Prefetch

Tracks execution of apps

LogoForensic Investigation : Prefetch File - Hacking ArticlesHacking Articles
LogoPrefetchWindows Forensic Handbook

Operating System Availability

Major Version
Support
Major Version
Support

Windows 11

Server 2019

⚠️

Windows 10

Server 2016

⚠️

Windows 8

Server 2012

⚠️

Windows 7

Server 2008

⚠️

Windows Vista

Server 2003

⚠️

Windows XP

Windows Server systems do not have Prefetch enabled by default.

File Location:

  • C:\Windows\Prefetch

Example of Prefetch filesb

Parsing Data

Single file parsing and directory.

PECmd.exe -d C:\Windows\prefetch 
PECmd.exe -f C:\Windows\pretfetch\filename.pf
Parsed Data

Timeline Parsing

Parse entire prefetch and output a timeline. Will record the execution times of each entry and populate.

pecmd -f E:\C\Windows\prefetch -q --csvf baserd01-pretfetch.csv --csv G:\execution
LogoTooling Thursday: PECmdMedium

Considerations

  • Tracks last 8 times executed (last 7 + initial prefetch file date creation).

  • Contains total run times.

  • Subtract approximately 10 seconds for initial from MCAB timestamps because it tracks first 10 seconds of execution.

  • C:\Windows\Prefetch stores both 64bit and 32bit executable executions.

  • Hash at the end of filename specifies file location path and command line.

    • Files that will always have multiple prefetch entries:

      • MMC

      • RunDll

      • Svchost

      • Cmd

      • Dllhost

  • Tracks files the .exe interacted with, can discover files compressed in compression related prefetch files.

Anti Forensics

If prefetch files are deleted, they will not be repopulated when applications are run again. Common anti-forensics technique.

Evidence of prefetch wiping.
All prefetch files wiped, may be referenced in the file.
PreviousDAMNextShimcache

Last updated