracks execution of apps

Forensic Investigation : Prefetch FileHacking Articles

Prefetch | Windows Forensic Handbookpsmths.gitbook.io

Operating System Availability

Major Version	Support	Major Version	Support
Windows 11	✅	Server 2019	⚠️
Windows 10	✅	Server 2016	⚠️
Windows 8	✅	Server 2012	⚠️
Windows 7	✅	Server 2008	⚠️
Windows Vista	✅	Server 2003	⚠️
Windows XP	✅

Windows Server systems do not have Prefetch enabled by default.

File Location:

• C:\Windows\Prefetch

Example of Prefetch filesb

Parsing Data

Single file parsing and directory.

PECmd.exe -d C:\Windows\prefetch 
PECmd.exe -f C:\Windows\pretfetch\filename.pf

Parsed Data

Timeline Parsing

Parse entire prefetch and output a timeline. Will record the execution times of each entry and populate.

pecmd -f E:\C\Windows\prefetch -q --csvf baserd01-pretfetch.csv --csv G:\execution

Tooling Thursday: PECmdMedium

Considerations

• Tracks last 8 times executed (last 7 + initial prefetch file date creation).

• Contains total run times.

• Subtract approximately 10 seconds for initial from MCAB timestamps because it tracks first 10 seconds of execution.

• C:\Windows\Prefetch stores both 64bit and 32bit executable executions.

• Hash at the end of filename specifies file location path and command line.

  • Files that will always have multiple prefetch entries:

    • MMC

    • RunDll

    • Svchost

    • Cmd

    • Dllhost

• Tracks files the .exe interacted with, can discover files compressed in compression related prefetch files.

Anti Forensics

If prefetch files are deleted, they will not be repopulated when applications are run again. Common anti-forensics technique.

Evidence of prefetch wiping.

All prefetch files wiped, may be referenced in the file.