Prefetch
Location and Format
The windows prefetch file is located at C:\Windows\prefetch. The prefetch file naming convention is exename-filepathhash.pf.
Purpose
Prefetch was designed by Microsoft to help make loading applications faster. Prefetch does this by pre-loading pages of code when the system is booted. This pre-loading feature allows windows applications to load faster on subsequent executions. The location of thee prefetch files should never change and it should always be located in the Windows directory.
There are some interesting caveats that must be explored with prefetch files. First, up until Windows 8 the prefetch folder was only able to take 128 files. This was upgraded in Windows 8/10 to 1024 files. Secondly, the prefetching function will likely be disabled on systems that are running on SSDs (or a the very least not perform as expected). This fact likely holds true for NVME drives as well. Lastly, by default prefetch is disabled on Windows servers.
Forensic Uses
We as Forensicators use prefetch as evidence of application execution. Once an application is loaded for the first time, a prefetch file is created following the above naming convention. This file will contain the following information:
- Last 8 execution times are embedded in Windows 8+.
- Associated file and folder handles are embedded.
- Number of times application was run
- Creation time of the prefetch file indicates first **known** evidence of execution (Subtract 10 seconds).
- Modified time of the prefetch file indicates the last execution time (will also be embedded).
Using this information we are able to construct a base timeline of application execution, which can then be corroborated with other evidence sources.
Analysis Tools
- pecmd.exe (https://github.com/EricZimmerman/PECmd)
Example Analysis
pending