Prefetch
Location and Format
The windows prefetch file is located at C:\Windows\prefetch. The prefetch file naming convention is exename-filepathhash.pf.
Purpose
Prefetch was designed by Microsoft to help make loading applications faster. Prefetch does this by pre-loading pages of code when the system is booted. This pre-loading feature allows windows applications to load faster on subsequent executions. The location of thee prefetch files should never change and it should always be located in the Windows directory.
There are some interesting caveats that must be explored with prefetch files. First, up until Windows 8 the prefetch folder was only able to take 128 files. This was upgraded in Windows 8/10 to 1024 files. Secondly, the prefetching function will likely be disabled on systems that are running on SSDs (or a the very least not perform as expected). This fact likely holds true for NVME drives as well. Lastly, by default prefetch is disabled on Windows servers.
Forensic Uses
We as Forensicators use prefetch as evidence of application execution. Once an application is loaded for the first time, a prefetch file is created following the above naming convention. This file will contain the following information:
- Last 8 execution times are embedded in Windows 8+.
- Associated file and folder handles are embedded.
- Number of times application was run
- Creation time of the prefetch file indicates first known evidence of execution (Subtract 10 seconds).
- Modified time of the prefetch file indicates the last execution time (will also be embedded).
Using this information we are able to construct a base timeline of application execution, which can then be corroborated with other evidence sources.
Analysis Tools
- pecmd.exe (https://github.com/EricZimmerman/PECmd)
Example Analysis
Prefetch is a foundational artifact when it comes to Digital Forensics. This is especially true in incident response where we are more interested in what was executed on a system. For this analysis I am going to assume that you have mounted a disk image to your analysis system. Always remember that only desktops have prefetch enable by default!
The below command is run from an administrator cmd prompt and we have navigated to the prefetch directory of the system we are analyzing. I like to use Zimmerman’s PECMD.exe.
-H:\[root]\Windows\Prefetch>pecmd.exe -d .\ --csv C:\Users\User\Desktop\case\Processed_Evidence --csvf prefetch.csv
-d = specify the prefetch directory you want to ingest –csv = directory where you want the output to be –csvf = name of the output file
Pecmd.exe will output two files. One file is a timeline file that is a little less verbose but can give you the broad strokes of what is executing on the system. The other file is the verbose file that gives you all the details that you can get from prefetch. If I have indicators before going into prefetch like a malware name or other executable that I am interested in.